Welcome to CYFOX, an AI-based XDR solution that reduces the complexity of managing multiple cybersecurity systems by consolidating several solutions and security tools into a single platform as further explained at: https://CYFOX.com/ (the “Service”).
The Service is developed and operated by CYFOX Technologies Ltd. (“CYFOX”), and may be provided directly to you by CYFOX or by other third parties, such as CYFOX partners (“Partner(s)”) or CYFOX distributers (“Distributer(s)”) that have entered into an agreement with CYFOX (collectively, the "Company", "we", "us" and "our").
Please carefully read the following terms and conditions, including our Data Processing Addendum (“DPA”), the Service Privacy Policy and any document referenced herein (the "Terms"). By accessing or using the Service in any way, or by registering as a user for the Service (in each case, a "Customer", "you"), you agree to be bound by these Terms and you signify that you have read and understood them. If you do not agree to these Terms, you may not use the Service in any way.
1.	Definitions 
1.1.	“CYFOX Technology” means CYFOX’s products, technology tools, product designs, algorithms, software (in source and object forms), user interface designs, architecture, class libraries, objects and documentation (both printed and electronic), network designs, trade secret, know-how, methodology, platforms, apps, application programming interface (“API”), and any other tools or programs used by or for CYFOX on its behalf with regard to its Service, and any related IP Rights related thereto throughout the world and also including any derivatives, improvements, translations, enhancements or extensions of or to the foregoing.
1.2.	Customer’s Content means information: (a) that identifies or depicts the Service Users’ content that is controlled or monitored through the Service, (b) all data or information uploaded, transmitted, shared or generated by Users to the Service and that is being processed through the Service.
1.3.	“Customer’s Data” means Customer’s Content and Output Data collectively.
1.4.	 “Delivery” means making the Service available to Customer via installation at Customer premises.
1.5.	“Order Form” means the order form that Customer has accepted or signed (including, but not limited to, by way of Customer issuing a purchase order pursuant to the quote or proposal provided by Company), in each case specifying, among others, the Customer’s details, the duration of the provision of the Service to Customer, the Fees (as defined below) and payment terms applicable to these Terms, the usage metrics, parameters and capacity limitations for the Customer’s use of the Service, the integrations supported, timetables and rollout plan. Such Order Form is incorporated by reference to these Terms and constitutes an integral part of it.
1.6.	“Output Data” means the various reports, alerts, analytics, content, documentation and other types of information and data that the Service may generate, provide or make available to Customer.
1.7.	“Service Data” means (a) the data collected and processed in the course of providing the Service, about the use of the Service, including suspicious files, de-identified data, bandwidth utilization, (b) statistical or aggregated information about Customer’s use of the Service and all pertinent information at Customer’s disposal concerning bugs, errors and malfunctions in the Service, performance of the Service, its compatibility and interoperability, and (c) any personal data processed for the proper administration of the Service. Service Data expressly excludes Output Data.
1.8.	“Support Services” means Service updates, maintenance, remote technical support for technical questions, problems and inquiries regarding the Service as agreed under the Order Form and the Service Level Agreement (“SLA”). 
1.9.	“Term” means the period of these Terms as specified in section ‎11 below.
1.10.	“Users” means Customer’s employees, agents, contractors and others, who have been authorized or enabled by Customer to use the Service.
2.	License & Services
2.1.	SaaS.  Subject to these Terms and applicable Order Form, including without limitation, Customer’s payment of the applicable fees hereunder, Customer may, during the applicable Term, access and use the Service flagged as “SaaS” in the Order Form, solely for internal use, within your organization (the “Purpose”), on a non-assignable, non-exclusive and non-transferrable basis, pursuant to the usage parameters, limits and metrics specified in the Order Form.
2.2.	License. Subject to these Terms and applicable Order Form, including without limitation, Customer’s payment of the applicable fees hereunder, Company shall grant Customer, a limited, non-assignable, non-exclusive and non-transferrable and not sublicense-able right to install, access, use the Service flagged as “On-Prem” in the Order Form and Output Data during the applicable Term solely for the Purpose and for internal use only, pursuant to the usage parameters, limits and metrics specified in the Order Form.
2.3.	Customer’s right to use the Service is expressly limited to the number of end users, workstations, servers or other such limitations as indicated by the Order Form. Only object code, machine-readable versions of the software are licensed or provided access to Customer hereunder, and Customer has no rights under these Terms to the source code versions of the software.
2.4.	The Service’s license or rights of use shall become effective upon Delivery (or upon acceptance of these terms in case of SaaS) of the Service and shall remain in force unless terminated pursuant to Section 11 of these Terms.  This right does not include permission to grant sub-licenses or otherwise transfer such rights. 
2.5.	Upon Delivery (where applicable), Customer may make a reasonable number of copies of the Service’s software for back-up, archival, and disaster recovery purposes during the Subscription Term. The Service software must be de-installed and destroyed at the end of the Subscription Term.
2.6.	Customer covenants that Customer and its Users will use the Service only in compliance with all applicable laws and regulations, these Terms and any policies or instructions issued by Company.
2.7.	Customer shall be permitted to designate the Users of the Service, provided that such usage is in accordance with these Terms. Customer must ensure that its Users fully comply with these Terms. Customer shall be liable to Company for all acts or omissions of those that use and deal with the Service on its behalf as though Customer had performed those acts or omissions. Customer shall not authorize access to or permit use of the Service by persons other than its Users. Company may, at any time and without any liability to Customer, suspend and/or terminate Customer or any User’s access to the Service in the event Company reasonably believes that the Customer or such User has violated any provision of these Terms.
2.8.	During the Term, Customer may change the usage parameters, capacity limits and other metrics applicable to its use of the Service by mutual written agreement (email being sufficient) with Company. Where such changes are agreed, they are incorporated by reference into the Order Form and apply pursuant to the conditions mutually agreed to, including with respect to the new Fees agreed to in light of the change.
2.9.	Customer and its Users are responsible for maintaining the confidentiality of their Service login credentials. Customer is solely responsible for any decision-making based on the Output Data, and for all consequences resulting therefrom.
3.	Installation (only applicable to On-Prem)
3.1.	Installation. Customer will provide Company with reasonable access to the installation site and will allocate sufficient personnel to assist with the installation and integration. 
3.2.	Customer Responsibility. Customer will assign a knowledgeable representative to act as project manager to provide information, answer questions and make decisions on behalf of Customer. Customer is responsible for installation of any local area network, host computer and telephone system connectivity required to support the Installation.  Prior to Installation, Customer is responsible for providing a stable operating environment (network, host computer, servers, telephone system, etc.).  In no event shall Company be liable for any failure or delay caused by events beyond its control, including, without limitation, the failure of Customer to furnish the necessary information required by Company to fulfill these Terms or a completed site preparation or failures or substitutions of Customer’s existing system.
3.3.	Customer Representative. Customer will assign a representative for receiving Service alerts, if included as part of the Service.  Customer is responsible for providing correct and contact information, updating it and maintaining it.  In no event shall CYFOX be liable for any failure or delay caused by events beyond its control, including, without limitation, the failure of Customer to maintain or provide the correct contact information required to fulfill this Agreement.
