Cofense MSSA Template August 2024 – AWS MARKETPLACE
1
COFENSE CONFIDENTIAL
COFENSE INC.
MASTER SOFTWARE AND SERVICES AGREEMENT
(AWS MARKETPLACE FOR COFENSE PHISHME, COFENSE REPORTER AND ASSOCIATED
PROFESSIONAL SERVICES)
THIS MASTER SOFTWARE AND SERVICES AGREEMENT (THIS “AGREEMENT”) GOVERNS THE LICENSE
AND/OR ACCESS OF COFENSE SOFTWARE, SUBSCRIPTIONS AND SERVICES PROVIDED BY COFENSE INC.,
AND/OR ITS AFFILIATES (“COFENSE”) UNLESS YOU (OR THE BUSINESS, GOVERNMENT OR ENTITY YOU
REPRESENT) HAVE EXECUTED A SEPARATE WRITTEN AGREEMENT WITH COFENSE GOVERNING SUCH
SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES. PLEASE READ THIS AGREEMENT CAREFULLY. CLICKING
ON THE “YES” OR “I ACCEPT” BUTTON (OR OTHER BUTTON OR MECHANISM DESIGNED TO ACKNOWLEDGE
AGREEMENT TO THE TERMS OF THIS AGREEMENT), DOWNLOADING, INSTALLING, ACCESSING OR USING
COFENSE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES CONSTITUTES ACCEPTANCE OF THIS
AGREEMENT. WITHOUT LIMITING THE FOREGOING, YOU ACKNOWLEDGE THAT YOUR SUBMISSION OF AN
ORDER FOR THE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES CONSTITUTES AN ACCEPTANCE OF THIS
AGREEMENT AND THAT ALL FUTURE ORDERS FOR THE SAME SOFTWARE, SUBSCRIPTIONS AND/OR
SERVICES FOLLOWING YOUR ACCEPTANCE OF THIS AGREEMENT WILL BE GOVERNED BY THE TERMS OF
THIS AGREEMENT. IF YOU AGREE TO THIS AGREEMENT ON BEHALF OF A BUSINESS, GOVERNMENT, OR
OTHER ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE THE POWER AND AUTHORITY TO BIND
SUCH BUSINESS, GOVERNMENT, OR OTHER ENTITY TO THIS AGREEMENT, AND YOUR AGREEMENT TO
THESE TERMS WILL BE TREATED AS THE AGREEMENT OF SUCH BUSINESS, GOVERNMENT, OR OTHER
ENTITY. AS USED IN THIS AGREEMENT, “CUSTOMER” REFERS TO THE BUSINESS, GOVERNMENT, OR OTHER
ENTITY ON WHOSE BEHALF YOU HAVE ENTERED INTO THIS AGREEMENT. IF YOU ARE UNWILLING TO
AGREE TO THIS AGREEMENT, OR YOU DO NOT HAVE THE RIGHT, POWER AND AUTHORITY TO ACT ON
BEHALF OF AND BIND THE CUSTOMER, DO NOT CLICK ON THE BUTTON AND DO NOT INSTALL,
DOWNLOAD, ACCESS, OR OTHERWISE USE THE SOFTWARE, SUBSCRIPTIONS AND/OR SERVICES. IF
CUSTOMER RECEIVES THE SOFTWARE, SUBSCRIPTIONS OR SERVICES THROUGH A COFENSE AUTHORIZED
RESELLER, PARTNER OR DISTRIBUTOR (COLLECTIVELY, “AUTHORIZED PARTNER”), ALL FEES AND OTHER
PROCUREMENT AND DELIVERY TERMS WILL BE AGREED BETWEEN CUSTOMER AND THE AUTHORIZED
PARTNER; HOWEVER, THE TERMS SET FORTH IN THIS AGREEMENT REGARDING CUSTOMER’S USE OF THE
SOFTWARE, SUBSCRIPTIONS AND SERVICES REMAIN APPLICABLE. FOR CLARIFICATION, CUSTOMER’S
AGREEMENT WITH THE AUTHORIZED PARTNER IS BETWEEN CUSTOMER AND THE AUTHORIZED PARTNER
ONLY AND SUCH AGREEMENT IS NOT BINDING ON COFENSE.
I. DEFINITIONS.
“Authorized Users” means Customer authorized employees, agents or independent contractors with an assigned unique email
address, who may (i) access the applicable Subscription or Software; and/or (ii) receive or send email messages with respect
to the applicable Subscription or Software.
“Confidential Information” means any non-public, confidential, or proprietary information of a disclosing Party (“Discloser”)
that should reasonably be understood by the receiving Party (“Recipient”) to be confidential because of (i) legends or other
markings; (ii) the circumstances of disclosure; or (iii) the nature of the information, which may be disclosed either directly or
indirectly, in writing, visual, orally or by inspection of tangible objects (including without limitation documents, prototypes,
samples, products, software, product specifications and white papers) or other means. Confidential Information includes but is
not limited to technology and technical information, promotional and marketing activities, inventions, finances and financial
plans, customers, business and product plans, know-how, source code, data, algorithms, methods and processes, trade secrets,
designs, techniques, analyses, models, strategies and objectives, and any third-party information that Discloser is otherwise
obligated to keep confidential.
“Customer Marks” means Customer’s name and logo, the names of any of Customer’s websites, other names of Customer’s
business, enterprises or properties, product marks, trademarks and any other registered intellectual property of Customer.
“Customer Data” means the information submitted or provided by Customer and its Authorized Users for use with the Software
and Services.MSSA Template August 5, 2024
2
COFENSE CONFIDENTIAL
“Documentation” means the applicable Software and Subscription user manuals provided by Cofense to its customers (which
may be in electronic format), as amended from time to time by Cofense.
“Intellectual Property Rights” means copyrights (including, without limitation, the exclusive right to use, reproduce, modify,
distribute, publicly display and publicly perform the copyrighted work), trademark rights (including, without limitation, trade
names, trademarks, service marks, and trade dress), patent rights (including, without limitation, the exclusive right to make,
use and sell), trade secrets, moral rights, right of publicity, authors’ rights, contract and licensing rights, goodwill and all other
intellectual property rights as may exist now and/or hereafter come into existence and all renewals and extensions thereof,
regardless of whether such rights arise under the law of the United States or any other state, country or jurisdiction.
“Order” means (i) a quotation issued to Customer by Cofense that is signed by both Parties or (ii) a written purchase order or
similar ordering document, signed or submitted by Customer and accepted by Cofense, under which Customer agrees to
purchase Software and/or Services. It is agreed that all Orders for the Software and Services hereunder will incorporate the
terms of this Agreement, whether expressly referenced or not, and will only be accepted subject to the terms of this Agreement.
The terms and conditions of this Agreement will govern all Orders, and any additional or different terms in an Order are deemed
void and of no effect unless such additional or different terms are agreed upon by the Parties in writing. For clarity, acceptance
by Cofense of a Customer’s purchase order or similar ordering document will not be deemed an acceptance of any conflicting
or additional terms and conditions.
“Cofense IP” means all Cofense proprietary materials, including without limitation, the Software, Subscriptions, Cofense’s
Confidential Information, threat intelligence and threat indicators, intelligence alerts and reports, and/or investigation tools,
Aggregate Data, Documentation, Cofense Rules, proprietary processes and methods, and any Cofense templates and/or forms.
“Software” means the licensed software (object code and source code) described in the applicable exhibit for such Software
attached to this Agreement.
“Software Support Services” means the applicable support services provided with the Software, as described in the Software
Support Services Exhibit attached to this Agreement.
“Professional Services” means professional consulting services or managed services rendered or performed by Cofense under
an applicable exhibit attached to this Agreement.
“Service(s)” means the Subscription Services, Professional Services and Software Support Services.
“Subscription Services” or “Subscription” means the subscription service provided by Cofense, as described in the applicable
exhibit for such Subscription attached to this Agreement.
II. PROVISION OF SOFTWARE AND SERVICES; CUSTOMER RESPONSIBILITIES.
A. Orders. Cofense will provide the Software and Services set forth in Orders, as applicable, pursuant and subject to this
Agreement. Terms and licenses specific to each Software and Service are set forth in the applicable exhibit for such
Software and Service attached hereto. If Customer receives the Software or Services through a Cofense authorized reseller,
partner or distributor (collectively, “Authorized Partner”), all fees and other procurement and delivery terms will be agreed
between Customer and the Authorized Partner; however, the terms set forth in this Agreement regarding Customer’s use
of the Software and Services remain applicable. For clarification, Customer’s agreement with the Authorized Partner is
between Customer and the Authorized Partner and is not binding on Cofense.
