***IMPORTANT READ CAREFULLY***

MASTER SOFTWARE AND SERVICES AGREEMENT

Updated September 18, 2017

THIS MASTER SOFTWARE AND SERVICES AGREEMENT (THIS “AGREEMENT”) GOVERNS THE LICENSE AND/OR ACCESS OF PHISHME SOFTWARE, SUBSCRIPTIONS AND SERVICES PROVIDED BY PHISHME INC., AND/OR ITS AFFILIATES (“PHISHME”) UNLESS YOU (OR THE BUSINESS, GOVERNMENT OR ENTITY YOU REPRESENT) HAVE EXECUTED A SEPARATE WRITTEN AGREEMENT WITH PHISHME GOVERNING SUCH SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES.

PLEASE READ THIS AGREEMENT CAREFULLY. CLICKING ON THE “YES” OR “I ACCEPT” BUTTON (OR OTHER BUTTON OR MECHANISM DESIGNED TO ACKNOWLEDGE AGREEMENT TO THE TERMS OF THIS AGREEMENT), DOWNLOADING, INSTALLING, ACCESSING OR USING PHISHME SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT YOUR SUBMISSION OF AN ORDER FOR THE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES CONSTITUTES AN ACCEPTANCE OF THIS AGREEMENT.

IF YOU AGREE TO THIS AGREEMENT ON BEHALF OF A BUSINESS, GOVERNMENT, OR OTHER ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE POWER AND AUTHORITY TO BIND SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY TO THIS AGREEMENT, AND YOUR AGREEMENT TO THESE TERMS WILL BE TREATED AS THE AGREEMENT OF SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY. AS USED IN THIS AGREEMENT, “CUSTOMER” REFERS TO THE BUSINESS, GOVERNMENT, OR OTHER ENTITY ON WHOSE BEHALF YOU HAVE ENTERED INTO THIS AGREEMENT.

IF YOU ARE UNWILLING TO AGREE TO THIS AGREEMENT, OR YOU DO NOT HAVE THE RIGHT, POWER AND AUTHORITY TO ACT ON BEHALF OF AND BIND THE CUSTOMER, DO NOT CLICK ON THE BUTTON AND DO NOT INSTALL, DOWNLOAD, ACCESS, OR OTHERWISE USE THE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES.

IF CUSTOMER RECEIVES THE SOFTWARE, SUBSCRIPTIONS OR SERVICES THROUGH A PHISHME AUTHORIZED RESELLER, PARTNER OR DISTRIBUTOR (COLLECTIVELY, “AUTHORIZED PARTNER”), ALL FEES AND OTHER PROCUREMENT AND DELIVERY TERMS WILL BE AGREED BETWEEN CUSTOMER AND THE AUTHORIZED PARTNER; HOWEVER, THE TERMS SET FORTH IN THIS AGREEMENT REGARDING CUSTOMER’S USE OF THE SOFTWARE, SUBSCRIPTIONS AND SERVICES REMAIN APPLICABLE. FOR CLARIFICATION, CUSTOMER’S AGREEMENT WITH THE AUTHORIZED PARTNER IS BETWEEN CUSTOMER AND THE AUTHORIZED PARTNER ONLY AND SUCH AGREEMENT IS NOT BINDING ON PHISHME.

I.         DEFINITIONS.

“Authorized Users” means Customer authorized employees, agents or independent contractors with an assigned unique email address, who may (i) access the applicable Subscription or Software; and/or (ii) receive or send email messages with respect to the applicable Subscription or Software.

“Confidential Information” means any non-public, confidential, or proprietary information of a disclosing Party (“Discloser”) that should reasonably be understood by the receiving Party (“Recipient”) to be confidential because of (i) legends or other markings; (ii) the circumstances of disclosure; or (iii) the nature of the information, which may be disclosed either directly or indirectly, in writing, visual, orally or by inspection of tangible objects (including without limitation documents, prototypes, samples, products, software, product specifications and white papers) or other means. Confidential Information includes but is not limited to technology and technical information, promotional and marketing activities, inventions, finances and financial plans, customers, business and product plans, know-how, source code, data, algorithms, methods and processes, trade secrets, designs, techniques, analyses, models, strategies and objectives, and any third-party information that Discloser is otherwise obligated to keep confidential.

“Customer Marks” means Customer’s name and logo, the names of any of Customer’s websites, other names of Customer’s business, enterprises or properties, product marks, trademarks and any other registered intellectual property of Customer.

“Customer Data” means the information submitted or provided by Customer and its Authorized Users for use with the Software and Services.

“Documentation” means the applicable Software and Subscription user manuals provided by PhishMe to its customers (which may be in electronic format), as amended from time to time by PhishMe.

“Intellectual Property Rights” means copyrights (including, without limitation, the exclusive right to use, reproduce, modify, distribute, publicly display and publicly perform the copyrighted work), trademark rights (including, without limitation, trade names, trademarks, service marks, and trade dress), patent rights (including, without limitation, the exclusive right to make, use and sell), trade secrets, moral rights, right of publicity, authors’ rights, contract and licensing rights, goodwill and all other intellectual property rights as may exist now and/or hereafter come into existence and all renewals and extensions thereof, regardless of whether such rights arise under the law of the United States or any other state, country or jurisdiction.

“Order” means (i) a quotation issued to Customer by PhishMe that is signed by both Parties or (ii) a written purchase order or similar ordering document, signed or submitted by Customer and accepted by PhishMe, under which Customer agrees to purchase Software and/or Services. It is agreed that all Orders for the Software and Services hereunder will incorporate the terms of this Agreement, whether expressly referenced or not, and will only be accepted subject to the terms of this Agreement. The terms and conditions of this Agreement will govern all Orders, and any additional or different terms in an Order are deemed void and of no effect unless such additional or different terms are agreed upon by the Parties in writing. For clarity, acceptance by PhishMe of a Customer’s purchase order or similar ordering document will not be deemed an acceptance of any conflicting or additional terms and conditions.

“PhishMe IP” means all PhishMe proprietary materials, including without limitation, the Software, Subscriptions, PhishMe’s Confidential Information, threat intelligence and threat indicators, intelligence alerts and reports, and/or investigation tools, Aggregate Data, Documentation, PhishMe Rules, proprietary processes and methods, and any PhishMe templates and/or forms.

“Software” means the licensed software (object code and source code) described in the applicable exhibit for such Software attached to this Agreement.

“Software Support Services” means the applicable support services provided with the Software, as described in the Software Support Services Exhibit attached to this Agreement.

“Professional Services” means professional consulting services or managed services rendered or performed by PhishMe, as described under an applicable Statement of Work or schedule for such Professional Services attached to this Agreement.

“Service(s)” means the Subscription Services, Professional Services and Software Support Services.

“Statement of Work” or “SOW” means a written statement of work or addendum, mutually agreed-upon and signed by the Parties, describing Professional Services and incorporating this Agreement.

“Subscription Services” or “Subscription” means the subscription service provided by PhishMe, as described in the applicable exhibit for such Subscription attached to this Agreement.

II.         PROVISION OF SOFTWARE AND SERVICES; CUSTOMER RESPONSIBILITIES.

A.    Orders and SOWs. PhishMe will provide the Software and Services set forth in Orders or Statements of Work, as applicable, pursuant and subject to this Agreement. Terms and licenses specific to each Software and Service are set forth in the applicable exhibit for such Software and Service attached hereto (Exhibit A – PhishMe Professional Services; Exhibit B – PhishMe Simulator Subscription and Acceptable Use Policy Addendum; Exhibit C – PhishMe Intelligence Subscription; Exhibit D – PhishMe LMS Subscription; Exhibit E – PhishMe Reporter Software; Exhibit F – PhishMe Triage Software; Exhibit G – Software Support Services).

B.    Evaluations. If PhishMe provides any Software or Subscriptions, along with any other related materials and documentation for Customer’s evaluation purposes (collectively, “Evaluation Products”), then PhishMe grants Customer a limited, nontransferable, non-assignable, non-sublicensable right to use the Evaluation Product listed in the applicable activation email sent by PhishMe to Customer, subject to the terms of this Agreement and any other limitations expressly set forth in the activation email. In addition, if PhishMe grants Customer a license to evaluate PhishMe Simulator™ pursuant to this Agreement, such license (along with Customer’s rights and obligations herein) will apply to any evaluation of PhishMe Intelligence™ and PhishMe LMS™ made in conjunction with such evaluation of PhishMe Simulator. Customer may use the Evaluation Product for its own internal evaluation purposes from the date in which Customer first installs, downloads or accesses the Evaluation Product, until the expiration date set forth in the activation email or, if no expiration date is set forth in the activation email, for a period of up to thirty (30) days from the date of installation, download or access of the Evaluation Product (the “Evaluation Period”). PhishMe may, at its sole discretion, provide reasonable maintenance and support for the Evaluation Products during the Evaluation Period. Evaluation Products are provided to Customer “AS-IS”, and to the extent permitted by applicable law, PhishMe disclaims all indemnities and warranties relating to the evaluation of the Evaluation Product, express or implied, including but not limited to any warranties against infringement of third party rights, merchantability, and fitness for a particular purpose. Customer acknowledges that the Evaluation Product is PhishMe’s Intellectual Property.
At the end of the Evaluation Period, all evaluation licenses granted herein will automatically terminate and Customer will delete or return Evaluation Products in Customer’s possession, and provide written certification of such destruction or return in writing to PhishMe. If applicable, Customer understands that PhishMe may disable access to the Evaluation Products automatically at the end of the Evaluation Period, without notice to Customer. This Section will take precedence over any contradictory language in this Agreement as it relates to an Evaluation Product.