4.	Use Restriction 
4.1.	Customer and its Users shall not: 
4.1.1.	distribute, rent, lease, sublicense, transfer and/or assign the Service, the access to or use thereof, or any part thereof to any third party, with or without consideration; 
4.1.2.	render any services to third parties using the Service;
4.1.3.	remove, or in any manner alter, any product identification, proprietary, trademark, copyright or other notices in the Service; 
4.1.4.	allow any third parties to use the Service; 
4.1.5.	interfere with, burden or disrupt the Service’s functionality; 
4.1.6.	make any copies of the Service, its content or any portions thereof. 
4.1.7.	display content from the Service in any way; including by any software, feature, gadget or communication protocol which may alter the content or its design; 
4.1.8.	download content from the Service for any purpose, unless explicitly stated by Company that such action is permitted; 
4.1.9.	breach the security of the Service, identify, probe or scan any security vulnerabilities in the Service other than such activities performed in mutual agreement with Company; 
4.1.10.	work around any technical limitations of the Service, or use any tool to enable features or functionalities that are otherwise disabled, inaccessible or undocumented in the Service; 
4.1.11.	send any virus, worm, Trojan horse or other malicious or harmful code or attachment;
4.1.12.	use robots, crawlers and similar applications to scrape, harvest, collect or compile content from or through the Service.
4.1.13.	enhance, supplement, modify, adapt, decompile, disseminate, disassemble, recreate, generate, reverse assemble, reverse compile, reverse engineer, or otherwise attempt to identify the underlying source code of the Service; or
4.1.14.	access and use the Service in order to develop, or create, or permit others to develop or create, a product or service similar or competitive to the Service.
4.2.	Any such improper use of the Service will result in irreparable harm to Company for which monetary damages would be inadequate. 
4.3.	Company has no obligation to monitor that Customer’s use of the Service complies with these Terms but may elect to do so. Company may suspend the provision of the Service to the Customer upon notice and good-faith discussion with the Customer, if Company reasonably believes that the Customer is in violation of the foregoing in a manner detrimental to Company or to the proper operation of the Service.
4.4.	CUSTOMER MAY NOT USE THE SERVICE FOR ANY ACTIVITY THAT CONSTITUTES, OR ENCOURAGES CONDUCT THAT WOULD CONSTITUTE, A CRIMINAL OFFENSE, GIVE RISE TO CIVIL LIABILITY OR OTHERWISE VIOLATE ANY APPLICABLE LAW.
5.	Fee
Where applicable, In consideration for the Customer’s access or license to use the Service, Customer will pay the fees specified in the Order Form (“Fee(s)”) according to the payment terms specified therein. The Fees are non-refundable. The Fees are exclusive of any excise, sales tax, VAT, withholding tax or other governmental charges or transaction charges. Customer shall bear all such taxes and charges. 
6.	Intellectual Property 
6.1.	All rights, title and interest in the Service and all CYFOX Technology, including any and all IP Rights related thereto, are the sole property of CYFOX. The Service is a proprietary offering of CYFOX, protected under copyright laws and international copyright treaties, patent law, trade secret law and other intellectual property rights of general applicability. The Service is offered or licensed to the Customer for use and access only in accordance with the terms of these Terms and is not sold or licensed in any other way. All rights in and to the Service or CYFOX Technology not expressly granted to Customer in these Terms are hereby reserved by CYFOX.
6.2.	Except for Customer’s limited license to access and use the Service and the Output Data according to these Terms, these Terms does not grant or assign to Customer, any other license, right, title, or interest in or to the Service or CYFOX Technology, or the intellectual property rights associated with them. All rights, title and interest, including copyrights, patents, trademarks, trade names, trade secrets and other intellectual property rights, and any goodwill associated therewith, in and to the Service or any part thereof, including computer code, graphic design, layout and the user interfaces of the Service, whether or not based on or resulting from Service Data, are and will remain at all times, owned by, or licensed, to CYFOX. 
6.3.	Customer acknowledges and agrees solely in connection with CYFOX’s provision of the Service, Company is hereby granted a limited, revocable, nonexclusive, internal, and royalty-free license, solely during the Term to access Customer Data for the strict limited purposes of supporting Customer’s use of the Service as described herein. 
6.4.	Customer owns all right, title and interest in Output Data. Customer grants Company and its third-party service providers a license to use Customer Data strictly for the proper support of the Service to the Customer.
6.5.	WE DO NOT CLAIM OWNERSHIP OVER CUSTOMER’S DATA. WHEN YOUR USE OF THE SERVICE INVOLVES CUSTOMER’S DATA, YOU REPRESENT AND WARRANT TO US THAT YOU ARE LAWFULLY PERMITTED TO HAVE US PROCESS THE CUSTOMER’S DATA FOR THE SUPPORT OF THE SERVICE TO YOU.
6.6.	Customer may provide Company with Service Data about the Service’s experience of use, including information pertaining to bugs, errors, suspicious files and malfunctions of the Service, performance of the Service, the Service’s compatibility and interoperability, and information or content concerning enhancements, changes or additions to the Service that Customer requests, desires or suggests. Customer hereby assigns all right, title and interest in and to the Service Data to CYFOX, including the right to make commercial use thereof, for any purpose CYFOX deems appropriate. The Customer is not entitled to any remuneration for the foregoing assignment or CYFOX’s use of the Service Data.
6.7.	The Service uses or includes open source software components listed within the Service’s documentation (“OSS”). To the extent so stipulated by the license that governs each OSS ("OSS License"), each such OSS is subject to its respective OSS License, not these Terms, and is licensed to you directly by its respective licensor, not sublicensed by us. If, and to the extent, an OSS License requires that these Terms effectively impose, or incorporate by reference, certain disclaimers, provisions, prohibitions or restrictions, then such disclaimers, provisions, prohibitions or restrictions shall be deemed to be imposed, or incorporated by reference into these Terms, as required, and shall supersede any conflicting provision of these Terms, solely with respect to the corresponding OSS which is governed by such OSS License
6.7.1.	CentOS 7 (GPLv2) - https://www.centos.org/
6.7.2.	Suricata (GPLv2) - https://suricata.io/
6.7.3.	NetDisco (BSD – 3 – Clause License) - http://netdisco.org/
6.7.4.	Nmap (GPLv2) - https://nmap.org/
6.7.5.	Modern Honeypot Network (GPLv2.1) – Gitub 
6.7.6.	Docker - https://www.docker.com/
6.7.7.	pywinrm - http://github.com/diyan/pywinrm/
6.7.8.	Postgresql - https://www.postgresql.org/
6.7.9.	Apache http server (httpd) - https://httpd.apache.org/
6.8.	Customer may provide Company with Feedback, includinginformation pertaining to bugs, errors and malfunctions of the Service, performance of the Service, content and accuracy of the Service, the Service’s compatibility and interoperability, and information or content concerning enhancements, changes or additions to the Service that Customer requests, desires or suggests. Customer hereby assigns, without charge, all right, title and interest in and to the Feedback to Company, including the right to make commercial use thereof, for any purpose Company deems appropriate.
7.	Confidentiality 
7.1.	”Confidential Information” shall mean any and all information disclosed by one party (”Disclosing Party”) to the other (”Receiving Party”) regarding past, present, or future marketing and business plans, customer lists, lists of prospective customers, technical, financial or other proprietary or confidential information of the Disclosing Party, formulas, concepts, discoveries, data, designs, ideas, inventions, methods, models, research plans, procedures, designs, formulations, processes, specifications and techniques, prototypes, samples, analyses, computer programs, trade secrets, data, methodologies, techniques, non-published patent applications and any other data or information, as well as improvements and know-how related thereto. 
