SUBSCRIPTION TERMS

These subscription terms (“Terms”) set out the terms of the relationship between you, the individual or entity who has subscribed for one or more of our products (“Subscriber”) and us, Secureflag Limited (registered number: 12368322) whose registered address is at C/O Russell-Cooke LLP, 2 Putney Hill, London, England, SW15 6AB (“Secureflag”, “us” or “we”).

Through its online platform, Secureflag provides practical application security training services to developers on an enterprise basis including secure coding practices through real-world exercises and relevant analytics.

We may also provide certain consultancy services and other additional services on an ad-hoc basis, for which additional terms will apply. For more information, please contact us at sales@secureflag.com.

These terms apply to individuals or entities who have signed up for our Services via our websites, apps or via a third-party host. If you are accessing our Services as part of an Enterprise subscription taken out by your employer then our EULA (see following paragraph) will apply but these terms will not apply to you.

These terms apply to individuals (“Individual Customers”) who have subscribed for our services and those businesses who have subscribed for our SMB Service (“SMB Customers”). Individual Customers and SMB Customers are referred to as “you” throughout these Terms.

Please note that although we provide our Software Service to Individual Customers, our Software Service is a professional product and our users are expected to use the Software Service as part of their business, trade or profession; as such, the Consumer Rights Act 2015 and related consumer legislation do not apply.

Separate end-user terms (available at www.secureflag.com/terms/eula.html) will apply between us and all Authorised End Users who use the Software Service. Those end-user terms will apply in addition to these Terms.

We have agreed to grant you and (in the case of SMB Customers) your staff a non-exclusive licence to use the Software Service, on the terms set out below.

These terms should be read in conjunction with the Confirmation Form which together with these terms, comprise the contract between you and us for use of the Software Service (“Agreement”).

1.              Definitions

In this Agreement the following expressions have the meanings stated, unless the context otherwise requires:

“Administrator”

means in the case of SMB Customers, an individual employee of yours who is entitled to administer the Software Service on your behalf and receive information in relation to your Authorised End Users;

“Agreement”

means these Terms, the Confirmation Form and any Schedules;

“Authorised End User”

means in the case of an Individual Customer, the Subscriber, and in the case of an SMB Customer any staff or employee of the Subscriber or Subscriber’s Group who is authorised by you to access the Software Service;

“Confidential Information”

has the meaning given to it by clause 11;

“Confirmation Form”

means the web form or account page which sets out the details of your subscription, together with any confirmation emails sent by us to you providing you with information relating to your subscription including, the relevant product, the term of your subscription, the price and, (in the case of SMB Customers) the number of user licences subscribed to;

“Data Protection Legislation”

means all applicable laws and regulations relating to the processing of personal data and privacy as may be applicable from time to time, including the Data Protection Act 2018, the GDPR (EU General Data Protection Regulation 2016/679), the retained EU law version of the GDPR (UK GDPR) and any successor legislation or as amended from time to time;

“Fees”

means the fees payable in order to access or use the Software Service, including the Subscription Fees;

“Initial Subscription Term”

means the initial term of your subscription to the Software Service as specified in the Confirmation Form;

“Intellectual Property Rights”

means patents, utility models, rights to inventions, copyright and related rights, trade marks and service marks, trade names and domain names, rights in get-up, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to preserve the confidentiality of information (including know-how and trade secrets) and any other intellectual property rights, including all applications for (and rights to apply for and be granted), renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist, now or in the future, in any part of the world;

“Party”

means Secureflag or the Subscriber (as the case may be) and collectively they are the “Parties”;

“Renewal Date”

means either:

a)             the last day of the Initial Subscription Term; or

b)             an anniversary of the last day of the Initial Subscription Term.

“Renewal Period”

has the meaning given to it by clause 12;

“Software”

means the software integral to the operation of the Software Service and any background software which we use in providing the Software Service;

“Software Service”

means the services to which you have subscribed as described in the Confirmation Form and which includes access for Authorised End Users;

“Start Date”

means the date on which access to the Software Service commences as set out in the Confirmation Form;

“Subscription Fee”

means the fees payable for the subscription to the Software Service;

“Subscriber’s Group”

means the Subscriber, Subscriber’s parent company holding a majority interest in the Subscriber, any such parent company’s majority owned subsidiaries, and the Subscriber’s majority owned subsidiaries;

“Subscription Term”

means the term of your subscription to the Software Service;

“Use”

means the use, copying or transmission of the Software Service in any manner whatsoever;

“We” or “we”

means Secureflag Limited (registered number: 12368322) whose registered office is at C/O Russell-Cooke LLP, 2 Putney Hill, London, England, SW15 6AB;

“You” or “you”

means the Subscriber.