B. Evaluations. If Cofense provides any Software or Subscriptions, along with any other related materials and documentation
for Customer’s evaluation purposes (collectively, “Evaluation Products”), then Cofense grants Customer a limited,
nontransferable, non-assignable, non-sublicensable right to use the Evaluation Product listed in the applicable activation
email sent by Cofense to Customer, subject to the terms of this Agreement and any other limitations expressly set forth in
the activation email. Customer may use the Evaluation Product for its own internal evaluation purposes from the date in
which Customer first installs, downloads or accesses the Evaluation Product, until the expiration date set forth in the
activation email or, if no expiration date is set forth in the activation email, for a period of up to thirty (30) days from the
date of installation, download or access of the Evaluation Product (the “Evaluation Period”). Cofense may, at its sole
discretion, provide reasonable maintenance and support for the Evaluation Products during the Evaluation Period.
Evaluation Products are provided to Customer “AS-IS”, and to the extent permitted by applicable law, Cofense disclaims
all indemnities and warranties relating to the evaluation of the Evaluation Product, express or implied, including but not
limited to any warranties against infringement of third party rights, merchantability, and fitness for a particular purpose.
Customer acknowledges that the Evaluation Product is Cofense’s Intellectual Property. At the end of the Evaluation Period,MSSA Template August 5, 2024
3
COFENSE CONFIDENTIAL
all evaluation licenses granted herein will automatically terminate and Customer will delete or return Evaluation Products
in Customer’s possession, and provide written certification of such destruction or return in writing to Cofense. If applicable,
Customer understands that Cofense may disable access to the Evaluation Products automatically at the end of the
Evaluation Period, without notice to Customer. This Section will take precedence over any contradictory language in this
Agreement as it relates to an Evaluation Product.
C. Customer Responsibilities. Customer (i) is responsible for the use of the Software and Services by Customer and its
Authorized Users in compliance with this Agreement, including any applicable exhibits, addenda, Documentation and
applicable laws and government regulations; (ii) is responsible for the accuracy, quality and legality of Customer Data,
including the lawful use and transmission of Customer Data provided by Customer and its Authorized Users in connection
with the Software and Services; (iii) will obtain all rights, permissions or consents from Authorized Users and other
Customer personnel that are necessary to grant the rights and licenses in this Agreement; and (iv) will use commercially
reasonable efforts to prevent unauthorized access to or use of Cofense IP, Software and Subscriptions, and will notify
Cofense promptly of such unauthorized use.
III. TERM AND TERMINATION.
A. Term.
1. Software License and Support. Each Software will be licensed for the period of time stated on the applicable Order
or, if no period of time for the Software License is specified in the Order, for a period of one (1) year from the date
the Software was delivered to Customer (“Initial Software License Term”). Unless otherwise stated on the Order, the
Software License will automatically renew after its Initial Software License Term for additional periods of one (1)
year each (each, a “Renewal Software License Term” and together with the Initial Software License Term, the
“Software License Term”), unless either Party notifies the other of its intention not to renew the Software License at
least sixty (60) days prior to the expiration of the then-current Software License Term. If Customer is licensing the
Software on a term basis, Cofense will provide Software Support Services at no additional charge, for the duration of
the Software License Term and such Software Support Services will be coterminous with the Software License Term.
If Customer is licensing the Software on a perpetual basis, Software Support Services will be provided for the period
of time stated on the applicable Order, or, if no period of time for Support Services is specified, Support Services will
be provided for a period of one (1) year from the date the Software was delivered to Customer (“Initial Support Term”).
Software Support Services for perpetual Software licenses will automatically renew for additional periods of one (1)
year each (each, a “Renewal Support Term” and together with the Initial Support Term, the “Support Term”), unless
either Party notifies the other of its intention not to renew such Software Support Services at least sixty (60) days prior
to the expiration of the then-current Support Term.
2. Subscriptions. The term of each Subscription is specified in the applicable Order or, if no period of time for the
applicable Subscription is specified, for a period of one (1) year from the date in which access to the Subscription was
made available to Customer (“Initial Subscription Term”). Unless otherwise stated on the Order, the Subscription
will automatically renew after its Initial Subscription Term for additional periods of one (1) year each (each, a
“Renewal Subscription Term” and together with the Initial Subscription Term, the “Subscription Term”), unless either
Party notifies the other of its intention not to renew the Subscription at least sixty (60) days prior to the expiration of
the then-current Subscription Term.
3. Professional Services. The term of performance for Professional Services begins on the date stated in the applicable
exhibit or Order or, as otherwise mutually agreed in writing between the Parties, and will remain in effect for term
length stated in the applicable exhibit or Order.
B. Termination for Material Breach; Suspension. A Party may terminate this Agreement or one or more of the Orders
hereunder, if the other Party commits a material breach, and fails to remedy such breach within thirty (30) days of being
notified by the non-breaching Party of such breach (“Cure Period”). Notwithstanding the foregoing, Customer
acknowledges and agrees that Cofense may, in its sole and absolute discretion, immediately terminate this Agreement, or
affected Order, or suspend Customer’s access to any Services in connection with any actual, alleged or suspected: (i)
breach of confidentiality obligations and license or use restrictions set forth in this Agreement and applicable exhibit, (ii)
direct or indirect technical or security issues or problems caused by or relating to Customer, or (iii) violations of applicable
law and, in Cofense’s determination, such violation cannot be adequately cured within the Cure Period. If Cofense
terminates this Agreement or any Order due to Customer’s material breach, Cofense will not refund any amounts to
Customer. If Customer terminates a Software license or Service for Cofense’s material breach, Customer will receive a
refund for the remainder of the then-current term for such Software or Service; provided that Customer will not be entitledMSSA Template August 5, 2024
4
COFENSE CONFIDENTIAL
to any refund if Customer is also in breach of the Agreement at the time of such termination. If Customer terminates a
Software License or Services other than for Cofense’s material breach, Customer will not receive a refund or credit of any
Fees already paid or due to Cofense and, if applicable, all outstanding Software License and Services Fees under an
applicable Order will accelerate and become immediately due and payable.
C. Effect of Termination. Upon termination of an applicable Order for any reason, all access rights and licenses granted herein
with respect to the affected Order will immediately terminate. Termination or expiration of any Order will not be deemed
a termination or expiration of any other Orders in effect as of the date of termination or expiration, and this Agreement
will continue to govern and be effective as to those outstanding Orders until those Orders have expired or terminated by
their own terms or as set forth herein. Within ten (10) business days of the termination of an applicable Order, each Party
will return or delete all copies of the other Party’s intellectual property in its possession or control.
D. Survival. The provisions of Section IV (Fees, Taxes and Expenses), Section V (Confidentiality and Data Privacy), Section
VI (Intellectual Property), Section VII(D) (Disclaimers), Section IX (Limitation of Liability), Section XII (Miscellaneous),
and all accrued payment obligations, will survive the termination of this Agreement and the termination of all Orders.
IV. FEES, TAXES AND EXPENSES.
A. Customer will pay the fees for the Software and Services set forth in the applicable Order (“Fees”). All Fees will be fully
invoiced in advance, unless otherwise agreed by the Parties in writing. All Fees are non-cancelable and non-refundable.
Fees are exclusive of all tariffs, duties or taxes imposed or levied by any government or governmental agency, including
without limitation, federal, state and local sales, use, value added or other similar taxes (collectively, “Taxes”) and
Customer is responsible for paying all Taxes applicable to the Software and Services provided by Cofense to Customer.
Customer will reimburse Cofense for any and all expenses incurred by Cofense so long as such expenses are directly
attributable to the Software and Services provided to Customer.
B. Customer agrees to pay, in full, any undisputed invoice submitted by Cofense within thirty (30) days of receipt of such
invoice. If Customer fails to make any payment when due, then interest at a rate of one and one-half percent (1.5%) per
month will accrue on such unpaid, undisputed amounts, calculated from the date the payment was originally due. If
Customer disputes any invoice, it will promptly notify Cofense of the disputed amount, but in no event later than the date
payment is due, with an explanation of the reasons therefore.
V. CONFIDENTIALITY AND DATA PRIVACY.
A. Recipient will: (i) not use any Confidential Information for any purpose except to evaluate and engage in discussions
concerning a potential business relationship between the Parties and/or to fulfill its obligations under this Agreement; (ii)
use at least the same degree of care as Recipient uses to protect its own confidential information from unauthorized use,
access or disclosure, but in no event less than a reasonable degree of care; (iii) limit disclosure of Confidential Information
to those persons within Recipient’s organization who have a need to know and who have previously agreed in writing,
prior to the receipt of Confidential Information, to be bound by confidentiality obligations similar to those set forth in this
Agreement; (iv) not disclose any Confidential Information to third parties without Discloser’s prior written consent; (v)
not copy, reverse engineer, disassemble, create any works from, or decompile any prototypes, software or other tangible
objects which embody Discloser’s Confidential Information; and (vi) comply with, and obtain all required authorizations
arising from, all U.S. and other applicable export control laws or regulations. Any reproduction of Confidential Information
requires Discloser’s prior written consent and will remain the property of Discloser. Any reproductions will contain any
and all notices of confidentiality contained on the original Confidential Information.