7.2.	Each party will, and will cause each of its personnel and agents to: (a) not disclose the other party’s Confidential Information to any third party, (b) not use the other party’s Confidential Information for any purpose other than to perform its obligations or exercise its rights under these Terms, and (c) protect the confidentiality of the Confidential Information of the other party in the same manner that it protects the confidentiality of its own proprietary and confidential information of like kind, but in no event shall either party exercise less than reasonable care in protecting such Confidential Information. Notwithstanding this Section, each party shall be able to disclose Confidential Information of the other party to its personnel and agents (including, without limitation, Users) who have a need to know for the Receiving Party to perform its obligations or exercise its rights under these Terms, provided such personnel or agents have been previously advised of the confidential nature of the information and have written obligations of confidentiality to the Receiving Party.
7.3.	The obligations set forth in this Section shall not apply to information that: (i) is now or subsequently becomes generally available in the public domain through no fault or breach on Receiving Party's part; (ii) Receiving Party can demonstrate in its prior established records to have had rightfully in Receiving Party's possession prior to disclosure of the same by the Disclosing Party; (iii) Receiving Party can demonstrate by written records that it had rightfully obtained from a third party who has the right to transfer or disclose said information, without default or breach of confidentiality obligations; (iv) Disclosing Party has provided its prior written approval for disclosure; or (v) Receiving Party are required to disclose pursuant to a binding order or request by court or other governmental authority, or a binding provision of applicable law, provided that, to the extent permissible, Receiving Party shall provide the Disclosing Party notice of the requested disclosure as soon as practicable, to allow the Disclosing Party, if it so chooses, to seek an appropriate protective or preventive order.
8.	Data and Privacy 
8.1.	Under the scope of these Terms, the Service provided by Company may involve processing of individuals’ personal data, which shall be governed by applicable data protection laws, the Service Privacy Policy and the Data Processing Addendum (DBA)
8.2.	Customer permits CYFOX to create and use metadata and de-identified data generated from Processed Customer’s Data, including data and bandwidth utilization and statistical or aggregated information (collectively, the “Metrics”), for any purpose CYFOX deems appropriate.
8.3.	Customer acknowledges and agrees that Company may handle and use (by itself or by using trusted third-party service providers, the Customer’s Service Data and Output Data as follows: 
8.3.1.	To provide the Service to Customer, conduct administrative and technical activities necessary to maintain and provide the Service; 
8.3.2.	To bill and collect Fees, enforce these Terms and take any action in any case of dispute, or legal proceeding of any kind involving Customer with respect to the Service; 
8.3.3.	To prevent fraud, misappropriation, infringements, and other illegal activities and misuse of the Service; 
Customer will not be entitled to any remuneration for all such uses. 
8.4.	Company may disclose or share Customer’s Data, if required, or if it reasonably believes that it is required, by law, pursuant to a subpoena, order, or decree, issued by a competent judicial or administrative authority, provided that, to the extent legally permitted, Company will endeavor to give Customer prompt notice of the requirement prior to such disclosure, to allow Customer, at Customer’s cost and expense, to intervene and protect its interests in the data. 
8.5.	The Service does not provide, and is not intended as, data back-up service. Customer is responsible for maintaining back-up copies of its Data. 
9.	Technical Support 
To the extent mutually agreed upon in the applicable Order Form, during the Term, Company, either directly or with the assistance of other third parties, will endeavor to provide Customer technical support for technical questions, problems and inquiries regarding the Service, during its business days and hours, and pursuant to its then-applicable support scheme, hours and channels, as may be further detailed in the Service Level Agreement (“SLA”) Company will attempt to respond to Customer’s technical questions, problems and inquiries as soon as practicably possible. However, Company makes no warranties to any specific response-time or the successful or satisfactory resolution of the question, problem or inquiry; and may decline to provide such support for matters that it deems, in its sole discretion, to require unreasonable time, effort, costs or expenses. For the purpose of the provision of technical support for Customer’s technical questions, problems and inquiries, Customer will cooperate, and work closely with Company, to reproduce malfunctions, including conducting diagnostic or troubleshooting activities, as Company reasonably requests. Customer agrees to cooperate and perform such requested modifications.
10.	Term and Termination 
10.1.	These Terms will be in effect for the period specified in the Order Form, and shall renew in accordance with the renewal terms and cycles specified in the Order Form (the “Term”), if not otherwise terminated earlier pursuant to this Section 11 or if a Party has given a notice of non-renewal at least thirty (30) days prior to the end of the period.
10.2.	Notwithstanding the above, either Party may terminate these Terms: 
10.2.1.	In the event of a material breach of these Terms by the other Party, where the breach remains uncured for thirty (30) days following written notice thereof from the non-breaching Party to the breaching Party, but if a breach is of a nature that cannot be cured, then the non-breaching Party may terminate the Terms immediately upon notice to the other Party; 
10.2.2.	If the terminating party is required to do so by law;
10.2.3.	If the other Party becomes or is declared insolvent or bankrupt, is the subject of any proceeding related to its liquidation or insolvency (whether voluntary or involuntary) which proceedings are not dismissed within sixty (60) days of their commencement, makes an assignment for the benefit of creditors, or takes or is subject to any such other comparable action in any relevant jurisdiction. 
10.3.	Immediately upon termination of these Terms: 
10.3.1.	CYFOX may terminate Customers’ account on the Service and delete the Customer’s Data (if stored) from its systems; 
10.3.2.	Customer shall cease any and all use of the Service;
10.3.3.	Customer will be charged for all then-outstanding Fees (if any). In the event of termination due to a material breach by Customer, Customer shall be required to pay  the Fees due for the full Term of these Terms; 
10.4.	Sections in these Terms that by their purpose of nature should survive termination of these Terms, will so survive.
11.	Warranties, Disclaimers & Limitation of Liability 
11.1.	Each party represents and warrants that it has full right, power, and authority to agree to these Terms and to perform its obligations and duties under the Terms, and that the performance of such obligations and duties does not and will not conflict with or result in a breach of any other agreement of such party or any judgment, order, or decree by which such party is bound. Each party shall use the Service only for lawful purposes and in accordance with these Terms. Each party will comply with all applicable laws and regulations in its performance and use under these Terms and, in the event of a failure to comply by a party, the other party will have the right to suspend performance hereunder or terminate these Terms.
11.2.	Customer represents and warrants that: (a) its use of the Service, including any Customer Content provided by Customer for use with the Service or handling by Company, will: (i) comply with any applicable law or regulation, (ii) not cause a breach of any agreement with or rights of any third party and (iii) not unreasonably interfere with use of services offered to third parties; and (b) it shall use the Service strictly in accordance with these Terms and other written instructions (e.g., product documentation, release notes, etc.) provided by Company. In the event of any breach of any of the foregoing warranties, in addition to any other remedies available at law or in equity, Company will have the right to suspend immediately any of the Service to prevent harm to Company or its business. If practicable, Company will provide notice and opportunity to cure. Once cured, in Company’s reasonable discretion, Company will use reasonable efforts to promptly restore the Service.
11.3.	Company will endeavor to have the Service operate properly during the Term. However, as the Service may rely on software, infrastructure, servers, and networks outside of its control, it cannot guarantee that the Service will operate in an uninterrupted or error-free manner, or that it will always be available, free from errors, omissions or malfunctions. 
