End User Platform Agreement
This End User Platform Agreement outlines the terms and conditions governing your use of the CyberRank SaaS platform and services.
Introduction
CyberRank is a SaaS platform operated by the Independent Information Security Rating Institute Ltd and its sister company IISRI Global Service Centre ltd (both as “IISRI”), providing cybersecurity and privacy ratings along with third-party risk management services (the “Services”). Our platform relies in its basic version exclusively on publicly available data collected and displayed through proprietary technology. We process limited personal data as described in our Privacy Policy and Section 3.6.
This End User Agreement outlines the terms and conditions governing your use of CyberRank’s services. By purchasing, accessing, or utilizing our services, you agree to comply with the terms set forth in this Agreement. If you register for a free trial, these terms will also apply unless explicitly stated otherwise.
By accepting this Agreement—whether by clicking a confirmation box, using our services, or signing a document or purchase order referencing this Agreement—you acknowledge and accept all included terms. If you lack the authority to accept these terms on behalf of an entity, or if you disagree with any provision, you must not accept this Agreement and may not use the services.
This Agreement was last updated on the date listed above and is effective from the earlier of:
- (a) The date you accept this Agreement, or
- (b) The date you first access or use the services (the “Effective Date”).
This agreement regulates the terms and conditions for end users (Customers). Specific terms, service scope, and costs for support are detailed in a separate contract for Partners, including resellers and managed security service providers.
1. Definitions
2. CyberRank Responsibilities and support
2.1 Service Availability
CyberRank will provide purchased services as outlined in this Agreement and applicable Purchase orders. However, access may be temporarily unavailable due to:
- Scheduled maintenance (for which advance notice will be given), or
- External factors beyond CyberRank’s control, such as natural disasters, cyberattacks, or third-party service failures.
2.2 Security Measures
CyberRank follows industry-standard security protocols and undergoes periodic audits. Any detected security breaches will be reported to affected customers within 72 hours of discovery, where required by applicable law, and without undue delay in all other cases.
2.3 Beta Services
Customers may be invited to test beta services at no charge. These features are not yet fully developed and may be modified or discontinued at CyberRank’s discretion. Beta services are provided without warranties and may be subject to additional terms.
2.4 Service Commitment
CyberRank is committed to ensuring high service availability and performance. While every effort is made to maintain continuous service uptime, interruptions may occur due to maintenance, unforeseen events, or circumstances beyond CyberRank’s control.
2.5 Standard Support
CyberRank provides standard support “Basic” with commercially reasonable efforts for the Purchased Services to Customer at no additional charge. Customers can seek assistance for general inquiries, troubleshooting, and technical support during designated support hours via email and online resources.
2.6 Premium Support
Customers requiring prioritized support, dedicated account management, or enhanced service-level guarantees may opt for premium support packages “Pro” and “Enterprise” under a separate agreement. Specific terms, service scope, and costs for premium support will be detailed in a separate contract.
2.7 Reseller Support
Where a Customer has been referred by a Reseller, the Reseller shall serve as the primary support contact. CyberRank will provide second-line technical support to the Reseller on behalf of such Customers. CyberRank may assist Customers directly in exceptional circumstances.
Response Time
| Tier | P1 | P2 | P3 | P4 |
|---|---|---|---|---|
| Enterprise | 2h | 6h | 1 day | 2 days |
| Pro | 4h | 8h | 2 days | 4 days |
| Basic | 1 day | 2 days | 4 days | 5+ days |
Resolution Time
| Tier | P1 | P2 | P3 | P4 |
|---|---|---|---|---|
| Enterprise | 8h | 1 day | 3 days | 7 days |
| Pro | 1 day | 2 days | 5 days | 2 weeks |
| Basic | Best effort | Best effort | Backlog | Backlog |
3. Use of Services and Subscription Terms
3.1 Free Trial
Customers who register for a free trial or use free features of the services will have temporary access at no cost until either (a) the trial period ends, (b) the obtained free credits are used or (c) the customer subscribes to a paid service. If the customer does not subscribe before the trial ends, any customer services data stored in CyberRank’s system may be permanently deleted. During the trial, services are provided “as-is” without warranties. CyberRank assumes no liability for any loss or damage related to the free trial.
3.2 Subscriptions
Customers utilize services by expending credits throughout a one-year subscription period. At the conclusion of this period, any unused credits may become void and revoked without the possibility of a refund; impacted customers will be notified 60 days before expiry. If additional credits are purchased during an active Subscription Term, all remaining credits from the existing term will roll over and be extended for an additional 12 months. The subscription term begins on the date specified in the purchase order and continues for the agreed period. Subscriptions automatically renew for successive terms unless cancelled in accordance with this Agreement.