C.    Customer Responsibilities. Customer (i) is responsible for the use of the Software and Services by Customer and its Authorized Users in compliance with this Agreement, including any applicable exhibits, addenda, Documentation and applicable laws and government regulations; (ii) is responsible for the accuracy, quality and legality of Customer Data, including the lawful use and transmission of Customer Data provided by Customer and its Authorized Users in connection with the Software and Services; (iii) will obtain all rights, permissions or consents from Authorized Users and other Customer personnel that are necessary to grant the rights and licenses in this Agreement; and (iv) will use commercially reasonable efforts to prevent unauthorized access to or use of PhishMe IP, Software and Subscriptions, and will notify PhishMe promptly of such unauthorized use. 

III.         TERM AND TERMINATION.

A.    Term.

1.     Software License and Support. Each Software will be licensed for the period of time stated on the applicable Order or, if no period of time for the Software License is specified in the Order, for a period of one (1) year from the date the Software was delivered to Customer (“Initial Software License Term”). Unless otherwise stated on the Order, the Software License will automatically renew after its Initial Software License Term for additional periods of one (1) year each (each, a “Renewal Software License Term” and together with the Initial Software License Term, the “Software License Term”), unless either Party notifies the other of its intention not to renew the Software License at least sixty (60) days prior to the expiration of the then-current Software License Term. If Customer is licensing the Software on a term basis, PhishMe will provide Software Support Services at no additional charge, for the duration of the Software License Term and such Software Support Services will be coterminous with the Software License Term. If Customer is licensing the Software on a perpetual basis, Software Support Services will be provided for the period of time stated on the applicable Order, or, if no period of time for Support Services is specified, Support Services will be provided for a period of one (1) year from the date the Software was delivered to Customer (“Initial Support Term”). Software Support Services for perpetual Software licenses will automatically renew for additional periods of one (1) year each (each, a “Renewal Support Term” and together with the Initial Support Term, the “Support Term”), unless either Party notifies the other of its intention not to renew such Software Support Services at least sixty (60) days prior to the expiration of the then-current Support Term.

2.     Subscriptions. The term of each Subscription is specified in the applicable Order or, if no period of time for the applicable Subscription is specified, for a period of one (1) year from the date in which access to the Subscription was made available to Customer (“Initial Subscription Term”).  Unless otherwise stated on the Order, the Subscription will automatically renew after its Initial Subscription Term for additional periods of one (1) year each (each, a “Renewal Subscription Term” and together with the Initial Subscription Term, the “Subscription Term”), unless either Party notifies the other of its intention not to renew the Subscription at least sixty (60) days prior to the expiration of the then-current Subscription Term.

3.    Professional Services. The term of performance for Professional Services begins on the date stated in the applicable SOW or Order or, as otherwise mutually agreed in writing between the Parties, and will remain in effect for the term stated in the applicable SOW or Order. If no term for Professional Services is set forth in the applicable SOW or Order, then (i) with respect to a SOW, the Professional Services will start on the effective date of the SOW and will continue until complete, unless otherwise terminated as set forth herein, and (ii) with respect to an Order, Professional Services will start on a mutually agreed upon date, and continue until complete, unless otherwise terminated as set forth herein.

B.    Termination for Material Breach; Suspension. A Party may terminate this Agreement or one or more of the Orders and Statements of Work hereunder, if the other Party commits a material breach, and fails to remedy such breach within thirty (30) days of being notified by the non-breaching Party of such breach (“Cure Period”). Notwithstanding the foregoing, Customer acknowledges and agrees that PhishMe may, in its sole and absolute discretion, immediately terminate this Agreement, or affected SOW or Order, or suspend Customer’s access to any Services in connection with any actual, alleged or suspected: (i) breach of confidentiality obligations and license or use restrictions set forth in this Agreement and applicable exhibit, (ii) direct or indirect technical or security issues or problems caused by or relating to Customer, or (iii) violations of applicable law and, in PhishMe’s determination, such violation cannot be adequately cured within the Cure Period. If PhishMe terminates this Agreement or any Order or Statement of Work due to Customer’s material breach, PhishMe will not refund any amounts to Customer. If Customer terminates a Software license or Service for PhishMe’s material breach, Customer will receive a refund for the remainder of the then-current term for such Software or Service; provided that Customer will not be entitled to any refund if Customer is also in breach of the Agreement at the time of such termination. If Customer terminates a Software License or Services other than for PhishMe’s material breach, Customer will not receive a refund or credit of any Fees already paid or due to PhishMe and, if applicable, all outstanding Software License and Services Fees under an applicable SOW or Order will accelerate and become immediately due and payable.

C.    Effect of Termination. Upon termination of an applicable SOW or Order for any reason, all access rights and licenses granted herein with respect to the affected Order or SOW will immediately terminate. Termination or expiration of any Order or SOW will not be deemed a termination or expiration of any other Orders or SOWs in effect as of the date of termination or expiration, and this Agreement will continue to govern and be effective as to those outstanding Orders and SOWs until those Orders and SOWs have expired or terminated by their own terms or as set forth herein. Within ten (10) business days of the termination of an applicable SOW or Order, each Party will return or delete all copies of the other Party’s intellectual property in its possession or control.

D.    Survival. The provisions of Section IV (Fees, Taxes and Expenses), Section V (Confidentiality and Data Privacy), Section VI (Intellectual Property), Section VII(D) (Disclaimers), Section IX (Limitation of Liability), Section XII (Miscellaneous), and all accrued payment obligations, will survive the termination of this Agreement and the termination of all Orders and SOWs.

IV.         FEES, TAXES AND EXPENSES.

A.   Customer will pay the fees for the Software and Services set forth in the applicable Order or Statement of Work (“Fees”).  All Fees are non-cancelable and non-refundable. All Fees will be fully invoiced in advance, unless otherwise agreed by the Parties in writing. Fees are exclusive of all tariffs, duties or taxes imposed or levied by any government or governmental agency, including without limitation, federal, state and local sales, use, value added or other similar taxes (collectively, “Taxes”) and Customer is responsible for paying all Taxes applicable to the Software and Services provided by PhishMe to Customer. Customer will reimburse PhishMe for any and all expenses incurred by PhishMe so long as such expenses are directly attributable to the Software and Services provided to Customer.

B.   Customer agrees to pay, in full, any undisputed invoice submitted by PhishMe within thirty (30) days of receipt of such invoice. If Customer fails to make any payment when due, then interest at a rate of one and one-half percent (1.5%) per month will accrue on such unpaid, undisputed amounts, calculated from the date the payment was originally due. If Customer disputes any invoice, it will promptly notify PhishMe of the disputed amount, but in no event later than the date payment is due, with an explanation of the reasons therefor.

V.         CONFIDENTIALITY AND DATA PRIVACY.

A.   Recipient will: (i) not use any Confidential Information for any purpose except to evaluate and engage in discussions concerning a potential business relationship between the Parties and/or to fulfill its obligations under this Agreement; (ii) use at least the same degree of care as Recipient uses to protect its own confidential information from unauthorized use, access or disclosure, but in no event less than a reasonable degree of care; (iii) limit disclosure of Confidential Information to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing, prior to the receipt of Confidential Information, to be bound by confidentiality obligations similar to those set forth in this Agreement; (iv) not disclose any Confidential Information to third parties without Discloser’s prior written consent; (v) not copy, reverse engineer, disassemble, create any works from, or decompile any prototypes, software or other tangible objects which embody Discloser’s Confidential Information; and (vi) comply with, and obtain all required authorizations arising from, all U.S. and other applicable export control laws or regulations. Any reproduction of Confidential Information requires Discloser’s prior written consent and will remain the property of Discloser. Any reproductions will contain any and all notices of confidentiality contained on the original Confidential Information.

B.   The foregoing confidentiality obligations will not apply to information that Recipient can demonstrate: (i) is publicly known and made generally available through no improper action or inaction of Recipient; (ii) was already in the possession of, or known by Recipient prior to the time of disclosure by Discloser through no fault or breach of this Agreement by Recipient; (iii) was rightfully obtained by, or disclosed to, Recipient from a third party without any obligation to maintain the Confidential Information as proprietary or confidential; or (iv) is independently developed by Recipient without use of or reference to Discloser’s Confidential Information. Recipient may disclose Confidential Information to the extent such disclosure is required to comply with applicable law or a valid order or requirement of a governmental or regulatory agency or court of competent jurisdiction, provided that Recipient (a) restricts such disclosure to the maximum extent legally permissible; (b) notifies Discloser as soon as practicable of any such requirement to the extent such provision of prior notice is permitted by applicable law; and (c) that subject to such disclosure, such disclosed materials will in all respects remain subject to the restrictions set forth in this Agreement.

C.   Within ten (10) business days of the termination of this Agreement or upon Discloser’s written request, Recipient will promptly, at Recipient’s election, destroy or return all of Discloser’s Confidential Information in Recipient’s possession or in the possession of any representative of Recipient; provided, however, that Recipient will not, in connection with the foregoing obligations, be required to delete Confidential Information held electronically in archive or back-up systems, and such Confidential Information will in all respects remain subject to the restrictions set forth in this Agreement. Upon Discloser’s written request, Recipient will provide a certification, signed by an officer of Recipient, as to the destruction or return of Discloser’s Confidential Information.

D.   Discloser retains all right, title and interest to its Confidential Information.  Recipient acknowledges that the disclosure of Confidential Information may cause irreparable injury to Discloser. Discloser will, therefore, be entitled to seek injunctive relief upon a disclosure or threatened disclosure of any Confidential Information, without a requirement that Discloser prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as may be available to Discloser at law or in equity. ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS.” DISCLOSER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, REGARDING ITS ACCURACY, COMPLETENESS OR PERFORMANCE.

E.   If use of the Software and Subscriptions includes the processing of personal data (as described in the EU Data Protection Directive 95/46/EC), when performing its obligations under this Agreement, the following will apply:

1.     Customer will ensure that: (i) Customer is entitled to transfer the relevant personal data to PhishMe so that PhishMe may lawfully use, process and transfer the personal data on Customer’s behalf and in accordance with this Agreement; and (ii) the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection laws.