B. The foregoing confidentiality obligations will not apply to information that Recipient can demonstrate: (i) is publicly
known and made generally available through no improper action or inaction of Recipient; (ii) was already in the possession
of, or known by Recipient prior to the time of disclosure by Discloser through no fault or breach of this Agreement by
Recipient; (iii) was rightfully obtained by, or disclosed to, Recipient from a third party without any obligation to maintain
the Confidential Information as proprietary or confidential; or (iv) is independently developed by Recipient without use of
or reference to Discloser’s Confidential Information. Recipient may disclose Confidential Information to the extent such
disclosure is required to comply with applicable law or a valid order or requirement of a governmental or regulatory agency
or court of competent jurisdiction, provided that Recipient (a) restricts such disclosure to the maximum extent legally
permissible; (b) notifies Discloser as soon as practicable of any such requirement to the extent such provision of prior
notice is permitted by applicable law; and (c) that subject to such disclosure, such disclosed materials will in all respects
remain subject to the restrictions set forth in this Agreement.MSSA Template August 5, 2024
5
COFENSE CONFIDENTIAL
C. Within ten (10) business days of the termination of this Agreement or upon Discloser’s written request, Recipient will
promptly, at Recipient’s election, destroy or return all of Discloser’s Confidential Information in Recipient’s possession
or in the possession of any representative of Recipient; provided, however, that Recipient will not, in connection with the
foregoing obligations, be required to delete Confidential Information held electronically in archive or back-up systems,
and such Confidential Information will in all respects remain subject to the restrictions set forth in this Agreement. Upon
Discloser’s written request, Recipient will provide a certification, signed by an officer of Recipient, as to the destruction
or return of Discloser’s Confidential Information.
D. Discloser retains all right, title and interest to its Confidential Information. Recipient acknowledges that the disclosure of
Confidential Information may cause irreparable injury to Discloser. Discloser will, therefore, be entitled to seek injunctive
relief upon a disclosure or threatened disclosure of any Confidential Information, without a requirement that Discloser
prove irreparable harm and without the posting of a bond. This provision will not in any way limit such other remedies as
may be available to Discloser at law or in equity. ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS.”
DISCLOSER MAKES NO WARRANTIES, EXPRESS, IMPLIED OR OTHERWISE, REGARDING ITS ACCURACY,
COMPLETENESS OR PERFORMANCE.
E. If use of the Software and Subscriptions includes the processing of personal data (as described in applicable data privacy
laws), when performing its obligations under this Agreement, the following will apply:
1. Customer will ensure that: (i) Customer is entitled to transfer the relevant personal data to Cofense so that Cofense
may lawfully use, process and transfer the personal data on Customer’s behalf and in accordance with this Agreement;
and (ii) the relevant third parties have been informed of, and have given their consent to, such use, processing, and
transfer as required by all applicable data protection laws.
2. Cofense will: (i) process personal data in compliance with and subject to this Agreement and any lawful and reasonable
instructions received from Customer; (ii) not use or process or permit any Cofense subcontractors to use or process,
any personal data except to the extent necessary to perform its obligations under this Agreement; (iii) implement and
maintain adequate and reasonable technical and organizational safeguards designed to protect against the unauthorized
or accidental access, loss, alteration, disclosure or destruction of personal data in Cofense’s possession or control; (iv)
ensure that it has appropriate procedures in place designed to comply with applicable data protection laws and will
take all reasonable steps to ensure that persons employed by it, and other persons engaged at its place of work, are
aware of and comply with applicable data privacy laws and regulations.
3. Cofense may process or otherwise transfer personal data in or to any country outside the European Economic Area or
any country not deemed adequate by the European Commission pursuant to applicable data protection laws to the
extent necessary for the provision of the Software and Services. If required, Cofense will enter into the EU Standard
Contractual Clauses as approved by the European Commission for ensuring an adequate level of data protection in
respect of the personal data that will be processed or transferred.
4. Cofense will not sell, process, retain, disclose, or use (i) for a commercial purpose or (ii) outside of the direct business
relationship between Cofense and Customer, any Customer Data that, under the California Consumer Privacy Act
(“CCPA”) constitutes “personal information” (“CA Personal Information”), except to provide the Software and
Services or as permitted by CCPA. Notwithstanding anything in this Agreement, Order or Statement of Work, the
Parties acknowledge and agree that Cofense’s access to CA Personal Information or any other Customer Data does
not constitute part of the consideration exchanged by the Parties in respect of this Agreement.
VI. INTELLECTUAL PROPERTY.
A. Intellectual Property of Cofense; Restrictions. All Intellectual Property Rights in the Cofense IP belong exclusively to
Cofense or its licensors. Customer acknowledges and agrees that it will not (and will not allow any third party), in whole
or in part, to directly or indirectly: (i) disassemble, decompile, reverse compile, reverse engineer or attempt to discover
any source code or underlying ideas or algorithms of any Cofense IP (except to the limited extent that applicable law
prohibits reverse engineering restrictions solely for interoperability purposes), (ii) sell, resell, distribute, sublicense or
otherwise transfer, the Cofense IP, or make the functionality of the Cofense IP available to any other party through any
means (unless Cofense has provided prior written consent), or (iii) reproduce, alter, modify or create derivatives of the
Cofense IP (unless as expressly permitted in this Agreement). Customer will maintain the copyright notice and any other
notices that appear on Cofense IP, including any interfaces related to the Software or Subscriptions.
B. Aggregate Data; Feedback. Notwithstanding the foregoing, Cofense owns all Intellectual Property Rights in and to
Aggregate Data, and may use, reproduce, sell, publicize or otherwise exploit Aggregate Data in any way, in its soleMSSA Template August 5, 2024
6
COFENSE CONFIDENTIAL
discretion. “Aggregate Data” refers to Customer Data that is de-identified (stripped of any information used to identify
Customer, including personal data). Aggregate Data will also include statistical information related to the use and
performance of Software and Services, provided that such statistical information is de-identified. Customer grants to
Cofense a worldwide, perpetual, irrevocable, royalty-free, fully paid-up license to use and exploit any suggestion,
enhancement request, recommendation, correction or other feedback (“Feedback”) provided by Customer or its Authorized
users relating to the Software and Services. Feedback will not include Confidential Information.
C. Cofense Templates and Formats. Customer acknowledges that for applicable Software and Services, Cofense may provide
certain Cofense templates and formats to Customer, and Customer will have a non-exclusive, nontransferable, nonsublicenseable right to use, modify, display and reproduce such templates and formats for Customer’s internal use with
the applicable Software or Service, subject to the restrictions set forth in this Agreement. To the extent that any such
modified templates and/or formats do not embody or otherwise include Customer’s Confidential Information and Customer
Marks, Cofense owns and holds all right, title and interest in and to such templates and/or formats.
D. Intellectual Property of Customer; Restrictions. Cofense acknowledges that Customer owns all right, title, and interest in
and to Customer Marks and Customer Data (excluding Aggregate Data). Customer grants to Cofense the worldwide right
to use, access, host, copy, transmit and display Customer Marks and Customer Data, as reasonably necessary for Cofense
to perform its obligations in accordance with this Agreement. Cofense may disclose Customer Data to its third-party
contractors and service providers (including cloud service providers) to the extent necessary to provide the applicable
Software and Services in accordance with this Agreement; provided that such third-party contractors and service providers
are bound by confidentiality obligations similar to the provisions of this Agreement. Cofense expressly disclaims any
Customer Data which Customer has generated for use with an applicable Subscription or Software, and Customer agrees
to indemnify, hold harmless and, at Cofense’s option, to defend Cofense, its officers, directors, employees, contractors and
agents from and against any losses, liabilities, damages, costs and expenses (including reasonable attorneys’ fees) incurred
as a result of any alleged or actual violations of any third party rights arising out of the Customer Data.
E. U.S. Government Restricted Rights. The Cofense IP, Software and Services are “commercial items”, “commercial
computer software” and “commercial computer software documentation,” pursuant to DFARS Section 227.7202 and FAR
Sections 12.211-12.212, as applicable. All Cofense IP, Software, and Services are and were developed solely at private
expense and the use of Cofense IP, Software and Services by the United States Government are governed solely by this
Agreement and are prohibited except to the extent expressly permitted by this Agreement.