3.3 Usage Limits
Service usage is subject to limitations, which may include, but are not limited to, the quantities specified in applicable purchase orders. Unless explicitly stated otherwise, the quantity referenced in a purchase order corresponds to Slots or Credits, as applicable. If the customer purchases additional credits, the contractual usage limit will automatically increase to reflect the revised number of Slots or Credits for the remainder of the Subscription Term and beyond, if applicable.
3.4 Customer Responsibilities
The customer is responsible for:
- (a) Ensuring all their Users comply with this Agreement and for all activities conducted through their use of the Services.
- (b) Maintaining the accuracy, legality, and validity of all Customer Services Data, including obtaining necessary consents or rights to process such data.
- (c) Preventing unauthorized access to or usage of the Services, including securing user credentials and immediately notifying CyberRank of any unauthorized access or suspected breaches.
- (d) Complying with the terms of service of any Non-CyberRank Applications that are integrated with CyberRank’s Services.
3.5 Usage Restrictions
Customers may not:
- (a) Provide access to any Service to unauthorized individuals or entities.
- (b) Resell, license, sublicense, lease, rent, or otherwise distribute any portion of the Services, including reports or outputs generated through the platform.
- (c) Use the Services to transmit illegal, defamatory, infringing, or otherwise tortious content or material.
- (d) Introduce or distribute Malicious Code through the Services.
- (e) Use the Services in violation of applicable laws, regulations, or for fraudulent or harmful purposes.
- (f) Interfere with or degrade the integrity or performance of the Services.
- (g) Attempt unauthorized access to the Services or related systems.
- (h) Circumvent contractual usage limitations.
- (i) Remove or alter proprietary notices such as copyright or trademark information from materials obtained through the Services.
- (j) Frame or mirror any part of the Services unless strictly for internal business use.
- (k) Utilize the Services to develop a competing product or service.
- (l) Modify, reverse-engineer, disassemble, or otherwise tamper with CyberRank’s Services or website through manual or automated methods.
Partners, including managed security service providers, adhere to a separate signed agreement with IISRI where it is stated that they can resell, license, sublicense, or otherwise distribute any portion of the Services, including reports or outputs generated through the platform.
3.6 Privacy
CyberRank’s official privacy policy is available at CyberRank.ai and is subject to updates. It includes, among others:
- Data Collection – CyberRank may collect personal information in connection with a customer’s use of the Services. The CyberRank Privacy Policy details the types of data collected, the purposes of collection, processing methods, and any third parties with whom such data may be shared.
- Customer Obligations – The customer affirms that they have adhered to all Applicable Data Privacy Laws concerning the collection and disclosure of personal information and that they are not relying on CyberRank to fulfil any of their compliance obligations.
- CyberRank Obligations – CyberRank confirms that, in relation to the limited personal information received from customers or their Users, it will independently adhere to all applicable legal requirements as a data controller. CyberRank will not rely on the customer to fulfil any obligations assigned to it as a data controller.
3.7 Service Suspension
In cases where CyberRank identifies a violation of this Agreement by a User, it may request that the customer suspend that User’s access to the Services. If the customer does not comply, CyberRank reserves the right to suspend that User’s access directly. The suspension will remain in effect until the User has resolved the violation. In the event of a Disruption Event, CyberRank may impose an automatic suspension to prevent or mitigate harm. Such suspensions will be limited to the minimum scope and duration necessary to prevent or halt the disruption. If CyberRank suspends access without prior notice, it will provide the customer with an explanation as soon as reasonably possible upon request.
3.8 Non-CyberRank Applications
- Third-Party Applications – CyberRank and third-party providers may offer additional products or services, including Non-CyberRank Applications and consulting services. If a customer chooses to use such Non-CyberRank Applications, all interactions between the customer and the external provider are independent of CyberRank. CyberRank neither guarantees nor supports Non-CyberRank Applications, regardless of whether they are designated or recommended by CyberRank.
- Customer Responsibility – The customer assumes full responsibility for reviewing and understanding any additional terms governing Non-CyberRank Applications, particularly concerning data collection, processing, and privacy practices. CyberRank does not control Non-CyberRank Applications and is not liable for any third-party products, services, websites, or content.
3.9 Renewal and Cancellation
Customers may cancel their subscription by providing written notice at least 30 days before the renewal date. Failure to provide timely notice will result in automatic renewal for the next subscription period.