2.     PhishMe will: (i) process personal data in compliance with and subject to this Agreement and any lawful and reasonable instructions received from Customer; (ii) not use or process or permit any PhishMe subcontractors to use or process, any personal data except to the extent necessary to perform its obligations under this Agreement; (iii) implement and maintain adequate and reasonable technical and organizational safeguards designed to protect against the unauthorized or accidental access, loss, alteration, disclosure or destruction of personal data in PhishMe’s possession or control; (iv) ensure that it has appropriate procedures in place designed to comply with applicable data protection laws and will take all reasonable steps to ensure that persons employed by it, and other persons engaged at its place of work, are aware of and comply with applicable data privacy laws and regulations.

3.     PhishMe may process or otherwise transfer personal data in or to any country outside the European Economic Area or any country not deemed adequate by the European Commission pursuant to Article 25(6) of the EU Data Protection Directive 95/46/EC to the extent necessary for the provision of the Software and Services. If required, PhishMe will enter into the EU Standard Contractual Clauses as approved by the European Commission for ensuring an adequate level of data protection in respect of the personal data that will be processed or transferred.

VI.         INTELLECTUAL PROPERTY.

A.    Intellectual Property of PhishMe; Restrictions. All Intellectual Property Rights in the PhishMe IP belong exclusively to PhishMe or its licensors.  Customer acknowledges and agrees that it will not (and will not allow any third party), in whole or in part, to directly or indirectly: (i) disassemble,  decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of any PhishMe IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes), (ii) sell, resell,  distribute, sublicense or otherwise transfer, the PhishMe IP, or make the functionality of the PhishMe IP available to any other party through any means (unless PhishMe has provided prior written consent), or (iii) reproduce, alter,  modify or create derivatives of the PhishMe IP (unless as expressly permitted in this Agreement). Customer will maintain the copyright notice and any other notices that appear on PhishMe IP, including any interfaces related to the Software or Subscriptions.

B.    Aggregate Data; Feedback. Notwithstanding the foregoing, PhishMe owns all Intellectual Property Rights in and to Aggregate Data, and may use, reproduce, sell, publicize or otherwise exploit Aggregate Data in any way, in its sole discretion. “Aggregate Data” refers to Customer Data that is de-identified (stripped of any information used to identify Customer, including personal data). Aggregate Data will also include statistical information related to the use and performance of Software and Services, provided that such statistical information is de-identified. Customer grants to PhishMe a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and exploit any suggestion, enhancement request, recommendation, correction or other feedback (“Feedback”) provided by Customer or its Authorized Users relating to the Software and Services. Feedback will not include Confidential Information.

C.    PhishMe Templates and Formats.  Customer acknowledges that for applicable Software and Services, PhishMe may provide certain PhishMe templates and formats to Customer, and Customer will have a non-exclusive, nontransferable, non-sublicenseable right to use, modify, display and reproduce such templates and formats for Customer’s internal use with the applicable Software or Service, subject to the restrictions set forth in this Agreement. To the extent that any such modified templates and/or formats do not embody or otherwise include Customer’s Confidential Information and Customer Marks, PhishMe owns and holds all right, title and interest in and to such templates and/or formats.

D.    Intellectual Property of Customer; Restrictions. PhishMe acknowledges that Customer owns all right, title, and interest in and to Customer Marks and Customer Data (excluding Aggregate Data). Customer grants to PhishMe the worldwide right to use, access, host, copy, transmit and display Customer Marks and Customer Data, as reasonably necessary for PhishMe to perform its obligations in accordance with this Agreement. PhishMe may disclose Customer Data to its third-party contractors and service providers (including cloud service providers) to the extent necessary to provide the applicable Software and Services in accordance with this Agreement; provided that such third-party contractors and service providers are bound by confidentiality obligations similar to the provisions of this Agreement. PhishMe expressly disclaims any Customer Data which Customer has generated for use with an applicable Subscription or Software, and Customer agrees to indemnify, hold harmless and, at PhishMe’s option, to defend PhishMe, its officers, directors, employees, contractors and agents from and against any losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) incurred as a result of any alleged or actual violations of any third party rights arising out of the Customer Data.

E.    U.S. Government Restricted Rights. The PhishMe IP, Software and Services are “commercial items”, “commercial computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR Sections 12.211-12.212, as applicable.  All PhishMe IP, Software, and Services are and were developed solely at private expense and the use of PhishMe IP, Software and Services by the United States Government are governed solely by this Agreement and are prohibited except to the extent expressly permitted by this Agreement.

VII.         WARRANTIES AND DISCLAIMERS.

A.    Software Warranty. PhishMe represents and warrants that, during the one (1) year period following delivery of the Software to Customer (“Software Warranty Period”), the Software will perform materially as described in the applicable Documentation. Customer must promptly notify PhishMe of any breach of this warranty, but in any event no later than the expiration of the Software Warranty Period. The warranty set forth in this Section will not apply if the Software (i) has been modified or altered by any party other than PhishMe or PhishMe’s duly authorized representatives; (ii) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by PhishMe; or (iii) has been subjected to abnormal stress, misuse, negligence, or accident. In the event of a breach of the warranty in this Section, PhishMe will at its sole option, either repair the Software or replace the Software with software of substantially similar functionality. The foregoing states Customer’s sole remedy and PhishMe’s entire liability for breach of warranty in this Section.

B.    Professional Services and Software Support Services Warranty. PhishMe warrants to Customer that Professional Services and Software Support Services will be performed in a professional manner in accordance with industry standards for like services.  Customer must promptly notify PhishMe of any breach of this warranty, but in any event no later than thirty (30) days following the date the Professional Services or Software Support Services were performed. For any breach of PhishMe’s warranty obligations set forth in this Section, PhishMe will promptly correct or re-perform the applicable Professional Services or Software Support Services, at PhishMe’s expense. The foregoing states Customer’s sole remedy and PhishMe’s entire liability for breach of warranty in this Section.

C.    Subscription Services Warranty. PhishMe warrants to Customer that during the applicable Subscription Term, the Subscription will be performed materially in accordance with the applicable Documentation, and in a professional manner with reasonable skill and care.  Customer must promptly notify PhishMe of any breach of this warranty, but in any event no later than thirty (30) days following the date this warranty was allegedly breached. The warranty set forth in this Section will not apply if (i) Customer has used the Subscription contrary to PhishMe’s instructions as may be set forth in the applicable exhibit or Documentation, or (ii) the Subscription has been modified or altered by any party other than PhishMe or PhishMe’s duly authorized representatives. For any breach of PhishMe’s warranty obligations set forth in this Section, PhishMe will promptly correct the non-conformity, at PhishMe’s expense. The preceding sentence states Customer’s sole remedy and PhishMe’s entire liability for breach of warranty in this Section.

D.    DISCLAIMERS. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN, ALL SOFTWARE, SUBSCRIPTIONS, AND SERVICES ARE PROVIDED ON AN “AS IS” BASIS WITHOUT ANY WARRANTY WHATSOEVER AND PHISHME EXPRESSLY DISCLAIMS, TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, ALL WARRANTIES, EXPRESS, IMPLIED AND STATUTORY, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING, USAGE OR TRADE.  PHISHME ALSO MAKES NO WARRANTY REGARDING NONINTERRUPTION OF USE OR FREEDOM FROM BUGS, AND MAKES NO WARRANTY THAT SOFTWARE, SERVICES OR SUBSCRIPTIONS WILL BE ERROR-FREE. PhishMe DOES NOT GUARANTEE ANY SPECIFIC RESULTS FROM USING THE SOFTWARE, SERVICES AND SUBSCRIPTIONS.

VIII.         INDEMNIFICATION.

A.   PhishMe agrees to indemnify, defend, and hold Customer, its employees and agents harmless from any and all claims and/or demands, including reasonable attorneys’ fees, arising out of or in connection with a claim that the PhishMe IP, Software or Subscription, infringes a valid third party intellectual property right. If the PhishMe IP, Software or Subscription, or parts thereof, become, or in PhishMe’s opinion may become, the subject of an infringement claim, PhishMe may, at its option: (i) modify or replace such PhishMe IP, Software or Subscription with a non-infringing, functional equivalent; (ii) obtain for Customer all necessary licenses and permissions to continue using the PhishMe IP, Software or Subscription; or (iii) require that Customer cease to use the PhishMe IP, Software or Subscription and (a) with respect to Subscriptions and term Software Licenses, refund any pre-paid Fees for the unused remainder of the Software License Term or Subscription Term; (b) with respect to perpetual Software Licenses, refund the Fees paid for the Software License, less allowance for amortization over a three (3) year period, straight-line method and refund any pre-paid Fees for the unused remainder of the Software Support Term; and (c) with respect to Professional Services, refund any pre-paid Fees for Professional Services that have not been delivered.  This Section states PhishMe’s entire liability and Customer’s exclusive remedy for claims based on infringement of any third party’s intellectual property rights.

B.   PhishMe will have no indemnification obligations with respect to any action arising out of: (i) the use of any PhishMe IP, Software or Subscription, or any part thereof, in combination with other software or products not authorized by PhishMe; (ii) any modification of the PhishMe IP, Software or Subscription not performed or expressly authorized by PhishMe; (iii) Customer’s failure to substantially comply with PhishMe’s reasonable written instructions which if implemented would have rendered the PhishMe IP, Software or Subscription non-infringing, provided that a sufficient time period is given to Customer in order to implement such written instructions; or (iv) the use of the PhishMe IP, Software or Services other than in accordance with this Agreement and applicable Documentation.

C.   Customer agrees to indemnify, defend and hold PhishMe, its employees and agents harmless from any and all claims and/or demands, including reasonable attorneys’ fees, made by any third party arising out of or related to Customer’s alleged or actual use or misuse of the PhishMe IP, Software and Subscriptions, including without limitation: (a) claims related to the unauthorized disclosure or exposure of personal data or other private information by Customer; (b) claims that the Customer Data infringes a third party right; (c) claims that use of a Subscription by Customer, including by Customer’s Authorized Users, harasses, defames, or defrauds a third party; or (d) claims arising from Customer’s use of the Software and Services in violation of this Agreement.