2.              The Software Service

2.1           The Software Service is accessible only to the Subscriber, and,  in the case of SMB Customers, to your Authorised End Users. In order to subscribe to our Software Service and, in the case of SMB Customers, for your staff or employees to have use of it, you must comply with these Terms and you accept sole responsibility for obtaining appropriate local or national accreditations, memberships, affiliations, insurances (or other relevant requirements) for conducting your business as a Subscriber.

2.2           If you are an Individual Customer you will have a single log-in for your personal use. If you are an SMB Customer, you will be provided with an administrative account with us in order for your Administrator to access the Software Service. Your administration account is strictly for your organisation’s use and you are not authorised to share or otherwise permit any other individual outside of your organisation to have access to or use your administration account, including members of the Subscriber’s Group (unless authorised by us in writing).

2.3           Notwithstanding the above, once the applicable Fees have been paid in full by you in accordance with the Agreement, if you are an Individual Customer we will grant access to the Software Service, and if you are an SMB Customer, we will provide you with the means to grant your Authorised End Users access to the Software Service. For the avoidance of doubt, if you are an SMB Customer, your Authorised End Users (other than the Administrator) are not permitted to have access to your administration account with us but can otherwise access the Software Service once they have registered and logged into their account with us.  In addition, each Authorised End User will be required to comply with the End User Terms (www.secureflag.com/terms/eula.html) in order to have access to and use the Software Service.

2.4           You acknowledge and agree that in the event an Authorised End User should leave employment or otherwise cease to be engaged by you at any time prior to the end of the relevant Subscription Term, the Administrator shall remove the relevant Authorised End User’s access to the Software Service, upon either of which the Authorised End User’s access to the Software Service shall be deactivated and access to the data, information or other material contained in it shall also cease. Notwithstanding this, the Subscription Fees shall still be payable in full and you will not be entitled to any refund although if you have an Enterprise subscription (but not for a Business subscription) you may be permitted to transfer the Software Service licence to another Authorised End User for the remaining duration of the relevant Subscription Term (as the case may be).

2.5           Individual licences are assigned to a named Authorised End User for the duration of at least one year. The permitted transfer referred to in clause 2.4 above will only apply where the relevant Authorised End User has left employment or otherwise ceased to be engaged by you. You are not otherwise permitted to re-allocate their licence to another individual, save during the first calendar month of any Renewal Period.

2.6           In relation to the Authorised End Users, you undertake that you will not allow any licence to be used by more than one individual Authorised End User.

2.7           If you are an SMB Customer, you may agree with us, from time to time during the term of this Agreement, to purchase additional Authorised End User licences and we shall grant access to the Software Service for the remaining period of the Subscription Term to such additional Authorised End Users in accordance with the provisions of this Agreement. We may provide self-service facilities to increase the number of Authorised End Users, otherwise please contact us if you would like to increase the number of Authorised End Users and we will confirm the process and payment terms.

2.8           We may offer differing levels of subscription with access to different levels of functionality or services. Accordingly access to certain features may be restricted or limited, depending on your subscription type.

2.9           We reserve the right to add or remove services and functionality from any subscription type or to add or remove subscription types as we reasonably deem appropriate provided such changes do not materially or adversely affect the provision of the Software Service.

2.10        Please note that for SMB Customers, Authorised End Users may be subject to differing permission or access levels depending on the subscription you have taken out and which we will specify. We reserve the right to change the level of access or permissions applicable provided such changes do not materially or adversely affect the provision of the Software Service.

2.11        You agree to use commercially reasonable efforts to prevent unauthorised access to, or Use of, the Software Service and will notify us as soon as possible if you become aware of any unauthorised access or Use. You agree to only Use the Software Service for lawful purposes and not to violate any law of any country or the intellectual property rights of any third party.

2.12        Notwithstanding anything to the contrary, this Agreement does not permit you to Use the Software Service in order to supply similar services to any third party.