11.4.	If Company becomes aware of any failure or malfunction, it shall attempt to regain the Service’s availability as soon as practicable. However, such incidents will not be considered a breach of these Terms. In addition, where applicable, the Customer acknowledges that the Service may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control. Company shall provide an advanced notice by e-mail of any scheduled Service disruption.
11.5.	EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH IN THIS SECTION ‎12, ALL CYFOX PRODUCTS AND SERVICES PROVIDED HEREUNDER ARE PROVIDED SOLELY ON AN “AS IS” BASIS. COMPANY DOES NOT MAKE, AND HEREBY DISCLAIMS, ANY AND ALL OTHER EXPRESS AND IMPLIED WARRANTIES, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY, QUALITY, PERFORMANCE, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, TITLE, OR ARISING FROM COURSE OF DEALING, USAGE, OR TRADE PRACTICE, IN CONNECTION WITH THESE TERMS OR THE SERVICE. COMPANY DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE.
11.6.	CUSTOMER SHALL BEAR THE SOLE AND EXCLUSIVE RESPONSIBILITY FOR COMPLYING WITH ANY APPLICABLE LAWS REGARDING ITS USE OF THE SERVICE, INCLUDING, BUT NOT LIMITED TO, ANY LAWS AND REGULATIONS REGARDING THE PROTECTION OF INTELLECTUAL PROPERTY WITH REGARD TO THE CUSTOMER CONTENT OR ITS USERS UPLOAD TO AND PROVIDE TO THE SERVICE, OR PERSONAL INFORMATION PROCESSED VIA OR IN CONNECTION WITH THE SERVICE. COMPANY TAKES NO RESPONSIBILITY FOR ANY CLAIM WHICH MAY ARISE OUT OF OR IN CONNECTION WITH CUSTOMER’S USE OF THE SERVICE OR ANY CONTENT USED OR UPLOADED TO THE SERVICE IN VIOLATION OF ANY APPLICABLE LAW. 
11.7.	TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OF INTENTIONAL MISCONDUCT OR BREACH OF COMPANY’S CONFIDENTIALITY OBLIGATIONS, COMPANY, INCLUDING ITS EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS AND ANYONE ACTING ON ITS BEHALF, WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, STATUTORY OR PUNITIVE DAMAGES, LOSSES (INCLUDING LOSS OF PROFIT, LOSS OF BUSINESS OR BUSINESS OPPORTUNITIES AND LOSS OF DATA), COSTS, EXPENSES AND PAYMENTS, EITHER IN TORT, CONTRACT, OR IN ANY OTHER FORM OR THEORY OF LIABILITY (INCLUDING NEGLIGENCE), ARISING FROM, OR IN CONNECTION, WITH THESE TERMS, ANY USE OF, OR THE INABILITY TO USE THE SERVICE OR THE OUTPUT DATA, ANY RELIANCE UPON THE OUTPUT DATA OR ANY ERROR, INCOMPLETENESS, INCORRECTNESS OR INACCURACY OF THE SERVICE OR THE OUTPUT DATA. 
11.8.	TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT IN THE EVENT OF INTENTIONAL MISCONDUCT, OR BREACH OF CONFIDENTIALITY OBLIGATIONS, THE TOTAL AND AGGREGATE LIABILITY OF COMPANY (INCLUDING ITS RESPECTIVE EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, ADVISORS, AND ANYONE ACTING ON ITS BEHALF), FOR DIRECT DAMAGES ARISING OUT OF OR RELATED TO THESE TERMS, THE SERVICE OR THE CUSTOMER'S DATA, SHALL BE LIMITED TO THE FEES PAYABLE TO COMPANY FOR THE SERVICES IN THE PRECEDING 12 MONTHS PRIOR TO THE EVENT PURPORTEDLY GIVING RISE TO THE CLAIM OCCURRED.
12.	Indemnification 
12.1.	Customer shall defend, indemnify and hold harmless Company and its directors, officers, employees, subcontractors (“Company Indemnitee”), upon Company’s request and at Customer’s expense, from, and against, any damages, liabilities, loss, costs, expenses and payments, including, but not limited to,  reasonable attorney’s fees and legal expenses, arising from any third-party complaint, claim, suit, action, arbitration, or proceeding brought against a brought against a Company Indemnitee relating to: (a) a breach or alleged breach by Customer of any of its representations, warranties, covenants or obligations hereunder; (b) infringement or misappropriation of any Intellectual Property rights by Customer; (c) any negligence or willful misconduct of Customer or its Users or other representatives; or (d) any claims in connection with the Customer Data.
12.2.	If Company seeks indemnification from Customer, it shall provide Customer with (i) prompt written notice of any indemnifiable claim; (ii) all reasonable assistance and cooperation in the defense of such indemnifiable claim and any related settlement negotiations, at Customer’s expense; and (iii) exclusive control over the defense or settlement of such indemnifiable claim, provided, however, that Company may settle or reach compromise on any such claim without Customer’s consent, if and to the extent such settlement or compromise does not impose any liability (monetary, criminal or otherwise) on Customer. Company shall have the right to participate, at its own expense, in the defense (and related settlement negotiations) of any indemnifiable claim with counsel of its selection.
13.	Governing Law and Jurisdiction 
13.1.	Regardless of Customer’s jurisdiction of incorporation, the jurisdiction where it engages in business, or access the Service from, these Terms and Customer’s use of the Service will be exclusively governed by and construed in accordance with the laws of the State of Israel, excluding any otherwise applicable rules of conflict of laws, which would result in the application of the laws of a jurisdiction other than Israel. Any dispute, controversy or claim which may arise out of or in connection with these Terms or the Service, shall be submitted to the sole and exclusive jurisdiction of the competent court in the Tel Aviv district in Israel. Subject to Section ‎14.2 below, the Parties hereby expressly consent to the exclusive personal jurisdiction and venue of such courts, and waive any objections related thereto including objections on the grounds of improper venue, lack of personal jurisdiction or forum non conveniens. 
13.2.	Notwithstanding the foregoing, Company may also lodge a claim against Customer: (a) pursuant to the indemnity clause above, in any court adjudicating a third party claim against Company; and (b) for interim, emergency or injunctive relief in any other court having general jurisdiction over Customer. 
13.3.	The Parties will use reasonable efforts to resolve any dispute arising out of these Terms through discussion between the appropriate personnel from each Party. If Parties are unable to resolve the dispute, either Party may escalate the dispute to its executives. If an executive level meeting fails to resolve the dispute within thirty (30) days after escalation, either Party may seek any available legal relief. This provision will not affect either Party’s right to seek injunctive or other provisional relief at any time.
14.	Miscellaneous 
14.1.	Assignment. Customer may not assign these Terms without obtaining Company’s prior written consent. Any purported assignment without Company’s prior written consent is void. To the greatest extent permissible by law, Company may assign these Terms in their entirety, including all right, duties, liabilities, performances and obligations herein, upon notice to Customer and without obtaining Customer’s further specific consent, to a third-party, upon a merger, acquisition, change of control or the sale of all or substantially all of Company’s equity or assets. By virtue of such assignment, the assignee assumes Company’s stead, including all right, duties, liabilities, performances and obligations hereunder, and Company shall be released therefrom.
14.2.	Relationship of the Parties. The relationship between the Parties hereto is strictly that of independent contractors, and neither Party is an agent, partner, joint venturer or employee of the other.
14.3.	Subcontracting. Company may subcontract or delegate the performance of its obligations under these Terms, or the provision of the Service (or any part thereof), to any third party of its choosing, provided however, that it remains liable to Customer for the performance of its obligations under these Terms. 
14.4.	Complete Terms and Severability. These Terms constitutes the entire and complete agreement between the Parties concerning the subject matter herein and supersede all prior oral or written statements, understandings, negotiations and representations with respect to the subject matter herein. If any provision of these Terms is held invalid or unenforceable, that provision shall be construed in a manner consistent with the applicable law to reflect, as nearly as possible, the original intentions of the Parties, and the remaining provisions will remain in full force and effect. These Terms may be modified or amended only in writing, signed by the duly authorized representatives of both Parties.
14.5.	No Waiver. Neither Party will, by mere lapse of time, without giving express notice thereof, be deemed to have waived any breach, by the other Party, of any terms or provisions of these Terms. Either Party waiver of such breach, will not be construed as a waiver of subsequent breaches or as a continuing waiver of such breach.


