D.   Each Party which seeks indemnification (the “Indemnified Party”) will (i) notify the other Party (the “Indemnifying Party”) promptly after receiving notice of any threat or claim in writing of such actions set forth above, provided that if the Indemnified Party fails to notify the Indemnifying Party promptly of any threat or claim, the Indemnifying Party will be relieved of its obligation to indemnify the Indemnified Party to the extent the Indemnifying Party is prejudiced by the delay in notice; (ii) grant the Indemnifying Party sole control of the defense and any related settlement negotiations; provided no settlement may be agreed to without the Indemnified Party’s consent (which consent will not be unreasonably withheld); and (iii) reasonably cooperate, at the Indemnifying Party’s expense, with the Indemnifying Party in defense of such claim.

IX.         LIMITATION OF LIABILITY.

A.    Exclusion of Consequential and Related Damages. EXCEPT FOR LIABILITY ARISING UNDER A BREACH OF ANY INTELLECTUAL PROPERTY RIGHT OF A PARTY, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION VIII, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT WILL A PARTY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY LOST PROFITS AND LOST SAVINGS, HOWEVER CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY, NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.

B.    Limitation of Monetary Damages. EXCEPT FOR LIABILITY ARISING UNDER A BREACH OF ANY INTELLECTUAL PROPERTY RIGHT OF A PARTY, PAYMENT OBLIGATIONS OF CUSTOMER, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION VIII, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, AND NOTWITHSTANDING ANY OTHER PROVISIONS OF THIS AGREEMENT OR ANY ORDER OR STATEMENT OF WORK, A PARTY’S TOTAL LIABILITY ARISING OUT OF THIS AGREEMENT WILL BE LIMITED TO THE TOTAL AMOUNTS RECEIVED BY PHISHME FOR THE RELEVANT SOFTWARE, SUBSCRIPTIONS OR SERVICES DURING THE SIX (6) MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH LIABILITY.

C.    Applicability. THE LIMITATIONS AND EXCLUSIONS CONTAINED HEREIN WILL APPLY ONLY TO THE MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING HEREIN PURPORTS TO LIMIT EITHER PARTY’S LIABILITY IN A MANNER THAT WOULD BE UNENFORCEABLE OR VOID AS AGAINST PUBLIC POLICY IN THE APPLICABLE JURISDICTION.

X.         AUDIT RIGHTS.

A.   PhishMe agrees that Customer may conduct an audit of PhishMe’s records related to Customer, at Customer’s expense, subject to the following conditions: (i) the audit will only be of PhishMe records that pertain solely to this Agreement; (ii) Customer will provide no less than seventy-two (72) hours prior written notice of the date the audit is to be performed; (iii) the audit will be conducted at a location specified by PhishMe during PhishMe’s normal business hours and without interrupting PhishMe’s business operations; and (iv) Customer may not request more than one (1) audit in any twelve (12) month period. Notwithstanding anything in the foregoing to the contrary, Customer may not audit facilities, networks, systems, devices, or storage media of PhishMe or its personnel.

B.   PhishMe acknowledges that Customer may be subject to examination and audit by applicable government regulatory agencies having jurisdiction over Customer (“Regulatory Agencies”).  PhishMe further acknowledges that such Regulatory Agencies may require access to PhishMe’s books, records, data, and evidence of procedures and policies relating to PhishMe’s compliance with this Agreement. Upon request by such Regulatory Agencies, PhishMe will provide the reasonable assistance of PhishMe’s employees with knowledge of compliance efforts in connection with any such examination or audit.

C.   For any applicable Software License Term or Subscription Term, Customer agrees that at PhishMe’s request, Customer will furnish to PhishMe a certification signed by Customer’s authorized representative verifying that the Software or Subscription is being used in accordance with this Agreement.

XI.         NOTICES.

All notices in connection with this Agreement will be in writing and will be deemed effective (i) upon receipt, when delivered personally or by courier, overnight delivery service or confirmed facsimile, or (ii) five (5) business days after having been sent by registered or certified mail or the local equivalent, as evidenced by the postmark. Notices will be addressed to the applicable address as listed in the Order or as subsequently modified by written notice.

XII.         MISCELLANEOUS.

A.    Governing Law. This Agreement is governed by and construed in accordance with the laws of the State of Virginia and the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations Convention on the International Sale of Goods.  Any legal claims, proceedings or litigation arising out of or in connection with the Software and Services will be brought solely in the federal courts of the State of Virginia, and each Party hereto consents to the jurisdiction and venue of such courts in any suit, action or proceeding concerning this Agreement. The Parties agree that the Uniform Computer Information Transactions Act or any version thereof, adopted by any state, in any form, will not apply to this Agreement.

B.    Anti-Corruption and Anti-Bribery. Each Party acknowledges that it is familiar with and understands the provisions of the U.S. Foreign Corrupt Practices Act of 1977, as amended (“the FCPA”) and the U.K. Bribery Act of 2010 (“UKBA”) and agrees not to violate or knowingly let anyone violate the FCPA or UKBA. Customer agrees that no payment it makes will constitute a bribe, influence payment, kickback, rebate, or other payment that violates the FCPA, the UKBA, or any other applicable anti-corruption or anti-bribery laws.

C.    Entire Agreement; Order of Precedence. This Agreement and the applicable exhibits, Orders, SOWs or addenda constitutes the complete and entire agreement between PhishMe and Customer with respect to the Software and Services.  It replaces and supersedes any prior agreements, oral or written, between PhishMe and Customer concerning the subject matter hereof. PhishMe hereby rejects and deems deleted any additional or different terms or conditions that Customer presents, including, but not limited to, any terms or conditions contained or referenced in any purchase order, acceptance, or acknowledgement.  No amendment to this Agreement will be effective unless it is in writing and signed by the authorized representatives of each Party. In the event of conflict between any of the terms in this Agreement and the terms set forth in an exhibit, Order, SOW or addendum, this Agreement will govern, unless otherwise expressly provided in such other exhibits, Orders, SOWs and addenda.

D.    Assignability. Any assignment of this Agreement, SOW, Order or addenda by either Party to another party, including any transfer by operation of law or otherwise, without the other Party’s prior written consent (which consent will not be unreasonably withheld) will be null and void; provided, however, that each Party may assign this Agreement, SOW, Order or addenda in whole or in part, without consent, to an affiliate or in connection with any merger, asset purchase or sale, stock purchase or sale or similar change of control transaction.

E.    Force Majeure. With the exception of Customer’s obligation to make payments due and payable to PhishMe, neither PhishMe nor Customer will be considered to be in breach or default of this Agreement as a result of its delay or failure to perform its obligations herein when such delay or failure arises out of causes beyond the reasonable control of the Party whose performance has been affected.

F.    No Third-Party Beneficiaries. Nothing in this Agreement will benefit or create any right or cause of action in or on behalf of any person or entity other than Customer and PhishMe.

G.   Waiver and Severability. The failure of a Party to exercise or enforce any right or provision of this Agreement will not constitute a waiver of such right or provision.  If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force and effect.

PHISHME PROFESSIONAL SERVICES
EXHIBIT A

In addition to the terms of the Agreement, the following terms apply to Professional Services.

  1. Each Statement of Work and Order for Professional Services will incorporate and be governed by this Agreement. Professional Services provided under an Order will be subject to the terms specific to each Professional Service in the schedules attached to this Exhibit. For clarity, PhishMe will not be obligated to perform any Professional Services until PhishMe has accepted an Order for the applicable Professional Services or a Statement of Work describing those Professional Services has been agreed to and signed by both Parties.
  2. When PhishMe’s personnel are performing Professional Services on site at Customer’s premises, Customer will allocate appropriate working space and physical access for all PhishMe personnel.
  3. Either Party may elect to submit written change requests to the other Party proposing changes to the Statement of Work. All changes to an applicable Statement of Work will be made using an amendment signed by both Parties.
  4. Grant of License. Subject to full payment of Fees by Customer for the Professional Services to which a Deliverable (as defined below) relates and in accordance with the terms of this Agreement, PhishMe will (a) assign to Customer all copyrights in and to the Deliverables, with the exception of any PhishMe IP included therein; and (b) grant to Customer a non-exclusive, royalty-free, worldwide license to use any PhishMe IP incorporated into the Deliverable, solely as part of the Deliverable and not separate from the Deliverable, as necessary for Customer to make use of the Deliverable as set forth herein. “Deliverables” means the written reports that are created for Customer as a result of the Professional Services provided hereunder.
  5. Deliverables containing PhishMe IP may not be shared with any third party other than (i) law enforcement agencies or (ii) third party consultants/subcontractors, provided that: (A) the consultant/subcontractor is under an obligation of confidentiality and non-use restrictions at least as restrictive as those set forth in this Agreement and (B) the consultant/subcontractor is receiving and using the Deliverable for the sole purposes of providing services to Customer.

PHISHME SIMULATOR
PROFESSIONAL SERVICES CONSULTING
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to PhishMe Simulator Professional Services Consulting provided under an applicable Order.

