AttackIQ Enterprise Agreement

Revision Date: April 2025

AttackIQ EULA

If you contracted online with AttackIQ before August 21, 2019, or renewed that contract prior to August 21, 2019, your use of the Service will be governed by the previous version of the EULA located at attackiq.com/archive_2019_EULA.

If you contracted online with AttackIQ between July 9, 2023 and August 21, 2019, or renewed that contract on or before July 9, 2023, your use of the Service will be governed by the previous version of the EULA located at attackiq.com/archive_2023_EULA.

For all AttackIQ Enterprise customers who contract online with AttackIQ, including any customers renewing a contract with AttackIQ on or after July 10, 2023, your use of the AttackIQ Solution will be governed by the AttackIQ Enterprise Agreement displayed below.

If you are using AttackIQ Ready! or AttackIQ Flex, please refer to the AttackIQ Flex and Ready! EULA.


Customer’s use of the AttackIQ Solution will be governed by the AttackIQ Enterprise Agreement displayed below.

PLEASE READ THIS ATTACKIQ ENTERPRISE AGREEMENT CAREFULLY. THIS ATTACKIQ ENTERPRISE AGREEMENT, TOGETHER WITH THE QUOTE, IS A BINDING CONTRACT FOR THE USE OF THE ATTACKIQ SOLUTION.

IF YOU DO NOT AGREE TO BE BOUND BY ALL OF THE PROVISIONS OF THIS ATTACKIQ ENTERPRISE AGREEMENT THEN DO NOT ACCESS OR USE THE ATTACKIQ SOLUTION.

This AttackIQ Enterprise Agreement is entered into by AttackIQ, Inc. a Delaware corporation (“AttackIQ”) and the undersigned customer (“Customer”).

Section 1—Agreement; Overview.

1.1 Agreement.

This AttackIQ Enterprise Agreement made between Customer and AttackIQ governs the quote for the AttackIQ Solution prepared for Customer (“Quote”) and includes Attachment 1 (Additional Definitions), Attachment 2 (Priority Support Services) and Attachment 3 (AttackIQ Enterprise Professional Services) (collectively, the “Agreement”). This Agreement grants Customer a limited license to use the AttackIQ Solution and Content Library.

1.2 Overview.

Subject to the terms of the Agreement, AttackIQ will provide the Service to Customer. The Service provides guidance intended to assist Customer in demonstrating the capabilities, readiness and efficacy of its security technologies, identifying evidence of gaps in security that require remediation, and ultimately, demonstrating improvements in its security program over time.

Section 2—Hosted Services Access; License Grants.

2.1 Access.

Subject to the terms of this Agreement, AttackIQ will use commercially reasonable efforts to provide access to the Hosted Service according to the Documentation.

2.2 License Grants.

(a) Agent. In order to access the Hosted Service Customer first must deploy the Agent. Subject to the terms of this Agreement, AttackIQ grants to Customer a limited, non-exclusive, non-sublicensable, non-transferable license during the Term to install, reproduce and use the Agent, solely for the Purpose. Customer may install the Agent on machine endpoints Customer owns or controls, up to the maximum number indicated on the Quote.

(b) Documentation and Content Library. Subject to the terms of this Agreement, AttackIQ grants to Customer a limited, non-exclusive, non-sublicensable, non-transferable license during the Term to: (i) reproduce and use the Documentation and Content Library solely for the Purpose and (ii) enhance and modify the Content Library solely for the Purpose, provided that Customer delivers each modification and enhancement to AttackIQ promptly. Customer may make a reasonable number of copies of the Documentation for backup and disaster recovery purposes during the Term, provided that Customer also reproduces on such copy any copyright, trademark or other proprietary markings and notices contained in the AttackIQ Solution.

2.3 Delivery.

AttackIQ and Customer agree that the Agent, Documentation and Content Library shall be delivered to Customer only electronically.