2.13        These terms and conditions will prevail over any terms and conditions used by you or contained or set out or referred to in any documents sent by you to us, including any purchase order; by entering into this Agreement, you agree irrevocably to waive the application of any such terms and conditions.

3.              Threat Model functionality

3.1           When using the Software Service, your Authorised End Users will have the option to input a textual description, images, diagrams, code or other inputs relating to a functionality or system they intend to build (“Input”) into a tool that generates a security diagram demonstrating the potential risks in their current design and how to incorporate the right compensating controls to mitigate those risks (the “Threat Model”). Please note that we do not save the Inputs.

3.2           To run the security analysis required for a Threat Model, the Input will be generated into a diagram automatically which can be modified by the relevant Authorised End User by adding elements and notes. The Authorised End User will have the option to save the resulting diagram (to reference or edit at a later stage).

3.2.1      We agree to keep confidential any information concerning your business and affairs that is:

3.2.2      provided to us as part of the Input; or

3.2.3      generated by the Threat Model functionality in accordance with the confidentiality provisions of this Agreement contained in clause 12 below.

3.3           We shall produce the Threat Model for the purpose set out in clause 3.1 above. The Threat Model should not be regarded as or relied upon as having comprehensively addressed all potential threats of the relevant application or functionality as inputted by the Authorised End User. The Threat Model will have been prepared on the basis of information, data and materials which were available at the time of creation. Accordingly, any conclusions, opinions or judgements made in the Threat Model should not be regarded as definitive or relied upon to the exclusion of other information, opinions and judgements.

3.4           Any decisions made by you, or by any organisation, agency or person who has read, received or been provided with information contained in the Threat Model (the “Recipient”) are decisions of the Recipient and we will not make, or be deemed to make, any decisions on behalf of any Recipient. We will not be liable for the consequences of any such decisions.

3.5           Any Recipient must take into account any other factors apart from the Threat Model of which they and their experts and advisers are or should be aware.

3.6           The information, data, conclusions, opinions and judgements set out in the Threat Model may relate to certain contexts and may not be suitable in other contexts. It is your responsibility to ensure that you do not use the information we provide in the wrong context.

4.              Restrictions

4.1           You agree that you will not, except as may be allowed by any applicable law which is incapable of exclusion by this Agreement between the Parties or except to the extent expressly permitted under these terms or agreed between us in writing:

4.1.1      attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software Service or Software in any form or media or by any means;

4.1.2      attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software Service or Software;

4.1.3      access all or any part of the Software Service or Software in order to build a product or service which competes with the Software Service;

4.1.4      provide the Software Service to third parties other than in the context of allowing use by the Authorised End Users;

4.1.5      license, sell, rent, lease, transfer, assign, distribute, display, disclose, commercially exploit, or otherwise make the Software Service available to any third party except the Authorised End Users in accordance with this Agreement or as otherwise permitted pursuant to the Confirmation Form;

4.1.6      make available in any way for the use or benefit of any unauthorised party, any information, materials, software, or other proprietary information received from us, in whole or in part, unless we agree in writing;

4.1.7      unless we otherwise agree remove, deface, obscure, or alter our or any third party's copyright notices, trademarks or other proprietary rights notices affixed to or provided as part of the Software Service;

4.1.8      modify, incorporate into or otherwise Use the Software Service or Software with other software, or create a derivative work;

4.1.9      use any robot, spider, scraper, or other automated means to access the Software Service or Software for any purpose without our written consent; or

4.1.10   attempt to obtain, or assist third parties in obtaining, access to the Software Service other than in accordance with these terms.

4.2           We will not be responsible for your integration of the Software Service within your systems and are not liable for any loss, damage or liability, not due to our negligence or our breach of this Agreement, that may arise as a result of this. 

5.              Fees & Payment

5.1           You agree to pay all applicable Fees (including the Subscription Fee) in accordance with these terms and the Confirmation Form. Unless the Confirmation Form sets out otherwise, the Subscription Fee shall be payable in advance of the Start Date, by credit or debit card payment. In the event that you wish to upgrade your subscription, the relevant additional fees shall be invoiced to you and will be payable by credit or debit card at the time of the upgrade. The relevant additional licenses shall be co-termed with the existing Initial Subscription Term or Renewal Period, whichever is applicable.