  1. Professional Services Description. PhishMe will provide the following Professional Services in connection with Customer’s current subscription of PhishMe Simulator, during the term set forth in the applicable Order.

a.   Overview. PhishMe will provide guidance for simulated phishing scenario campaigns (“Scenario(s)”) Customer sends through PhishMe Simulator, including analysis, recommendations, and strategy development as set forth herein.

b.   Initial Planning and Implementation. PhishMe will:

i.   Assign a PhishMe consultant as Customer’s point of contact for the performance of services under this Schedule.

ii.   Conduct an initial consultation conference call with Customer, which includes discussion to develop an understanding of Customer’s security environment, and Customer’s current security efforts, as well as assignment of decision making roles and required processes for Customer under this Schedule.

iii.   Conduct an additional conference call with Customer to discuss key phishing concepts, the services program phases, key technical and education requirements, establishment of desired outcomes, and an understanding of the measures of success for Customer’s PhishMe Simulator program.

iv.   Conduct Customer PhishMe Simulator training remotely, which includes an overview of key functions and processes in PhishMe Simulator for Customer administrators, if any, such as setup of simulated phishing scenario campaigns (“Scenario(s)”), loading of Authorized User recipient lists, development of Scenario education, and scheduling of Scenarios. Such training will be conducted in a single session and may be attended by all PhishMe Simulator Customer administrators. Additional training sessions may be conducted upon mutual written agreement by the Parties.

v.   Provide specific whitelisting information to Customer.

vi.   Provide guidance for Customer configuration of networks, messaging, and security systems for the proper setup and operation of PhishMe Simulator, including to allow emails to be delivered to Customer Authorized Users and for collection of program metrics as users engage with Scenarios.

vii.   Conduct a reasonable number of test Scenarios to confirm PhishMe Simulator setup is complete and functioning appropriately.

viii.   Provide an appropriate phishing program announcement for use by Customer to introduce Customer personnel to the PhishMe Simulator program.

c.   Scheduled Meetings. The PhishMe consultant assigned as Customer’s point of contact will be available for up to one (1) hour per week to meet remotely with Customer to advise Customer regarding its PhishMe Simulator program. Customer will request such meetings no less than two (2) business days in advance.

  2. Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by PhishMe.

b.   Customer and PhishMe will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

PHISHME SIMULATOR
PROFESSIONAL SERVICES PREMIUM
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to PhishMe Simulator Professional Services Premium provided under an applicable Order.

  1. Professional Services Description. PhishMe will provide the following Professional Services in connection with Customer’s current subscription of PhishMe Simulator, during the term set forth in the applicable Order.

a.   Overview. PhishMe will build and execute simulated phishing scenario campaigns (“Scenario(s)”) through PhishMe Simulator as directed by Customer. PhishMe will further conduct analysis of the results of such Scenarios, facilitate Customer meetings, and provide reports to Customer related to the services.

b.   Initial Planning and Implementation. PhishMe will:

i.   Assign a PhishMe consultant as Customer’s point of contact for the performance of services under this Schedule.

ii.   Conduct an initial consultation conference call with Customer, which includes discussion to develop an understanding of Customer’s security environment, and Customer’s current security efforts, as well as assignment of decision making roles and required processes for Customer under this Schedule.

iii.   Conduct an additional conference call with Customer to discuss key phishing concepts, the services program phases, key technical and education requirements, establishment of desired outcomes, and an understanding of the measures of success for Customer’s PhishMe Simulator program.

iv.   Conduct Customer PhishMe Simulator training remotely, which includes an overview of key functions and processes in PhishMe Simulator for Customer administrators, if any, such as setup of simulated phishing scenario campaigns (“Scenario(s)”), loading of Authorized User recipient lists, development of Scenario education, and scheduling of Scenarios. Such training will be conducted in a single session and may be attended by all PhishMe Simulator Customer administrators. Additional training sessions may be conducted upon mutual agreement by the Parties.

v.   Provide specific whitelisting information to Customer.

vi.   Provide guidance for Customer configuration of networks, messaging, and security systems for the proper setup and operation of PhishMe Simulator, including to allow emails to be delivered to Customer’s Authorized Users and for collection of program metrics as users engage with Scenarios.

vii.   Conduct a reasonable number of test Scenarios to confirm PhishMe Simulator setup is complete and functioning appropriately.

viii.   Provide an appropriate phishing program announcement for use by Customer to introduce Customer personnel to the PhishMe Simulator program.

c.   Standard Program Services. PhishMe consultant will perform the following:

i.   Create and execute up to twelve (12) Scenarios annually in accordance with a mutually agreed schedule between PhishMe and Customer.

ii.   Conduct quarterly and annual PhishMe Simulator program reviews with Customer, and such other meetings as mutually agreed upon by the Parties.

iii.   Use commercially reasonable endeavors to create, send, and report on each Scenario within fourteen (14) business days of Customer’s request to conduct a Scenario. However, this delivery time frame may be increased or decreased depending on the complexity of the Scenario.

iv.   If requested by Customer and agreed upon by PhishMe, PhishMe will translate Scenario content and education available in PhishMe Simulator into additional languages.

2.   Deliverables; PhishMe will provide the following Deliverables:

a.   A report following each Scenario including the following Scenario information:

i.   Executive Summary

ii.   Response Analysis

iii.  Overall Susceptibility Rate

iv.   Overall Reporting Rate, if applicable

v.   Overall Repeat Offense Rate, starting after two (2) production Scenarios

vi.   Standard Analytics Reporting

vii.   Observations and Recommendations

b.   Program review reports

c.   Provide a detailed data .csv file for Customer download following each Scenario containing Scenario result details

3.   Professional Services Premium Multi-Entity (if applicable)

a.   If Customer has ordered Professional Services Premium Multi-Entity (Coordinated), the following will apply: PhishMe will provide the services and Deliverables to Customer Affiliates which follow Customer’s overall program and scenario execution plan, and one Customer administrator would serve as the point of contact for the PhishMe consultant serving as the point of contact to Customer.

b.   If Customer has ordered Professional Services Premium Multi-Entity (Independent), the following will apply: PhishMe will provide the services and Deliverables to Customer’s Affiliates, however each Affiliate may determine its own Scenario content and execution plan independently from Customer. Each Affiliate would have its own, separate PhishMe Simulator account and neither Customer nor Affiliate data would be shared among Affiliates.

c.   For the purpose of this Section, an “Affiliate” of a Party will mean any entity that controls, is controlled by, or is under common control with such Party. For the purpose of the foregoing “control” will mean more than fifty percent (50%) ownership of assets or equity.

4.   Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by PhishMe.

b.   Customer and PhishMe will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

PHISHME TRIAGE
MANAGED SERVICES
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to PhishMe Triage Managed Services provided under an applicable Order.

1.    Managed Services Description. PhishMe will provide the following managed services in connection with Customer’s current software license to PhishMe Triage, during the term set forth in the applicable Order.

a.   Deployment and Configuration. PhishMe will provide Customer an initial deployment and configuration of Customer’s PhishMe Triage instance. PhishMe will perform the following:

i.   Deploy a PhishMe Triage instance dedicated to Customer in PhishMe’s cloud environment.

ii.   Configure Customer’s existing suspicious email reporting inbox with the PhishMe Triage.

iii.   Develop initial customized configuration of PhishMe Triage for efficient analysis of reported suspicious emails.

iv.   Create a Customer profile in PhishMe’s ticketing system for tracking of the services, which Customer can access for services status updates.

v.   Hold weekly conference calls with Customer as required to discuss such deployment and configuration of services.

vi.   The above deployment and configuration services may take up to approximately five (5) weeks to complete.

b.   Daily Analysis and Reporting. PhishMe will provide the following:

vii.   Using a combination of PhishMe Triage and additional analysis tools, analyze each email reported as suspicious to PhishMe by Customer.

viii.   Respond to individual Customer personnel regarding the outcome of the analysis of the suspicious email reported by such individual.

ix.   Inform Customer of any malicious email discovered upon analysis of reported suspicious emails and provide details of the analysis performed for such malicious email.

x.   Create a monthly summary report of the services performed.

2. Deliverables; PhishMe will provide the following Deliverables:

a.   Monthly summary report of the services performed.

3.   Service Levels for Daily Analysis and Reporting.

a.   PhishMe analysts will check and process the Customer Triage inbox of reported suspicious emails approximately once per hour, Monday – Friday, 8:00 AM – 8:00 PM ET, excluding PhishMe company observed holidays.

b.   PhishMe analysts will provide Customer notification of malicious emails discovered through analysis of suspicious emails reported by Customer approximately once per hour, Monday – Friday, 8:00 AM – 8:00 PM ET, excluding PhishMe company observed holidays.

c.   PhishMe analysts will conduct in-depth analysis of any malicious emails discovered and provide details of such analysis within one (1) hour of discovery of such malicious email if possible. Such in-depth analysis may exceed one (1) hour depending on the nature of the malicious email and complexity of threat. PhishMe will provide Customer continuous updates on such in-depth analysis approximately once per hour until such analysis is completed, Monday – Friday, 8:00 AM – 8:00 PM ET, excluding PhishMe company observed holidays.

4.   Additional Terms.

a.   Customer acknowledges and agrees that lack of timely responses to PhishMe requests may adversely affect the schedule of any services performed hereunder.

b.   Customer acknowledges and agrees that as part of the services, PhishMe may use the following third-party products (“Third-Party Products”) in combination with Customer’s PhishMe Triage instance: Cuckoo Sandbox, OpenDNS Investigate, VirusTotal, LogRhythm, HPE ArcSight, and any other third-party malware analysis solutions and syslog receivers as mutually agreed upon by the Parties. PhishMe does not make any representations and warranties or covenants of any nature or kind with respect to such Third-Party Products, and Customer acknowledges and agrees that Customer is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products.

PHISHME TRIAGE
PROFESSIONAL SERVICES CONSULTING
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to PhishMe Triage Professional Services Consulting provided under an applicable Order.

