Cyber Risk International (CyberPrism) Terms of Service

Cyber Risk International Ltd – Terms of Service

1. Introduction

Parties. This Terms of Service (the “Agreement”) is a legal agreement between Cyber Risk International Ltd, an Irish limited company with its registered office in the Republic of Ireland (referred to as “Cyber Risk International”, “CRI”, “we” or “us”), and the client entity that signs an Order Form or Statement of Work referencing this Agreement (referred to as the “Client” or “you”). This Agreement governs the Client’s access to and use of CRI’s cybersecurity, cyber risk, compliance and resilience services, and the Client’s use of CRI’s software-as-a-service platform known as “CyberPrism” (including all versions and feature-based editions of CyberPrism) in a business-to-business context. Client Status. The Client represents that it is a business entity (not a consumer) acting in the course of business, and is entering this Agreement for commercial purposes only.

Acceptance. By executing an order, statement of work, or other ordering document that references this Agreement, or by using the Services (defined below), the Client agrees to be bound by these Terms of Service. If the Client does not agree, it must not use the Services. This Agreement is effective as of the date of last signature on the initial Order Form or Statement of Work between the parties (the “Effective Date”).

Structure. This Agreement includes the terms and conditions set forth below, any appendices attached hereto, and each Order Form, Statement of Work, schedule or annex executed by the parties that references this Agreement (collectively, the “Contract Documents”). In the event of any conflict between the terms of the main body of this Agreement and any Order Form or Statement of Work, the terms of the Order Form or Statement of Work shall prevail to the extent of that conflict (provided that, unless expressly stated otherwise, a special term in any Order or SOW will not override the general limitations of liability or data protection obligations in this Agreement). The Contract Documents constitute the entire agreement between the parties with respect to the subject matter and supersede any prior proposals or agreements.

2. Definitions

For the purposes of this Agreement, the following capitalized terms have the meanings set forth below. Other terms may be defined in context within this Agreement.

  • “Advisory Services” (also called “Professional Services”) means the cybersecurity, cyber risk management, compliance, and resilience consulting, advisory or training services provided by CRI (other than the CyberPrism SaaS platform), which may include strategic consulting, risk assessments, compliance audits, resilience planning, training sessions, or other expert services as described in a Statement of Work or Order Form.

  • “CyberPrism” (or the “Platform”) means CRI’s proprietary software-as-a-service platform (including the CyberPrism web application, tools, dashboards, and any related software components) that enables organizations to measure, assess, and manage cyber risk, compliance and resilience. CyberPrism Services refers to the subscription-based services through which CRI provides Client with access to and use of CyberPrism (including any specific editions or versions differentiated by features, such as “Enterprise” or “Audit” versions).

  • “Services” means, collectively, all services and products provided by CRI to Client under this Agreement, including (i) the Advisory Services and (ii) the CyberPrism Services, as may be further described in an Order Form or Statement of Work. Services may be provided separately or as part of a combined offering.

  • “Order Form” means a document (which may be titled an order, proposal, service order or similar) executed by the parties that describes the Services to be provided, including any subscription to the CyberPrism platform or any Advisory Services, and the associated fees, term, and other key details. An Order Form may also incorporate a Statement of Work (SOW) for Advisory Services if applicable.

  • “Authorized Users” means the individuals authorized by Client to access and use the CyberPrism platform under Client’s account, such as Client’s employees, officers, or contractors, and any other persons that the parties agree in writing may have access (for example, personnel of Client’s affiliates or service providers, if permitted in an Order Form). Authorized Users must be bound by obligations of confidentiality and use no less restrictive than those in this Agreement, and Client is responsible for their compliance with this Agreement.

  • “Client Data” means all data, information, content, and materials (including any personal data) that the Client or its Authorized Users input into the CyberPrism platform or otherwise provide to CRI in the course of using the Services. Client Data includes any reports, results, metrics, or other output generated by the CyberPrism platform based on Client’s inputs, as well as any materials provided by Client for use in Advisory Services.

  • “Confidential Information” means any information, in any form, that is disclosed by one party (the “Disclosing Party”) to the other (the “Receiving Party”) and that is identified as confidential or proprietary, or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information of Client includes Client Data and the Client’s business plans, security information, and strategies. Confidential Information of CRI includes the Services (including the CyberPrism software and algorithms), CRI’s methodologies, and any reports or deliverables provided to Client (subject to Client’s usage rights in such deliverables). Confidential Information does not include information that the Receiving Party can demonstrate: (a) is or becomes publicly available without breach of any obligation; (b) was known to the Receiving Party before disclosure by the Disclosing Party, without confidentiality obligations; (c) is received from a third party without breach of any obligation to the Disclosing Party; or (d) was independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information.

  • “Data Protection Laws” means all applicable laws and regulations relating to the processing, privacy, and use of personal data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and Ireland’s Data Protection Acts 1988 to 2018, and any amendments or successor legislation, as well as any other applicable data protection or privacy laws in any relevant jurisdiction.

  • “Fees” means all fees, charges, and amounts payable by Client for the Services, as specified in an Order Form or Statement of Work, or as otherwise agreed in writing. Fees may include subscription fees for CyberPrism (e.g. annual or monthly subscription charges), fees for Advisory Services (which may be on a fixed price, time-and-materials, or retainer basis), and any applicable one-time charges, usage-based fees, or additional service fees.

  • “Initial Term” means the initial contract term for the applicable Services as specified in the Order Form or Statement of Work (for example, a twelve (12) month period, or a specific project duration for Advisory Services).

  • “Renewal Term” means each successive renewal period for the applicable Services following the Initial Term, as defined in Section 13.1.

  • “Acceptable Use Policy” or “AUP” means the acceptable use requirements for the CyberPrism Services set forth in Appendix 1 of this Agreement. The AUP may be updated by CRI from time to time to address emerging threats or changes in law, provided no update will materially diminish Client’s rights under this Agreement.

  • “Support Services” means the support and maintenance services provided by CRI for the CyberPrism platform, as described in Appendix 2 (Support and Service Levels) or in the relevant Order Form.

  • “Technical Prerequisites” means the minimum technical requirements and client-side systems or resources necessary for Client to access and use the CyberPrism Services, such as supported web browsers, internet connectivity, hardware specifications, or other environment conditions, which may be provided in the documentation or communicated by CRI.

  • “Term” means the duration of this Agreement, as defined in Section 13.1, including the Initial Term and all Renewal Terms.

  • “Intellectual Property Rights” means all intellectual and industrial property rights throughout the world, whether registered or unregistered, including patents, utility models, trademarks, service marks, trade names, business names, logos, get-up, domain names, design rights, copyright (including rights in computer software and databases), moral rights, rights in Confidential Information (including know-how and trade secrets), and any applications or registrations for the foregoing, as well as all rights of a similar nature or having equivalent effect.

Note: Other capitalized terms are defined elsewhere in this Agreement. Definitions shall apply equally to their singular and plural forms.

3. Scope of Services

This Agreement governs two broad categories of services: (1) Advisory Services provided by CRI’s experts, and (2) CyberPrism SaaS Services (subscription-based access to the CyberPrism platform). The Client may obtain either or both categories of services under this Agreement. Specific details of the Services (such as scope, deliverables, duration, subscription level, and Fees) will be set out in one or more Order Forms or Statements of Work executed by the parties.

3.1 Advisory Services

CRI will provide the Advisory Services described in the applicable Order Form or Statement of Work. Such services may include cybersecurity strategy consulting, cyber risk assessments, compliance and regulatory gap analysis, cyber resilience planning, staff training, incident response planning, or other professional services tailored to the Client’s needs. CRI shall perform all Advisory Services using reasonable skill and care, in accordance with applicable professional standards and the specifications agreed in writing.

Deliverables. If the Advisory Services involve the preparation of reports, assessments, recommendations, training materials or other tangible deliverables (collectively, “Deliverables”), such Deliverables will be described in the Order Form or SOW. Unless otherwise specified, Deliverables are provided for the Client’s internal business use. The Client may use and copy any such Deliverables for its own internal purposes and may disclose them to its affiliates, regulators, or professional advisors as necessary, provided that any third-party recipient is bound to maintain confidentiality of the Deliverables. CRI retains ownership of the Intellectual Property Rights in the Deliverables (including any methodologies, templates, or know-how embedded therein) as set out in Section 9, but grants the Client a license to use the Deliverables as provided in Section 9.3. The Client acknowledges that the Deliverables (such as risk assessment reports or policy documents) are intended for the Client’s use and are not intended for distribution to or reliance by any third party. If the Client elects to disclose a Deliverable (in whole or part) to a third party, (a) the Client shall notify such third party that the Deliverable was prepared for the Client’s internal use and not for the third party’s benefit, and (b) to the maximum extent permitted by law, CRI shall have no liability whatsoever to any such third party for any use or reliance on the Deliverable.

Collaboration and Dependencies. The Client agrees to reasonably cooperate with CRI in the performance of Advisory Services. The Client will provide in a timely manner any information, resources, access, or decisions reasonably required by CRI to perform the Services. CRI is entitled to rely on all information and data provided by the Client or on the Client’s behalf as being complete and accurate, and CRI shall not be responsible for any delays or failures in the Services caused by inaccurate or incomplete information provided by the Client or by the Client’s failure to fulfill its obligations. If a Statement of Work includes specific milestones, acceptance criteria or delivery dates for Deliverables, both parties will use good faith efforts to meet those milestones and dates. Any changes to the scope or requirements of Advisory Services must be agreed in writing (via a change order or amendment to the SOW) and may be subject to additional fees.

3.2 CyberPrism SaaS Services

Under the CyberPrism Services, CRI grants the Client a limited, non-exclusive, non-transferable right during the Term to access and use the CyberPrism platform (and any related documentation) via a software-as-a-service (SaaS) model, solely for the Client’s internal business purposes and in accordance with this Agreement and the applicable Order Form. The CyberPrism Services may be provided in different editions or plans (for example, editions tailored by features or level of functionality), the specifics of which will be set forth in the Order Form or in the Service description provided to the Client. All such editions are governed by the same terms of this Agreement, unless otherwise expressly stated.

Access and Users. Client’s access to CyberPrism will be provisioned by CRI (for example, by providing login credentials or enabling account access). The Client is responsible for managing access credentials for its Authorized Users and shall ensure that only Authorized Users access the Platform. The Client and Authorized Users may use the CyberPrism platform to input data, respond to cyber risk assessment questions, generate reports, and utilize other features provided. The Client shall not provide access to the CyberPrism platform to any person or entity other than Authorized Users without CRI’s prior written consent. Use of the CyberPrism Services by Authorized Users shall be limited to the scope (such as number of user accounts, business units, or assessments) specified in the Order Form. If the Client’s usage exceeds any limits set forth in the Order (for example, if additional Authorized Users beyond the licensed number access the platform, or if additional modules or assessments are utilized beyond the subscribed level), the Client agrees to pay the applicable additional fees for such overuse, as invoiced by CRI in accordance with Section 5.

Updates and Features. The Client acknowledges that the CyberPrism platform may be updated, upgraded, or enhanced by CRI from time to time. CRI may add new or improved functionalities, apply bug fixes, or make changes to the platform’s user interface or underlying technology, at its discretion, provided that no such update will materially reduce the core functionality of the service subscribed by the Client. Certain new features or modules may be offered to the Client as optional upgrades subject to additional fees. CRI will endeavor to schedule any significant changes or maintenance so as to minimize disruption to the Client, in accordance with the Support and Maintenance terms in Appendix 2.