2.4 Changes to Hosted Service and Content Library.

AttackIQ may modify, enhance or remove features or functionality of the Hosted Service from time to time. If the changes materially reduce the overall functionality, usability and capability of the Hosted Service, then Customer shall have the right to terminate the Agreement and AttackIQ shall refund Customer any unused pre-paid fees on a pro rata basis for the remaining Term following the effective date of termination by Customer. AttackIQ will issue this refund within thirty (30) days of Customer’s termination of the Agreement. Customer acknowledges that security vulnerabilities and security threats change constantly and this in turn may result in changes to the Content Library.

2.5 System Security.

AttackIQ will take commercially reasonable technical and organizational measures designed to secure its computer networks and the AttackIQ Solution from unauthorized access, use, alteration or disclosure. AttackIQ shall not be liable for unauthorized third-party access to its computer networks or the AttackIQ Solution, except to the extent caused by AttackIQ’s negligence or willful misconduct.

2.6 Limitations.

Customer shall use the AttackIQ Solution and Content Library only according to the Documentation, use commercially reasonable efforts to prevent unauthorized access to or use of the AttackIQ Solution and Content Library, and promptly notify AttackIQ of any unauthorized access or use of the AttackIQ Solution or Content Library. Customer is responsible for each User’s compliance with the Agreement.

2.7 Restrictions.

Customer may not use the Service or Content Library in any manner or for any purpose other than the Purpose and as expressly permitted by this Agreement. Customer shall not, and shall not permit or enable any third party to: (a) sublicense, distribute or otherwise grant access to or transfer the AttackIQ Solution or the Content Library to any third party (except as permitted in the Subsection entitled Assignment), (b) alter, create derivative works of or otherwise modify the AttackIQ Solution (except to the extent applicable laws specifically prohibit such restriction), (d) use the Service or Content Library to damage or circumvent the security of any other party’s network or data, (e) perform or disclose the results of stress tests or benchmarking testing of the AttackIQ Solution, provided that Customer may compare the AttackIQ Solution to other products for its internal purposes, or (f) use the AttackIQ Solution to build a competitive product or service.

Section 3—AttackIQ Enterprise Professional Services; Monthly Report.

3.1 AttackIQ Enterprise Professional Services.

AttackIQ will provide professional services: (a) in collaboration with Customer to identify a list of Customer’s security controls to be tested or threat actors to be emulated, or both and (b) to perform these tests and assessments on the in-scope resources of Customer (the “AttackIQ Enterprise Professional Services”). The AttackIQ Enterprise Professional Services are further described at Attachment 3.

3.2 AttackIQ Enterprise Reporting.

During the Term, AttackIQ will provide Users with a monthly report outlining the in-scope testing performed and the results of the completed battery of assessments run pursuant to Section 3.1 (the “AttackIQ Enterprise Report”). AttackIQ will deliver the AttackIQ Enterprise Report to Users only electronically.

3.3 Limitations.

Customer may not use the AttackIQ Enterprise Report in any manner or for any purpose other than the Purpose. The AttackIQ Enterprise Report follows a defined testing method, based on industry vulnerability standards, to identify weaknesses, vulnerabilities and exploits, on the in-scope resources being tested. A weakness, noncompliance issue or vulnerability may not be discovered if evidence of it is not encountered by AttackIQ, or if it is a new, unknown or unlikely weakness, vulnerability or exploit.

Section 4—AttackIQ Solution Support Services.

Subject to Customer’s payment obligations under this Agreement, AttackIQ will provide the maintenance and support services for the AttackIQ Solution described at Attachment 2 (the “Support Services”) for no additional charge. Only AttackIQ shall have the right to maintain and support the AttackIQ Solution.

Section 5—Customer Data.

5.1 License Grant.

Customer is solely responsible for the content of the Customer Data including any claims related to the Customer Data. Subject to the terms of the Agreement, Customer hereby grants to AttackIQ a non-exclusive, royalty-free, worldwide license to, and to permit AttackIQ’s business partners (including but not limited to its hosting partners) to, use, copy, modify, perform and display the Customer Data during the Term, solely for the Purpose.