1.   Professional Services Description. PhishMe will provide the following Professional Services in connection with Customer’s current software license to PhishMe Triage, during the term set forth in the applicable Order.

a.   Initial Planning.

i.    PhishMe will conduct a call to discuss resource and information requirements required for performance of the service. Additional such calls may be conducted as needed.

ii.   Customer will complete a questionnaire provided by PhishMe concerning technical requirements.

iii.   PhishMe will provide an agenda for Implementation and Training described below.

b.   Implementation and Training. A PhishMe consultant will perform the following, either on-site at Customer’s facilities or remotely as mutually agreed by the Parties:

i.   Conduct a kickoff meeting to discuss the implementation and training process.

ii.   Provide guidance to the customer on installation and configuration of PhishMe Triage in the Customer’s environment.

iii.   Configure Customer’s existing suspicious email reporting inbox with PhishMe Triage and integrate all trusted roots and establish a signed certificate.

iv.   Perform initial customized configuration of PhishMe Triage for efficient analysis of reported suspicious emails.

v.   Discuss and establish PhishMe Triage administration and maintenance tasks for best practices.

vi.   Provide Customer training on the following items:

1.   Administration and maintenance of PhishMe Triage within the environment

2.   Analysis of reported email and clusters

3.   Notifications and process integrations

4.   Customizing responses to reported emails to Customer’s environment

5.   Guidance on success criteria and reporting

6.   Facilitate creation of use cases

7.   PhishMe Rules and how PhishMe Triage leverages PhishMe Rules for analysis

8.   Review of threat intelligence and how it relates to new threats and associated use cases

9.   Rule creation and optimization

10.   Recipe creation and tweaking

11.   Establishing a baseline for Customer’s environment

12.   Provide guidance on day-to-day activities of Customer’s analysts

13.   Properly identifying threats and responding accordingly within the system.

vii.   Conduct a closeout meeting.

c.   Follow-up Support. After conclusion of the Implementation and Training set forth in Section 1(B), PhishMe will perform the following:

i.   Provide a designated PhishMe consultant who will be available for additional calls and/or email communications to answer any questions that may arise and troubleshoot any problems for the remainder of the applicable term for Professional Services.

ii.   Monthly meetings will be conducted by the designated PhishMe consultant with Customer to review Customer’s program and progress.

2.   Timing of Implementation and Training. The Implementation and Training set forth in Section 1(B) will be performed over a mutually agreed three (3) day period and will not exceed twenty-four (24) hours total, including initial planning. For on-site services, PhishMe Consultant typically will arrive every day by 8:00 am local time with the exception of Monday morning to allow for travel to the site, unless otherwise agreed by Customer and PhishMe. The training schedule is typically planned for Tuesday through Thursday close of business. PhishMe recommends Customer allocate a minimum of eight (8) hours per day for training to maximize the PhishMe consultant’s time with Customer.

3.   Additional Terms.

A.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by PhishMe.

B.   Customer and PhishMe will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

PHISHME TRIAGE
PROFESSIONAL SERVICES IMPLEMENTATION AND TRAINING
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to PhishMe Triage Professional Services Implementation and Training provided under an applicable Order.

1.   Professional Services Description. PhishMe will provide the following Professional Services in connection with Customer’s current software license to PhishMe Triage, during the term set forth in the applicable Order.

a. Initial Planning.

i.   PhishMe will conduct a call prior to installation of PhishMe Triage to discuss resource and information requirements required for performance of the services. Additional such calls may be conducted as needed.

ii.   Customer will complete a questionnaire provided by PhishMe concerning technical requirements.

iii.   PhishMe will provide an agenda for the Implementation and Training described below.

b. Implementation and Training. A PhishMe consultant will perform the following, either on-site at Customer’s facilities or remotely as mutually agreed by the Parties:

i.   Conduct a kickoff meeting to discuss the implementation and training process.

ii.   Install and configure PhishMe Triage in the Customer’s environment.

iii.   Configure Customer’s existing suspicious email reporting inbox with PhishMe Triage and integrate all trusted roots and establish a signed certificate.

iv.   Perform initial customized configuration of PhishMe Triage for efficient analysis of reported suspicious emails.

v.   Discuss and establish PhishMe Triage administration and maintenance tasks for best practices.

vi.   Provide Customer training on the following items:

1.   Administration and maintenance of PhishMe Triage within the environment

2.   Analysis of reported email and clusters

3.   Notifications and process integrations

4.   Customizing responses to reported emails to Customer’s environment

5.   Success criteria and reporting

6.   Establishing use cases for scenarios and reported intel from outside sources

7.   PhishMe Rules and how PhishMe Triage leverages PhishMe Rules for analysis

8.   Review of threat intelligence and how it relates to new threats and associated use cases

9.   Rule creation and optimization

10.   Recipe creation and tweaking

11.   Establishing a baseline for Customer’s environment

12.   Day-to-day activities of Customer’s analysts

13.   Properly identifying threats and responding accordingly within the system.

vii.   Assist in developing documentation for Customer’s corporate Incident Response (IR) or Security Operations plans to incorporate PhishMe Triage.

viii.  Assist in developing and customizing PhishMe Triage protocols, procedures and email templates.

ix.   Conduct a closeout meeting.

c. Follow-up Support. After conclusion of the Implementation and Training, PhishMe will perform the following: Provide remote post-implementation support as needed for ten (10) business days. During this time, the PhishMe consultant will be available for additional calls and/or email communications to answer any questions that may arise and troubleshoot any problems. After this time, all requests for assistance must be directed to support@phishme.com.

2. Timing of Implementation and Training. The Implementation and Training will be performed over a mutually agreed three (3) day period and will not exceed twenty-four (24) hours total, including initial planning. For on-site services, PhishMe Consultant typically will arrive every day by 8:00 am local time with the exception of Monday morning to allow for travel to the site, unless otherwise agreed by Customer and PhishMe. The training schedule is typically planned for Monday through Thursday close of business, with Friday morning allowed for miscellaneous Customer questions or requests, as well as the closeout meeting. PhishMe recommends Customer allocate a minimum of eight (8) hours per day for training to maximize the PhishMe consultant’s time with Customer.

3. Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by PhishMe.

b.   Customer and PhishMe will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

PHISHME TRIAGE
PROFESSIONAL SERVICES OPTIMIZATION
SCHEDULE TO EXHIBIT A

In addition to the terms of the Agreement, including the Professional Services Exhibit to which this Schedule is attached, the following terms apply to PhishMe Triage Professional Services Optimization provided under an applicable Order.

1.   Professional Services Description. PhishMe will provide the following Professional Services in connection with Customer’s current software license to PhishMe Triage, during the term set forth in the applicable Order.

a.   Initial Planning. PhishMe will provide an agenda to Customer prior to the start of PhishMe Triage Review hereunder.

b.   PhishMe Triage Review. A PhishMe consultant will perform the following, either on-site at Customer’s facilities or remotely as mutually agreed by the Parties:

i.   Review the overall performance of Customer’s PhishMe Triage instance.

ii.  Examine Customer’s operational statistics, configuration, and PhishMe Triage version usage.

iii. Review Customer’s PhishMe Triage use cases, including rules, recipes, and responses being used, according to Customer’s profile and active threats identified in PhishMe Triage.

iv.  Ensure proper functionality, responsiveness, and adherence to best practices for Customer’s PhishMe Triage instance.

v.   Recommend changes to improve PhishMe Triage performance.

vi.  Provide additional ad-hoc platform training as requested by Customer and agreed upon by PhishMe.

vii. The services hereunder will be performed over a mutually agreed two (2) day period and will not exceed twenty (20) hours total.

2. Deliverables. PhishMe will provide the following Deliverables:

a.   Health assessment report summarizing the results of the services.

b.   Documentation, as applicable, regarding all findings resulting from the services.

3. Additional Terms.

a.   Customer agrees that failure to provide timely responses or input as required for performance of the services may impact the timing of performance by PhishMe.

b.   Customer and PhishMe will jointly develop a project plan as needed to facilitate scheduling of any meetings, reviews, and/or coordination of resources.

PHISHME SIMULATOR SUBSCRIPTION
EXHIBIT B

In addition to the terms of the Agreement, the following terms apply to PhishMe Simulator™.

  1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of this Agreement, PhishMe grants to Customer a non-exclusive, non-transferable, non-assignable right to access PhishMe Simulator, including the applicable Documentation and all associated PhishMe IP, for Customer’s internal use only. Customer acknowledges that PhishMe has no delivery obligation and will not ship copies of software as part of PhishMe Simulator. If Customer is licensing PhishMe Reporter™ Software in conjunction with the PhishMe Simulator Subscription, the terms set forth in Exhibit E – PhishMe Reporter Software, will govern Customer’s use of PhishMe Reporter. If Customer orders PhishMe Simulator Professional Services in conjunction with the PhishMe Simulator Subscription, the terms set forth in Exhibit A – Professional Services, will govern PhishMe’s provision of such Professional Services. If Customer is purchasing a subscription to PhishMe Intelligence™ in conjunction with the PhishMe Simulator Subscription, the terms set forth in Exhibit C – PhishMe Intelligence, will govern Customer’s PhishMe Intelligence Subscription. If Customer is purchasing a subscription to PhishMe LMS™ in conjunction with the PhishMe Simulator Subscription, the terms set forth in Exhibit D – PhishMe LMS Subscription, will govern Customer’s PhishMe LMS Subscription.
  2. Customer is responsible for its Authorized Users’ compliance with the Agreement, this Exhibit and the PhishMe Simulator Acceptable Use Policy Addendum attached hereto.
  3. Customer acknowledges and agrees that the maximum number of Authorized Users will not exceed the number of Authorized Users set forth in the applicable Order. At the beginning of the Subscription Term, Customer will designate and allocate the Authorized Users and will not reassign or replace such Authorized Users (except for those designated by Customer to act as administrators) prior to the expiration of the Subscription Term. Customer may add additional Authorized Users during the Subscription Term, at the same pricing as set forth in the applicable Order, pro-rated for the portion of the Subscription Term remaining at the time.  Notwithstanding anything in the Agreement to the contrary, any breach by Customer and its Authorized Users of this Section will result in the immediate suspension or termination of Customer and its Authorized Users’ access to PhishMe Simulator.
  4. Customer may only designate Authorized Users’ email addresses with Internet domain names that Customer owns or is authorized by the Internet domain name owner to use for the purposes contemplated herein.
  5. Subscription Availability and Uptime.
    • PhishMe will use commercially reasonable efforts to provide Customer administrators with online availability to PhishMe Simulator 99.8% of the time in any calendar month (“Uptime”), excluding downtime caused by Scheduled Maintenance, force majeure events, or acts or omissions of Customer not in accordance with the Agreement and Documentation.
    • Scheduled Maintenance. Scheduled maintenance is used for major upgrades to PhishMe applications, servers, or networks.  Scheduled maintenance timeslots are reserved in advance and a customer announcement message is presented to Customer in PhishMe Simulator.
  6. PhishMe will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following support:
    • Basic Support (questions concerning feature inquiries, troubleshooting, and configuration support) is available 24×5 (M-F). Weekend support is available for high priority or urgent issues from 8:00 AM ET to 5:00 PM ET Saturday and Sunday. Support hours are subject to holiday hours and closures. Customer may refer to the most up to date hours as set forth in the PhishMe Community portal.
    • Expert Support (ad hoc inquiries for advanced and technical troubleshooting, bug verification and debugging, and deployment support questions) is available from 8:00 AM ET through 9:00 PM ET (M-F).
    • Special Support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed upon date and time.
  7. Support may be reached via email at support@phishme.com. Requests received outside of standard support hours are placed in a support queue for processing by the applicable support team during standard support hours. General account maintenance requests (e.g. password resets, email uploads, etc.) are fulfilled the same day.  Domain registration requests take two days to complete. Telephone numbers to request Support Services can be found through the Support “Contact Us” link, located at the bottom of the PhishMe Community portal homepage.