Usage Restrictions. Client’s use of the CyberPrism Services is subject to the Acceptable Use Policy (Appendix 1). The Client shall not: (a) use the Platform in any manner that violates the AUP or any applicable law or regulation; (b) permit any unauthorized person to access the Platform; (c) use the Platform to process or store any data that is highly sensitive or regulated (such as health or payment card data) unless expressly agreed by CRI; (d) attempt to copy, modify, duplicate, create derivative works from, decompile, reverse engineer, or otherwise attempt to discover or access the source code or underlying trade secrets of CyberPrism (except to the extent such restriction is prohibited by mandatory law); or (e) use the Platform for the benefit of any third party, as a service bureau, or to build a competing product or service.

Technical Prerequisites. The Client is responsible for ensuring that it meets all Technical Prerequisites for use of CyberPrism. This includes obtaining and maintaining adequate internet connectivity, compatible devices or browsers, and any required third-party software. CRI will provide the Client with information about system requirements and supported configurations upon request. The Client’s failure to meet required Technical Prerequisites or to maintain its own IT environment (networks, hardware, software) may affect the performance or availability of the CyberPrism Services, and CRI shall not be responsible for any issues, errors, or delays arising from such Client-side factors. The Client is also responsible for implementing reasonable security measures in its own systems to protect access to the Platform (such as safeguarding login credentials and using up-to-date anti-virus tools).

3.3 Combined Service Packages (Hybrid Services)

If the Client purchases a service package or engagement that includes both Advisory Services and access to the CyberPrism platform (a “Hybrid Services” arrangement), then the respective terms of this Agreement applicable to each component of the Services shall apply to the corresponding components. For example, use of the CyberPrism platform within a hybrid engagement is subject to the same license rights and restrictions stated in Section 3.2 and Appendix 1, while any consulting or advisory elements are subject to Section 3.1. The Order Form or SOW will specify the details of the hybrid package, including any concurrent term for the CyberPrism subscription and the Advisory Services. Unless otherwise specified, a hybrid package will have a unified term (e.g., a one-year engagement that includes ongoing platform access and periodic advisory consultations), and the auto-renewal provisions of Sections 5.4 and 13.1 will apply to the recurring components (such as the platform subscription or any ongoing advisory retainer).

The Client acknowledges that some Advisory Services in a hybrid package may be delivered through or in conjunction with the CyberPrism platform (for example, CRI’s consultants may use the platform to perform assessments or generate reports for the Client). In such cases, the Client will receive the benefit of the platform output and the expert analysis together. Any support or issues related to the CyberPrism software in a hybrid package will be handled in accordance with the Support terms, and any consulting queries will be handled by CRI’s advisory team. CRI will clarify in the Order Form or SOW any special terms that apply to a combined offering. In the absence of any special terms, all general provisions of this Agreement shall apply to the Hybrid Services.

4. Use of Services and Client Obligations

4.1 Compliance with Law and AUP

The Client agrees to use the Services only for lawful business purposes and in accordance with this Agreement, including the Acceptable Use Policy in Appendix 1. The Client and its Authorized Users shall not use the CyberPrism platform or any Service: (i) in violation of any applicable laws or regulations (including data protection and export control laws); (ii) to transmit or store any content that is illegal, defamatory, obscene, discriminatory, or infringing; or (iii) to engage in any conduct that could harm the security, integrity, or availability of the Services. The Client is responsible for ensuring that all Authorized Users are aware of and abide by the terms of this Agreement and the AUP. If the Client becomes aware of any actual or suspected violation of the AUP or unauthorized use of the Services, it shall promptly notify CRI.

4.2 Account Security and Authorized Use

The Client is responsible for maintaining the confidentiality and security of its account credentials for the CyberPrism platform. Credentials (such as user IDs and passwords or API keys) must not be shared between individuals. The Client will manage its Authorized Users’ access (for example, promptly removing access for users who no longer should have it) and will be responsible for any actions taken under its accounts by its Authorized Users or any other person who gains access due to the Client’s failure to safeguard credentials. CRI employs security measures to protect the Platform, but the Client acknowledges that user account security also depends on the Client’s safe handling of credentials. CRI will not be liable for any unauthorized access or use of the Services resulting from the Client’s failure to protect its credentials. CRI reserves the right to suspend or lock user accounts if unauthorized or suspicious activity is detected, in order to protect both parties, and will inform the Client in such event.

4.3 Client Provided Content and Consents

The Client is solely responsible for all Client Data and any other materials or content that it (or its Authorized Users) provides to CRI or inputs into CyberPrism. The Client represents and warrants that: (a) the Client either owns all right, title and interest in the Client Data, or has obtained all necessary rights, licenses, and consents to allow the Client Data to be used as contemplated by this Agreement; (b) the Client Data and CRI’s processing or use of it in accordance with this Agreement will not infringe any intellectual property, privacy, or other rights of any third party, and will not violate any applicable law or regulation (including Data Protection Laws or export control laws); and (c) the Client Data does not contain any viruses, worms, malware or other harmful code. The Client shall not upload or provide any data to CRI that it is not legally permitted to transfer or use in this manner. CRI is not obligated to screen Client Data, but reserves the right to remove or restrict access to any Client Data that violates the foregoing warranties or the Acceptable Use Policy.

4.4 Acceptable Use Violations and Suspension

If the Client or its Authorized Users violate the Acceptable Use Policy or any other provision of Section 4 in a material way, CRI may give the Client a notice to remedy the violation. If the Client fails to cure the violation within thirty (30) days after such notice, or if the violation is such that it poses an imminent threat to CRI’s systems or the security or lawful operations of the Services (in which case CRI may require a more immediate remedy, or temporarily suspend the affected Services to prevent harm), then CRI reserves the right to suspend or terminate (as appropriate) the Client’s access to the Services. Any such suspension by CRI shall be limited to the scope reasonably necessary to address the violation (for example, suspending a specific user account or feature if possible, rather than the entire service, if the issue is isolated), and CRI will promptly restore the Services once the issue is resolved. Suspension of Services for breach does not relieve the Client of its obligation to pay Fees, and no credit or refund will be issued for suspended Services in the case of the Client’s breach. CRI will not be liable for any damages or losses suffered by the Client as a result of a suspension in accordance with this Section.

4.5 Support Cooperation

In relation to any technical support or troubleshooting, the Client agrees to reasonably cooperate with CRI’s support personnel. This may include providing information about the Client’s system environment, enabling remote diagnostic tools if applicable, or implementing temporary measures suggested by CRI to mitigate an issue. The Client should designate a primary contact person for communications regarding support and ensure that only trained or knowledgeable personnel interact with CRI’s support for efficient resolution of issues. Further details on support procedures and service levels are set out in Appendix 2.

5. Fees, Invoicing and Payment

5.1 Fees and Taxes

The Client agrees to pay all Fees as set forth in each Order Form or Statement of Work. Fees for CyberPrism subscription services may be structured as recurring subscription charges (for example, an annual fee, payable upfront or in periodic installments as stated in the Order Form). Fees for Advisory Services may be structured as a fixed project fee, a time-and-materials rate (with an estimated total), or a recurring retainer fee, as specified in the relevant Order or SOW. All Fees are stated in Euro (EUR) unless otherwise indicated, and are exclusive of any applicable taxes. The Client is responsible for any value-added tax (VAT), sales tax, GST, or similar indirect taxes that are required by law, which will be added to CRI’s invoices at the appropriate rate. If any withholding tax is required by law to be deducted from payments by the Client, the Client shall gross-up the payment such that CRI receives the full amount of Fees owed as if no withholding had occurred (and Client shall provide appropriate documentation to CRI evidencing payment of the withholding tax). The Client shall pay all Fees in full, without any set-off, deduction or counterclaim (except as may be required by law in respect of withholding taxes as noted, or except for any amounts disputed in good faith in accordance with Section 5.3).

In addition to the service Fees, the Client agrees to reimburse CRI for reasonable travel, accommodation, or other out-of-pocket expenses incurred by CRI in the course of performing any Advisory Services on-site or as otherwise necessary, provided that any such expenses are pre-approved by the Client (or provided for in the SOW). CRI shall itemize any reimbursable expenses on its invoices and provide supporting receipts upon request.

5.2 Invoicing and Payment Terms

Unless otherwise specified in the Order Form or SOW, CRI will invoice the Client for Fees as follows:

  • CyberPrism Subscription Fees: Subscription fees are typically invoiced in advance (e.g., annually in advance for an annual subscription, or monthly/quarterly in advance if agreed). The initial invoice will be issued promptly upon the Effective Date or the subscription start date (whichever is later), covering the Initial Term or initial billing period. Renewal Term fees will be invoiced as described in Section 5.4.

  • Advisory Services Fees: For fixed-fee projects, CRI may invoice according to a payment schedule outlined in the SOW (for example, a percentage upfront and the remainder upon completion or at milestones). For time-and-materials services or retainer services, CRI may invoice monthly in arrears for hours expended and any expenses, or as otherwise specified in the SOW. If not specified, CRI will invoice monthly for work performed in the prior month.

Each invoice will itemize the Services provided and the corresponding Fees, and will include any applicable taxes. The Client shall pay each invoice within thirty (30) days of the invoice date, unless a different payment period is stated in the Order Form or invoice. Payment shall be made via electronic bank transfer to the account specified by CRI (or by other payment methods if agreed, such as credit card or check for smaller amounts). All payments must be made in the currency specified on the invoice (which will be EUR unless otherwise noted). The date of payment shall be when funds are received by CRI in cleared form.

5.3 Disputed Charges and Late Payments

If the Client, in good faith, disputes any portion of an invoice, the Client must notify CRI in writing before the payment due date, specifying the amount in dispute and the reason for the dispute. The Client may withhold payment of the disputed portion until the dispute is resolved, but shall timely pay the undisputed portion. The parties shall negotiate in good faith to resolve any invoice disputes promptly. CRI will not exercise its late-payment remedies under this Section 5.3 (interest or suspension) in respect of any amount that is disputed in good faith in accordance with this Section.

If any undisputed invoice is not paid in full by the due date, CRI reserves the right to charge interest on the overdue amount. Interest will accrue on a daily basis from the day after the due date until payment in full, at an annual rate of eight (8) percentage points above the European Central Bank’s main refinancing rate (the rate permitted under Irish law for late payments in commercial transactions) or, if lower, the maximum rate allowed by applicable law. The Client shall also be responsible for any costs of collection (such as reasonable legal fees) incurred by CRI in recovering overdue amounts.

In addition to charging interest, if any payment is more than fifteen (15) days late (and not subject to a good-faith dispute), CRI may, after providing at least fifteen (15) days’ prior written notice to the Client of such late payment, suspend the provision of Services until all overdue amounts are paid. This could include disabling access to the CyberPrism platform or pausing work on Advisory Services. CRI will not suspend services if the Client is actively working with CRI to resolve the delinquency or if the Client has provided a credible commitment to pay by a specific date. However, persistent or significant payment defaults shall constitute a material breach, giving rise to termination rights per Section 13.2.

5.4 Automatic Renewal and Price Adjustments

Auto-Renewal of Term. Except as otherwise specified in an Order Form or SOW, each subscription to CyberPrism and any recurring service under this Agreement shall automatically renew at the end of its Initial Term for an additional term equal in length to the Initial Term (each a “Renewal Term”), unless either party gives written notice of non-renewal at least thirty (30) days before the end of the then-current term. For clarity, if the Client does not provide a written notice of intent not to renew at least 30 days prior to the expiration of the Initial Term (or the current Renewal Term), the subscription or service will renew automatically. CRI may also elect not to renew a Service by providing at least 30 days’ written notice to the Client prior to the end of the current term.