5.2           We reserve the right to charge you interest in respect of the late payment of any sum due under this Agreement (after as well as before judgment) at the rate of 1 per cent per annum above the base rate from time to time of the Bank of England from the due date until payment.

5.3           Notwithstanding clause 5.1 above, to the extent we have provided the Software Service but there remain Fees due from you which are outstanding for thirty (30) days or more from the payment due date (for instance if your credit or debit card payment has been subject to a charge-back or cancellation), we may at our discretion suspend access to the Software Service immediately and we may delete your and the Authorised End Users’ accounts with Secureflag including any information uploaded or otherwise inputted into the Software Service.

5.4           In the event this Agreement is terminated by you under clause 13.4 or by us other than under clause 13.4, we will refund a pro rata proportion of any Subscription Fees paid in advance by you. In the event we terminate this Agreement under clause 13.4 or you terminate other than under clause 13.4 then no Subscription Fees paid in advance by you will be refundable to you. However other than as set out in this clause or elsewhere in this Agreement, Fees will only be refundable at our sole discretion and we are unlikely to provide you with a refund in the event that the Software Service is unused, an Authorised End User ceases to be engaged by you or in the event that you terminate, or change your subscription with us.

5.5           We reserve the right to change or amend our Subscription Fees on any relevant Renewal Date subject to providing you with notice of the increase to permit you to terminate your subscription.

6.              Support and Maintenance Services

6.1           We conduct comprehensive data security audits on a regular basis to ensure that any data held by us is secure. In addition, we will provide you with certain support and maintenance services during the term of this Agreement, as set out in Schedule 1 (“SLA”). Notwithstanding this, we may from time to time and at our discretion, vary our support services. If you require enhanced support please contact us at support@secureflag.com.

6.2           Where possible we will give you prior written notice of scheduled maintenance services that are likely to affect the availability of the Software Service or are likely to have a material negative impact upon the Software Service. We will endeavour to provide advance notice of the provision of any major upgrade.

6.3           We may suspend the provision of the support and maintenance services if any amount due to be paid by you under this Agreement is overdue, and we have given you at least thirty (30) days' written notice, following the amount becoming overdue, of our intention to suspend the support and maintenance services on this basis.

6.4           You acknowledge that the Software Service may be unavailable during maintenance carried out during our planned maintenance windows as well as unscheduled maintenance (provided that we have used reasonable endeavours to give you notice in advance).

7.              Data Protection

7.1           Secureflag and the Subscriber agree to comply with their respective obligations under the Data Protection Legislation in the processing of personal data. This clause does not relieve, remove or replace a Party's obligations under the Data Protection Legislation.

7.2           Secureflag agrees to process the personal data for which it is a controller in accordance with its Privacy Notice (available here: https://www.secureflag.com/terms/privacy.html).

7.3           The Parties acknowledge and agree that in respect of any personal data processed by Secureflag as a data processor for and on behalf of the Subscriber, the Parties shall comply with their respective obligations as set out in Schedule 2 of these Terms.

8.              Intellectual Property and Third-Party Licence

8.1           You acknowledge that all Intellectual Property Rights in the Software and Software Service belong and shall belong to us or our licensors (as the case may be), and you shall have no rights in or to the Software or Software Service other than the right to access the Software Service in accordance with the terms of this Agreement.

8.2           You agree to comply with the terms of any third-party end-user licence agreement to the extent that we incorporate third party elements into the Software Service and communicate these terms to you prior to the commencement of your subscription.

8.3           You acknowledge and agree the Software Service may include links to other external websites or materials. We are not responsible for content on any site outside the Software Service so if you do follow a link to any of these websites, you acknowledge you do so at your own risk, and we will not be liable or otherwise be responsible in any way in relation to this.

9.              Warranty

9.1           Subject to the exceptions set out below and the limitations on our liability, we warrant that we have the right, power and authority to authorise access to the Software Service upon the terms and conditions of this Agreement and that the Software Service will comply in material respects with the functionality described in the Confirmation Form, documentation provided to you as a part of the vendor selection process, or to the extent applicable on our website or our other marketing materials when you register for it.

9.2           Except as described in section 8.1, the Software Service is provided “as is” and we do not warrant that the use of the Software Service will be uninterrupted, error-free or 100% accurate.