ACCEPTABLE USE POLICY ADDENDUM FOR
PHISHME SIMULATOR

By using PhishMe Simulator, you are agreeing to this Acceptable Use Policy Addendum (this “Policy”). Please read this carefully.

Capitalized terms used below but not defined in this Policy will have the meaning set forth in the Agreement. Customer and its Authorized Users must promptly notify PhishMe of any actual or suspected illegal or unauthorized activity or a security breach involving PhishMe Simulator.

Customer and its Authorized Users may not:

  1. post or transmit unlawful materials, e-mail or information;
  2. post or transmit harassing, threatening or abusive materials, e-mail or information;
  3. post or transmit defamatory, libelous, slanderous or scandalous materials, e-mail or information;
  4. post or transmit obscene, pornographic, profane or otherwise objectionable information of any kind;
  5. post or transmit materials, e-mail or information that would constitute an infringement upon the patents, copyrights, trademarks, trade secrets or other intellectual property rights of others;
  6. post or transmit materials constituting or encouraging conduct that would constitute a criminal offence, give rise to civil liability, or otherwise violate any local, state, national or international law, including without limitation, the U.S. export control laws and regulations;
  7. post or transmit materials that would give rise to liability under the Computer Fraud and Abuse Act;
  8. use PhishMe Simulator to commit fraud or engage in other misleading or deceptive activities;
  9. upload to, or transmit from PhishMe Simulator any viruses, worms, defects, Trojan horses, time-bombs, malware, spyware, or any other computer code of a destructive or interruptive nature;
  10. share PhishMe Simulator and any associated PhishMe IP and PhishMe Confidential Information with any third-parties, except as expressly authorized in advance by PhishMe in writing;
  11. use PhishMe Simulator and PhishMe IP in any way to provide services to any third-party;
  12. disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas or algorithms of PhishMe Simulator and any PhishMe IP (except to the limited extent that applicable law prohibits reverse engineering restrictions solely for interoperability purposes);
  13. sell, resell, distribute, sublicense or otherwise transfer, PhishMe Simulator and any PhishMe IP, or make the functionality of PhishMe Simulator available to any other party through any means (unless PhishMe has provided prior written consent); and
  14. reproduce, alter, modify or create derivatives of the PhishMe IP (unless as expressly permitted in this Agreement).

Authorized Users must comply with any Intellectual Property Rights asserted in any PhishMe IP provided to Customer for the purposes of using with PhishMe Simulator.  Authorized Users will maintain and not remove or obscure any proprietary notices on PhishMe IP.

Remedies. Violation of this Policy may result in civil or criminal liability, and PhishMe may, in addition to any other remedy that PhishMe may have at law or in equity, terminate any permission for Customer and any Authorized User to access PhishMe Simulator or immediately remove the offending material. In addition, PhishMe may investigate incidents that are contrary to this Policy.

PhishMe reserves the right to update and modify this Policy at any time from time-to-time. Continued use of PhishMe Simulator by Customer and its Authorized Users after such update or modification will indicate Customer’s acceptance of the updates and/or modifications to this Policy.

PHISHME INTELLIGENCE SUBSCRIPTION
EXHIBIT C

In addition to the terms of the Agreement, the following terms apply to PhishMe Intelligence™.

  1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of the Agreement, PhishMe grants to Customer a limited, non-exclusive, non-transferable, non-assignable, non-sublicenseable right to use the PhishMe Intelligence Subscription and any PhishMe IP (including phishing intelligence data and any reports, threat indicators, threat alerts, materials or information) provided by PhishMe through PhishMe Intelligence, solely for Customer’s internal business purposes of identification and mitigation of phishing attacks and as otherwise set forth herein, and may not be used for any other purpose. Customer and its Authorized Users may not share PhishMe Intelligence or any PhishMe IP with any third party, except as expressly authorized in advance by PhishMe in writing. PhishMe Intelligence may be delivered in the following formats: applicable machine-readable threat intelligence, human readable intelligence reports, and/or the PhishMe Intelligence Portal. PhishMe owns all Intellectual Property rights in and to the formats in which PhishMe Intelligence is delivered to Customer, including any API or code provided by PhishMe to Customer. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
  2. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with PhishMe Intelligence, provided, however that PhishMe does not make any representations and warranties or covenants of any nature or kind with respect to any Third-Party Products, nor will PhishMe have any liability for any damages that Customer may directly or indirectly incur or suffer as a result of or arising from Customer’s use of any Third-Party Product in combination with PhishMe Intelligence. Customer further agrees and acknowledges that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by PhishMe and selected by Customer, for use in combination with PhishMe Intelligence.
  3. For any Customer phishing message or communication that Customer or its Authorized User submits to PhishMe, Customer hereby grants PhishMe a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive, license, including the right to sublicense to third parties, and right to reproduce, fix, adapt, modify, translate, reformat, create derivative works from, publish, distribute, sell, transmit, publicly display, publicly perform, or provide access to electronically, broadcast, display, perform, and use and practice such phishing message or communication as well as all modified and derivative works thereof; provided that such phishing message or communication is deidentified (stripped of any information used to identify Customer, including personal data).
  4. PhishMe will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following support:
    a. Basic support (questions concerning feature inquiries, troubleshooting, and configuration support) from 9:00 AM ET through 6:00 PM ET (M-F).
    b. Expert support is available for ad hoc inquiries (advanced and technical troubleshooting, bug verification and debugging, and deployment support questions) from 9:00 AM ET through 6:00 PM ET (M-F).
    c. Special support assistance outside of core hours may be arranged by Customer request and scheduled at a mutually agreed upon date and time.

Support may be reached via email at support@phishme.com. Requests received outside of standard support hours are placed in a support queue for processing by the applicable support team during standard support hours. Support hours are subject to holiday hours and closures. Customer may refer to the most up to date hours as set forth in the PhishMe Community portal. Telephone numbers to request Support Services can be found through the Support “Contact Us” link, located at the bottom of the PhishMe Community portal homepage.

PHISHME LMS SUBSCRIPTION
EXHIBIT D

In addition to the terms of the Agreement, the following terms apply to PhishMe LMS™.

  1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of the Agreement, PhishMe grants to Customer a limited, non-exclusive, non-transferable, non-assignable, non-sublicenseable right to use the PhishMe LMS Subscription and any PhishMe IP provided by PhishMe through PhishMe LMS, solely for Customer’s internal business purposes of identification and mitigation of phishing attacks and as otherwise set forth herein, and may not be used for any other purpose. Customer and its Authorized Users may not share PhishMe LMS or any PhishMe IP provided by PhishMe through PhishMe LMS, with any third party, except as expressly authorized in advance by PhishMe in writing. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
  2. Customer is responsible for all Customer materials or content input into, facilitated through, or otherwise used within PhishMe LMS and PhishMe will not be liable for such Customer materials.  Customer will indemnify, defend and hold PhishMe harmless for any and all damages, costs and other losses arising out of the use of content provided by Customer.
  3. PhishMe will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following support:

a.   Basic support (questions concerning feature inquiries, troubleshooting, and configuration support) from 9:00 AM ET through 6:00 PM ET (M-F).

b.   Expert support is available for ad hoc inquiries (advanced and technical troubleshooting, bug verification and debugging, and deployment support questions) from 9:00 AM ET through 6:00 PM ET (M-F).

c.   Special support assistance outside of core hours may be arranged by Customer request and scheduled at a mutually agreed upon date and time.

Support may be reached via email at support@phishme.com. Requests received outside of standard support hours are placed in a support queue for processing by the applicable support team during standard support hours. Support hours are subject to holiday hours and closures. Customer may refer to the most up to date hours as set forth in the PhishMe Community portal. Telephone numbers to request Support Services can be found through the Support “Contact Us” link, located at the bottom of the PhishMe Community portal homepage.

PHISHME REPORTER SOFTWARE
EXHIBIT E

In addition to the terms of the Agreement, the following terms apply to PhishMe Reporter®.