Renewal Pricing Increase. Upon each renewal, the Fees payable for the renewed term shall automatically increase by ten percent (10%) over the Fees applicable in the immediately preceding term, unless otherwise stated in the Order Form or unless the parties mutually agree in writing to a different renewal price. The Client acknowledges and agrees that this 10% increase is a predetermined price adjustment to account for factors such as inflation, increased costs, and service improvements, and shall apply to each Renewal Term by default. CRI may, as a courtesy, remind the Client of an upcoming renewal and any price increase in advance; however, the validity of the auto-renewal and price increase is not contingent on such reminder. If the Client has made a multi-year prepaid commitment, the auto-renewal (with price increase) will take effect after the end of the prepaid period.

CRI will invoice the Client for the Renewal Term on or about the start date of the Renewal Term (or on the schedule otherwise defined in the Order Form), and the Client shall pay the renewal Fees in accordance with Section 5.2. If the Client timely notifies CRI of non-renewal as per above, the Services will expire at the end of the then-current term and CRI will cease billing for subsequent terms.

5.5 Cancellation and Refund Policy for Prepaid CyberPrism Contracts

If the Client has prepaid subscription Fees for a fixed term of the CyberPrism Services (for example, paid upfront for an annual or multi-year subscription) and the Client elects to terminate the CyberPrism Services before the end of the prepaid term for convenience (i.e., for reasons other than CRI’s breach or a cause under Section 13.2), then the Client will not be entitled to any cash refund of the prepaid Fees. However, as a courtesy and subject to the conditions below, CRI will provide the Client with a pro-rata credit for the unused portion of the prepaid term.

The pro-rata credit will be calculated from the effective date of termination through the remainder of the prepaid term, based on the number of full months (or other unused service period) remaining. The credit amount = (prepaid Fee for the term) × (unused portion of the term). This service credit can be applied by the Client towards future purchases of CRI’s services (for example, the Client may apply the credit against renewal fees for CyberPrism if restarting later, or against fees for Advisory Services, as mutually agreed). All credits issued under this policy are non-transferable, have no cash value, and will expire twelve (12) months after issuance if not used.

To exercise an early termination of a prepaid CyberPrism contract under this Section 5.5, the Client must provide at least thirty (30) days’ advance written notice to CRI specifying the effective termination date (which may be any date at least 30 days after the notice, but not later than the original end of the term). CRI will confirm the termination date and the calculated credit amount. CRI will process the issuance of the service credit within ninety (90) days after the effective termination date. During that processing period, CRI may verify the remaining term and ensure all Client obligations (such as any outstanding payments or return of CRI materials) are satisfied.

No Cash Refunds. Except for credits as described above, or in cases of termination due to CRI’s uncured material breach as described in Section 13.3, the Client acknowledges that all Fees are non-refundable. If the Client terminates a prepaid subscription early, the sole compensation to the Client shall be the service credit described, and no refund in cash will be provided for unused services.

Nothing in this Section 5.5 shall limit the Client’s rights to terminate for cause or any remedies in the event of CRI’s breach. If the Client terminates the subscription due to a material breach by CRI (as per Section 13.2) and such breach is not cured, then in lieu of a service credit, the Client will be entitled to a pro-rata refund of any prepaid Fees for the terminated portion of the term (if and as ordered by a court or agreed in a settlement), which CRI shall process within ninety (90) days of termination.

6. Support and Service Levels

CRI will provide technical support and customer service for the CyberPrism platform in accordance with the standards described in this Section and in Appendix 2 (Support and Service Levels). The goal of CRI’s support is to ensure that the CyberPrism platform operates substantially in accordance with its documentation and to assist the Client in resolving any issues that arise during permitted use of the Platform.

Support Hours and Contact. The Client can access CRI’s support team via email at support@cyberriskinternational.com or via the support portal (if provided), during CRI’s normal business hours of 9:00 AM to 5:30 PM Dublin time, Monday through Friday (excluding Irish public holidays), or as otherwise set out in Appendix 2. CRI may provide extended or 24/7 emergency support for critical issues as part of a separate support package or at its discretion for urgent incidents.

Incident Response. CRI will use commercially reasonable efforts to respond to support requests within the response times indicated in Appendix 2, which may vary based on the severity level of the issue. For example, critical issues (such as the CyberPrism platform being unavailable) will receive a faster initial response and higher priority than minor issues or general questions. CRI will assign qualified personnel to work with the Client to resolve issues and will keep the Client informed of progress. While CRI cannot guarantee a specific resolution time, it will make good faith efforts to resolve material defects or errors in the Platform and to provide workarounds when feasible.

Maintenance and Updates. CRI may from time to time perform scheduled maintenance or deploy updates to the CyberPrism platform. Whenever possible, CRI will perform scheduled maintenance during off-peak hours (such as nights or weekends) to minimize impact on the Client, and will provide advance notice for any maintenance that is expected to cause significant downtime or disruption. In the event of urgent unscheduled maintenance (for example, to address a security vulnerability or system instability), CRI will endeavor to notify the Client as soon as practicable, although immediate notice may not be possible in all cases. The Client acknowledges that occasional downtime for maintenance or updates is necessary to ensure optimal performance and security of the Services.

Service Levels. CRI aims to achieve high availability for the CyberPrism platform. While CRI does not warrant a specific uptime percentage in this Agreement (unless otherwise agreed in a Service Level Agreement appendix), its target is at least 99% uptime measured on a monthly basis, excluding scheduled maintenance windows and events of force majeure. Appendix 2 may contain further details on service level objectives and any remedies (such as service credits) for extended downtime. The Client’s sole and exclusive remedy for any failure by CRI to meet any service level or support obligation shall be as set forth in Appendix 2 (if any service credit scheme is defined) or to terminate the affected Service as provided in Section 13 if performance issues constitute a material breach.

Support Limitations. Support Services are intended to address issues with the CyberPrism platform itself and to provide guidance on its use. CRI’s support team cannot perform tasks that are the Client’s own responsibility, such as configuring the Client’s network or devices, managing the Client’s internal data, or providing general cybersecurity consulting outside the scope of the Platform’s operation (unless separately engaged under Advisory Services). If an issue is determined to have been caused by the Client’s misuse or modification of the Platform, or by third-party systems (e.g., an internet outage or third-party software integrated by the Client), CRI may charge the Client on a time-and-materials basis for support efforts beyond reasonable troubleshooting, after informing the Client and obtaining consent to such charges.

7. Data Protection and Privacy

Each party shall comply with all applicable Data Protection Laws in connection with the performance of this Agreement. In the course of providing the Services, the parties acknowledge that CRI may process certain personal data on behalf of the Client. For example, Client Data input into CyberPrism or shared during Advisory Services may include personal data such as employee names, contact information, or other identifying information relevant to risk assessments.

Controller and Processor Roles. To the extent CRI processes personal data that is part of Client Data on behalf of the Client (for instance, data about the Client’s employees or customers input into the CyberPrism platform), the Client is deemed the data Controller and CRI is the data Processor (as those terms are defined in GDPR). The Data Processing Addendum attached as Appendix 3 to this Agreement shall govern such processing of personal data and is hereby incorporated by reference. Among other things, Appendix 3 sets out the subject-matter and nature of the processing, the types of personal data and categories of data subjects, and the respective obligations of CRI as a Processor, including implementing appropriate technical and organizational measures to safeguard personal data, only processing data in accordance with Client’s instructions, and assisting the Client in meeting its compliance obligations under Data Protection Laws.

Data Security. CRI shall maintain administrative, physical, and technical safeguards for the security and integrity of Client Data (including personal data) that are reasonably appropriate for a provider of services of similar nature, and as required by Data Protection Laws. This includes measures to protect against unauthorized access, disclosure, or alteration of Client Data. Without limitation to the foregoing, CRI will (a) restrict its personnel and subprocessors from accessing personal data except as necessary to provide the Services and subject to confidentiality obligations; (b) ensure that any subprocessors handling personal data on CRI’s behalf are bound by equivalent obligations and are engaged under a data processing agreement consistent with GDPR Article 28; and (c) notify the Client without undue delay if CRI becomes aware of a personal data breach affecting Client Data, and cooperate with the Client in any investigation and remediation as required by law.

International Transfers. The Client acknowledges that CRI may process and store Client Data (including personal data) on secure cloud servers or data centers which could be located inside the European Economic Area (EEA) or in another jurisdiction, depending on CRI’s infrastructure arrangements. CRI’s primary operations are in Ireland and, to the extent possible, Client Data will be stored within data centers in the EEA. If CRI needs to transfer personal data from the EEA (or other jurisdiction with data transfer restrictions) to a country not recognized as providing an adequate level of data protection (such as to a subprocessor in the United States), CRI will ensure that such transfer is carried out in compliance with Data Protection Laws. This may include implementing European Commission Standard Contractual Clauses or other appropriate safeguards as per GDPR Chapter V. Appendix 3 may specify any such transfer mechanisms.

Data Subject Requests and Cooperation. Taking into account the nature of the Services, CRI shall assist the Client, by appropriate technical and organizational measures and at the Client’s reasonable expense, in fulfilling the Client’s obligations to respond to requests from individuals (data subjects) to exercise their rights under Data Protection Laws (such as rights to access, rectify, or erase their personal data). If CRI directly receives any such request relating to Client Data, it will promptly inform the Client and will not respond directly to the request unless required by law or authorized by the Client. Additionally, upon the Client’s request, CRI will reasonably assist the Client in ensuring compliance with the Client’s obligations regarding data security, data breach notifications, data protection impact assessments, and consultations with supervisory authorities, as relevant to the Services, again at the Client’s expense if the effort is significant.

Use of Anonymized Data. The Client agrees that CRI may collect and use data relating to the performance, use, and operation of the Services in aggregated or anonymized form for the purposes of improving CRI’s services, developing new features, compiling statistical insights, and benchmarking. For example, CRI may track general usage trends or average risk scores across its client base, provided that such analysis does not reveal any Confidential Information or personally identify the Client or any data subject. Data that has been fully anonymized (so that it is not considered personal data under Data Protection Laws) may be retained by CRI beyond the Term for the aforementioned purposes.

Privacy Policy. CRI’s general privacy policy (available on its website) provides additional information on how CRI handles personal data of business contacts and Authorized Users when acting as a data controller (for example, contact information of Client’s personnel for contract management, billing, or marketing purposes). The Client acknowledges that CRI may process such business contact data as a controller for legitimate business interests (e.g., contract administration, service announcements, or promoting similar services to the Client), in compliance with Data Protection Laws. Each party shall ensure that any personal data of the other party’s personnel that it holds (e.g., contact details) is kept secure and used only for the purposes of this Agreement.

8. Confidentiality

8.1 Non-Disclosure and Use

Each Receiving Party shall: (a) use the Disclosing Party’s Confidential Information solely for the purpose of performing its obligations and exercising its rights under this Agreement; and (b) not disclose or make available any Confidential Information of the Disclosing Party to any third party except as permitted in this Section. Each party shall protect the confidentiality of the other’s Confidential Information with at least the same degree of care it uses to protect its own Confidential Information of similar sensitivity, and in no event less than a reasonable standard of care. Access to Confidential Information of the other party shall be restricted to those personnel or authorized contractors or advisors of the Receiving Party who need such access for purposes consistent with this Agreement, and who are bound by confidentiality obligations no less stringent than those herein.