Appendix A: CYFOX Service Level Agreement (SLA)
1. Technical support 

Company shall provide technical support from its’s designated offices, to assist Customer in resolving problems encountered in the use of the Service, according to its support package: An exclusive support package which provides support 24/7.
2. Technical support response times

Company is committed to make commercially reasonable efforts to provide the following response times:
	Support package:
Severity	Response Time (1st Answer)	Initial Handling
Critical	3 hours	12 Hours
Major	12 Hours	1 day
Minor	1 day	N/A
Technical Question	2 days	 - 
* All times set forth in the table above are in working hours or working days

1.1.	Severity 
Critical	An essential function is unavailable (login, research unavailable, reports unavailable, etc.), workaround impossible.
Major	An essential function is unavailable, limited workaround possible.
Minor	A non-essential function is unavailable, workaround possible.
Technical question	A question concerning general usage or standard configuration of the Service
	
1.2.	Response times 
"Response Time" (1st Answer)	Company confirms that the issue reported by Customer is being handled (Company acknowledges via confirmation email). This response period starts upon receipt of the full dysfunction description provided by the Customer’s User and supporting data to enable the start of case investigation. 
“Initial Handling”	Company informs Customer on the investigation done and provides a solution (either a Fix or an action plan for subsequent investigations). The status will be acknowledged via confirmation email by the Customer. If possible, from a technical standpoint, Company proposes a workaround. The Initial Solution period starts from the acknowledgment email.

3.  Updates and Infrastructure

Company will notify Customer upon each new release planned. The Customer will be trained on any new features upon their initial release.

4.  Discontinuation

Notwithstanding anything herein to the contrary, Company shall have no obligations under this SLA to provide any support and to correct any non-conformity of the Service in respect to any update or release that is older than 6 months and Company shall discontinue any support for past versions of the Service that are older than 6 months.







Appendix B: CYFOX Data Processing Addendum (DBA)
This Data Processing Addendum (the “Addendum”) forms part of the underlying agreement, inclusive of any amendments to the underlying agreement, by which Company provides the Service to Customer (the “Terms”) and reflects the parties’ agreement with regard to the Processing of Personal Data (as defined below) in accordance with the requirements of the applicable Privacy Laws and CYFOX Privacy Policy [All capitalized terms not defined herein shall have the meaning set forth in the Terms. 
WHEREAS, Company is involved in incidentally processing certain personal data for Customer for the provision of the Service, pursuant to the Terms signed between the parties, and the parties wish to regulate Company’s processing of such personal data, through this Addendum.
THEREFORE, the Parties have agreed as follows:
Part	Scope of applicability (as applies to Customer)
Part One – General provisions	Applies where Company is processing Customer Data (as defined in the Terms), in the course of the provision of the Service.
Part Two – EU General Data Protection Regulations (“GDPR”) and the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”)	Applies where, in the course of the provision of the Service, Company is processing Customer Data (as defined in the Terms) that is subject to the GDPR and UK GDPR.
Part Three – California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq., collectively, the “CPRA”)	Applies where the CPRA applies to the Customer.
Part Four – Israeli Privacy Protection Regulations (Information Security)	Applies where, in the course of the provision of the Service, Company is processing Customer Data (as defined in the Terms) that is subject to the Israeli privacy laws.




Part 1 (General Provisions)
1.	Processing. Company is prohibited from using or disclosing the Customer Data for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to perform Customer’s processing instructions; (b) selling the Customer Data; and (c) using or disclosing the Customer Data outside of the direct business relationship between the parties. Company certifies that it understands the restriction specified in this subsection and will comply with it. For the avoidance of doubt, Company may process Service Data, create and use Metrics for any purpose it deems appropriate (as the terms are defined in the Terms) and may process Customer Data for machine learning and AI development purposes.
2.	Data Subject Requests. Company will follow Customer’s instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Customer Data, such as accessing their restricting its processing. Company will pass on to Customer requests that it receives (if any) from data subjects regarding their information processed by Company. Company shall notify Customer of the receipt of such request as soon as possible, and no later than five (5) business days from the receipt of such request, together with the relevant details. 
3.	Disclosure. Unless legally prohibited, Company will provide Customer within reasonable time, notice of any request it receives from an Authority (as defined below) to produce or disclose Customer Data it has Processed on Customer’s behalf, so that Customer (or its customer) may contest or attempt to limit the scope of production or disclosure request.
4.	Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Company’s processing of Customer Data, Company shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Customer Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
5.	Data Breaches. Company shall without undue delay, and in any event within 72 hours, notify Customer of any actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, that it becomes aware of regarding the Customer Data that it Processes. Company shall investigate the breach and take all available measures to mitigate the breach and prevent its reoccurrence. Company will reasonably cooperate in good-faith with Customer on issuing any statements or notices regarding such breaches, to authorities and data subjects.
6.	Subcontracting to suppliers. Customer authorizes Company to subcontract any of its Service-related activities which involve Processing the Customer Data. Company shall ensure that the third party is bound by substantially same obligations of the Company under this Part and shall supervise compliance thereof, and Company shall remain fully liable vis-à-vis the Customer for the performance of any such third party that fails to fulfil its obligations.
7.	Data Return and Deletion. Upon Customer’s request, Company will delete the Customer Data processed on Customer’s behalf under this Addendum from its own and its Processor’s systems, if applicable, or, at Customer’s choice, return such Customer Data or delete existing copies, within 30 business days of receiving a request to do so. Customer acknowledges and agrees that the Service shall automatically delete Customer Data within 60 days as of the termination of the Terms. Upon Customer’s request, Processor will furnish written confirmation that the Customer Data has been deleted or returned pursuant to this Section. 