  1. For the duration of the applicable Software License Term set forth in the applicable Order and in accordance with the terms of this Agreement, PhishMe grants to Customer a limited, non-exclusive, non-sublicensable, non-transferable, non-assignable software license to use PhishMe Reporter, including the applicable Documentation, for Customer’s internal use only (“Software License”). Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
  2. The use of PhishMe Reporter by Customer will be at no cost as long as Customer is under a current PhishMe Simulator Subscription Term or PhishMe Triage Software License Term; provided, however, if at any time Customer is using PhishMe Reporter and is not under a then-current PhishMe Simulator Subscription Term or PhishMe Triage Software License Term, Customer will be charged an annual maintenance fee equal to sixty percent (60%) of the then current PhishMe Simulator or PhishMe Triage list price, unless otherwise mutually agreed by the Parties in writing.
  3. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with PhishMe Reporter, provided, however that PhishMe does not make any representations and warranties or covenants of any nature or kind with respect to any Third-Party Products, nor will PhishMe have any liability for any damages that Customer may directly or indirectly incur or suffer as a result of or arising from Customer’s use of any Third-Party Product in combination with PhishMe Reporter. Customer further acknowledges and agrees that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by PhishMe and selected by Customer, for use in combination with PhishMe Reporter.
  4. Software Support Services. If Customer is under a current Support Term, PhishMe will provide the Software Support Services set forth in the Software Support Services Exhibit, as may be updated by PhishMe in its discretion.

PHISHME TRIAGE SOFTWARE
EXHIBIT F

In addition to the terms of the Agreement, the following terms apply to PhishMe Triage™.

  1. For the duration of the applicable Software License Term set forth in the applicable Order and in accordance with the terms of the Agreement, PhishMe grants to Customer a limited, non-exclusive, non-sublicensable, non-transferable, non-assignable software license to use PhishMe Triage (Software version set forth in the Order), including the applicable Documentation, for Customer’s internal use only (“Software License”). Software License validations will be performed from time to time during the Software License Term across an encrypted communication channel over HTTPS. Customer is responsible for its Authorized Users’ compliance with the Agreement and this Exhibit.
  2. PhishMe Triage may only be (i) installed as a virtual machine on one server in Customer’s environment or (ii) hosted in PhishMe’s secure cloud infrastructure.
  3. PhishMe grants Customer the right to use PhishMe proprietary tags which characterize and organize specific phishing content (“PhishMe Rule(s)”) in connection with PhishMe Triage, subject to the terms herein. For clarification, PhishMe Rules will not contain any Customer Confidential Information or be attributable to Customer. Customer may use PhishMe Rules within its own organization, on systems or networks owned or controlled by Customer, but not with any other unaffiliated third party; provided that Customer will not remove any proprietary markings within the PhishMe Rules.
  4. Customer may create its own rules to import into PhishMe Triage, and PhishMe will not share such rules with any other customer of PhishMe. Notwithstanding anything in the foregoing to the contrary, for any Customer created-rule that Customer chooses to share with other PhishMe Triage customers via PhishMe Triage Community Exchange (“Community Exchange Rules”), Customer hereby grants PhishMe a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive, license, including the right to sublicense to third parties, and right to reproduce, fix, adapt, modify, translate, reformat, create derivative works from, publish, distribute, sell, transmit, publicly display, publicly perform, or provide access to electronically, broadcast, display, perform, and use and practice such Community Exchange Rule as well as all modified and derivative works thereof.
  5. Customer acknowledges and agrees that PhishMe will not be liable for any damages of any nature or kind, directly or indirectly, resulting from (i) Customer or any of its personnel (including its Authorized Users) downloading and using any PhishMe Rule or any other type of data from PhishMe Triage; and (ii) the integration of PhishMe Triage into Customer’s existing or future security system or network.
  6. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term is defined herein) in combination with PhishMe Triage, provided, however that PhishMe does not make any representations and warranties or covenants of any nature or kind with respect to any Third-Party Products, nor will PhishMe have any liability for any damages that Customer may directly or indirectly incur or suffer as a result of or arising from Customer’s use of any Third-Party Product in combination with PhishMe Triage. Customer further agrees and acknowledges that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by PhishMe and selected by Customer, for use in combination with PhishMe Triage.
  7. Software Support Services.  If Customer is under a current Support Term, PhishMe will provide the Software Support Services set forth in the Software Support Services Exhibit, as may be updated by PhishMe in its discretion. Any Updates (as defined in the Software Support Services Exhibit) provided under Support Services and relating to PhishMe Triage will be made available to Customer via an encrypted communication channel over HTTPS.  Customer will be responsible for installing such Updates.

SOFTWARE SUPPORT SERVICES
EXHIBIT G

In addition to the terms of the Agreement, the following terms will govern the Software Support Services with respect to Customer’s license of the applicable PhishMe Software.

During the Support Term, PhishMe will provide Customer notification of bug fixes, maintenance patches and new releases which may contain minor enhancements to the features or functions of the Software (“Updates”).  Unless otherwise set forth elsewhere in the Agreement, Customer may obtain Updates from PhishMe’s server via the Internet.  PhishMe reserves the right to impose additional charges for releases of Software (i) that provide major enhancements to the features or functions of the Software, as determined by PhishMe at its sole discretion; or, (ii) that provide additional features or perform additional functions not provided or performed by the Software.

Support Structure and Hours

PhishMe Basic Support: PhishMe Basic Support includes questions concerning feature inquiries, troubleshooting, installation and configuration support.

Basic Support Hours (Monday – Friday)

  • PhishMe Reporter – 8:00 AM through 5:00 PM ET
  • PhishMe Triage –  9:00 AM through 6:00 PM ET

PhishMe Expert Support: PhishMe Expert Support is available for ad hoc inquiries and includes advanced and technical troubleshooting, bug verification and debugging, and deployment support questions.

Expert Support Hours (Monday – Friday)

  • PhishMe Reporter – 8:00 AM through 5:00 PM ET
  • PhishMe Triage – 9:00 AM through 6:00 PM ET

Special Support

Special Support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed upon date and time.

Support may be reached via email at support@phishme.com. Requests received outside of standard support hours are placed in a support queue for processing by the applicable support team during standard support hours. Support hours are subject to holiday hours and closures. Customer may refer to the most up to date hours as set forth in the PhishMe Community portal. Telephone numbers to request Support Services can be found through the Support “Contact Us” link, located at the bottom of the PhishMe Community portal homepage.

UNITED STATES GOVERNMENT
EXHIBIT H

In addition to the terms of the Agreement, the terms set forth in this Exhibit will apply if Customer is an agency, department, court, or instrumentality of the United States Federal Government.

To the extent the terms and conditions in the Agreement are inconsistent with Federal Law (e.g., the Antideficiency Act (31 U.S.C. § 1341(a)(1)(B)), the Contract Disputes Act of 1978 (41 U.S.C. §§ 7101-7109), the Prompt Payment Act (31 U.S.C. §§ 3901 et seq.), the Anti-Assignment statutes (31 U.S.C. § 3727 and 41 U.S.C. § 6305), 28 U.S.C. § 516 (Conduct of litigation reserved to Department of Justice), and 28 U.S.C. § 1498 (unauthorized use of a patented invention by or for the United States, or copyright infringement by the United States)) such terms and conditions will be subject to the following:

  1. Order of Precedence. If there is any conflict between the terms and conditions of the Agreement and this Exhibit, this Exhibit will govern and control.
  2. No Automatic Renewal; Termination. Any provisions in the Agreement providing for automatic renewal are hereby deleted. Any provisions in the Agreement referencing Termination will be subject to FAR 52.212-4 and Customer’s authorization and consent rights under 28 USC 1498(a).
  3. Fees; Taxes. Customer will not pay any future costs or fees under an applicable Order. All taxes are subject to FAR 52.212-4(k).
  4. Customer Indemnification Obligations. Any provisions in the Agreement referencing Customer Indemnification obligations are hereby deleted, to the extent inconsistent with Federal Law.
  5. PhishMe Indemnification Obligations. Any provisions in the Agreement that (1) violate DOJ’s right to represent Customer in any case (28 U.S.C. 516) and/or (2) require that Customer give sole control over the litigation and/or settlement, are hereby deleted. Any injunctive relief regarding a claim for intellectual property infringement is deleted, to the extent inconsistent with 28 USC 1498(b).
  6. Limitation of Liability. Any provisions in the Agreement referencing Limitation of Liability are deleted and replaced with FAR 52.246-25.
  7. Dispute Resolution and Venue. Any provisions in the Agreement requiring Customer to follow a specific procedure to raise claims or to resolve disputes are hereby deleted. Any provisions in the Agreement selecting a particular judicial forum or form of alternative dispute resolution for resolving claims relating to the Agreement are hereby deleted. Any disputes relating to the Agreement will be resolved in accordance with FAR 233-1 and the Contract Disputes Act of 1978 (41 U.S.C. §§ 7101-7109).
  8. Assignment; Novation. Any provisions referencing Assignment are deleted in their entirety, and assignment and novation will be subject to FAR 52.232-23 and FAR 42.12.
  9. Intellectual Property. The PhishMe IP, Software and Services are “commercial items”, “commercial computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR Sections 12.211-12.212, as applicable. All PhishMe IP, Software, and Services are and were developed solely at private expense and the use of PhishMe IP, Software and Services by the United States Government is governed solely by the Agreement and is prohibited except to the extent expressly permitted by the Agreement.
  10. Governing Law. The Agreement will be governed by the laws of the United States. Any provisions in the Agreement stating that the Agreement will only be governed by the law of any particular U.S. State or U.S. Territory or district, or foreign nation, are hereby deleted. In the event the Uniform Computer Information Transactions Act (UCITA) or any similar federal laws or regulations are enacted, to the extent allowed by law, it will not apply to the Agreement, and the governing law will remain as if such law or regulation had not been enacted.
  11. Unilateral Modification. Any provisions in the Agreement allowing for PhishMe’s unilateral modification are deleted in their entirety.
  12. Confidential Information. The written terms and conditions set forth in the Agreement, including this Exhibit, will not be considered confidential information. All other confidentiality obligations set forth in the Agreement will apply. For clarification, all PhishMe Confidential Information, including specific line-item pricing, is provided solely by PhishMe, and is not generated by Customer.