3.10 Modification of Subscription
CyberRank reserves the right to update service offerings, pricing, and features at the time of renewal. Customers will be notified of any material changes 60 days in advance.
3.11 Suspension or Termination
CyberRank may suspend or terminate a subscription if the customer violates any terms of this Agreement, fails to make timely payments, or engages in activities that disrupt CyberRank’s infrastructure or security.
3.12 Usage Tracking and Compliance
CyberRank reserves the right to monitor and track usage to ensure compliance with the agreed subscription terms. If a customer exceeds allocated limits or misuses the services, CyberRank may require the Customer to purchase additional credits or restrict access to the Services.
4. Fees and Payment for Purchased Services
4.1 Reseller Purchases
If the Customer acquires the Services through a Reseller, all payment-related terms, including pricing, invoicing, billing, payment methods, and late payment penalties, shall be governed by the Customer’s separate agreement with the Reseller. Such terms shall prevail over any conflicting provisions in this Agreement solely with respect to payment-related matters. CyberRank reserves the right to suspend or terminate access to the Services if any amounts payable to CyberRank are not received when due, including where non-payment by the Customer results in the Reseller failing to remit payment to CyberRank. The agreement between the Customer and the Reseller may govern only pricing and payment mechanics and shall not modify, amend, or otherwise affect any other provisions of this Agreement, nor shall it impose any binding obligations on CyberRank. If no valid or enforceable agreement exists between the Customer and the Reseller, or if such agreement is terminated or unenforceable, the terms of this Agreement shall apply directly to the Customer. When customers referred by a Reseller acquire services from CyberRank and pay IISRI directly, a separate agreement between IISRI and the Reseller governs the payment of fees/commissions to the Reseller by IISRI.
4.2 Fees
The Customer is responsible for payment of all fees specified in applicable purchase orders. Unless otherwise stated in this Agreement or in a purchase order:
- (i) Fees are determined based on the number of credits purchased, not on actual usage.
- (ii) Payment obligations are non-cancelable, and fees paid are non-refundable except as outlined in Section 12.
- (iii) The number of credits purchased cannot be reduced during the Subscription Term.
4.3 Invoicing and Payment
Fees must be paid in advance via CyberRank’s online payment portal, which redirects to a third-party payment processor (currently Stripe or PayPal, as further detailed in our Privacy Policy). In certain instances, payments may be made in advance based on an invoice. Unless otherwise specified in the purchase order, invoiced charges are due immediately upon receipt and must be paid within thirty (30) days of the invoice date. Any overdue payments will accrue interest at a rate of 18% per annum, or the maximum rate permitted by applicable law, whichever is lower. The Customer is responsible for providing accurate and up-to-date billing and contact information and notifying CyberRank of any changes. The Customer acknowledges that third-party payment processors engaged by CyberRank may process payments, and such processors will receive the necessary payment information to facilitate transactions.
4.4 Overdue Charges
If CyberRank does not receive an undisputed invoice payment within thirty (30) days of the invoice date, CyberRank may, without waiving any rights or remedies:
- (a) Impose shorter payment terms for future renewals or purchase orders, and/or
- (b) Require the Customer to cover reasonable legal or collection costs incurred in recovering the outstanding payment.
4.5 Suspension of Services and Acceleration of Payment
If any outstanding amount owed by the Customer under this or any other agreement for purchased services remains unpaid for thirty (30) days or more, CyberRank reserves the right to accelerate all unpaid fee obligations, making them immediately due and payable. Additionally, CyberRank may suspend the Customer’s access to the Services until full payment is received. CyberRank will provide at least ten (10) days’ prior notice before implementing a suspension.
4.6 Taxes
Fees charged by CyberRank exclude applicable taxes, duties, levies, or other governmental charges, including but not limited to value-added tax (VAT), sales tax, or use tax (collectively, “Taxes”). The Customer is responsible for remitting all applicable Taxes related to its purchases. If CyberRank is legally obligated to collect and remit Taxes on behalf of the Customer, the corresponding amount will be invoiced and must be paid unless the Customer provides a valid tax exemption certificate from the relevant taxing authority. CyberRank remains solely responsible for taxes imposed on its own income, property, and employees.
4.7 Future Functionality
The Customer acknowledges that its purchase of Services is not contingent upon the delivery of future features or functionality, nor is it dependent on any oral or written statements made by CyberRank regarding potential future enhancements.