VII. WARRANTIES AND DISCLAIMERS.
A. Software Warranty. Cofense represents and warrants that, during the one (1) year period following delivery of the Software
to Customer (“Software Warranty Period”), the Software will perform materially as described in the applicable
Documentation. Customer must promptly notify Cofense of any breach of this warranty, but in any event no later than the
expiration of the Software Warranty Period. The warranty set forth in this Section will not apply if the Software (i) has
been modified or altered by any party other than Cofense or Cofense’s duly authorized representatives; (ii) has not been
installed, operated, repaired, or maintained in accordance with instructions supplied by Cofense; or (iii) has been subjected
to abnormal stress, misuse, negligence, or accident. In the event of a breach of the warranty in this Section, Cofense will
at its sole option, either repair the Software or replace the Software with software of substantially similar functionality.
The foregoing states Customer’s sole remedy and Cofense’s entire liability for breach of warranty in this Section.
B. Professional Services and Software Support Services Warranty. Cofense warrants to Customer that Professional
Services and Software Support Services will be performed in a professional manner in accordance with industry standards
for like services. Customer must promptly notify Cofense of any breach of this warranty, but in any event no later than
thirty (30) days following the date the Professional Services or Software Support Services were performed. For any breach
of Cofense’s warranty obligations set forth in this Section, Cofense will promptly correct or re-perform the applicable
Professional Services or Software Support Services, at Cofense’s expense. The foregoing states Customer’s sole remedy
and Cofense’s entire liability for breach of warranty in this Section.
C. Subscription Services Warranty. Cofense warrants to Customer that during the applicable Subscription Term, the
Subscription will be performed materially in accordance with the applicable Documentation, and in a professional manner
with reasonable skill and care. Customer must promptly notify Cofense of any breach of this warranty, but in any event
no later than thirty (30) days following the date this warranty was allegedly breached. The warranty set forth in this Section
will not apply if (i) Customer has used the Subscription contrary to Cofense’s instructions as may be set forth in the
applicable exhibit or Documentation, or (ii) the Subscription has been modified or altered by any party other than Cofense
or Cofense’s duly authorized representatives. For any breach of Cofense’s warranty obligations set forth in this Section,MSSA Template August 5, 2024
7
COFENSE CONFIDENTIAL
Cofense will promptly correct the non-conformity, at Cofense’s expense. The preceding sentence states Customer’s sole
remedy and Cofense’s entire liability for breach of warranty in this Section.
D. DISCLAIMERS. EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH HEREIN, ALL SOFTWARE,
SUBSCRIPTIONS, AND SERVICES ARE PROVIDED ON AN “AS IS” BASIS WITHOUT ANY WARRANTY
WHATSOEVER AND COFENSE EXPRESSLY DISCLAIMS, TO THE MAXIMUM EXTENT PERMISSIBLE
UNDER APPLICABLE LAW, ALL WARRANTIES, EXPRESS, IMPLIED AND STATUTORY, INCLUDING
WITHOUT LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, ACCURACY, NONINFRINGEMENT, OR ARISING FROM COURSE OF PERFORMANCE, DEALING,
USAGE OR TRADE. COFENSE ALSO MAKES NO WARRANTY REGARDING NONINTERRUPTION OF USE
OR FREEDOM FROM BUGS, AND MAKES NO WARRANTY THAT SOFTWARE, SERVICES OR
SUBSCRIPTIONS WILL BE ERROR-FREE. COFENSE DOES NOT GUARANTEE ANY SPECIFIC RESULTS
FROM USING THE SOFTWARE, SERVICES AND SUBSCRIPTIONS.
VIII. INDEMNIFICATION.
A. Cofense agrees to indemnify, defend, and hold Customer, its employees and agents harmless from any and all claims and/or
demands, including reasonable attorneys’ fees, arising out of or in connection with a claim that the Cofense IP, Software
or Subscription, infringes a valid third party intellectual property right. If the Cofense IP, Software or Subscription, or
parts thereof, become, or in Cofense’s opinion may become, the subject of an infringement claim, Cofense may, at its
option: (i) modify or replace such Cofense IP, Software or Subscription with a non-infringing, functional equivalent; (ii)
obtain for Customer all necessary licenses and permissions to continue using the Cofense IP, Software or Subscription; or
(iii) require that Customer cease to use the Cofense IP, Software or Subscription and (a) with respect to Subscriptions and
term Software Licenses, refund any pre-paid Fees for the unused remainder of the Software License Term or Subscription
Term; (b) with respect to perpetual Software Licenses, refund the Fees paid for the Software License, less allowance for
amortization over a three (3) year period, straight-line method and refund any pre-paid Fees for the unused remainder of
the Software Support Term; and (c) with respect to Professional Services, refund any pre-paid Fees for Professional
Services that have not been delivered. This Section states Cofense’s entire liability and Customer’s exclusive remedy for
claims based on infringement of any third party’s intellectual property rights.
B. Cofense will have no indemnification obligations with respect to any action arising out of: (i) the use of any Cofense IP,
Software or Subscription, or any part thereof, in combination with other software or products not authorized by Cofense;
(ii) any modification of the Cofense IP, Software or Subscription not performed or expressly authorized by Cofense; (iii)
Customer’s failure to substantially comply with Cofense’s reasonable written instructions which if implemented would have
rendered the Cofense IP, Software or Subscription non-infringing, provided that a sufficient time period is given to Customer
in order to implement such written instructions; or (iv) the use of the Cofense IP, Software or Services other than in
accordance with this Agreement and applicable Documentation.
C. Customer agrees to indemnify, defend and hold Cofense, its employees and agents harmless from any and all claims and/or
demands, including reasonable attorneys’ fees, made by any third party arising out of or related to Customer's alleged or
actual use or misuse of the Cofense IP, Software and Subscriptions, including without limitation: (a) claims related to the
unauthorized disclosure or exposure of personal data or other private information by Customer; (b) claims that the
Customer Data infringes a third party right; (c) claims that use of a Subscription by Customer, including by Customer’s
Authorized Users, harasses, defames, or defrauds a third party; or (d) claims arising from Customer’s use of the Software and
Services in violation of this Agreement.
D. Each Party which seeks indemnification (the “Indemnified Party”) will (i) notify the other Party (the “Indemnifying Party”)
promptly after receiving notice of any threat or claim in writing of such actions set forth above, provided that if the Indemnified
Party fails to notify the Indemnifying Party promptly of any threat or claim, the Indemnifying Party will be relieved of its
obligation to indemnify the Indemnified Party to the extent the Indemnifying Party is prejudiced by the delay in notice; (ii)
grant the Indemnifying Party sole control of the defense and any related settlement negotiations; provided no settlement
may be agreed to without the Indemnified Party’s consent (which consent will not be unreasonably withheld); and (iii)
reasonably cooperate, at the Indemnifying Party’s expense, with the Indemnifying Party in defense of such claim.
IX. LIMITATION OF LIABILITY.
A. Exclusion of Consequential and Related Damages. EXCEPT FOR LIABILITY ARISING UNDER A BREACH OF ANY
INTELLECTUAL PROPERTY RIGHT OF A PARTY, THE INDEMNIFICATION OBLIGATIONS SET FORTH IN
SECTION VIII, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, IN NO EVENT WILL AMSSA Template August 5, 2024
8
COFENSE CONFIDENTIAL
PARTY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES OF
ANY KIND, INCLUDING BUT NOT LIMITED TO ANY LOST PROFITS AND LOST SAVINGS, HOWEVER
CAUSED, WHETHER FOR BREACH OR REPUDIATION OF CONTRACT, TORT, BREACH OF WARRANTY,
NEGLIGENCE, OR OTHERWISE, WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF
SUCH LOSS OR DAMAGES.
B. Limitation of Monetary Damages. EXCEPT FOR LIABILITY ARISING UNDER A BREACH OF ANY
INTELLECTUAL PROPERTY RIGHT OF A PARTY, PAYMENT OBLIGATIONS OF CUSTOMER, THE
INDEMNIFICATION OBLIGATIONS SET FORTH IN SECTION VIII, OR A PARTY’S GROSS NEGLIGENCE OR
WILLFUL MISCONDUCT, AND NOTWITHSTANDING ANY OTHER PROVISIONS OF THIS AGREEMENT OR
ANY ORDER OR STATEMENT OF WORK, A PARTY’S TOTAL LIABILITY ARISING OUT OF THIS
AGREEMENT WILL BE LIMITED TO THE TOTAL AMOUNTS RECEIVED BY COFENSE FOR THE RELEVANT
SOFTWARE, SUBSCRIPTIONS OR SERVICES DURING THE SIX (6) MONTHS PRIOR TO THE FIRST EVENT
GIVING RISE TO SUCH LIABILITY.
C. Applicability. THE LIMITATIONS AND EXCLUSIONS CONTAINED HEREIN WILL APPLY ONLY TO THE
MAXIMUM EXTENT PERMISSIBLE UNDER APPLICABLE LAW, AND NOTHING HEREIN PURPORTS TO
LIMIT EITHER PARTY’S LIABILITY IN A MANNER THAT WOULD BE UNENFORCEABLE OR VOID AS
AGAINST PUBLIC POLICY IN THE APPLICABLE JURISDICTION.