9.3           You accept responsibility for the selection of the Software Service to achieve your intended results and acknowledge that the Software Service has not been developed to your specific requirements and we do not guarantee any particular level of engagement or outcome, except as otherwise described in this Agreement.

9.4           We will have no liability to remedy a breach of warranty where such breach arises solely as a result of any breach by you of the terms of this Agreement.

9.5           All other conditions, warranties or other terms which might have effect between the Parties or be implied or incorporated into this Agreement or any collateral contract, whether by statute, common law or otherwise, are hereby excluded, including but not limited to the implied conditions, warranties or other terms as to satisfactory quality, merchantability, fitness for a particular purpose and non-infringement.

9.6           We may, at our reasonable discretion, remedy any breach of warranty by the provision of technical support free of charge.

10.           Anti-bribery and Compliance with Law

10.1        Each Party shall:

10.1.1   comply with all applicable laws, rules and regulations, including without limitation anti-bribery and anti-corruption laws and regulations;

10.1.2   not engage in any activity, practice or conduct which would constitute an offence under sections 1, 2 or 6 of the Bribery Act 2010 if such activity, practice or conduct had been carried out in the UK; and

10.1.3   comply with all laws, enactments, regulations, including import and export regulations, regulatory policies, guidelines and industry codes applicable to each of the Parties and shall maintain such authorisations and all other approvals, permits and authorities as are required from time to time to perform their obligations under or in connection with this Agreement.

11.           Limitation of Liability

11.1        Except as expressly stated in this clause 11:

11.1.1   Neither Party shall in any circumstances have any liability for any losses or damages which may be suffered by the other Party (or any person claiming under or through you), whether the same are suffered directly or indirectly and whether the same arise in contract, tort (including negligence) or otherwise howsoever, and which fall within any of the following categories:

(a)            loss of profits;

(b)            loss of revenue;

(c)            loss of anticipated savings;

(d)            loss of business opportunity;

(e)            loss of goodwill;

(f)             loss or corruption of data;

(g)            indirect or consequential losses.

11.2        While we take reasonable technical steps to verify and authenticate Authorised End Users, we do not offer any guarantee that each user is the person they purport to be and we cannot guarantee that the Software Service will not be fraudulently used by purported end-users. We will therefore not be liable for fraudulent use of the Software Service by third parties (including supposedly Authorised End Users) save in circumstances arising directly from our negligence.

11.3        We will use reasonable endeavours to ensure that the Software Service operates within applicable regulatory requirements as reported to us, but we will not be responsible for or liable for any regulatory requirements or obligations. We are not in a position to evaluate risks associated with your use of the Software Service for regulatory compliance. Accordingly if you propose to use the Software Service to comply with your regulatory obligations it is your responsibility to ensure that it meets such requirements.

11.4        We will not be liable for any losses arising from the integration of the Software Service with any other software or systems used by you.

11.5        All dates supplied by us for the commencement of the Software Service shall be treated as approximate only. We shall not in any circumstances be liable for any loss or damage arising from any delay in delivery beyond such approximate dates.

11.6        Each Party’s total liability, whether in contract, tort (including negligence) or otherwise and whether in connection with this Agreement or any collateral contract, shall in no circumstances exceed a sum equal to 100% of the Subscription Fees paid by you in the 12 month period leading up to the claim.

11.7        The exclusions in this clause 11 shall apply to the fullest extent permissible at law, but we do not exclude liability for:

11.7.1   death or personal injury caused by our negligence, or the negligence of our officers, employees, contractors or agents;

11.7.2   gross negligence, wilful misconduct, fraud or fraudulent misrepresentation;

11.8        any other liability which may not be limited or excluded by law.

12.           Confidentiality

12.1        The Parties will keep confidential all information (whether written or oral) concerning the business and affairs of the other that it shall have obtained or received as a result of the discussions leading up to or the entering into of this Agreement (“Confidential Information”) save that which is:

12.1.1   trivial or obvious;

12.1.2   already in its possession other than as a result of a breach of this clause; or

12.1.3   already in or subsequently enters the public domain other than as a result of a breach of this clause.

12.2        It is agreed that a Party may disclose such Confidential Information to its  employees, professional advisers, insurers, agents and subcontractors, as required by (i) law, regulation, judicial or administrative process, (ii) in accordance with applicable professional standards, or (iii) as deemed necessary in the performance of this Agreement. 