5. Proprietary Rights and Licenses
5.1 Reservation of Rights
- (a) Except for the limited rights expressly granted under this Agreement, CyberRank retains all ownership, title, and interest in and to the Services, including all associated proprietary materials and intellectual property rights. The Customer does not acquire any rights to the Services, whether by implication or otherwise, beyond those explicitly granted herein.
- (b) The Customer retains full ownership, title, and interest in its Customer Services Data. However, CyberRank is permitted to use Customer Services Data, excluding username, password and billing info, to generate Generic Reports and as specified in Section 5.2.
- (c) CyberRank grants the Customer a non-exclusive right to use and publish only its own aggregated security and privacy ratings at its discretion. No additional rights are granted to the Customer beyond those expressly stated in this Agreement.
5.2 CyberRank’s Right to Use Vendor Services Data
Customers acknowledge that CyberRank processes publicly available vendor data under its own legal basis as an independent data controller. Vendor Services Data is the proprietary information of CyberRank. CyberRank has the right to process and use Vendor Services Data, including cybersecurity and privacy ratings, in compliance with applicable laws for the following purposes:
- (a) To provide the Services as outlined in this Agreement and the Privacy Policy, including but not limited to providing Vendor data to CyberRank Customers.
- (b) To communicate with vendors or contacts designated by the Customer.
- (c) To identify and resolve service or technical issues.
- (d) As explicitly authorized by the Customer.
- (e) As required by law.
Additionally, CyberRank may use Vendor Services Data in an aggregated, anonymized, and de-identified format for internal research, benchmarking, analytics, product improvements, and feature development, provided that:
- (i) Such use is strictly for administrative purposes and general usage statistics.
- (ii) The data does not identify the Customer, its representatives, customers, or employees.
- (iii) Any public disclosure of aggregated data will be limited to overall trends across CyberRank’s customer base.
Vendor-specific security findings, including unpatched vulnerabilities and breach details, are shared with Customers solely for the purpose of their own third-party risk assessments and may not be used for competitive intelligence or disclosed to third parties.
5.3 Customer’s License to Provide Feedback
The Customer grants CyberRank a worldwide, perpetual, irrevocable, transferable, and royalty-free license to use and incorporate into the Services any suggestions, recommendations, enhancements, or other feedback provided by the Customer or its Users, provided that CyberRank does not publicly attribute such feedback to the Customer without consent.
5.4 Use of Customer Ratings for Marketing
The Customer grants CyberRank a royalty-free license to use and incorporate its cybersecurity and privacy ratings for marketing purposes, including publishing the ratings on IISRI’s or CyberRank’s public website, provided that:
- (i) The Customer’s rating is at least a “B,” else CyberRank may publish it as “Lower than B”, or
- (ii) The Customer provides explicit consent to publicly disclose its rating, regardless of the rating level.
The Customer can withdraw this consent and require removal within 10 business days by contacting IISRI as defined in Section 10.
6. Confidentiality
6.1 Definition of Confidential Information
“Confidential Information” refers to all information and materials disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”), whether communicated orally or in writing, that is labeled as confidential or should reasonably be understood as confidential given its nature and the circumstances of disclosure. CyberRank’s Confidential Information includes the Services and any proprietary materials provided through the Services. The Customer’s Confidential Information includes personal identifiable information in Customer Services Data. Confidential Information of both parties also includes proprietary pricing information, business and marketing strategies, technology, technical specifications, product roadmaps, designs, and operational processes. However, Confidential Information does not include information that:
- (i) Becomes publicly known without any breach of obligation.
- (ii) Was already lawfully in the Receiving Party’s possession before disclosure.
- (iii) Is received from a third party without breach of obligation.
- (iv) Is independently developed by the Receiving Party without use of the Disclosing Party’s Confidential Information.
- (v) Was disclosed under Sections 5.2 and 5.4.
6.2 Protection of Confidential Information
The Receiving Party agrees to:
- (i) Employ the same level of care to protect the Disclosing Party’s Confidential Information as it does for its own confidential information, but no less than reasonable care.
- (ii) Use Confidential Information exclusively for purposes within the scope of this Agreement.
- (iii) Disclose Confidential Information only to employees, officers, advisors, contractors, and agents who require access for purposes aligned with this Agreement and who are bound by confidentiality obligations consistent with this Agreement. The Receiving Party is fully accountable for ensuring its personnel comply with these confidentiality obligations.
- (iv) Confidentiality obligations shall survive termination of this Agreement for a period of five (5) years, except in relation to trade secrets, which shall remain confidential indefinitely.