X. AUDIT RIGHTS.
A. Cofense agrees that Customer may conduct an audit of Cofense’s records related to Customer, at Customer’s expense,
subject to the following conditions: (i) the audit will only be of Cofense records that pertain solely to this Agreement; (ii)
Customer will provide no less than seventy-two (72) hours prior written notice of the date the audit is to be performed;
(iii) the audit will be conducted at a location specified by Cofense during Cofense’s normal business hours and without
interrupting Cofense’s business operations; and (iv) Customer may not request more than one (1) audit in any twelve (12)
month period. Notwithstanding anything in the foregoing to the contrary, Customer may not audit facilities, networks,
systems, devices, or storage media of Cofense or its personnel.
B. Cofense acknowledges that Customer may be subject to examination and audit by applicable government regulatory
agencies having jurisdiction over Customer (“Regulatory Agencies”). Cofense further acknowledges that such Regulatory
Agencies may require access to Cofense’s books, records, data, and evidence of procedures and policies relating to
Cofense’s compliance with this Agreement. Upon request by such Regulatory Agencies, Cofense will provide the
reasonable assistance of Cofense’s employees with knowledge of compliance efforts in connection with any such
examination or audit.
C. For any applicable Software License Term or Subscription Term, Customer agrees that at Cofense’s request, Customer
will furnish to Cofense a certification signed by Customer’s authorized representative verifying that the Software or
Subscription is being used in accordance with this Agreement.
XI. NOTICES.
All notices in connection with this Agreement will be in writing and will be deemed effective (i) upon receipt, when
delivered personally or by courier, overnight delivery service or confirmed facsimile, or (ii) five (5) business days after
having been sent by registered or certified mail or the local equivalent, as evidenced by the postmark. Notices will be
addressed to the applicable address as listed in this Agreement or as subsequently modified by written notice.
XII. MISCELLANEOUS.
A. Governing Law. This Agreement is governed by and construed in accordance with the laws of the State of Virginia and
the United States without regard to conflicts of laws provisions thereof, and without regard to the United Nations
Convention on the International Sale of Goods. Any legal claims, proceedings or litigation arising out of or in connection
with the Software and Services will be brought solely in the federal courts of the State of Virginia, and each Party hereto
consents to the jurisdiction and venue of such courts in any suit, action or proceeding concerning this Agreement.
Notwithstanding anything in the foregoing to the contrary: (i) if Customer is located in the United Kingdom, this
Agreement is governed by and construed in accordance with the laws of England & Wales; and (ii) if Customer is located
in the European Union, this Agreement is governed by and construed in accordance with the laws of the Republic of
Ireland, each without regard to conflicts of laws provisions thereof, and without regard to the United Nations ConventionMSSA Template August 5, 2024
9
COFENSE CONFIDENTIAL
on the International Sale of Goods. The Parties agree that the Uniform Computer Information Transactions Act or any
version thereof, adopted by any state, in any form, will not apply to this Agreement.
B. Anti-Corruption and Anti-Bribery. Each Party acknowledges that it is familiar with and understands the provisions of the
U.S. Foreign Corrupt Practices Act of 1977, as amended (“the FCPA”) and the U.K. Bribery Act of 2010 (“UKBA”) and
agrees not violate or knowingly let anyone violate the FCPA or UKBA. Customer agrees that no payment it makes will
constitute a bribe, influence payment, kickback, rebate, or other payment that violates the FCPA, the UKBA, or any other
applicable anti-corruption or anti-bribery laws.
C. Entire Agreement; Order of Precedence. This Agreement and the applicable exhibits, Orders, or addenda constitutes the
complete and entire agreement between Cofense and Customer with respect to the Software and Services. It replaces and
supersedes any prior agreements, oral or written, between Cofense and Customer concerning the subject matter hereof.
Cofense hereby rejects and deems deleted any additional or different terms or conditions that Customer presents, including,
but not limited to, any terms or conditions contained or referenced in any purchase order, acceptance, or
acknowledgement. No amendment to this Agreement will be effective unless it is in writing and signed by the authorized
representatives of each Party. In the event of conflict between any of the terms in this Agreement and the terms set forth
in an exhibit, Order, or addendum, this Agreement will govern, unless otherwise expressly provided in such other exhibits,
Orders, and addenda.
D. Assignability. Any assignment of this Agreement, Order or addenda by either Party to another party, including any transfer
by operation of law or otherwise, without the other Party's prior written consent (which consent will not be unreasonably
withheld) will be null and void; provided, however, that each Party may assign this Agreement, Order or addenda in whole
or in part, without consent, to an affiliate or in connection with any merger, asset purchase or sale, stock purchase or sale
or similar change of control transaction. Cofense may use subcontractors in the performance of its obligations. Cofense
will disclose subcontractors having access to Customer Data upon Customer’s written request.
E. Force Majeure. With the exception of Customer’s obligation to make payments due and payable to Cofense, neither
Cofense nor Customer will be considered to be in breach or default of this Agreement as a result of its delay or failure to
perform its obligations herein when such delay or failure arises out of causes beyond the reasonable control of the Party
whose performance has been affected.
F. No Third-Party Beneficiaries. Nothing in this Agreement will benefit or create any right or cause of action in or on behalf
of any person or entity other than Customer and Cofense.
G. Waiver and Severability. The failure of a Party to exercise or enforce any right or provision of this Agreement will not
constitute a waiver of such right or provision. If any provision of this Agreement is held to be invalid or unenforceable,
the remaining provisions of this Agreement will remain in full force and effect.
H. Counterparts. This Agreement may be executed in counterparts, each of which for all purposes to be deemed an original,
and both of which together will constitute one and the same instrument. Counterparts may be delivered via facsimile,
electronic mail (including pdf or any electronic signature complying with the U.S. federal ESIGN Act of 2000, e.g.,
www.docusign.com) or other transmission method and any counterpart so delivered will be deemed to have been duly and
validly delivered and be valid and effective for all purposes.MSSA Template August 5, 2024
10
COFENSE CONFIDENTIAL
COFENSE PROFESSIONAL SERVICES
EXHIBIT
In addition to the terms of the Agreement and an applicable Statement of Work, the following terms apply to Professional
Services.
1. From time to time, Cofense and Customer may enter into mutually agreed upon Statements of Work, executed by both
Parties, for Cofense’s performance of Professional Services. Each Statement of Work will incorporate and be governed by
this Agreement. For clarity, Cofense will not be obligated to perform any Professional Services until a Statement of Work
describing those Professional Services has been agreed to and signed by both Parties.
2. When Cofense’s personnel are performing Professional Services on site at Customer’s premises, Customer will allocate
appropriate working space and physical access for all Cofense personnel.
3. Either Party may elect to submit written change requests to the other Party proposing changes to the Statement of Work.
All changes to an applicable Statement of Work will be made using an amendment signed by both Parties.
4. Grant of License. Subject to full payment of Fees by Customer for the Professional Services to which a Deliverable (as
defined below) relates and in accordance with the terms of this Agreement, Cofense will (a) assign to Customer all
copyrights in and to the Deliverables, with the exception of any Cofense IP included therein; and (b) grant to Customer a
non-exclusive, royalty-free, worldwide license to use any Cofense IP incorporated into the Deliverable, solely as part of
the Deliverable and not separate from the Deliverable, as necessary for Customer to make use of the Deliverable as set
forth herein. “Deliverables” means the written reports that are created for Customer as a result of the Professional Services
provided, and specified as Deliverables under an applicable Statement of Work.
5. Deliverables containing Cofense IP may not be shared with any third party other than (i) law enforcement agencies or (ii)
third party consultants/subcontractors, provided that: (A) the consultant/subcontractor is under an obligation of
confidentiality and non-use restrictions at least as restrictive as those set forth in this Agreement and (B) the
consultant/subcontractor is receiving and using the Deliverable for the sole purposes of providing services to Customer.MSSA Template August 5, 2024
11
COFENSE CONFIDENTIAL
COFENSE PHISHME SUBSCRIPTION
EXHIBIT
In addition to the terms of the Agreement, the following terms apply to Cofense PhishMeTM.
1. For the duration of the applicable Subscription Term set forth in the applicable Order and in accordance with the terms of
this Agreement, Cofense grants to Customer a non-exclusive, non-transferable, non-assignable right to access Cofense
PhishMe, including the applicable Documentation and all associated Cofense IP, for Customer’s internal use only.
Customer acknowledges that Cofense has no delivery obligation and will not ship copies of software as part of Cofense
PhishMe.
2. If Customer orders Cofense PhishMe Professional Services in conjunction with the Cofense PhishMe Subscription, the
terms set forth in the applicable Cofense PhishMe professional services exhibit attached to this Agreement, will governs
Cofense’s provision of such Professional Services.