12.3        Each of the Parties will take all such steps as shall from time to time be necessary to ensure compliance with the provisions of this clause by its employees, agents and subcontractors.

12.4        For the avoidance of doubt, these terms apply throughout the Subscription Term and shall continue following termination of this Agreement. In addition, any information relating to the running of Secureflag, such as processes relating to technology, methodologies, machine learning and/or other items relating to our Software and Software Service will also remain confidential beyond the Subscription Term.

13.           Term, Renewals & Termination

13.1        The Agreement shall commence on the Start Date and, unless otherwise terminated in accordance with this clause, shall continue and remain in force for the Initial Subscription Term and thereafter this Agreement shall automatically renew on each Renewal Date for a further period of 12 months, unless you have turned off renewal via your account page on SecureFlag’s website (each a “Renewal Period”).

13.2        You will be provided with seven (7) days’ notice in writing by email to the email address provided as contact for the Subscriber prior to the Software Service automatically renewing in accordance with clause 13.1. Should you not wish to renew your subscription, you must turn off renewal via your account page on SecureFlag’s website at any time prior to a Renewal Date. If the Subscriber does not cancel their subscription in time and they enter a new billing period, the Fees in respect of that new Renewal Period will still be payable by the Subscriber and will not be refunded.

13.3        Notwithstanding the above or anything to the contrary in these terms, you are free to cancel your subscription to the Software Service at any time via your account page on SecureFlag’s website. Upon cancelling your subscription, you and the Authorised End Users will have access to the Software Service for the remainder of the Subscription Term; however, all Fees will still be due and payable by you for the full Initial Subscription Term or Renewal Period (as the case may be) and no refunds will be made. At the end of the applicable Subscription Term you and the Authorised End Users will no longer be permitted to use the Software Service.

13.4        Without affecting any other rights or remedies available to it, either Party may terminate this Agreement with immediate effect by giving written notice to the other Party if:

13.4.1   the other Party fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than thirty (30) days after being notified in writing to make such payment; or

13.4.2   the other Party commits a material breach of any other term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of thirty (30) days after being notified in writing to do so.

14.           Reserved

15.           General

15.1        Entire Agreement: This Agreement constitutes the whole agreement and understanding of the Parties and supersedes any previous arrangement, understanding or agreement between them relating to the subject matter of this Agreement. Each Party acknowledges that, in entering into this Agreement, it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty (whether made negligently or innocently) other than as expressly set out in this Agreement, provided always that nothing in this clause shall limit or exclude any liability for fraud.

15.2        No Waiver: The Parties agree that a failure by either Party to enforce the performance of any provision in this Agreement shall not constitute a waiver of the right to subsequently enforce that provision or any other provision of this Agreement. Such failure shall not be deemed to be a waiver of any preceding or subsequent breach and shall not constitute a continuing waiver.

15.3        Severance: If any provision of this Agreement (or part of a provision) is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with the minimum modification necessary to make it legal, valid and enforceable.

15.4        Variation: Unless otherwise expressly provided elsewhere in this Agreement, this Agreement may be varied only in writing by both of the Parties. A reference to “writing” or “written” in this Agreement includes email.

15.5        Notices: All notices or communication given under this Agreement shall be in writing. Notices shall be deemed to have been duly given:

-        when delivered, if delivered by courier or other messenger (including registered mail) during normal business hours of the recipient;

-        when sent by e-mail, at the time of transmission (provided a delivery failure notification has not been received);

-        on the fifth business day following mailing, if mailed by national ordinary mail, postage prepaid;

-        on the tenth business day following mailing, if mailed by airmail, postage prepaid.

If deemed receipt as set out above would occur outside business hours in the place of receipt, it shall be deferred until business hours resume. In this clause, business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday in the place of receipt.

In each case notices should be addressed to the address or e-mail address given in this Agreement or as otherwise notified to the other Party in writing. In the case of Secureflag, the email address for service of notices is directors@secureflag.com.

15.6        Assignment: You are not entitled to assign or otherwise transfer this Agreement or any of your rights or obligations, nor are you permitted to sublicense the use (in whole or in part) of the Software Service without our prior written consent. Notwithstanding the foregoing, you may assign any of your rights or obligations under this Agreement to another entity within the Subscriber’s Group or to an entity with which you merge, consolidate or amalgamate or to which you transfer all or substantially all of your assets, upon prior written notice and provided that the assignee agrees to be bound by the Agreement.