8.2 Permitted Disclosures

Notwithstanding the foregoing, a Receiving Party may disclose Confidential Information of the Disclosing Party if and to the extent required by law, regulation, or court order, provided that (if legally permitted) the Receiving Party gives prompt written notice to the Disclosing Party of such requirement to allow the Disclosing Party an opportunity to seek a protective order or other appropriate remedy. If disclosure is ultimately required, the Receiving Party will disclose only that portion of the Confidential Information which its legal counsel advises it is required to disclose. Additionally, either party may disclose the existence of this Agreement and the general nature of the business relationship (for example, CRI may list the Client’s name and logo in its client lists or marketing materials, unless the Client requests in writing to be excluded).

8.3 Duration of Confidentiality Obligations

The obligations in this Section 8 shall commence on the Effective Date and continue for the Term of the Agreement and for a period of five (5) years after termination or expiration of the Agreement. With respect to any trade secrets or highly sensitive information that are clearly identified as such at the time of disclosure, the obligations of confidentiality shall continue for so long as such information remains a trade secret under applicable law or otherwise confidential and not publicly known, whichever is longer.

8.4 Return or Destruction

Upon termination or expiration of this Agreement (or earlier upon request of the Disclosing Party), each Receiving Party shall promptly return or destroy (at the Disclosing Party’s election) all Confidential Information of the Disclosing Party in its possession or control, and certify in writing that it has done so, except to the extent that the Receiving Party is required by law or valid record-keeping policies (such as archival backup systems) to retain copies. Notwithstanding the foregoing, the Receiving Party shall not be required to delete electronically stored Confidential Information that is maintained as part of routine archival backups, provided that such retained information remains subject to the confidentiality obligations of this Agreement.

8.5 Confidentiality Exceptions

Information shall not be deemed Confidential Information if it falls into one of the exceptions enumerated in the definition in Section 2 (for example, information that becomes public through no breach by the Receiving Party). In addition, nothing in this Agreement shall restrict CRI from using any general know-how, skills or expertise developed in the course of providing the Services, provided that in doing so CRI does not use or disclose the Client’s Confidential Information. For instance, CRI’s consultants may utilize general methodologies or knowledge gained through performing services for the Client in servicing other clients, as long as no Client-specific Confidential Information is shared.

9. Intellectual Property Rights

9.1 CRI Property

All Intellectual Property Rights in and to the Services, the CyberPrism platform (including all software, code, algorithms, user interfaces, documentation, and underlying technology), and any methodologies, templates, tools or proprietary materials used by CRI in performing Advisory Services or creating Deliverables (collectively, “CRI Materials”), are and shall remain owned by CRI or its licensors. Except for the limited rights expressly granted to the Client under this Agreement, no rights or licenses to CRI Materials or Intellectual Property Rights are granted or implied. The Client is not acquiring any ownership interest in CyberPrism, the Deliverables, or any other CRI Materials, and CRI reserves all rights that are not expressly granted.

9.2 License to Use CyberPrism

Subject to the Client’s payment of all applicable Fees and compliance with the terms of this Agreement, CRI grants to the Client, during the Term, a limited, non-exclusive, non-transferable, revocable license (without the right to sublicense) to access and use the CyberPrism platform and any related CRI Materials (such as user manuals or online documentation) solely for the Client’s internal business operations. This license allows use by the Authorized Users within the agreed scope (e.g., number of users or assessments) and is limited to the features and modules of CyberPrism that the Client has subscribed to. Any software components that may be provided by CRI for installation on Client’s premises (if any, such as an optional data connector or agent) are licensed on the same terms for use only in connection with the CyberPrism Services and must be uninstalled upon termination. The Client shall not (and shall not permit any third party to) copy, distribute (except internally as permitted), modify, or create derivative works based on the software or content provided by CRI, except as expressly permitted by this Agreement. All copies of CRI Materials (e.g., downloaded reports or documentation) must include any proprietary notices present on the originals.

9.3 License to Deliverables and Work Product

Subject to the Client’s payment in full for the applicable Advisory Services, CRI hereby grants the Client a perpetual, worldwide, royalty-free, non-exclusive license to use, reproduce, and create derivative works from any Deliverables or other work product delivered to the Client as part of the Advisory Services, solely for the Client’s own internal business purposes. The Client may not resell or publicly distribute such Deliverables to third parties (except disclosure to advisors or regulators as permitted in Section 3.1) without CRI’s prior written consent. CRI retains the right to reuse any general knowledge, skills, experience, ideas, concepts, know-how and techniques acquired in the course of performing the Advisory Services, provided that no Client Confidential Information is used in doing so. If a Deliverable contains CRI’s pre-existing proprietary content or third-party components (for example, a template policy document created by CRI prior to the Client’s engagement), then CRI will identify such portions, and the Client’s license to those portions is limited to use in connection with the Deliverable as a whole and does not transfer any ownership of such pre-existing materials to the Client. CRI warrants that it has the necessary rights to grant the license in this Section 9.3 for any Deliverables provided.

9.4 Client Property and License to CRI

All Intellectual Property Rights in the Client’s own materials, data and content (including Client Data) are and will remain owned by the Client or its licensors. The Client grants to CRI a non-exclusive, royalty-free, worldwide license to use, copy, transmit, store, and process Client Data and any other materials provided by the Client to the extent necessary to perform the Services, including to display results within the CyberPrism platform, to generate reports or Deliverables, and otherwise as instructed by the Client. The Client also grants CRI the right to use the Client’s name, logo, and trademarks as needed within the Platform interface (for example, to personalize the dashboard for Client’s users) and in Deliverables. Aside from this usage license, CRI is not granted any rights in the Client’s intellectual property, and all rights not expressly granted to CRI are reserved by the Client. If the Client provides CRI with feedback, suggestions, or requests for improvements to the CyberPrism platform or Services, CRI shall be free to utilize such feedback without restriction or obligation (the Client hereby licenses any such feedback to CRI on a perpetual, irrevocable basis), provided that CRI shall not disclose the source of feedback or any Client Confidential Information in doing so.

9.5 Third-Party Components

The Services may include software, content, data, or other materials that are licensed from third parties (such as open source software libraries used within CyberPrism). CRI represents that it has obtained the necessary rights to include and use such third-party components in providing the Services. Some third-party components may be subject to additional or alternative license terms, which, to the extent required by the third-party licensor, will be identified in the documentation or via a notice within the Platform. The Client’s use of those third-party components as part of the Services shall be subject to those license terms. Nothing in this Agreement limits the Client’s rights under the license terms for any open source software incorporated into the Platform (if any).

10. Warranties and Disclaimers

10.1 Mutual Authority Warranty

Each party represents and warrants that it is duly organized, validly existing and in good standing under the laws of its jurisdiction of incorporation, and that it has full authority to enter into this Agreement and to perform its obligations hereunder. Each party further warrants that the person signing or accepting this Agreement on its behalf has been properly authorized and that once executed, this Agreement will constitute a legal, valid, and binding obligation of that party.

10.2 CRI Warranties

CRI warrants that: (a) it will perform all Services (both Advisory Services and any support services related to CyberPrism) in a professional and workmanlike manner, using personnel with appropriate skills, qualifications, and experience; and (b) the CyberPrism platform, when used in accordance with its documentation and this Agreement, will materially conform to the service description or specifications provided by CRI in the Order Form or documentation during the Term. In the event of a breach of the warranty in subpart (b), the Client’s sole and exclusive remedy, and CRI’s sole obligation, shall be for CRI to make commercially reasonable efforts to correct or provide a workaround for the non-conformity, or if CRI is unable to do so within a reasonable time, the Client may terminate the affected Service and receive a pro-rata refund or credit for any prepaid Fees covering the unused portion of the term for that Service.

CRI further warrants that to its knowledge, the Services and CRI Materials do not infringe upon any third party’s Intellectual Property Rights. This warranty is subject to Section 12.1 (Indemnification for IP Claims) which provides the Client’s remedies for any breach of this warranty.

Except as expressly provided in this Section 10.2, the Services are provided on an “as is” basis.

10.3 Client Warranties

The Client represents and warrants that: (a) it has the necessary rights and permissions to provide the Client Data to CRI and to authorize CRI to process the Client Data for the purposes of this Agreement; (b) the Client Data and its use in accordance with this Agreement will not violate the rights of any third party (including any intellectual property rights or privacy rights) or any applicable laws; (c) the Client will use the Services in compliance with all applicable laws (including obtaining any regulatory approvals or licenses that may be necessary for its use of the Services in its particular industry or jurisdiction, except to the extent CRI has expressly agreed in writing to obtain a specific regulatory clearance as part of the Services); and (d) no Client-provided software or systems interfacing with the CyberPrism platform will introduce any harmful code or vulnerabilities into CRI’s systems.

The Client also warrants that it will not re-sell or make available the Services to any third party (except Authorized Users and affiliates as permitted) and will not use the Services to process data for the benefit of third parties as a service bureau or similar.

10.4 Disclaimer of Warranties

General Disclaimer. Except for the express warranties set forth in Sections 10.2 and 10.3 above, and to the maximum extent permitted by applicable law, CRI expressly disclaims all other warranties, representations, or conditions, whether express or implied, oral or written, including any implied warranties of merchantability, satisfactory quality, fitness for a particular purpose, non-infringement, title, and any warranties arising from course of dealing or usage in trade. CRI does not warrant that the Services will meet all of the Client’s requirements, or that operation of the CyberPrism platform will be uninterrupted or error-free, or that all defects will be corrected. CRI does not guarantee any particular results or outcomes from the use of the Services.

Cybersecurity Risk. The Client acknowledges that cybersecurity risk management and regulatory compliance are complex, continually evolving fields, and that no service or tool can guarantee absolute protection or compliance. CRI’s Services (including advice, assessments, and the CyberPrism platform) are intended to assist the Client in identifying and managing cyber risks, but the Client remains solely responsible for the decisions it makes and the actions it takes (or fails to take) in securing its systems and in achieving compliance with applicable laws or standards. CRI does not warrant that use of the Services will prevent all cyber attacks or security incidents, or that the Client will be compliant with every regulatory requirement. For example, CRI cannot guarantee that every vulnerability will be detected or that regulators will accept the Client’s cybersecurity program. The Client’s use of any recommendations or reports provided by CRI is at the Client’s own discretion and risk.

Third Party Systems. CRI is not responsible for the operation or security of any networks, applications, or services that are not provided by CRI. Any integration or use of the Services in conjunction with third-party systems (such as the Client’s existing IT infrastructure or any third-party software) is at the Client’s risk. CRI makes no representations or warranties about any third-party products or services that the Client may use in connection with the Services. If the CyberPrism platform allows for integration with third-party applications or data sources (e.g., importing data from a third-party tool), CRI does not warrant the functioning or results of such integration unless explicitly stated in the Order Form.

Internet and Data Transmission. The Client acknowledges that the use of internet-based services entails inherent risks. CRI is not responsible for any delays, delivery failures, or other damage resulting from problems inherent in the use of the internet and electronic communications, such as network interruptions, malware that travels through the internet, or data corruption in transit. The Client is responsible for ensuring that it employs appropriate measures (like firewalls and encryption) when transmitting sensitive data to and from the CyberPrism platform.

10.5 No Other Commitments

No advice or information obtained by the Client from CRI or through the Services, whether oral or written, shall create any warranty or condition not expressly stated in this Agreement. The Client has not relied on any representation or warranty regarding the Services except as specifically provided herein. Any estimates or forecasts provided by CRI (for example, of time to complete a project, or potential risk reductions) are for planning purposes only and are not guarantees of actual results.

Some jurisdictions do not allow the exclusion of certain warranties or conditions. To the extent such law applies to this Agreement, the exclusions above shall apply to the fullest extent permitted by law.