 
Part 2 (GDPR & UK GDPR)
1.	DEFINITIONS
1.1.	“Authority” means any supervisory authority with authority under Privacy Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.2.	“Customer” means the relevant entity that has entered into an agreement with Company to receive the Service, and if applicable, any of its Authorized Affiliates that have signed the Terms or any Order Forms related thereto.
1.3.	“Customer Data” has the same meaning as in the Terms.
1.4.	“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
1.5.	“Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
1.6.	“Data Subject” means the individual to whom Personal Data relates (including Customer’s employee).
1.7.	“Data Subject Request” means a Data Subject’s request to access, correct, amend, transfer, block or delete that person’s Personal Data consistent with that person’s rights under Privacy Laws.
1.8.	 “Instructions” means all provisions of the Terms, any Order Form, and any written amendments to either, concerning the Processing of Customer Data.
1.9.	“Personal Data” has the meaning set forth in Privacy Laws, namely (and without limitation) any information relating to an identified or identifiable person, including sensitive data, where such data is submitted to Company as part of the Service.
1.10.	“Privacy Laws” means all applicable laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data under the Terms, and including the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) as of its effective date and the United Kingdom's Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”).
1.11.	“Process”, “Processes” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, transfer, dissemination by means of transmission, distribution or otherwise making available, merging, linking as well as blocking, erasure or destruction.
1.12.	“Service(s)” has the same meaning as in the Terms.
1.13.	“Standard Contractual Clauses” means where the GDPR applies the Standard Contractual Clauses between controllers and processors under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council pursuant to Commission implementing decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”);
1.14.	“Subprocessor” means any Data Processor engaged by Company for Processing or having authorized access to Personal Data as part of the subcontractor’s role in delivering the Service.

2.	SUBJECT-MATTER, DURATION, NATURE AND PURPOSE OF THE PROCESSING, TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
2.1.	Subject-matter of the Processing. The Processing is carried out in an automated Processing using the Service provided by the Company. The Processing operations are further set out in the Details of the Data Processing
2.2.	Duration of the Processing. The Processing begins and ends with performance of the Service for Customer, as specified in the Instructions.
2.3.	Nature and Purpose of the Processing. The purpose and object of the Processing of Personal Data by Company is to perform and provide the Service pursuant to the Instructions, as specified in the Terms and this Addendum, on behalf of and for the benefit of Customer, machine learning and for AI development purposes, Service Data and Metrics, as further described in the Service Privacy Policy 
2.4.	Type of Personal Data and Categories of Data Subjects. The type of personal data and categories of affected Data Subjects are set out in the Details of the Data Processing 
3.	INSTRUCTIONS, COMMITMENT TO CONFIDENTIALITY 
3.1.	Controller Processor Relationship. Other than the data Company process as a Controller, such as for machine learning and for AI development purposes, Service Data and Metrics, as further described in the Service Privacy Policy [, Company shall only Process Personal Data on behalf of the Customer while providing the Services. The parties acknowledge that with regard to the Processing of Personal Data as between the parties, Customer acts as the Data Controller and Company acts as the Data Processor (e.g., even where Customer is a data processor on behalf of another data controller, as between the parties to the Terms, Customer will act as the Data Controller).
3.2.	Instructions. Company shall only Process Personal Data on behalf of and in accordance with the Instructions of Customer, as part of the Services, and shall protect Personal Data as Confidential Information. Customer shall ensure that its Instructions to Company shall comply with Privacy Laws. The Instructions are Customer’s complete and final instructions to Company for the Processing of Personal Data as part of the Service. Any additional or alternate instructions must be agreed upon separately with prior written agreement between Customer and Company. The foregoing applies unless Company is otherwise required by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest) or where it process data for machine learning and for AI development purposes, Service Data and Metrics, as further described in the Service Privacy Policy 
3.3.	Where Company believes that compliance with any Customer’s Instructions infringes Privacy Laws, Company shall immediately notify Customer thereof. 
3.4.	Commitment to Confidentiality. Company shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality. Company shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Terms. 
3.5.	Compliance with Laws. Each party will comply with all laws, regulations and rules applicable to it in the performance of this Addendum, including Privacy Laws. Without prejudice to the foregoing, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, and the means by which Customer acquired Personal Data and shall establish the legal basis for Processing under Privacy Laws, including by providing all notices and obtaining all consents as may be required under Privacy Laws, in order for Company to Process Personal Data on behalf of the Customer pursuant to the Instructions.

4.	SECURITY 
4.1.	Security Controls Company shall implement appropriate technical and organizational measures to protect and safeguard the Customer Data that is processed as part of the Services, against Personal Data Breaches (as defined under the Privacy Laws). In addition, Company and Customer shall have in place and shall comply with documented written policies and procedures, periodically reviewed, covering the administrative, physical and technical safeguards in place and relevant to the access, use, loss, alteration, disclosure, storage, destruction and control of information. Such policies and procedures will include encryption of data, virus detection and firewall utilization.

5.	COMPLIANCE DEMONSTRATION BY COMPANY
Company will make available to Customer all information in its disposal necessary to demonstrate compliance with the obligations under Privacy Laws.
6.	DATA SUBJECT OR AUTHORITY REQUESTS 
6.1.	Data Subject Requests. Company will follow Customer’s instructions to accommodate Data Subjects’ Requests to exercise their rights in relation to their Personal Data processed as part of the Service, to the extent Customer, in its use of the Service, does not have the ability to do so. To the extent legally permitted, Company will notify Customer of any Data Subject Request it receives (if any) from Data Subjects regarding their Personal Data Processed by Company as part of the Service. Company shall notify Customer of the receipt of such request as soon as possible, and no later than five (5) business days from the receipt of such request, together with the relevant details. Company shall not respond to any such Data Subject Request without Customer’s prior written approval. Company shall provide Customer with assistance in relation to handling of a Data Subject Request, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Service. If legally permitted, Customer shall be responsible for any actual, reasonable costs arising from Company’s provision of such assistance.
6.2.	Authority Requests. Company shall promptly notify Customer of all enquiries from an Authority that Company receives which relate to the Processing of Customer’s Data as part of the Service or the provision to or receipt of the Service by Customer, unless prohibited from doing so by law or by the Authority.
7.	SUBPROCESSORS. 
7.1.	Appointment of Subprocessors. Customer acknowledges and specifically authorizes Company’s use of its Subprocessors existing as of the Effective Date, as detailed in the List of Sub-processors Customer hereby gives a general authorization to further Subprocessors, provided Company follows the following procedure:
7.1.1.	Customer authorizes the Company to engage another Processor for carrying out specific processing activities as part of the Service, provided that the Company informs Customer at least ten (10) business days in advance of any new or substitute Processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced Processor. If Customer so objects, the Company may not engage that new or substitute Processor for the purpose of Processing Personal Data as part of the Service.
7.1.2.	Without limiting the foregoing, in any event where the Company engages another Processor, the Company will ensure that substantially equivalent data protection obligations as set out in this Addendum are imposed on that other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Privacy Laws. Where the other Processor fails to fulfil its data protection obligations, the Company shall remain fully liable to Customer for the performance of that other Processor’s obligations.
7.1.3.	Company and its other Processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., EU SCC or UK Addendum, as applicable). 
8.	PERSONAL DATA BREACH.
Upon becoming aware of Personal Data Breach (as defined by Privacy Laws) related to Customer Data and that materially infringes Privacy Laws, Company shall without undue delay, and in any event within seventy-two (72) hours, notify Customer of such Personal Data Breach. Company shall investigate the breach and take all available measures to mitigate the breach and prevent its reoccurrence. Company will reasonably cooperate in good-faith with Customer on issuing any statements or notices regarding such breaches, to Authorities and Data Subjects. Notification of or response to a Personal Data Breach under this Section will not be construed as an acknowledgement by Company of any fault or liability with respect to the Personal Data Breach.
9.	DATA PROTECTION IMPACT ASSESSMENT.
Company will reasonably assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate (and if needed). Customer shall be responsible for the actual, reasonable costs for Company’s provision of such assistance by Company.
10.	DELETION OR RETURN OF PERSONAL DATA.
Upon Customer’s request, Company will delete the Customer Data, including, Personal Data, Processed on Customer’s behalf for the provision of the Service under this Addendum and Terms, if stored from its own and its Processor’s systems, or, at Customer’s choice, return such Personal Data and delete existing copies if they exist in its own systems, within 30 business days of receiving a request to do so. Customer acknowledges and agrees that the Service shall automatically delete Customer Data sixty (60) days as of the termination of the Terms. 
 