6.3 Compelled Disclosure
The Receiving Party may disclose Confidential Information when legally required by law, regulation, court order, or governmental authority, provided that it gives the Disclosing Party prior notice (unless prohibited by law) and reasonable assistance, at the Disclosing Party’s expense, to challenge or limit the disclosure. If disclosure is required as part of a legal proceeding where the Disclosing Party is a party and does not contest the disclosure, the Disclosing Party shall reimburse the Receiving Party for the reasonable costs of providing secure access to the information.
7. Representations, Warranties, Exclusive Remedies, and Disclaimers
7.1 Representations
Each party represents that it has the legal authority to enter into this Agreement and perform its obligations hereunder.
7.2 CyberRank’s Warranties
CyberRank warrants that:
- (a) The Purchased Services will perform materially in accordance with the specifications detailed in the Documentation.
- (b) Any Professional Services provided will be performed in a competent and professional manner.
- (c) CyberRank has taken commercially reasonable measures to prevent the introduction of Malicious Code into the Services.
In the event of a breach of the above warranties, the Customer’s exclusive remedy shall be as specified in Sections 12.1 and 12.2.
7.3 Mutual Warranties
Both parties warrant that they will comply with all applicable laws and regulations concerning the provision and use of the Services, including data security and breach notification laws.
7.4 Disclaimers
Except as expressly provided herein, neither party makes any warranties, whether express, implied, statutory, or otherwise. Each party specifically disclaims all implied warranties, including merchantability and fitness for a particular purpose, to the maximum extent permitted by law. Neither party assumes liability or indemnification obligations for damages caused by third-party hosting providers or non-CyberRank applications.
8. Mutual Indemnification
8.1 Indemnification by CyberRank
IISRI shall defend the Customer against any third-party claims alleging that the Customer’s use of a Purchased Service under this Agreement infringes or misappropriates any intellectual property rights (“Claim Against Customer”), provided that the Customer:
- (a) Promptly notifies IISRI in writing of the claim.
- (b) Grants IISRI full control over the defense and settlement.
- (c) Provides reasonable assistance.
If such a claim arises, IISRI may, at its sole option:
- (i) Modify the Services to avoid infringement without materially reducing functionality.
- (ii) Obtain a license permitting continued use of the Services.
- (iii) Terminate the affected Services upon 30 days’ written notice and refund any prepaid, unused fees for the terminated portion.
IISRI shall have no indemnification obligation to the extent the claim arises from:
- (i) Any Non-CyberRank Application.
- (ii) The Customer’s breach of this Agreement.
- (iii) Negligence, recklessness, or wilful misconduct by the Customer.
- (iv) Combination of the Services with unauthorized products, systems, or data.
- (v) Modifications made by the Customer or any third party acting on the Customer’s behalf.
The indemnification liability is capped at total fees paid in the prior 12 months.
8.2 Indemnification by Customer
The Customer shall defend CyberRank against any third-party claims arising from: (i) Customer Services Data; or (ii) the Customer’s use of the Services in breach of this Agreement, alleging infringement or misappropriation of intellectual property rights (“Claim Against CyberRank”). The Customer shall indemnify CyberRank for damages, losses, settlement amounts approved in writing by CyberRank, and reasonable legal fees awarded in connection with such claim, provided that CyberRank:
- (a) Promptly notifies the Customer in writing of the claim.
- (b) Grants the Customer full control over the defense and settlement (except that the Customer cannot settle a claim without unconditionally releasing CyberRank of liability).
- (c) Provides reasonable assistance at the Customer’s expense.
This clause does not apply to the extent the claim arises from CyberRank’s breach of this Agreement or CyberRank’s negligence, recklessness, or wilful misconduct. The indemnification liability is capped at total fees paid in the prior 12 months.
8.3 Exclusive Remedy
This Section 8 sets forth the exclusive remedies and obligations of the parties with respect to any claims described herein.
8.4 Nature of CyberRank Services – Cyber Risk Intelligence Disclaimer
The Customer acknowledges and agrees, by using CyberRank, that CyberRank provides artificial intelligence, cybersecurity and privacy intelligence and analytical services based on the aggregation and interpretation of External Data Sources, including but not limited to publicly available information, internet-facing infrastructure, domain and network metadata, threat intelligence feeds, third-party datasets, and non-invasive scanning techniques. The Services may incorporate artificial intelligence and machine learning systems that generate probabilistic, predictive, and/or inferred outputs, and the Customer acknowledges that such outputs are inherently subject to limitations in data quality, completeness, timeliness, and model interpretation, including bias, uncertainty, and potential error.