11. Limitation of Liability

11.1 Unlimited Liabilities

Nothing in this Agreement shall exclude or limit a party’s liability for: (a) death or personal injury caused by its negligence or that of its employees or agents; (b) fraud or fraudulent misrepresentation; (c) any other liability which cannot be lawfully excluded or limited under applicable law. In addition, Sections 11.2 and 11.3 below are subject to Section 12.1 (indemnification for IP claims), which provides separate remedies for certain third-party claims.

11.2 Exclusion of Consequential Damages

Subject to Section 11.1 above, in no event will either party be liable to the other party for any indirect, incidental, special, punitive, exemplary or consequential losses or damages of any kind, arising out of or in connection with this Agreement or the Services, whether in contract, tort (including negligence), strict liability or under any other theory of liability, and even if advised of the possibility of such damages. The foregoing exclusion includes, without limitation, any loss of profits, loss of revenue, loss of business opportunity, loss of anticipated savings, loss of or corruption of data, business interruption, or damage to goodwill or reputation, even if such loss or damage was foreseeable.

11.3 Cap on Liability

Subject to Section 11.1 and except for claims arising from the Client’s payment obligations, each party’s total cumulative liability arising out of or related to this Agreement (whether in contract, tort, breach of statutory duty or otherwise) shall not exceed the total amount of Fees paid or payable by the Client to CRI under this Agreement in the twelve (12) months immediately preceding the first event giving rise to liability. If the duration of Services under this Agreement is less than twelve months or if the claim arises during the Initial Term before twelve months of the term have elapsed, then the liability cap shall be the total Fees that are payable for the first twelve (12) months of the Agreement (as if the full year had been completed). For one-time or project-based Advisory Services with a fixed fee, CRI’s total liability shall not exceed the amount of fees paid for that specific project or SOW.

For clarity, multiple claims or causes of action arising out of the same or substantially similar facts or circumstances shall be considered a single claim for the purpose of the above cap. The parties agree that the pricing and terms of this Agreement have been set with regard to this liability allocation, and they intend that this Section 11.3 will apply regardless of the form or theory of claim.

11.4 Specific Risks

Without prejudice to the general exclusions and limitations above, the Client acknowledges that CRI cannot be responsible for all aspects of cybersecurity risk, some of which are outside of CRI’s control. To the extent permitted by law, CRI shall not be liable for any damages resulting from a cybersecurity incident or data breach at the Client or any third party, even if such incident occurs after the Client utilized CRI’s Services. The Client should maintain its own insurance coverage for cyber incidents, business interruptions, and related losses.

Additionally, any liability of CRI for any claim under this Agreement will be reduced proportionally to the extent that the loss was caused or contributed to by the Client’s own acts or omissions or those of a third party (for example, if the Client failed to implement a recommendation provided by CRI and that failure contributed to the loss, CRI’s liability would be reduced accordingly).

11.5 Application of Limitations

The limitations and exclusions of liability in this Section 11 shall apply to the fullest extent permitted by law. The parties agree that these limitations allocate the risks between them as authorized by applicable law, and that the pricing of Services reflects this allocation of risk and the exclusions and limitations of liability herein. The limitations in this Section shall survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose.

12. Indemnification

12.1 CRI Indemnity for Intellectual Property Infringement

CRI shall defend, indemnify and hold harmless the Client, its affiliates, and their respective officers, directors, and employees (collectively, “Client Indemnitees”) from and against any and all third-party claims, demands, suits, or proceedings (each, a “Claim”) alleging that the Client’s use of the CyberPrism platform or any other Services (excluding Client Data and third-party materials input by Client) in accordance with this Agreement infringes or misappropriates a valid patent, copyright, trademark, or trade secret of a third party. CRI will further indemnify Client Indemnitees against any damages, losses, and reasonable costs (including court fees and reasonable attorney’s fees) finally awarded against them by a court of competent jurisdiction (or agreed in settlement by CRI) as a result of such Claim.

In the event of any such Claim, or if CRI reasonably anticipates that a Claim is likely, CRI may, at its own expense and option, take one or more of the following actions:

  • Procure the Right to Continue: Obtain the right for the Client to continue using the allegedly infringing Service;

  • Replace or Modify: Replace the Service (or the infringing part thereof) with a non-infringing alternative, or modify the Service so that it becomes non-infringing (while maintaining materially equivalent functionality);

  • Terminate and Refund: If the above options are not commercially feasible, terminate the affected Service (or portion) and refund to the Client any prepaid fees for the unused remainder of the Subscription Term for that Service.

This Section 12.1 states CRI’s sole and exclusive liability, and the Client’s sole and exclusive remedy, for any third-party intellectual property infringement or misappropriation Claims arising from the Client’s use of the Services.

Exceptions: CRI’s indemnification obligations above shall not apply to any Claim that arises from:

  • Client Modifications: Modifications to the Service made by any party other than CRI or its authorized agents;

  • Combination with Other Products: The combination, operation, or use of the Service with equipment, software, or data not supplied or approved by CRI, if the infringement would have been avoided by using the Service alone;

  • Failure to Update: The Client’s failure to use corrections or enhancements made available by CRI that would have avoided the infringement;

  • Misuse or Unauthorized Use: Use of the Service in a manner not permitted by this Agreement or for a purpose or in a context for which it was not designed.

12.2 Client Indemnity

The Client shall defend, indemnify and hold harmless CRI, its affiliates, and their respective officers, directors, and employees (collectively, “CRI Indemnitees”) from and against any and all third-party Claims arising out of or relating to:

  • Unauthorized Use: The Client’s or any Authorized User’s use of the Services in a manner not authorized by this Agreement or in violation of law, including any use that violates the Acceptable Use Policy;

  • Client-Provided Content: Any Client Data or other materials provided by Client that infringe or misappropriate a third party’s intellectual property or privacy rights, or that are defamatory or otherwise illegal;

  • Legal/Regulatory Violations: The Client’s violation of any applicable laws or regulations (including data protection laws or export controls) in connection with its use of the Services, or any violation of third-party rights arising from Client’s use of the Services; or

  • Breach of Agreement: The Client’s material breach of this Agreement, including any breach of its representations, warranties, or covenants herein.

The Client will indemnify the CRI Indemnitees against any damages, losses and reasonable costs (including court fees and reasonable attorney’s fees) finally awarded against them by a court of competent jurisdiction (or agreed in settlement by Client) as a result of such Claims.

12.3 Indemnification Procedure

Each party’s indemnification obligations are conditioned on the indemnified party: (i) promptly notifying the indemnifying party in writing of the Claim (provided that failure to provide timely notice will not relieve the indemnifier of its obligations except to the extent it was materially prejudiced by the delay); (ii) giving the indemnifying party sole control of the defense and settlement of the Claim (except that the indemnified party’s prior written consent will be required for any settlement that requires any admission of liability by the indemnified party or imposes any non-monetary obligations on the indemnified party, such consent not to be unreasonably withheld or delayed); and (iii) providing to the indemnifying party, at the indemnifying party’s expense, all reasonable assistance in the defense or settlement of such Claim. The indemnified party may, at its own cost, participate in the defense with counsel of its choosing, but the indemnifying party shall have control.

12.4 Additional Exclusions

The indemnities set forth in this Agreement are conditioned on the following: (a) the indemnified party not making any admission or taking any action in connection with the Claim that prejudices the defense, and (b) the indemnified party not entering into any settlement of the Claim without the indemnifying party’s prior written consent (not to be unreasonably withheld). The indemnifying party shall have no liability or obligation under this Section 12 for any Claim to the extent the indemnified party makes an admission in respect of the Claim, or compromises or settles the Claim, without the indemnifying party’s permission. The rights and remedies set forth in this Section 12 shall be the sole remedy of the indemnified party (and exclusive liability of the indemnifying party) as to the Claims covered by the indemnities.

13. Term and Termination

13.1 Term of Agreement and Renewal

This Agreement commences on the Effective Date and will continue in effect for as long as any Order Form or SOW remains in force, unless earlier terminated in accordance with this Section 13. The Initial Term for each Service (e.g., the initial subscription term for CyberPrism, or the expected duration of an Advisory Services project) will be as set forth in the applicable Order Form or SOW. If no duration is specified for a particular Service, a default term of one (1) year shall apply for recurring services, and project-based services shall be deemed to have a term lasting until completion of the services or deliverables.

At the end of each Initial Term for a recurring Service (such as an annual subscription or ongoing retainer), the Service will automatically renew for successive Renewal Terms of equal length to the Initial Term (or as otherwise specified in the Order Form), under the terms of this Agreement, unless either party provides a written notice of its intent not to renew that Service at least thirty (30) days prior to the end of the current term. The Fees for any Renewal Term shall be subject to the price increase specified in Section 5.4 (10% increase) or as otherwise agreed. If either party gives a timely notice of non-renewal, the Service will expire at the end of the then-current term.

If the Client continues to use a Service past the expiration or termination of its term without a formal renewal in writing, such use shall be on a month-to-month basis subject to this Agreement and at the then-current standard Fees charged by CRI (which shall incorporate the applicable 10% increase from the last contracted rate).

13.2 Termination for Cause

Either party may terminate this Agreement (and any or all Order Forms or SOWs) immediately by giving written notice to the other party upon the occurrence of any of the following events:

  • Material Breach: The other party commits a material breach of this Agreement (including any Order Form or SOW) and, if the breach is curable, fails to cure that breach within thirty (30) days after receiving written notice detailing the breach. If the breach is of a nature that cannot reasonably be cured within 30 days, the breaching party may submit a plan acceptable to the non-breaching party to cure the breach as soon as practicable, but in any case within 60 days, to avoid termination.

  • Insolvency: The other party becomes insolvent, is unable to pay its debts as they fall due, has a receiver or examiner appointed over it or its assets, files for bankruptcy or similar protection, enters into liquidation (other than a voluntary solvent liquidation for reorganization purposes), or any analogous event occurs under the laws of any relevant jurisdiction that suggests the party is insolvent or nearing insolvency.

  • Ceasing Business: The other party ceases to carry on business or announces an intention to cease operations in a manner that would prevent it from performing its obligations under this Agreement.

CRI may additionally terminate or suspend this Agreement (or the affected Service) with immediate effect if the Client is in material breach of the Acceptable Use Policy or data protection obligations and, after written notice from CRI, fails to promptly remedy such breach (taking into account the urgency and potential harm of the situation). In cases where an uncured material breach by the Client relates only to one Order Form or Service (e.g., violation in the use of CyberPrism but not affecting a separate Advisory SOW, or vice versa), CRI may elect to terminate only that specific Order Form/Service, while other unrelated Orders may continue in effect at CRI’s discretion.

13.3 Termination for Convenience of Advisory Services

The Client may terminate any Statement of Work for Advisory Services (excluding any ongoing subscription components) for its convenience and without cause, by giving at least thirty (30) days’ prior written notice to CRI (or a shorter notice period if specified in the SOW). In such event, CRI will cease work on the terminated Services as of the effective termination date and will take reasonable steps to wind down any in-progress work in an orderly manner. The Client shall pay CRI for all Services performed up to the termination date and for any irrevocable commitments made by CRI on the Client’s behalf (such as non-cancellable travel bookings or subcontractor fees), as well as any reasonable additional costs incurred by CRI as a direct result of the early termination (provided CRI takes commercially reasonable steps to mitigate those costs). If the Client had prepaid any fees for Advisory Services that were not yet performed as of termination, CRI will, at the Client’s option, either refund the unused portion of such fees or credit them against future services (except that any non-refundable deposit or minimum fee agreed in the SOW will be retained by CRI). Termination of an Advisory Services SOW under this Section 13.3 does not automatically terminate any related CyberPrism subscription unless specified by the Client and agreed by CRI (in which case Section 5.5 would apply to the prepaid subscription fees).