15.7        Force Majeure: Neither Party will be liable to the other for any delay in performing or failure to perform any of its obligations (other than a payment obligation) under this Agreement as a result of any cause outside its reasonable control. Subject to the affected Party promptly notifying the other Party in writing of the cause and the likely duration of the delay or non-performance and provided that the affected Party shall use reasonable endeavours to limit the effect of such event on such other Party, such delay or failure, to the extent affected by the cause will not constitute a breach of the Agreement.

15.8        Rights & Remedies: Except as otherwise expressly provided in this Agreement, all rights contained in this Agreement and all remedies available to either Party for breach of this Agreement are cumulative and may be exercised separately or concurrently. The exercise of any one right or remedy shall not be deemed an election of such right or remedy to the exclusion of other rights and remedies. No single or partial exercise of such right or remedy will prevent or restrict the further exercise of that or any other right or remedy.

15.9        Contracts (Rights of Third Parties) Act 1999: Except as otherwise expressly provided in this Agreement, a person who is not a Party to this Agreement or a permitted assignee has no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Agreement but this does not affect any right or remedy of a third party which exists, or is available, apart from that Act.

15.10     Governing Law and Jurisdiction: This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of Delaware, United States and the Parties irrevocably submit to the exclusive jurisdiction of the courts in Delaware, United States.


Schedule 1 – “SLA”

“Normal Business Hours” shall mean 09.00 to 17.00 Monday to Friday on a Working Day.

“Working Day” shall mean Monday, Tuesday, Wednesday, Thursday or Friday and other than a public holiday in England or Wales.

We shall provide you with certain day to day support and maintenance services in relation to the use of, and the identification and resolution of errors in, the Software Service, including the provision of updates (hotfixes, patches or minor version update to the Software Service or Software) and upgrades (meaning major version upgrades of the Software Service or Software) but this shall not include the provision of training services unless otherwise set out in the Agreement. Support communications will be with the Administrator and not with individual Authorised End Users.

SUBSCRIBER RESPONSIBILITIES

The provisions in this Schedule 1 shall apply subject to the Subscriber:

-        Notifying us of issues or problems relating to the Software Service in a timely manner; and

-        Co-operating and maintaining good communication with us at all times.

UPTIME

Subject to the exclusions below, we will aim to deliver the following uptime levels and/or target responses in supplying the Software Service support and maintenance services:

 

| Measure | Target |
| --- | --- |
| Uptime: Software Service available and operational | >98% |

 

SUPPORT

Remote support will be provided by email at support@secureflag.com and will be operational during Normal Business Hours.

 

 

INCIDENT RESPONSE

We will endeavour to respond to incidents within the following target response times.

| Priority Level | Target Response |
| --- | --- |
| P0 - Catastrophic: The Software Service is not operational | We will use reasonable efforts to resolve the issue within 12 hours. |
| P1 – Critical: Material functionality is not available and there is no temporary work around. | We will use reasonable efforts to resolve the issue within 1 Working Day. |
| P2 – Serious: Important but non-material or non-critical functionality is unavailable and there is no temporary work around. | We will use reasonable efforts to resolve the issue within 3 Working Days. |
| P3 – Normal: Important but non-material or non-critical functionality is unavailable and there is no temporary work around. | We will use reasonable efforts to resolve the issue within 15 Working Days. |
| P4 – Minor: Any other incident | We will use reasonable efforts to resolve the issue within 1 month. |

 

Response times do not apply:

-        outside of Normal Business Hours unless the Parties specifically include provisions for out-of-hours support;

-        when the incident has been caused by using software or service(s) for a use other than as permitted;

-        if you have prevented us from performing required maintenance and update tasks; or

-        in circumstances that could be reasonably said to be beyond our reasonable control.

SCHEDULE 2 – DATA PROCESSING SCHEDULE

1.              Definitions

1.1       In this Schedule, except where the context otherwise requires the following words and expressions shall have the following meanings.

Controller, Processor, Data Subject, Personal Data and Processing shall have the same meaning as in the Data Protection Legislation, and their cognate terms shall be construed accordingly.