- (a) CyberRank outputs, including risk scores, alerts, reports, classifications, and recommendations, may be based on both factual data and probabilistic, inferred, or predictive modelling.
- (b) Such outputs are inherently subject to uncertainty, including limitations in data availability, timing delays, incomplete visibility, false positives, and false negatives.
- (c) IISRI does not guarantee that any output of CyberRank is accurate, complete, current, or free from error.
- (d) IISRI does not perform intrusive penetration testing, exploitation, or internal system auditing through CyberRank unless expressly agreed in a separate written agreement.
- (e) CyberRank outputs do not constitute legal, regulatory, compliance, or security certification or assurance.
- (f) The Customer acknowledges and agrees that, prior to using any invasive scanning functionality made available through CyberRank, the Customer shall obtain all necessary authorisations and consents from the organisation being assessed or scanned. The Customer assumes full responsibility and liability for such activities and releases, indemnifies, and holds harmless IISRI from any claims, losses, liabilities, damages, or expenses arising from or relating to the Customer’s use of such functionality.
The Customer acknowledges that any reliance on CyberRank outputs is at the Customer’s sole risk and responsibility, and the Customer shall independently evaluate and validate all outputs before taking any action or making any business, security, or compliance decision.
9. Limitation of Liability
9.1 Limitation of Liability
Except for the Customer’s payment obligations under Section 4, neither party shall be liable for any single incident or series of related incidents arising out of or in connection with this Agreement in excess of the total amount paid by the Customer in the twelve (12) months preceding the event giving rise to the claim. In no event shall either party’s aggregate liability exceed the total amounts paid by the Customer under this Agreement during the term. These limitations apply regardless of the form of action, whether in contract, tort (including negligence), strict liability, or otherwise, to the maximum extent permitted by law. Indemnification obligations are governed exclusively by Section 8, which sets out the applicable scope, conditions, and caps for each party’s indemnification liability. Nothing in this Section 9.1 shall be construed to expand or remove the caps expressly stated in Sections 8.1 and 8.2.
9.2 Exclusion of Consequential and Related Damages
Except for each party’s indemnification obligations under Section 8, neither party shall be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including but not limited to loss of profits, revenue, data, business opportunity, or goodwill, even if advised of the possibility of such damages. These exclusions apply regardless of the legal theory under which such damages are sought. Where a Customer has been referred to the Services by a Reseller, the indemnification caps set out in Sections 8.1 and 8.2 apply exclusively to disputes between IISRI and the Customer under this Agreement. These caps do not apply to, and shall have no bearing on, any indemnification obligations or liability caps agreed separately between IISRI and any Reseller under a Reseller Agreement. For the avoidance of doubt, the indemnification caps in this Agreement bind only the Customer and IISRI as parties to this Agreement.
10. Notices, Governing Law, and Jurisdiction
10.1 Manner of Giving Notice
All notices, consents, requests and approvals under this Agreement must be in writing and shall be deemed given:
- (i) Upon personal delivery.
- (ii) Five business days after mailing.
- (iii) Two business days after confirmed facsimile transmission.
- (iv) One business day after email transmission (excluding indemnification notices).
Notices to us about CyberRank shall be sent to the following mailing address:
CyberRank
Independent Information Security Rating Institute (IISRI) ltd
Level G, 26 Hobson Street, Auckland City 1010, New Zealand
Legal@iisri.com
10.2 Governing Law and Jurisdiction
This Agreement shall be governed by and interpreted under the laws of New Zealand, without regard to conflict-of-law principles. All disputes shall be subject to the exclusive jurisdiction of the courts located in New Zealand, and both parties waive objections to venue. Customers established in the European Economic Area, the United Kingdom, or the State of California, or whose use of the Services involves personal data of individuals in those jurisdictions, are subject to the applicable jurisdiction-specific addenda forming part of this Agreement: Addendum A (EU GDPR), Addendum B (UK GDPR), and Addendum C (CCPA/CPRA). In the event of conflict between those addenda and this Agreement, the relevant addendum prevails to the extent required by applicable law. Where a Customer has been referred to the Services by a Reseller, and a dispute arises that involves both this Agreement and the applicable Reseller Agreement between IISRI and that Reseller, the following applies: this Agreement and any dispute between IISRI and the Customer shall remain governed exclusively by the laws of New Zealand and subject to the jurisdiction of the courts of New Zealand, regardless of the governing law or dispute resolution mechanism contained in the Reseller Agreement. The Reseller Agreement governs only the relationship between IISRI and the Reseller. No provision of any Reseller Agreement shall alter, override, or affect the governing law or jurisdiction applicable to any Customer under this Agreement.