13.4 Effect of Termination

Upon termination or expiration of this Agreement or any individual Service for any reason:

  • Cessation of Services: CRI will stop providing the terminated Services. The Client must immediately discontinue use of any terminated Services, including stopping all access to the CyberPrism platform for terminated subscriptions. Any licenses granted to the Client for the terminated Services (such as access to CyberPrism) will cease as of the termination date. The Client shall ensure that CRI’s intellectual property (including any software code or documentation) is removed from its systems if instructed by CRI (excluding any Deliverables or permitted copies under the license in Section 9.3 that the Client is entitled to retain).

  • Payment of Amounts Due: The Client will immediately pay any outstanding Fees and expenses owed for Services rendered up to the termination date. In the event of termination by CRI for the Client’s uncured breach, any unpaid Fees for the remainder of the term of an Order (for recurring services) shall become immediately due and payable as liquidated damages (not as a penalty), in recognition that CRI offered discounted or extended payment terms in reliance on the full term. If termination is by the Client for CRI’s breach, the Client shall pay the prorated Fees up to the effective termination date (and any pre-paid Fees for the post-termination period shall be handled as per the refund obligation below).

  • Refund or Credit: If this Agreement or a particular Service is terminated by the Client for CRI’s uncured material breach under Section 13.2, or by either party due to the other’s insolvency, CRI shall refund to the Client any portion of Fees that were paid in advance for the period after the termination date for that Service (this refund is not applicable if CRI has already provided a credit as per Section 5.5 or if the Fees are non-refundable as per the contract, except where law requires). If the Agreement is terminated by CRI for Client’s breach, Client is not entitled to any refund for prepaid Fees, and any service credits unused are forfeited. If terminated by Client for convenience under Section 13.3 or an early cancellation under Section 5.5, the agreed provisions for credits or refunds in those sections will apply.

  • Return of Confidential Information and Data: Each party shall return or, at the Disclosing Party’s request, destroy all Confidential Information of the other party in its possession relating to the terminated Services, in accordance with Section 8.4. For the CyberPrism platform, CRI will make Client Data available for export by the Client upon request. Specifically, if the Client requests in writing within thirty (30) days after termination of a CyberPrism subscription, CRI will provide the Client with a one-time export of the Client’s data from the Platform (for example, exporting assessment results and reports in a common format) or will enable the Client to download its data through the interface, at no additional charge except for any professional services fee if a special format or assistance is requested. After such 30-day period, CRI may, unless legally prohibited, delete the Client’s data associated with the CyberPrism Services, and will have no further obligation to retain it. CRI may retain copies of Client Data as required for legal or regulatory purposes or backup, subject to ongoing confidentiality.

  • Survival: The termination or expiration of this Agreement shall not affect any provisions which by their nature are intended to survive, including but not limited to: Section 2 (Definitions, to the extent needed for interpretation), Section 5 (to the extent of any unpaid fees or refund obligations), Section 7 (Data Protection) with respect to ongoing obligations on data handling or deletion, Section 8 (Confidentiality), Sections 9.1, 9.3 and 9.4 (ownership and license rights, to the extent perpetual or related to Deliverables and Client’s rights to use them), Section 10.4 (Disclaimers), Section 11 (Limitation of Liability), Section 12 (Indemnification), Section 13.4 (Effects of Termination), Section 14 (Governing Law and Dispute Resolution), and Section 15 (Miscellaneous), as well as any other clause that is expressed to survive or that is necessary to enforce or interpret the rights and obligations of the parties post-termination.

Termination is not an exclusive remedy and the exercise by either party of any remedy under this Agreement will be without prejudice to any other remedies it may have, whether under this Agreement, at law, or in equity.

14. Governing Law and Jurisdiction

This Agreement and any disputes or claims arising out of or in connection with it or its subject matter (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Republic of Ireland. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to this Agreement.

The courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim arising out of or relating to this Agreement or its subject matter. Each party irrevocably submits to the personal jurisdiction of such courts. Notwithstanding the foregoing, CRI reserves the right to seek injunctive or equitable relief in any jurisdiction to protect its intellectual property or confidential information.

Each party agrees to the chosen governing law and jurisdiction regardless of its place of incorporation or the location from which the Services are used, and waives any objection (on the grounds of inconvenient forum or otherwise) to the exercise of jurisdiction by the Irish courts.

15. Miscellaneous Provisions

15.1 Notices

All notices or other communications required or permitted under this Agreement shall be in writing and shall be deemed given: (a) when delivered personally; (b) when sent by commercial courier with tracking; (c) on the fifth business day after being mailed by registered post (airmail if international) to the address of the party as specified in the Order Form or as updated by notice; or (d) on the day of transmission if sent by email to the official notice email address provided by a party, provided that no bounce or error message is received and a confirmation copy is sent by another method. For clarity, routine operational communications (e.g., support requests or account notifications) may be sent by email to the usual contacts. Formal legal notices (such as termination or breach notices) should be marked as such and directed to the party’s legal department or registered address. The initial notice addresses are: for CRI, [Registered Office Address] and email: [official email]; for Client, the address and email on the Order Form.

15.2 Force Majeure

Neither party shall be liable for any delay or failure to perform its obligations (except payment obligations) under this Agreement if such delay or failure results from events or circumstances beyond that party’s reasonable control, including but not limited to acts of God, war, terrorism, civil unrest, strikes or labor disputes, epidemics or pandemics, government regulations or orders, fire, explosion, power outages, communications or internet service provider failures, or other force majeure events. The affected party shall notify the other party as soon as practicable of the event and use its reasonable efforts to mitigate the impact and resume performance. If a force majeure event continues for a period exceeding sixty (60) days and materially affects the Services, either party may terminate the affected Services with written notice, without further liability (except that if the Client terminates due to extended force majeure, it shall be entitled to a pro-rata refund of any prepaid Fees for the terminated portion of the Services).

15.3 Assignment

Neither party may assign or transfer this Agreement, in whole or in part, to any third party without the prior written consent of the other party, which consent shall not be unreasonably withheld or delayed. However, either party may assign this Agreement without consent (a) to an Affiliate (an entity controlling, controlled by, or under common control with, the assigning party) as long as the assigning party remains responsible for the affiliate’s performance, or (b) in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets or equity (provided that the assignee agrees in writing to be bound by all terms of this Agreement and is not a direct competitor of the non-assigning party). Any attempted assignment in violation of this section shall be null and void. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties and their respective successors and permitted assigns.

15.4 Relationship of the Parties

The relationship between the parties is that of independent contractors. Nothing in this Agreement is intended to, or shall be deemed to, create any partnership, joint venture, agency, fiduciary or employment relationship between the parties. Neither party is an agent or representative of the other or is authorized to make any commitments or representations on behalf of the other. Each party remains responsible for its own taxes, employees, and business operations.

15.5 Third-Party Beneficiaries

This Agreement is made for the sole benefit of the signatory parties and their respective successors and permitted assigns. Except as expressly provided in this Agreement (for example, indemnification covering affiliates and officers as described in Section 12), no third party shall be deemed to be a beneficiary of or entitled to enforce any terms of this Agreement. The parties agree that any legislation implementing the concept of third-party beneficiary rights (such as the Contracts (Rights of Third Parties) Act 1999 in the UK, if it were applicable, or any similar law in Ireland if enacted) shall not apply to this Agreement, to the maximum extent permitted by law.

15.6 No Waiver

No failure or delay by either party in exercising any right, power or remedy under this Agreement shall operate as a waiver of that right, power or remedy. No waiver of any provision of this Agreement shall be effective unless in writing and signed by the party against whom the waiver is claimed. A single or partial exercise of any right or remedy shall not preclude any other or further exercise of that or any other right or remedy. A waiver of any breach shall not be deemed a waiver of any subsequent breach of the same or any other provision.

15.7 Severability

If any provision of this Agreement is held by a court of competent jurisdiction or other authority to be invalid, illegal, or unenforceable, that provision (or the offending part thereof) shall be deemed deleted or limited to the minimum extent necessary, and the remainder of the Agreement shall remain in full force and effect. In such case, the parties shall negotiate in good faith to replace the void or unenforceable provision with a valid provision that, as closely as possible, achieves the original intent and economic effect of the invalid provision.

15.8 Amendments

Any amendment or modification to this Agreement (including any Order Form or SOW) must be in writing and signed by authorized representatives of both parties. The parties can mutually agree to modify scopes of work, fees, or other terms through change orders or addenda, which shall become effective when signed by both parties. For clarity, CRI’s updating of Appendices (like the Acceptable Use Policy or Support terms) as contemplated herein (e.g., updating AUP for legal compliance) does not constitute an amendment requiring Client signature, provided that such updates do not materially reduce the Client’s rights. Any material update will be communicated to the Client and if the Client objects with reasonable grounds, the parties will negotiate in good faith to resolve the concern or maintain the prior terms for that Client.

15.9 Counterparts and Signatures

If this Agreement (or any Order Form or SOW) is executed in hard copy, it may be executed in any number of counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. Signatures delivered by electronic means (such as PDF or via an electronic signature service) shall be deemed binding as if they were original signatures. If this Agreement is presented and accepted online (click-through), the electronic acceptance by the Client or its authorized representative shall constitute a binding execution of the Agreement.

15.10 Headings

The headings in this Agreement (including section and paragraph titles) are for convenience of reference only and have no legal effect in interpreting the provisions. Any section references in this Agreement refer to sections of the main body of this Agreement, unless stated otherwise.

Appendices

The following Appendices are included as part of this Agreement and are incorporated by reference. They provide additional terms and details for specific aspects of the Services.

Appendix 1: Acceptable Use Policy (AUP)

This Acceptable Use Policy sets forth specific rules and prohibitions that govern the Client’s and Authorized Users’ use of the CyberPrism platform and related Services. These requirements are in addition to the obligations in the main body of the Agreement (see Section 4). Failure to comply with this AUP constitutes a material breach of the Agreement and may result in suspension or termination of Services.

When using CyberPrism or any CRI Service, the Client and its Authorized Users shall NOT:

  • Unauthorized Access & Security Violations: Attempt to gain unauthorized access to any part of the CyberPrism platform, its underlying systems, or networks. This includes probing, scanning, or testing the vulnerability of the platform, or attempting to breach any security or authentication measures used by CRI. You must not impersonate any other user or entity or misrepresent your affiliation with any person or entity in order to gain access to the Services. Sharing of login credentials outside of your organization or with unauthorized persons is strictly forbidden.

  • Malicious Code & Interference: Introduce, transmit, or store any viruses, worms, Trojan horses, malware, or other harmful code or devices that could damage, disrupt, or otherwise impair the Services, CRI’s systems, or the data of any other user. You shall not use the Services to launch a denial-of-service attack or to interfere with or disrupt the integrity or performance of the Services or data contained therein. Any action that imposes an unreasonable or disproportionately large load on the infrastructure of the platform (such as automated scripting or excessive API calls beyond usage limits) is prohibited.

  • Illegal or Harmful Content: Upload, submit, create, or distribute via the Services any content or data that:

    • is unlawful, fraudulent, or otherwise violates any applicable law or regulation;

    • is defamatory, libelous, discriminatory, or knowingly false/misleading;

    • is harassing or threatening, or advocates harassment or harm;

    • is obscene, pornographic, or contains sexually explicit material;

    • promotes violence, hate, or discrimination against any group or individual;

    • infringes or misappropriates any third party’s intellectual property rights, privacy rights, or other proprietary rights;

    • contains personal data of individuals in violation of Data Protection Laws (for example, uploading personal data without having a lawful basis or necessary consents);

    • contains any unsolicited or unauthorized advertising, promotional materials, “spam,” “junk mail,” “chain letters,” “pyramid schemes,” or any other form of solicitation; or

    • encourages or facilitates any activity that could constitute a criminal offense or give rise to civil liability.