Part 3 (CPRA)
1.	This ‎Part 3 applies if the CPRA (as defined below) applies to the Customer.
2.	Capitalized terms used in this Part 3 but not defined in this Addendum have the meaning ascribed to them in the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq., collectively, the “CPRA”).
3.	The parties acknowledge and agree that Company is a Service Provider. To that end, and unless otherwise required by law:
1.1.	Company will process, retain, use, and disclose Personal Information on behalf of the Customer, only as necessary to provide the Service as specified in the Terms. The parties agree that Customer is disclosing the Customer’s Data to Company only for the purpose of properly performing the Service, Support Services, or for any commercial purpose other than as reasonably necessary to provide the Service, to comply with other reasonable and lawful instructions provided by Customer, for development of the Service via machine learning and AI development, processing of Service Data and Metrics, as further described in the Service Privacy Policy, or as otherwise permitted under 11 CCR §7051I (the “Business Purpose”).
1.2.	Company shall not sell or share Customer‘s Personal Information; retain, use or disclose Customer’s Data for any commercial purpose outside of the direct business relationship between the parties, or for any purpose other than the Business Purposes, unless expressly permitted by the CPRA. Company certifies that it understands its obligations under the applicable Data Protection Law and will comply with them. 
1.3.	Company is prohibited from combining the Customer’s Data with other Personal Information about the Customer, or on behalf of another person, or that it Collects from its own interaction with a Consumer, unless expressly permitted by the CPRA.
1.4.	If Company receives a request from a California Consumer of the Customer, about his or her Personal Information, Company shall not comply with the request itself, but shall inform the Consumer that Company’s basis for denying the request is that Company is merely a Service Provider that follows Customer’s instruction, and inform the Consumer that they should submit the request directly to the Customer and provide the Consumer with the Customer’s contact information.
1.5.	Commensurate with the nature of CYFOX’s services to Customer and in accordance with Customer’s specified instructions to Company, Company shall help Customer to comply with California Consumers requests made pursuant to the CPRA of which Company is informed of by Customer.
2.	At Customer’s direction, Company shall delete or return to Customer the Personal Information it has Processed on Customer’s behalf from its own and its service provider’s systems, shortly after it completes the requested Service, and upon Customer’s request, will furnish written confirmation that the Personal Information has been deleted pursuant to this Section, unless retention of the Personal Information is required by law.
3.	Company shall comply with all applicable sections of the CPRA and shall provide, with respect to the Personal Information it Collects pursuant to the Terms, the same level of privacy protection as required of Businesses by the CPRA, and as follows:
3.1.	Company shall cooperate with Client in responding to and complying with Consumers’ requests made pursuant to the CPRA, such as assisting Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Consumer rights under the CPRA.
3.2.	Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Company’s processing of Personal Information of the Customer, as well as the nature of personal information processed for Customer, Company shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches), in accordance with Cal. Civ. Code §1798.81.5, and commensurate with the 18 Critical Security Controls published by the Center for Internet Security (CIS).
4.	Company grants Customer the right to take reasonable and appropriate steps to ensure that Company uses the Customer’s Data in a manner consistent with Customer’s obligations under the CPRA. Customer may, in coordination with Company, monitor Company’s compliance with the Terms through measures, including, but not limited to ongoing manual reviews and automated scans of Company’s system, at least once every 12 months. Company shall perform regular internal or third-party assessments, audits, or other technical and operational testing of its security procedures and practices at least once every 12 months. Upon the reasonable request of Customer, Company shall make available to Customer all information in its possession necessary to demonstrate Company’s compliance with the obligations in this clause.
5.	Company shall promptly notify Customer once it makes a determination that it can no longer meet its obligations under the CPRA.
6.	Company grants Customer the right, upon notice, including under Section ‎‎‎7, to take reasonable and appropriate steps to stop and remediate Company’s unauthorized use of Customer’s Data.
7.	Company shall ensure that each person involved in Processing the Customer’s Data it collects pursuant to the Terms is subject to a contractual or statutory duty of confidentiality with respect to that Customer’s Data.
 