3. Customer is responsible for its Authorized Users’ compliance with the Agreement, this Exhibit and the Cofense PhishMe
Acceptable Use Policy Addendum attached hereto.
4. Cofense PhishMe includes access to Cofense’s standard computer-based training modules for cybersecurity awareness
(“CBTs”) as set forth in the Order. If agreed upon by Cofense, Customer may order additional features or content for the
CBTs at the pricing stated in the Order (“CBT Enhancements”).
5. Customer acknowledges and agrees that the maximum number of Authorized Users will not exceed the number of
Authorized Users set forth in the applicable Order. At the beginning of the Subscription Term, Customer will designate
and allocate the Authorized Users and will not reassign or replace such Authorized Users (except for those designated by
Customer to act as administrators) prior to the expiration of the Subscription Term. Customer may add additional
Authorized Users during the Subscription Term, at the same pricing as set forth in the applicable Order, pro-rated for the
portion of the Subscription Term remaining at the time. Customer will provide Cofense with a primary contact person who
will approve requests for new administrators. Notwithstanding anything in the Agreement to the contrary, any breach by
Customer and its Authorized Users of this Section will result in the immediate suspension or termination of Customer and
its Authorized Users’ access to Cofense PhishMe.
6. Customer may only designate Authorized User’s email addresses with Internet domain names that Customer owns or is
authorized by the Internet domain name owner to use for the purposes contemplated herein.
7. Subscription Availability and Uptime.
a. Cofense will use commercially reasonable efforts to provide Customer administrators with online availability to
Cofense PhishMe 99.8% of the time in any calendar month (“Uptime”), excluding downtime caused by Scheduled
Maintenance, force majeure events, or acts or omissions of Customer not in accordance with the Agreement and
Documentation.
b. Scheduled Maintenance. Scheduled maintenance is used for major upgrades to Cofense applications, servers, or
networks. Scheduled maintenance timeslots are provided in advance and a customer announcement message is
presented to Customer in Cofense PhishMe.
8. The Documentation for Cofense PhishMe sets forth multiple implementation options for Customer to ensure that
simulation emails are delivered to Authorized Users’ inboxes successfully (the “Allow List and Delivery Options”).
Customer acknowledges and understands that (i) it may be necessary for Customer to enable one or more of the Allow List
and Delivery Options and (ii) certain Allow List and Delivery Options may require Customer to submit an additional
acknowledgement and consent.
9. Cofense will, as part of the Subscription, and at no additional cost to Customer, provide Customer with the following
support by the Technical Operations Center (TOC):
a. Cofense PhishMe (Enterprise) support (questions concerning basic feature inquiries, troubleshooting, and
configuration support) is available 24x6 (Sunday-Friday).
b. Cofense PhishMe (SBE) support (questions concerning basic feature inquiries, troubleshooting, and configuration
support) is available 9:00 AM ET to 6:00 PM ET (Monday-Friday).MSSA Template August 5, 2024
12
COFENSE CONFIDENTIAL
c. Normal priority requests received outside of support hours are placed in a support queue for processing by TOC
Engineers during standard support hours. Urgent issues outside of business hours will be received and escalated by a
US based answering service.
d. Special support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed
upon date and time. TOC support hours are subject to holiday hours and closures. TOC support hours may be
reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense
Resource Center. Customer may refer to the most up to date hours as set forth in the Cofense Resource Center.
e. The TOC may be reached via service portal, live chat, and telephone as listed in the Cofense Resource Center.MSSA Template August 5, 2024
13
COFENSE CONFIDENTIAL
ACCEPTABLE USE POLICY ADDENDUM FOR
COFENSE PHISHME
In addition to the terms of the Agreement and the Cofense PhishMe Subscription Exhibit to which this Acceptable Use Policy
Addendum (this “Policy”) is attached, the following conduct and usage restrictions set forth in this Policy govern Customer
and its Authorized Users’ access to Cofense PhishMe (“Subscription”). Capitalized terms used below but not defined in this
Policy will have the meaning set forth in the Agreement and the Cofense PhishMe Subscription Exhibit. Customer and its
Authorized Users must promptly notify Cofense of any actual or suspected illegal or unauthorized activity or a security breach
involving Cofense PhishMe.
If Customer creates their own customized simulations using Cofense PhishMe as an interactive computer service, Customer
and its Authorized Users may not:
a) disseminate material that is abusive, obscene, pornographic, defamatory, harassing, grossly offensive, vulgar,
threatening, or malicious;
b) disseminate materials that would constitute an infringement upon the patents, copyrights, trademarks, trade secrets or
other intellectual property rights of others;
c) disseminate materials that would constitute impersonation of any governmental agency;
d) remove any disclaimers from any Cofense IP or materials;
e) use third-party logos without prominent disclaimers of trademark ownership, relationship and/or affiliation;
f) use Cofense PhishMe for any illegal purpose, or in violation of any laws;
g) disseminate materials that would give rise to liability under the Computer Fraud and Abuse Act;
h) use Cofense PhishMe to commit fraud or engage in other misleading or deceptive activities;
i) upload to, or transmit from Cofense PhishMe any viruses, worms, defects, Trojan horses, time-bombs, malware,
spyware, or any other computer code of a destructive or interruptive nature;
j) remove any legal disclaimers provided by Cofense that are present on any simulations or educational pages;
k) share Cofense PhishMe and any associated Cofense IP and Cofense Confidential Information with any third-parties,
except as expressly authorized in advance by Cofense in writing;
l) use Cofense PhishMe and Cofense IP in any way to provide services to any third-party;
m) disassemble, decompile, reverse compile, reverse engineer or attempt to discover any source code or underlying ideas
or algorithms of Cofense PhishMe and any Cofense IP (except to the limited extent that applicable law prohibits
reverse engineering restrictions solely for interoperability purposes);
n) sell, resell, distribute, sublicense or otherwise transfer, Cofense PhishMe and any Cofense IP, or make the functionality
of Cofense PhishMe available to any other party through any means (unless Cofense has provided prior written
consent); and
o) reproduce, alter, modify or create derivatives of the Cofense IP (unless as expressly permitted in this Agreement).
Authorized Users must comply with any Intellectual Property Rights asserted in any Cofense IP provided to Customer for the
purposes of using with Cofense PhishMe. Authorized Users will maintain and not remove or obscure any proprietary notices
on Cofense IP.
Remedies. Violation of this Policy may result in civil or criminal liability, and Cofense may, in addition to any other remedy
that Cofense may have at law or in equity, terminate any permission for Customer and any Authorized User to access Cofense
PhishMe or immediately remove the offending material. In addition, Cofense may investigate incidents that are contrary to this
Policy.MSSA Template August 5, 2024
14
COFENSE CONFIDENTIAL
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the
property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the
holders of the trademarks. Cofense reserves the right to update and modify this Policy at any time from time-to-time. Continued
use of Cofense PhishMe by Customer and its Authorized Users after such update or modification will indicate Customer’s
acceptance of the updates and/or modifications to this Policy.MSSA Template August 5, 2024
15
COFENSE CONFIDENTIAL
COFENSE REPORTER
EXHIBIT
In addition to the terms of the Agreement, the following terms apply to Cofense ReporterTM.
1. For the duration of the applicable Subscription Term (or if the Software version of Cofense Reporter, the Software License
Term) set forth in the applicable Order and in accordance with the terms of this Agreement, Cofense grants to Customer
a non-exclusive, non-transferable, non-assignable right to access or use Cofense Reporter, including the applicable
Documentation, for Customer’s internal use only. Authorized User-initiated Cofense Reporter reports must be sent to a
mailbox owned by Customer or authorized mailbox. Customer acknowledges and agrees that Cofense may store Customer
Data from Cofense Reporter in the United States. Customer acknowledges and agrees that Cofense may use data analyzed
in received emails to provide and improve our products and services. Customer is responsible for its Authorized Users’
compliance with the Agreement and this Exhibit.
2. The use of Cofense Reporter by Customer will be at no cost as long as Customer is under a current Cofense PhishMe
Subscription Term or Cofense Triage Software License Term; provided, however, if at any time Customer is using
Cofense Reporter and is not under a then-current Cofense PhishMe Subscription Term or Cofense Triage Software
License Term, Customer will be charged an annual maintenance fee equal to sixty percent (60%) of the then current
Cofense PhishMe or Cofense Triage list price, unless otherwise mutually agreed by the Parties in writing.