  • Misuse of Services & Intellectual Property: Use the Services for any purpose other than the Client’s internal cybersecurity, risk management, and compliance activities. You shall not resell, lease, or provide access to the CyberPrism platform (or any output of the Services) to third parties without CRI’s prior written consent. You may not use the Services to develop or enhance any competing product or service. You shall not copy, distribute (except internally as permitted), modify, or create derivative works from the software or content provided by CRI, except as allowed under the Agreement. Reverse engineering, decompiling, or disassembling the platform or any software provided as part of the Services is prohibited (except to the extent such restriction is not allowed by law).

  • Violation of Others’ Rights: Use the Services in a manner that infringes upon the intellectual property rights, trade secrets, privacy, publicity, or other legal rights of CRI or any third party. This includes uploading or using any content or data that you do not have the right or permission to use. You should not attempt to access or retrieve data of other clients of CRI, or any data not belonging to or intended for you.

  • Abusive Behavior: Engage in any abusive or disruptive behavior toward CRI’s personnel or other users of the platform. This includes using the support channels to threaten or harass CRI staff; the Client and its Authorized Users are expected to cooperate in a civil manner during support and service interactions.

  • Violation of Security Measures: Remove, circumvent, disable, damage, or otherwise interfere with any security-related features of the Services, or features that enforce limitations on use of the Services. For example, you shall not intentionally bypass usage limits, or attempt to mask your usage (such as creating multiple accounts to exceed license quantities).

Consequences of Violation: If CRI suspects, in its reasonable opinion, that the Client or any Authorized User has violated this AUP, CRI may investigate the matter. The Client agrees to cooperate with any reasonable investigation. CRI reserves the right to suspend or restrict the Services (in whole or part) without advance notice if necessary to prevent ongoing harm or legal violation, though CRI will notify the Client as soon as practicable and work with the Client in good faith to resolve the issue. Repeated or egregious violations may result in termination of the Agreement for breach.

The Client is responsible for any breaches of this AUP by its Authorized Users or anyone using its accounts. It should ensure all users understand these rules. This AUP may be updated by CRI from time to time to adapt to evolving threats or regulations; CRI will provide notice of any material changes. Continued use of the Services after an update signifies acceptance of the revised AUP.


Appendix 2: Support and Service Levels

This appendix describes the standard support services and service level objectives provided by Cyber Risk International (CRI) for the CyberPrism platform. CRI is committed to providing professional and timely support to help ensure the Client’s successful use of the Services.

1. Support Hours and Contact Methods:
Standard support is available during Business Hours, defined as 9:00 AM to 5:30 PM local Irish time (GMT/BST), Monday through Friday, excluding Irish public holidays. Clients may request support by:

  • Email: Sending a detailed description of the issue to CRI’s support email: support@cyberriskinternational.com.

  • Web Portal: (If provided) Submitting a ticket through the CyberPrism support portal or helpdesk system.

  • Phone: For critical issues (Severity 1, defined below) outside of Business Hours, an emergency telephone support line is available at [Emergency Contact Number]. This line should be used only for reporting complete outages or other Severity 1 incidents that occur outside normal support hours.

CRI will assign a support ticket number to each request and will work with the Client’s designated contact until the issue is resolved or an acceptable workaround is provided.

2. Severity Levels:
Upon receiving a support request, CRI will categorize the issue into one of the following severity levels, based on the description provided and initial assessment:

  • Severity 1 (Critical): The CyberPrism platform is completely unavailable or unusable for all Authorized Users, or a critical functionality is severely impaired, with no workaround (e.g., inability to log in for all users, major data loss, or the platform is down). This level also includes severe security issues (e.g., detected unauthorized access to Client data).

  • Severity 2 (High): A major function of the platform is significantly impaired or performance is severely degraded for the Client, but partial or limited use of the platform is still possible. No feasible workaround exists, and the issue is impacting key operations or deliverables (e.g., dashboards not loading for the majority of users, or assessment results cannot be submitted, but other features work).

  • Severity 3 (Medium): A non-critical issue that affects some aspect of the platform’s functionality or a minor subset of users, where an inconvenient workaround may exist. This could include errors in certain reports, minor bugs in features, or moderate performance issues that do not stop overall use.

  • Severity 4 (Low): A general question, cosmetic issue, documentation clarification, or feature request that does not materially affect the platform’s functionality. This includes minor UI issues, trivial bugs, or requests for improvement/enhancement that do not require immediate action.

The Client should indicate the perceived severity when reporting an issue. CRI may adjust the severity after initial review, in consultation with the Client, to ensure it reflects the actual business impact.

3. Target Response Times:
CRI will use commercially reasonable efforts to respond to support requests within the following time frames, based on the severity level:

  • Severity 1 (Critical): Initial response within 1 hour (24×7). CRI recognizes the urgency of Severity 1 issues. If a critical issue is reported outside of standard Business Hours via the emergency contact method, CRI’s on-call personnel will respond as soon as possible, aiming for within 1 hour of notification.

  • Severity 2 (High): Initial response within 4 business hours during Business Hours. If a Severity 2 issue is reported near the end of the business day, CRI will respond the next business morning at the latest.

  • Severity 3 (Medium): Initial response within 1 business day. These issues will typically be addressed in the normal support queue.

  • Severity 4 (Low): Initial response within 2-3 business days. Acknowledgment may be quick, but full resolution may be scheduled into future updates or provided as information.

The “initial response” means that a qualified support engineer has reviewed the ticket and replied to the Client (which may include requesting additional information or providing an assessment of the issue). It does not necessarily mean that a full resolution is provided at first contact.

4. Resolution and Updates:
CRI will work diligently to resolve issues after initial response. Target resolution times can vary depending on complexity:

  • For Severity 1 (Critical) issues: CRI will dedicate appropriate resources and work continuously (including outside Business Hours, as reasonably necessary) until the issue is mitigated or a workaround is provided. The goal is to restore service as quickly as possible, ideally within 24 hours or less. CRI will provide updates to the Client at least every 4 hours (during waking hours) or as agreed, until restoration of service.

  • For Severity 2 (High) issues: CRI aims to resolve or mitigate the issue within 1-3 business days. If a full resolution will take longer (for instance, requiring a software patch), CRI will provide an interim workaround if available and give an estimated timeline for final fix (e.g., in the next maintenance release). Updates will be given daily or as significant progress is made.

  • For Severity 3 (Medium) issues: Resolution may be provided in a forthcoming maintenance update or patch. CRI typically addresses medium issues within the normal development cycle (for example, within 2-4 weeks). CRI will update the Client when a fix is scheduled or if a workaround is identified.

  • For Severity 4 (Low) issues: These may be queued for resolution in a future release or addressed when convenient. Cosmetic issues or general inquiries may be resolved in the next planned software update or answered via email. CRI will provide updates if the status changes (e.g., a feature request being accepted for a future version).

Please note that the above resolution targets are goals, not guaranteed commitments. Actual resolution times may vary depending on the nature of the issue, the need for development work, the availability of third-party fixes (if the issue relates to third-party components), and the Client’s cooperation in providing information or testing solutions.

5. Maintenance and Upgrades:

  • Scheduled Maintenance: CRI will conduct routine maintenance during low-usage periods whenever possible. CRI will give the Client at least 5 business days’ notice for any scheduled maintenance that is expected to cause downtime or significant service degradation. Maintenance notices will include the expected date, time, and duration of the downtime, and will be sent via email to the Client’s technical contact or posted on the platform’s notice board. Scheduled maintenance typically occurs outside of normal business hours (e.g., evenings or weekends).

  • Emergency Maintenance: In urgent situations (for example, to patch a critical security vulnerability or to address a system instability), CRI may perform emergency maintenance without prior notice. In such cases, CRI will make reasonable efforts to inform Clients as soon as possible, even if after the fact, and to minimize disruption.

  • Software Updates: CRI will periodically deploy updates or new versions of the CyberPrism platform that may include enhancements, new features, bug fixes, or security patches. CRI will endeavor to test updates to ensure compatibility and will, when feasible, inform the Client of any major changes in functionality. Updates are generally designed to be backward-compatible with existing data.

6. Service Availability:
CRI targets a high level of uptime for the CyberPrism platform. While not legally binding as a warranty, CRI’s service level objective is 99% or higher availability of the platform, measured monthly. Availability means the platform is accessible and operational, excluding announced maintenance windows or downtime due to force majeure or issues on the Client’s side (such as internet outages or firewall blocks).

If the Client experiences an unexpected outage or severe performance degradation, it should be reported immediately as a Severity 1 support issue. CRI will verify and respond per the Severity 1 process. In the event that uptime consistently falls below target due to causes within CRI’s control, the Client may discuss remedial actions or service credits with CRI in good faith (any service credit would be a percentage of the monthly fee corresponding to the downtime beyond the target). Such discussions or credits (if any) do not constitute an admission of liability but are a gesture of goodwill to maintain customer satisfaction.

7. Escalation:
If the Client is not satisfied with the handling or progress of a support issue, it may request escalation. CRI has an internal escalation path: support engineers can escalate to senior engineers, and then to the product development team or management, depending on the nature of the issue. The Client may also contact the assigned account manager or point of contact at CRI to express concerns. CRI’s management will review escalated issues to ensure adequate resources are allocated and that the Client’s concerns are addressed.

8. Client Responsibilities:
Effective support requires cooperation. The Client should:

  • Provide detailed information about issues, including steps to reproduce, screenshots, error messages, and the impact on operations.

  • Designate knowledgeable liaisons who can communicate with CRI support and perform requested actions (such as trying a workaround or gathering logs).

  • Maintain its own systems (browsers, network, hardware) to the recommended standards, as many issues can be resolved by using supported software versions or correct configurations.

  • Use the support channels appropriately (e.g., reserve the emergency phone for actual emergencies).

  • Test and accept patches or fixes provided by CRI in a timely manner, especially if an update requires Client-side action.

9. Additional Support Services:
If the Client requires support beyond standard offerings (such as on-site support, dedicated support staff, or a custom SLA with 24/7 guaranteed response), this can be arranged via a separate agreement or an addendum to the Order Form, potentially at additional cost. Unless explicitly agreed, the support covered under the Agreement is limited to the standard support described above.

This Support and Service Levels Appendix may be updated by CRI from time to time (for example, to improve response times or adjust procedures). CRI will notify the Client of any significant changes. However, no change will materially reduce the overall support level provided during an ongoing subscription term without the Client’s consent.


Appendix 3: Data Processing Addendum (DPA)

This Data Processing Addendum forms part of the Agreement between Client (as Data Controller) and Cyber Risk International (as Data Processor) when CRI processes Personal Data on behalf of the Client in the course of providing the Services. This DPA is intended to satisfy the requirements of Article 28 of the GDPR and equivalent provisions of other Data Protection Laws. All capitalized terms not defined in this DPA have the meanings set forth in the main body of the Agreement.

1. Subject Matter, Duration, Nature and Purpose of Processing:

  • Subject Matter: CRI will process Personal Data submitted by or collected on behalf of the Client for the purpose of providing the contracted cybersecurity, risk, compliance, and resilience Services (including access to the CyberPrism platform and any Advisory Services that involve analysis of the Client’s data).