11. General Provisions
11.1 Entire Agreement and Order of Precedence
This Agreement, including all Purchase Orders, constitutes the complete understanding between the parties and supersedes any prior agreements or representations. Any conflicting terms in Customer-issued documents, such as purchase orders, shall be void. In case of a conflict, the order of precedence is:
- Applicable Jurisdiction-Specific Addenda (to the extent required by law).
- The applicable Purchase Order.
- This Agreement.
- The Documentation.
11.2 Assignment
Neither party may assign this Agreement without prior written consent, except in cases of merger, acquisition, or sale of substantially all assets. However, if a party is acquired by a direct competitor of the other party, the other party may terminate the Agreement with written notice.
11.3 Relationship of the Parties
The parties are independent contractors. This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship.
11.4 Third-Party Beneficiaries
This Agreement does not create any third-party beneficiary rights.
11.5 Waiver
Failure to enforce any provision of this Agreement shall not constitute a waiver of that provision.
11.6 Severability
If any provision is deemed invalid, the remaining provisions shall continue in effect.
11.7 Headings
Section headings are for reference only and do not affect interpretation.
11.8 Equitable Relief
Each party may seek equitable relief to prevent unauthorized use of its intellectual property.
11.9 Force Majeure
Neither party is liable for delays or failures due to causes beyond reasonable control, including natural disasters, terrorism, labor disruptions, and internet failures. For the avoidance of doubt, a merger, acquisition, or change of control affecting either party shall not in itself constitute a force majeure event, but shall be governed by the assignment provisions in §11.2.
12. Termination
12.1 Termination for Cause
Either party may terminate this Agreement for cause upon written notice if the other party materially breaches this Agreement and fails to cure such breach within twenty (20) days after receiving written notice thereof.
12.2 Termination Without Cause
12.3 Effect of Termination
Upon termination or expiration of this Agreement, the Customer’s right to access and use the Services shall immediately cease. Termination shall not relieve either party of any obligations accrued prior to the effective date of termination. Following termination, IISRI will retain personally identifiable information of the Customer for no longer than 90 days, after which it will be deleted or anonymised, unless retention is required by applicable law.
Addendum A: EU General Data Protection Regulation (GDPR) Data Processing Agreement
Effective as part of the CyberRank End User Platform Agreement
A.1 Scope and Purpose
This Addendum applies where the Customer is established in the European Economic Area (EEA), or where the Customer’s use of the Services involves the processing of personal data of individuals located in the EEA, as governed by Regulation (EU) 2016/679 (GDPR).
A.2 Roles of the Parties
The parties acknowledge that:
- (a) IISRI acts as an independent Data Controller in respect of personal data it collects directly from Customers and Users (such as account credentials and billing contact details), and processes such data for its own purposes in accordance with its Privacy Policy.
- (b) IISRI does not act as a Data Processor on behalf of the Customer. CyberRank processes Vendor Services Data under its own legal basis as an independent data controller. The Customer is not instructing IISRI to process personal data on the Customer’s behalf through the Services.
- (c) Where the Customer inputs or submits any personal data into the Services beyond what is contemplated in this Agreement, the Customer does so as an independent data controller and is solely responsible for ensuring a valid legal basis exists for such processing.
A.3 IISRI’s Obligations as Data Controller
In respect of personal data for which IISRI acts as Data Controller, IISRI shall:
- (a) Process personal data only for the purposes described in its Privacy Policy and this Agreement.
- (b) Implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction, in accordance with Article 32 GDPR.
- (c) Notify affected Customers of a personal data breach within 72 hours of becoming aware of it, where such breach is likely to result in a risk to the rights and freedoms of natural persons, in accordance with Articles 33 and 34 GDPR.
- (d) Honour data subject rights requests (access, rectification, erasure, restriction, portability, objection) directed to IISRI within one calendar month of receipt, extendable by a further two months where requests are complex or numerous, in accordance with Article 12(3) GDPR.
- (e) Not transfer personal data outside the EEA without ensuring an adequate level of protection, including through Standard Contractual Clauses (SCCs) as adopted by the European Commission, or another approved transfer mechanism under Chapter V GDPR.
- (f) Maintain records of processing activities as required by Article 30 GDPR.
A.4 International Data Transfers
Where IISRI transfers personal data from the EEA to New Zealand, the parties acknowledge that New Zealand holds an adequacy decision from the European Commission. Where personal data is transferred to any other third country, IISRI shall implement appropriate safeguards including the EU SCCs (Commission Implementing Decision (EU) 2021/914) or successor instruments.