2.              Controller and Processor

2.1           For the purposes of the Data Protection Legislation and this Schedule 2, the Subscriber, if they are an SMB Customer and to the extent that SecureFlag is processing personal data on their behalf, is Controller and Secureflag is Processor. The table at paragraph 9 below sets out the scope, nature and purpose of the Processing, the duration of the Processing, the types of Personal Data and categories of Data Subject.

2.2           Secureflag agrees that it will not process Personal Data other than:

2.2.1      as set out in this Schedule;

2.2.2      on the Subscriber’s written instructions; or

2.2.3      unless required by law in which case Secureflag agrees (to the extent permitted by law) to inform the Subscriber of that legal requirement before such processing.

3.              Protection Measures

3.1       Secureflag agrees that all staff who have access to and/or process Personal Data will be legally bound by appropriate confidentiality obligations.

3.2       Secureflag will ensure that they have in place appropriate technical and organisational measures to ensure that Personal Data is subject to an appropriate level of security, including to the extent required the measures referred to in Article 32(1) of the GDPR/UK GDPR (as the case may be).

3.3       In reaching its judgement as to the appropriate level of security, Secureflag will take into account current technology, costs of implementation and the nature, scope, context and purposes of the processing undertaken as well as the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage of the Personal Data.

4.              Transfers outside of the UK and EEA

4.1       Secureflag will not process or transfer any Personal Data outside of the UK or the European Economic Area (“EEA”) unless Secureflag has the written prior consent of the Subscriber or there are appropriate safeguards in place in accordance with Chapter 5 of the GDPR/UK GDPR (as the case may be), in relation to the transfer and Secureflag is providing an adequate level of protection to any Personal Data that is transferred.

5.              Data Breach

5.1       Secureflag will assist the Subscriber in ensuring compliance with its obligations pursuant to Articles 32 – 36 GDPR/UK GDPR including, without limitation, notifying the Subscriber without undue delay upon becoming aware of any Personal Data breach affecting Personal Data. Secureflag will assist the Subscriber in responding to any request from a Data Subject and in ensuring compliance with the Subscriber’s obligations under Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.

6.              Records and Audit

6.1       Secureflag will maintain complete and accurate records and information to demonstrate its compliance with this Agreement and Data Protection Legislation and will cooperate with and allow for audits by the Subscriber or its designated auditor in relation to the Processing of Personal Data by Secureflag (including, without limitation, making available all information necessary to demonstrate compliance with Article 28 GDPR/UK GDPR).

7.              Third Party Processors

7.1       With respect to each third-party processor, Secureflag will only engage such processor if a written contract or other agreement is in place that is binding on the third party processor and ensure that the applicable terms with that processor will offer at least the same level of protection for Personal Data as those set out in this Schedule and which meet the requirements of Article 28(3) of the GDPR/UK GDPR (as the case may be). As between Secureflag and the Subscriber, Secureflag will remain fully liable for all acts or omissions of any third-party processor appointed by Secureflag.

7.2    Without prejudice to the above, the Subscriber consents to Secureflag continuing to use any third-party processor already engaged by Secureflag at the date of the Agreement, or otherwise in respect of its core IT and business support functions and systems.

8.              Effect of Termination

8.1       Secureflag will upon termination of the Agreement or Schedule (howsoever arising) or at any other time requested by the Subscriber delete or return all Personal Data to the Subscriber. Secureflag may retain Personal Data if required by law only to the extent and for such period as required by those laws.

9.              Data Processing Activity

9.1       The following table includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR/UK GDPR.

| | |
| --- | --- |
| Subject matter and duration of the Processing of the Personal Data | Personal Data may be processed by Secureflag in the course of the provision of the Software Service under the Agreement. Personal Data will be held and processed for as long as the Agreement remains in force. |
| Nature and purpose of the Processing of Personal Data | Collection of data; Recording of data; Organisation of data; Structuring of data; Storage of data; Adaptation of data; Alteration of data; Combining data; Erasure of data. The Personal Data is processed for the purposes of facilitating the provision of the Software Service by Secureflag pursuant to the Agreement. |
| Type(s) of Personal Data to be Processed | name, email address, country |
| Categories of Data Subject to whom the Personal Data relates | Authorised End Users of the Software Service |
| Obligations and rights of Secureflag in relation to the processing | As set out in this Schedule |