  • Duration: CRI will process Personal Data for the duration of the Agreement, until all Personal Data is deleted or returned in accordance with the Agreement. Some processing (e.g., retention for compliance or backup) may extend beyond termination as required by law or as permitted by the Agreement.

  • Nature and Purpose: The processing includes activities such as hosting, storing, and organizing data within the CyberPrism platform; performing computations or analyses on data to generate risk assessments and reports; transmitting communications related to the Services (e.g., notifications or reports to Client users); and any other activities necessary to fulfill CRI’s obligations under the Agreement. The purpose of the processing is to enable the Client to evaluate and manage its cybersecurity risk and compliance posture, and to receive expert analysis and recommendations from CRI.

  • Types of Personal Data: Personal Data processed may include (but is not limited to) identification and contact data of the Client’s personnel (e.g., names, business email addresses, job titles, department info); login credentials and usage data for Authorized Users of CyberPrism; responses to assessment questions which might incidentally contain personal information (e.g., an assessment entry might mention a person responsible for a certain function); and any other personal data the Client chooses to input into the platform or share with CRI as part of the Services (such as lists of vendors or employees involved in security processes, audit findings referencing personnel, etc.). The Services are not intended to process special categories of personal data (sensitive data such as health, biometric, or financial account information) nor data relating to children, and Client agrees not to intentionally input such data without notifying CRI and obtaining necessary agreements.

  • Categories of Data Subjects: Data subjects may include the Client’s employees, contractors, officers, or consultants whose information is entered into CyberPrism; the Client’s customers or end-users if their data is somehow included in risk assessments (Client should minimize this); and any other individuals whose personal data is contained in documents or information provided by the Client to CRI. Typically, data subjects are limited to the Client’s internal personnel and possibly points of contact at third-party organizations (e.g., vendors or partners) if the Client uses CyberPrism to assess supply chain risks.

2. Roles and Responsibilities:

  • Data Controller: The Client is the Controller of the Personal Data. The Client determines the purposes and means of the processing of Personal Data. It is the Client’s responsibility to ensure that the Personal Data it instructs CRI to process has been collected and is being processed in compliance with Data Protection Laws (for example, that individuals have been provided with appropriate privacy notices and that there is a valid legal basis for processing their data).

  • Data Processor: CRI is the Processor and will only process Personal Data on behalf of and in accordance with the Client’s documented instructions, as defined by the Agreement and this DPA. By entering into the Agreement, the Client instructs CRI to process Personal Data to provide the Services. Any additional or alternate instructions should be agreed in writing. CRI will inform the Client if, in its opinion, an instruction violates Data Protection Laws (unless such notification is prohibited by law).

3. Processor Obligations: CRI agrees to:

  • Process Only on Instructions: Process Personal Data only on documented instructions from the Client (including those in the Agreement and this DPA) unless required by EU or Member State law. If such a law requires processing, CRI will inform the Client of that legal requirement before processing (unless the law prohibits such notification).

  • Confidentiality: Ensure that all personnel (including employees and authorized subcontractors) who have access to Personal Data are subject to binding confidentiality obligations and are informed of the confidential nature of the data.

  • Security Measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. Such measures include, where appropriate: pseudonymization and encryption of Personal Data; the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access in a timely manner in case of an incident; and regular testing of security effectiveness. (Examples of CRI’s measures: secure hosting environment with firewall protection, role-based access controls for CRI staff, encryption of data in transit (TLS) and at rest, regular security training for staff, etc.)

  • Sub-Processors: Obtain general authorization from the Client to engage sub-processors as outlined in Section 4 below, and remain responsible for ensuring any sub-processor meets the obligations of this DPA. CRI will maintain a list of sub-processors and will provide it to the Client upon request.

  • Assistance to Controller: Assist the Client, insofar as possible and taking into account the nature of processing, with fulfilling the Client’s obligations to respond to requests from data subjects (e.g., for access, rectification, erasure, restriction, or data portability) by providing relevant tools or data access. If a data subject sends a request directly to CRI regarding Personal Data, CRI will promptly notify the Client and not respond directly unless legally compelled (in which case CRI will inform Client).

  • Data Protection Impact Assessment: Taking into account the nature of processing and information available, assist the Client in conducting data protection impact assessments (DPIAs) and consultation with supervisory authorities, if the Client is required to do so by law and such assistance relates to CRI’s processing under the Agreement. This assistance may be billable as professional services if it goes beyond standard Service features.

  • Personal Data Breach Notification: Notify the Client without undue delay (and within 48 hours where feasible) after becoming aware of a Personal Data Breach (as defined in GDPR, meaning a confirmed security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data). Such notice will include relevant details known to CRI about the nature of the breach, affected data, likely consequences, and measures taken or proposed by CRI to address the breach. CRI will promptly investigate the breach, take necessary remediation, and reasonably cooperate with Client’s own breach notification obligations.

  • Deletion or Return of Data: After termination of Services or upon Client’s written request, at Client’s choice, delete or return all Personal Data to the Client and delete existing copies, except where retention is required by law or permitted for legitimate business purposes (with Personal Data securely isolated and protected). CRI’s deletion shall occur within a reasonable timeframe in line with Section 13.4 of the Agreement.

  • Audit and Compliance: Make available to Client all information reasonably necessary to demonstrate compliance with the obligations in Article 28 of GDPR and allow for and contribute to audits or inspections. Specifically, the Client (or an independent auditor mandated by Client that is not a competitor of CRI) may, not more than once per year and with at least 30 days’ notice, conduct an audit of CRI’s relevant systems, security measures, and records related to the processing of Client’s Personal Data. This audit will be conducted during normal business hours, in a manner not disruptive to CRI’s business, and subject to reasonable confidentiality and security measures. Before any on-site audit, Client agrees to first request relevant documentation from CRI (such as third-party certifications, security summaries, or audit reports like ISO 27001 or SOC 2 if available) and to accept those in lieu of an on-site audit if they provide sufficient assurance. If an on-site audit is still required, the parties will mutually agree on the scope and timing. The Client shall bear any costs of the audit, and CRI’s assistance with the audit (beyond making existing materials available) may be billed at reasonable professional service rates.

4. Use of Sub-Processors:
Client provides a general authorization for CRI to engage third-party sub-processors to assist in the provision of Services, provided that:

  • CRI will maintain a list of sub-processors (such as data center operators, cloud hosting providers, email delivery services, or contractors assisting with support) and share it with the Client upon request. Current sub-processors may include reputable cloud infrastructure providers (e.g., Microsoft Azure, Amazon Web Services, or others) where the CyberPrism platform is hosted, as well as any analytics or support tools that necessarily process data.

  • CRI shall impose on its sub-processors data protection terms that are no less protective than those set forth in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in compliance with GDPR.

  • CRI remains fully liable to the Client for the performance of sub-processors’ obligations. If a sub-processor fails to fulfill its data protection obligations, CRI will fulfill those obligations or indemnify the Client for any breach to the same extent as if CRI caused the breach.

  • CRI will notify the Client in advance (through a notification on a portal or via email) of any intended addition or replacement of sub-processors that will process Client Personal Data, thereby giving the Client the opportunity to reasonably object. If the Client has legitimate and reasonable grounds to object (related to data protection) to the new sub-processor and the parties cannot resolve the objection, the Client may terminate the portion of Services affected by that sub-processor and receive a pro-rata refund of fees for those Services not yet rendered.

  • Standard Sub-Processors: By default, the Client consents to CRI’s use of infrastructure providers (data hosting) and basic services like backup storage, email service for notifications, etc. All such providers will be subject to EU Standard Contractual Clauses or other lawful transfer mechanisms if they are outside the EEA (see Section 5 on International Transfers).

5. International Data Transfers:
CRI is established in Ireland and will primarily process Personal Data within the European Economic Area (EEA). However, some sub-processors or CRI support personnel may be located outside the EEA. For any transfer of Personal Data from the EEA (or from another jurisdiction with transfer restrictions) to a country that has not been deemed by the European Commission (or relevant authority) to provide an adequate level of protection, CRI will ensure that appropriate safeguards are in place as required by GDPR Chapter V. Such safeguards may include:

  • The EU Standard Contractual Clauses (SCCs) for processors as approved by the European Commission (including the UK International Data Transfer Addendum for transfers from the UK, if applicable). The SCCs will be deemed incorporated into this DPA by reference for any such transfers, with CRI as the “data importer” and Client as the “data exporter,” and the details in this DPA filling out Annex I/II of the SCCs.

  • If applicable and available, reliance on an adequacy decision for the recipient country, or participation by the sub-processor in a recognized certification or code of conduct that constitutes an appropriate safeguard.

  • Implementing additional technical measures such as encryption in transit and at rest to ensure transferred data is protected against unauthorized access.

The Client agrees that CRI may store and process data in, and transfer data pursuant to this Agreement into, the United States and other jurisdictions where CRI or its sub-processors operate, solely for the purposes of providing the Services, provided such transfers are done in compliance with the aforementioned safeguards.

6. Controller Assistance and Responsibilities:
The Client, as Controller, shall:

  • Ensure that it has an appropriate legal basis for the processing of Personal Data and for any instructions it gives to CRI. This includes (if required) obtaining consents from data subjects or having legitimate interests or other grounds as per GDPR.

  • Provide all necessary transparency and privacy notices to data subjects whose data may be processed under this Agreement, informing them that their data will be processed by a service provider (CRI) for the stated purposes.

  • Be responsible for managing data subject requests that it receives and, when needed, promptly direct CRI on how to assist (for example, specifying which data to retrieve or delete for a data subject exercising their rights).

  • Maintain a record of processing activities as required by GDPR Article 30 (covering the use of CRI as a processor).

  • Not instruct CRI to process any data in a manner that would violate applicable laws. If any of Client’s instructions require processing of special categories of data (GDPR Art 9) or data about criminal convictions (Art 10), the Client must inform CRI and ensure lawful grounds exist.

7. Liability and Indemnity:
The parties agree that all liabilities arising from or in connection with the processing of personal data under this DPA are subject to the limitations and exclusions of liability set forth in the main Agreement (Section 11). No provision of this DPA is intended to waive or supersede any rights or remedies available to individuals under Data Protection Laws. The Client shall indemnify and hold CRI harmless for any fines, penalties, or claims incurred by CRI as a result of the Client’s failure to comply with its obligations as a Controller, to the extent that such liability is not due to CRI’s breach of this DPA or Data Protection Laws (such indemnity is subject to the Agreement’s indemnification procedures and limitations).

8. Miscellaneous:

  • In the event of any conflict between the terms of this DPA and the terms of the main Agreement or any other agreement between the parties, the terms of this DPA shall prevail with regard to the processing of Personal Data.

  • If any provision of this DPA is held invalid or unenforceable, it shall be replaced with a provision that accomplishes, to the extent possible, the original purpose of the provision in a valid and enforceable manner, and the remainder of this DPA shall remain in effect.

  • This DPA may be executed in counterparts (if standalone), or may be accepted electronically. It will become legally binding once the main Agreement is in effect.

  • By signing the Agreement, the Client and CRI are deemed to have signed this DPA including (if applicable) the Standard Contractual Clauses and their Annexes, which are considered incorporated herein by reference for international transfers.

Data Controller (Client) and Data Processor (CRI) have caused this DPA to be executed by their duly authorized representatives as of the Effective Date of the Agreement.


Cyber Risk International Ltd
Unit 8 Kinsealy Business Park, Kinsealy Lane, Co Dublin, K36 CX92, Ireland
Registered Company: 550801 VAT: IE 329285TH DUNS: 985605977

W: www.cri.ie E: info@cri.ie P: +353-(0)1-905 3260