A.5 Sub-processors
IISRI may engage sub-processors to assist in delivering the Services. IISRI shall ensure sub-processors are bound by data protection obligations at least equivalent to those in this Addendum. IISRI shall make available a current list of sub-processors upon Customer request.
A.6 Supervisory Authority
The lead supervisory authority for IISRI’s data processing activities under GDPR shall be determined by the location of IISRI’s EU representative (as required under Article 27 GDPR) or the supervisory authority of the Member State in which the relevant processing takes place.
A.7 Conflict
In the event of any conflict between this Addendum and the main Agreement, this Addendum shall prevail to the extent necessary to ensure GDPR compliance.
Addendum B: UK General Data Protection Regulation (UK GDPR)
Effective as part of the CyberRank End User Platform Agreement
B.1 Scope and Purpose
This Addendum applies where the Customer is established in the United Kingdom, or where the Customer’s use of the Services involves the processing of personal data of individuals located in the United Kingdom, as governed by the UK GDPR (as defined in section 3(10) of the Data Protection Act 2018, as amended by the European Union (Withdrawal) Act 2018) and the Data Protection Act 2018 (together, “UK Data Protection Law”).
B.2 Relationship to EU GDPR Addendum
The terms of Addendum A (EU GDPR DPA) are incorporated into this Addendum B by reference, with the following modifications:
- (a) All references to “GDPR” shall be read as references to “UK GDPR” and “UK Data Protection Law”.
- (b) All references to the “European Commission” shall be read as references to the “UK Secretary of State” or the “ICO” as appropriate.
- (c) All references to “EEA” shall be read as references to the “United Kingdom”.
- (d) The supervisory authority shall be the Information Commissioner’s Office (ICO), reachable at ico.org.uk.
- (e) International data transfers from the UK shall be governed by the International Data Transfer Agreement (IDTA) issued by the ICO, or the Addendum to the EU SCCs approved by the ICO (or successor instruments), rather than the EU SCCs referenced in Addendum A.
B.3 Adequacy
The parties acknowledge that New Zealand holds an adequacy regulation under UK data protection law. Where personal data is transferred to any other third country not covered by an adequacy regulation, IISRI shall implement the IDTA or such other transfer mechanism as approved by the ICO.
B.4 Conflict
In the event of any conflict between this Addendum and the main Agreement or Addendum A, this Addendum shall prevail to the extent necessary to ensure compliance with UK Data Protection Law.
Addendum C: California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Effective as part of the CyberRank End User Platform Agreement
C.1 Scope and Purpose
This Addendum applies where the Customer is a business subject to the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), and where the Customer’s use of the Services involves personal information of California residents.
C.2 Roles of the Parties
IISRI acts as an independent Business (as defined under CCPA) in respect of personal information it collects from Customers and Users for its own commercial purposes. Where IISRI processes personal information solely on behalf of the Customer and at the Customer’s direction, IISRI acts as a Service Provider (as defined under CCPA). In such capacity, IISRI shall not: sell or share the personal information for cross-context behavioural advertising; retain, use, or disclose personal information outside the scope of the Services or as permitted by applicable law; or combine personal information received from the Customer with personal information received from other sources except as permitted by CCPA/CPRA.
C.3 IISRI’s Obligations
IISRI shall:
- (a) Provide the same level of privacy protection as required of businesses under the CCPA/CPRA.
- (b) Notify the Customer promptly if IISRI determines it can no longer meet its obligations under the CCPA/CPRA.
- (c) Upon verified consumer request forwarded by the Customer, assist the Customer in responding to requests to know, delete, correct, or opt out of the sale or sharing of personal information, within 45 days of receipt.
- (d) Not sell or share personal information as those terms are defined under CCPA/CPRA.
- (e) Upon termination of the Agreement, delete or return all personal information to the Customer as directed, unless retention is required by law.
C.4 Customer Obligations
The Customer represents and warrants that:
- (a) It has provided all required notices to California consumers regarding the collection and use of their personal information.
- (b) It has a valid legal basis to share personal information with IISRI.
- (c) It will honour consumer rights requests in accordance with CCPA/CPRA timelines.
C.5 No Sale of Personal Information
IISRI confirms it does not sell personal information of California residents as defined under CCPA/CPRA and will not do so without explicit agreement and required notices.
C.6 Conflict
In the event of any conflict between this Addendum and the main Agreement, this Addendum shall prevail to the extent necessary to ensure compliance with CCPA/CPRA.