3. Notwithstanding anything in the Agreement to the contrary, Customer may use any “Third-Party Products” (as such term
is defined herein) in combination with Cofense Reporter, provided, however that Cofense does not make any
representations and warranties or covenants of any nature or kind with respect to any Third Party Products, nor will
Cofense have any liability for any damages that Customer may directly or indirectly incur or suffer as result of or arising
from Customer’s use of any Third Party Product in combination with Cofense Reporter. Customer further acknowledges
and agrees that it is subject to a third party’s respective terms and conditions with respect to the use of any Third-Party
Products. For purposes of this Exhibit, the term, “Third-Party Products” means any third-party products authorized by
Cofense and selected by Customer, for use in combination with Cofense Reporter.
4. As part of the license to Cofense Reporter (depending on the email client), Customer may configure the Cofense Reporter
icon logo and user facing language. Customer acknowledges and agrees that it will not: a) use any image or language that
is abusive, obscene, pornographic, defamatory, harassing, grossly offensive, vulgar, threatening, or malicious; b) use any
image or language that infringes upon the patents, copyrights, trademarks, trade secrets or other intellectual property
rights of others; and c) use Cofense Reporter for any illegal purpose, or in violation of any laws.
5. Availability and Uptime for SaaS Subscription version of Cofense Reporter only.
a. Cofense will use commercially reasonable efforts to provide Customer administrators with online availability to
Cofense Reporter 99.8% of the time in any calendar month (“Uptime”), excluding downtime caused by Scheduled
Maintenance, force majeure events, or acts or omissions of Customer not in accordance with the Agreement and
Documentation.
b. Scheduled Maintenance. Scheduled maintenance is used for major upgrades to Cofense applications, servers, or
networks. Scheduled maintenance notice will be provided in advance.MSSA Template August 5, 2024
16
COFENSE CONFIDENTIAL
SOFTWARE SUPPORT SERVICES
EXHIBIT
In addition to the terms of the Agreement, the following terms will govern the Software Support Services with respect to
Customer’s license of the applicable Cofense Software.
During the Support Term, Cofense will provide Customer notification of bug fixes, maintenance patches and new releases
which may contain minor enhancements to the features or functions of the Software (“Updates”). Unless otherwise set forth
elsewhere in the Agreement, Customer may obtain Updates from Cofense’s server via the Internet. Cofense reserves the right
to impose additional charges for releases of Software (i) that provide major enhancements to the features or functions of the
Software, as determined by Cofense at its sole discretion; or, (ii) that provide additional features or perform additional functions
not provided or performed by the Software. Support for Software is subject to Cofense’s End of Life Policy as set forth in the
Cofense Resource Center.
Technical Operations Center (TOC) for Cofense Reporter, Cofense Vision and Cofense Triage Enterprise Support:
a. Cofense Support (questions concerning basic feature inquiries, troubleshooting, installation and configuration
support) is available 9:00 AM ET to 6:00 PM ET (Monday-Friday) US ET.
b. Normal priority requests received outside of support hours are placed in a support queue for processing by TOC
Engineers during standard support hours. Urgent issues outside of business hours will be received and escalated by a
US based answering service.
c. Special support assistance outside of core hours may be arranged and scheduled by the Parties at a mutually agreed
upon date and time. TOC support hours are subject to holiday hours and closures. TOC support hours may be
reasonably updated at any time by Cofense, with thirty (30) days’ advanced notice to Customer through the Cofense
Resource Center. Customer may refer to the most up to date hours as set forth in the Cofense Resource Center.
d. The TOC Reporter, Vision and Triage Support teams may be reached via service portal, live chat, and telephone as
listed in the Cofense Resource Center.MSSA Template August 5, 2024
17
COFENSE CONFIDENTIAL
COFENSE PHISHME™ (ENTERPRISE)
PROFESSIONAL SERVICES PREMIUM
EXHIBIT
1. Services Description. Notwithstanding anything in the Agreement to the contrary, Cofense will provide the professional services set
forth below in connection with an applicable Order and Customer’s current subscription of Cofense PhishMe™. For purposes of this
Exhibit, the term “Professional Services” will include the Cofense PhishMe Professional Services Premium services described in this
Exhibit.
A. Professional Services Overview. Cofense will build and execute simulated phishing scenario campaigns (“Scenario(s)”) through
Cofense PhishMe. Cofense will further conduct analysis of the results of such Scenarios, facilitate Customer meetings, and provide
reports to Customer as set forth herein.
B. Initial Planning and Implementation. Cofense will:
i. Assign a Cofense consultant as Customer’s point of contact for the performance of Professional Services under this Exhibit.
ii. Conduct a kickoff call with Customer to develop an understanding of Customer’s security environment, Customer’s current
security efforts, and assignment of decision making roles and required processes for Customer under this Exhibit.
iii. Conduct an additional conference call with Customer to discuss key phishing concepts, the Professional Services program
phases, key technical and education requirements, establishment of desired outcomes, and an understanding of the measures of
success for Customer’s Cofense PhishMe program.
iv. Conduct a reasonable number of test Scenarios (no more than four) to confirm Cofense PhishMe setup is complete and
functioning appropriately.
v. Provide an appropriate phishing program announcement for use by Customer to introduce Customer personnel to the Cofense
PhishMe program.
C. Standard Program Services. Cofense consultant will perform the following:
i. Provide support for up to twelve (12) Scenarios annually in accordance with a mutually agreed schedule between Cofense and
Customer which may include recipient list upload to Cofense PhishMe, preparing phishing email templates and scheduling of
Scenarios. With respect to the foregoing Scenarios, Cofense will use commercially reasonable endeavors to create, send, and
report on each Scenario within seven (7) business days of Scenario completion. However, this delivery time frame may be
increased depending on the complexity of the Scenario.
ii. Conduct quarterly Cofense PhishMe program reviews with Customer, and such other meetings as mutually agreed upon by the
Parties.
2. Deliverables. Cofense will provide the following Deliverables.
A. Program Plan. Cofense will provide a standard Cofense program plan including best practices and a recommended schedule of
phishing Scenarios for the Professional Services Term.
B. Scenario Reports. Up to twelve (12) Scenario Reports subject to Section 1(C)(i).
C. Standard Quarterly Program Review Reports.
D. Semi-annual “Board of Directors” Reports. Cofense will provide a standard Board of Directors Report two (2) times during the
current Professional Services Term.
3. Cofense PhishMe Professional Services – Premium, Multi-Entity (if applicable).
A. If Customer has ordered Professional Services Premium Multi-Entity (Coordinated), the following will apply: Cofense will provide
the services and Deliverables to Customer Affiliates which follow Customer’s overall program and scenario execution plan, and
one Customer administrator would serve as the point of contact for the Cofense consultant serving as the point of contact to
Customer.
B. If Customer has ordered Professional Services Premium Multi-Entity (Independent), the following will apply: Cofense will provide
the services and Deliverables to Customer’s Affiliates, however each Affiliate may determine its own Scenario content and
execution plan independently from Customer. Each Affiliate would have its own, separate Cofense PhishMe account and neither
Customer nor Affiliate data would be shared among Affiliates.
C. For the purpose of this Section, an “Affiliate” of a Party will mean any entity that controls, is controlled by, or is under common
control with such Party. For the purpose of the foregoing “control” will mean more than fifty percent (50%) ownership of assets or
equity.
4. Term. The term of Professional Services performance will be set forth in the applicable Order, or if not specified in the Order, theMSSA Template August 5, 2024
18
COFENSE CONFIDENTIAL
Professional Services will commence on the date set forth in the Order and will continue until the earlier of (i) one (1) year from such
date or (ii) the expiration or termination of Customer’s subscription to Cofense PhishMe (“Professional Services Term”). Unless
otherwise stated on the Order, Customer may renew the Professional Services for additional periods of one (1) year subject to Customer
having a subscription to Cofense PhishMe by providing written to Cofense of its intent to renew the Professional Services no later than
sixty (60) days prior to the end of the then-current Professional Services Term.
5. Fees. Fees for the Professional Services shall be set forth in the applicable Order.
6. Additional Terms.
A. Customer agrees that failure to provide timely responses or input as required for performance of the Professional Services may
impact the timing of performance by Cofense.
B. Customer and Cofense will jointly schedule any meetings, reviews, and/or coordination of resources.
C. Customer agrees that any request to increase the frequency of Deliverables, to customize the Deliverables, or to provide reports not
expressly set forth in this Exhibit fall outside the scope of this Exhibit and a mutually agreed upon amendment will be required.
D. Customer understands and acknowledges that the Professional Services require downloading and analyzing Customer data outside
of the Cofense PhishMe environment (i.e. a local analysis) in order for Cofense to perform its obligations.MSSA Template August 5, 2024
19
COFENSE CONFIDENTIAL
COFENSE PHISHME™ (ENTERPRISE)
PROFESSIONAL SERVICES CONSULTING
EXHIBIT
1. Services Description. Notwithstanding anything in the Agreement to the contrary, Cofense will provide the professional
consulting services set forth below in connection with an applicable Order and Customer’s current subscription of Cofense
PhishMe™. For purposes of this Exhibit, the term “Professional Services” will include the Cofense PhishMe Professional
Services Consulting services described in this Exhibit.