Part 4 (Israeli law)
1.	Definitions. In this Part, the following terms shall be interpreted as follows: 
1.1.	The “Applicable Law” – shall mean the Israeli Protection of Privacy Law, 5741-1981 (hereinafter – the “Privacy Law”) and the regulations promulgated thereunder (and in particular the Protection of Privacy Regulations (Information Security), 5777 - 2017), the guidelines of the Registrar of Databases, and in particular Guidelines No. 2/2011 regarding the use of outsourcing for processing of personal data, as well as any legislative or administrative provision or directive that will apply to the Company in connection with Processing Personal Data.
1.2.	"Database" - a collection of Personal Data held by physical, magnetic or optical means.
1.3.	“Personal Data” means Customer Data that relates to an individual, and which is Processed by Company in the course of Service.
1.4.	"Processing" (and its derivatives, including, but not limited “o "Processor") – the collection, access, retention, modification, use, disclosure and transfer of Personal Data.
2.	General Provisions 
2.1.	Customer is the sole owner of the Databases containing the Personal Data, and nothing contained in this Part shall be deemed to constitute the grant of proprietary rights to the Company in the Personal Data.
2.2.	Customer may instruct the Company regarding the manner in which the Personal Data should be Processed, and the Company undertakes to comply with all of Customer's instructions, as shall be determined from time to time, provided that if the instructions entail new costs to the Company, their performance is subject to additional payment as shall be agreed upon by the parties. 
2.3.	Customer must maintain an up-to-date listing of all authorized individuals of the Database and prevent access to any individual who does not have the need to be exposed to the Personal Data.
2.4.	Customer shall grant its employees with access to the Database, subject to conducting training activities regarding privacy protection and information security obligations applicable to the Customer by virtue of the Applicable Law and/or this Part 4. Such training shall take place at least once every two years and as soon as possible after recruiting.
2.5.	Customer shall implement security and monitoring measures through which the Customer shall record each access made to the Database Systems (as defined below).
2.6.	Customer shall develop, implement and enforce an information security policy that shall include at least the following issues ("Information Security Policy"):
2.6.1.	Mapping of all the of the security measures taken by the Customer regarding the Database Systems;
2.6.2.	Instructions regarding the manner in which access to the Database is managed and the means of controlling access to Personal Data and the actions taken in it.
2.6.3.	Guidelines for individuals authorized to access Personal Data and Database Systems;
2.6.4.	A review of the risks to which the Personal Data is exposed to as part of the Customer's ongoing activities;
2.6.5.	Instructions regarding the means of recording, monitoring and identifying threats to which the Database systems are exposed, and events in which there is a risk of Breach of Information Security;
2.6.6.	Instructions regarding periodic audit reports as stated in Section ‎6 below;
2.6.7.	Instructions and procedures regarding periodic backup and restore of the audit data as stated;
2.6.8.	Instruction regarding the manner in which development activities in the Database are performed and documented. 
2.7.	Customer shall map the operational environment of the Database. In this regard, Customer shall prepare an inventory list that includes all the data systems, software, interfaces, infrastructures of hardware components and communications components that the Company operates in the Database environment for the ongoing operation of the Database (the “Database Systems"). Customer shall update the list of inventories specified in this Section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. Customer shall update the aforesaid list in any case in which substantial changes to the operating environment are performed on the Database Systems or in the manner in which data is being Processed.
3.	Company’s obligations regarding the processing of Personal Data
3.1.	Company shall process the Personal Data for Customer solely in accordance with Customer’s instructions, and only in the manner determined in this Part 4, for the development of the Service via machine learning and AI development, for processing Service Data and Metrics, as further described in the Service Privacy Policy and for no other purpose, unless expressly instructed by Customer to do so.
3.2.	Company undertakes to manage access rights to Personal Data, including providing its users with ‘Least Privileges’ based on their ‘Need to Know’, for the purpose of carrying out their tasks, and shall take measures in order prevent access by unauthorized individuals to Personal Data. In addition, Company must maintain an up-to-date listing of all authorized individuals of the Database and prevent access to any individual who does not have the need to be exposed to the Personal Data.
3.3.	Company shall not grant access to the Personal Data to its employees, consultants or anyone acting on its behalf, before: (a) reviewing and confirming that their background and personal integrity and reliability are suitable for a position granting them access to Personal Data; and (b) binding them to a letter of undertaking in order to maintain the confidentiality, security of information and privacy of the data subjects whose details are included in the Database. Company shall be liable to Customer for any act and/or omission of itself or any of its employees, advisors, Sub-contractors (as defined below) and anyone else acting on its behalf in connection with the breach of the provisions of this Part 4. 
4.	Disclosure and transfer of Personal Data
4.1.	Company shall not disclose any Personal Data that the Company processed for Customer to any person or entity without Customer’s prior written consent, except to the extent required for the performance of Customer’s instructions in accordance with this Part 4.
4.2.	If Company desires to disclose Personal Data to a subcontractor of the Company or use a subcontractor to Process Personal Data (each, a "Sub-contractor"), then prior to such disclosure, the Company shall enter into a written, valid and enforceable agreement with the Sub-Contractor containing substantially adequate protective terms on data security. Company shall provide Customer any information reasonable requested by Customer about Company’s use of Sub-contractors, about Sub-contractors’ Processing activities for Company and their data security practices. 
4.3.	Company shall use accepted encryption mechanisms for each transfer of Personal Data to a third party and for any remote access to the Database Systems.
5.	Retention and return of Personal Data
5.1.	Each Party declares and undertakes that it shall take appropriate information security measures, when applicable, in order to ensure the integrity, availability, confidentiality and reliability of the Personal Data.
5.2.	Customer shall maintain logical separation between the Database Systems and the computer systems used by the Customer which are not directly related to the Personal Data from the Service.. In the event of connection of the Database Systems to the Internet or to another public network, the Customer shall implement appropriate safeguards against information security issues.
5.3.	Customer shall regularly update the Database Systems, including the software, which is installed in the Database Systems, with information security updates. In operating the Database Systems, the Customer shall not use any software or hardware components whose manufacturer does not support their security aspects.
6.	Audit, documentation and monitoring
6.1.	Customer undertakes to document by an automated mechanism the activity carried out in the Database Systems, including (but not limited to) documentation of attempts to access the Database Systems, deletion and/or change of Personal Data and change of access rights to the Database Systems (“Audit Mechanism"). The Audit Mechanism shall collect at least the following data: the user identity, the date and time of the activity, the source of the activity (Internet address or computer name), the component of the system in which the activity was performed, the type of activity, and whether or not the activity was successful.
6.2.	The audit data to be generated by the Audit Mechanism shall be maintained for 24 months.
6.3.	Customer undertake to backup all data generated by the Audit Mechanisms. 
6.4.	Customer undertakes to conduct at least once in 24 months, an internal or external audit by an entity or a person with appropriate certification for auditing information security, and who is not Customer's CISO, in order to ascertain the Customer's compliance with these provisions and the provisions of the Applicable Law.
7.	Transfer of Personal Data to foreign jurisdiction
7.1.	Company shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.
8.	General cooperation
Company shall cooperate with Customer and Customer’s client in providing information and assistance reasonably requested by Customer in connection with data security issues and practices and supplementary documents, so as to allow Customer to properly address information security, privacy and regulatory matters relating to the Database.







Appendix C: Details of the Data Processing
Categories of data subjects whose personal data may be processed	•	The Customer and its users, such as employees, agents and anyone on Customer’s behalf who is authorized to use the Service; 
•	Data subjects who may be included in the data Customer provides to the Service
Categories of personal data Processed 	•	Full name, email address, phone number, company position, company name and usernames of Customer and Customer’s users, employees, agents and anyone on Customer’s behalf who is authorized to use the Service
•	content uploaded, provided or imported by Customer and its users to the Service and that is being processed through the Service, including suspicious files and data subjects Personal Data in files.
•	analytics information, such as IP address from which Customer Users access the Service, time and date of access, type of device and browser used, language used, links clicked via a mouse or a touch screen, and actions taken while using the Service, in accordance with the users preferences.
The frequency of the Processing 	while providing the Service to the Customer
Nature of the processing	Company processes personal data to provide the Service as specified under the Terms. The nature of the processing is mainly to provide the Service, technical support for technical questions, problems and inquiries regarding the Service as agreed under the Order Form, uploading data to the Service, storage on the Service (where applicable), analytics reporting, the development of the Service via machine learning and AI development, for processing Service Data and Metrics, as further described in the Service Privacy Policy

Purpose(s) of the data Processing and further processing 	Personal Data is contained in the data which Customer and its Users share through Service under the Terms. Company has access to such data solely for purposes pursuant to the Terms and relevant Order Forms, for the purpose of machine learning and AI development. for processing Service Data and Metrics, as further described in the Service Privacy Policy.

The period for which the personal data will be retained	During the provision of the Services requested by Customer, within the Term
Transfers location, subject matter, nature and duration of the processing	As detailed in the List of Sub-processors for the Service. 



Appendix D: List of Sub-processors

Sub-processor’ Name	Purpose of Processing	Location
CYFOX*
*Applicable when the Service is provided by a Distributer/Partner and not directly by CYFOX	Provision of the Service and Technical Support	Israel
AWS*
*Applicable when the costumer is using CYFOX cloud and/or SOC services	Storing security data.