A. Professional Services Overview. Cofense will provide guidance for simulated phishing scenario campaigns
(“Scenario(s)”) Customer sends through Cofense PhishMe, including recommendations, and strategy development as
set forth herein.
B. Cofense will:
i. Assign a Cofense consultant as Customer’s point of contact for the performance of Professional Services under
this Exhibit.
ii. Conduct a kick-off call with Customer to develop an understanding of Customer’s security environment,
Customer’s current security efforts, and assignment of decision making roles and required processes for Customer
under this Exhibit.
iii. Conduct an additional conference call with Customer to discuss key phishing concepts, the Professional Services
program phases, key technical and education requirements, establishment of desired outcomes, and an
understanding of the measures of success for Customer’s Cofense PhishMe program.
iv. Conduct a reasonable number of test Scenarios (no more than four) to confirm Cofense PhishMe setup is complete
and functioning appropriately.
v. Provide an appropriate phishing program announcement for use by Customer to introduce Customer personnel to
the Cofense PhishMe program.
vi. Conduct quarterly Cofense PhishMe program reviews with Customer, and such other meetings as mutually agreed
upon by the Parties.
C. Scheduled Meetings. The Cofense consultant assigned as Customer’s point of contact will be available for up to one
(1) hour per week to meet remotely with Customer to advise Customer regarding its Cofense PhishMe program.
Customer will request such meetings no less than two (2) business days in advance.
2. Deliverables. Cofense will provide the following Deliverables:
A. Program Plan. Cofense will provide a standard Cofense program plan including best practices and a recommended
schedule of phishing Scenarios for the Professional Services Term.
B. Standard Quarterly Program Review Reports.
C. Semi-annual “Board of Directors” Reports. Cofense will provide a standard Board of Directors Report two (2) times
during the current Professional Services Term.
3. Term. The term of Professional Services will be set forth in the applicable Order, or if not specified in the Order, the
Professional Services will commence on the date set forth in the Order and will continue until the earlier of (i) one (1) year
from such date or (ii) the expiration or termination of Customer’s subscription to Cofense PhishMe (“Professional Services
Term”). Unless otherwise stated on the Order, Customer may renew the Professional Services for additional periods of one
(1) year subject to Customer having a subscription to Cofense PhishMe by providing written notice to Cofense of its intent
to renew the Professional Services no later than sixty (60) days prior to the end of the then-current Professional Services
Term.
4. Fees. Fees for the Professional Service(s) shall be set forth in the applicable Order.
5. Additional Terms.
A. Customer agrees that failure to provide timely responses or input as required for performance of the Professional
Services may impact the timing of performance by Cofense.MSSA Template August 5, 2024
20
COFENSE CONFIDENTIAL
B. Customer and Cofense will jointly schedule any meetings, reviews, and/or coordination of resources.
C. Customer agrees that any request to increase the frequency of Deliverables, to customize the Deliverables, or to
provide reports not expressly set forth in this Exhibit fall outside the scope of this Exhibit and a mutually agreed upon
amendment will be required.
D. Customer understands and acknowledges that the Professional Services require downloading and analyzing Customer
data outside of the Cofense PhishMe environment (i.e. a local analysis) in order for Cofense to perform its obligations.MSSA Template August 5, 2024
21
COFENSE CONFIDENTIAL
COFENSE PHISHME PROFESSIONAL SERVICES VISHING
EXHIBIT
1. Services Description. Notwithstanding anything in the Agreement to the contrary, Cofense will provide the professional services set
forth below in connection with an applicable Order and Customer’s current subscription to Cofense PhishMe™. For the purposes of this
Exhibit, the term “Professional Services” will include the Cofense PhishMe Professional Services Vishing services described in this
Exhibit.
A. Professional Services Overview. Cofense will build and execute simulated vishing campaigns (“Vishing Scenario(s)”) through
Cofense PhishMe. The Professional Services will include four (4) Vishing Scenarios for each twelve (12) month period during the
Professional Services Term. Cofense will further conduct analysis of the results of such Vishing Scenarios, facilitate Customer
meetings, and provide reports to Customer as set forth herein.
B. Initial Planning and Implementation. Cofense will:
i. Assign a Cofense consultant as Customer’s point of contact for the performance of Professional Services under this Exhibit.
ii. Conduct a kickoff call with Customer to develop an understanding of Customer’s security environment, Customer’s current
security efforts, and assignment of decision-making roles and required processes for Customer under this Exhibit.
iii. Conduct a reasonable number of test vishing scenarios (no more than four (4)) to a designated Customer test group to confirm
Cofense vishing solution is complete and functioning appropriately before launching the production Vishing Scenario.
iv. Provide an appropriate phishing/vishing program newsletter for use by Customer to introduce Customer personnel to the
Cofense PhishMe and vishing program.
C. Standard Vishing Program Services. Cofense consultant will perform the following:
i. Setup initial configuration including one (1) toll-free/Direct Inward Dialing (DID) line (the “Line”) for each Vishing Scenario.
This includes building, recording and uploading phone message recordings for greeting and susceptibility messages (the “Phone
Message Recordings”) for the Line.
ii. Provide support for each Vishing Scenario in accordance with a mutually agreed upon schedule between Cofense and Customer
which includes recipient list upload to Cofense PhishMe, preparing vishing email templates and scheduling of Vishing
Scenarios. With respect to the foregoing Vishing Scenarios, Cofense will use commercially reasonable efforts to create, send,
and report on each Vishing Scenario within ten (10) business days of Vishing Scenario completion. However, this delivery time
frame may be increased depending on the complexity of the Vishing Scenario.
iii. Conduct a Cofense vishing program review for each Vishing Scenario with Customer, and such other meetings as mutually
agreed upon by the Parties, to prepare and launch Vishing Scenarios.
iv. Provide follow up educational materials to those recipients that dialed in and input their unique authentication code and/or
clicked on the Vishing Scenario URL.
2. Deliverables. Cofense will provide the following Deliverables.
A. Program Plan. Cofense will provide a standard program plan including best practices and a recommended schedule of Vishing
Scenarios for the Professional Services Term.
B. Standard Vishing Vulnerability Reports. Vishing Vulnerability Report for each Vishing Scenario subject to Section 1(C)(ii).
3. Term. The term of Professional Services performance will be set forth in the applicable Order, or if not specified in the Order, the
Professional Services will commence on the date set forth in the Order and will continue until the earlier of (i) one (1) year from such
date or (ii) the expiration or termination of Customer’s subscription to Cofense PhishMe (the “Professional Services Term”). Unless
otherwise stated on the Order, Customer may renew the Professional Services for additional periods of one (1) year subject to Customer
having a subscription to Cofense PhishMe by providing written notice to Cofense of its intent to renew the Professional Services no
later than sixty (60) days prior to the end of the then-current Professional Services Term.
4. Fees. Fees for the Professional Service(s) shall be set forth in the applicable Order.
5. Additional Terms.
A. Customer agrees that failure to provide timely responses or input as required for the performance of the Professional Services may
impact the timing of performance by Cofense. Customer and Cofense will jointly schedule any meetings, reviews, and/or
coordination of resources.
B. At the beginning of the Professional Services Term, Customer will designate and allocate the Authorized Users who will receive
the Vishing Scenarios and will not reassign or replace such Authorized Users prior to the expiration of the Professional Services
Term. Customer may add additional Authorized Users who will receive the Vishing Scenarios during the Professional Services
Term, at the same pricing as set forth in the applicable Order, pro-rated for the portion of the Professional Services Term remaining
at the time.
C. Customer will (i) comply with all applicable legal requirements regarding privacy and data protection; and (ii) provide sufficient
notice to, and obtain sufficient consent and authorization from Customer personnel, Authorized Users, and any other party
providing personal data to Customer and Cofense to permit the use, processing, and transfer of the data by Customer, Cofense, and
each Party’s respective affiliates, subsidiaries, and service providers as contemplated by this Exhibit.MSSA Template August 5, 2024
22
COFENSE CONFIDENTIAL
D. Customer agrees to indemnify, defend and hold Cofense, its employees and agents harmless from any and all claims and/or
demands, including reasonable attorneys’ fees, made by any third party arising out of or related to: (a) the unauthorized disclosure
or exposure of personal data or other private information by Customer; (b) use of the Professional Services by Customer, including
by Customer’s Authorized Users, infringing a third party right, or harassing, defaming, or defrauding a third party or Customer
personnel; or (c) Customer’s use of the Professional Services in violation of this Exhibit.
E. Customer agrees that any request to increase the frequency of Deliverables, to customize the Deliverables, to provide reports not
expressly set forth in this Exhibit, to setup additional toll-free/Direct Inward Dialing (DID) lines, to localize and/or translat