5.2 Data Security and Privacy.

(a) Security. AttackIQ shall maintain appropriate security for the Customer Data, consistent with the security standards AttackIQ uses to protect its Confidential Information and consistent with industry technical and organizational standards to protect against unauthorized processing and accidental loss or damage of the Customer Data.

(b) Limited Use. AttackIQ will use the Customer Data solely for the purpose of providing the Service to Customer. AttackIQ will permanently and irrevocably delete all Customer Data stored by AttackIQ or its cloud hosting provider, or both, within twenty (20) days of a written request to do so from Customer, or as otherwise required by law.

(c)  Personal Data. If Customer provides Personal Data to AttackIQ under this Agreement, then AttackIQ shall comply with U.S. and European Union federal, national and state laws related to data privacy in effect during the Term of this Agreement where the Personal Data data subject resides, including to the extent applicable, the California Consumer Privacy Act of 2018, Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code (“CCPA”) and the laws of the European Union member states under the General Data Protection Regulation (“GDPR”). AttackIQ and its subprocessors are expressly prohibited from: (i) selling Personal Data for monetary or other valuable consideration, (ii) sharing, collecting, retaining, using, or disclosing Customer Personal Data for any purpose, other than the express purpose of providing the Professional Services and AttackIQ Enterprise Report to Customer. AttackIQ acknowledges and confirms that it does not receive any Personal Data as consideration for any services or products that it provides to Customer under this Agreement.

Section 6—Proprietary Rights, Additional License Grants, Obligations and Restrictions.

6.1 Proprietary Rights.

(a) The AttackIQ Solution and Content Library are the exclusive property of AttackIQ and constitute valuable intellectual property and proprietary materials of AttackIQ. Subject to the limited rights expressly granted in this Agreement, AttackIQ reserves all right, title and interest in and to the AttackIQ Solution and Content Library and all derivative works thereof, including all Intellectual Property Rights. For clarity, AttackIQ owns all enhancements and modifications to the Content Library. No rights are granted to Customer except as expressly set forth in this Agreement.

(b) As between the Parties, the Customer Data is the exclusive property of Customer and constitutes valuable intellectual property and proprietary materials of Customer. The AttackIQ Enterprise Report is the exclusive property of Customer and constitutes valuable intellectual property and proprietary materials of Customer; provided, however, that AttackIQ retains ownership of generic template text included in the AttackIQ Enterprise Report that AttackIQ makes generally available to AttackIQ customers. Subject to the limited rights expressly granted in this Agreement, Customer reserves all right, title and interest in and to the Customer Data and AttackIQ Enterprise Report, including all Intellectual Property Rights. No rights are granted to AttackIQ except as expressly set forth in this Agreement.

6.2 Feedback.

Customer hereby grants to AttackIQ a non-exclusive, royalty-free, irrevocable, perpetual, worldwide, license to use and incorporate into the Service suggestions, comments, improvements, ideas or other feedback or materials provided by Customer (the “Feedback”). AttackIQ will exclusively own any improvements or modifications to the Service based on or derived from any Feedback including all Intellectual Property Rights in and to the improvements and modifications.

6.3 Trademarks.

AttackIQ owns all right, title and interest in and to the AttackIQ Marks and any goodwill arising out of the use of the AttackIQ Marks will remain with and belong to AttackIQ. Customer may not copy, imitate or use the AttackIQ Marks without the prior written consent of AttackIQ. Customer shall not remove or destroy any proprietary, trademark or copyright markings or notices placed upon or contained within the AttackIQ Solution. Customer will not in any way dispute, challenge or contend the validity of the AttackIQ Marks or any trademark, service mark or copyright registration owned by AttackIQ.

6.4 Compiled Data.

AttackIQ may compile statistical information concerning the existence of generic security vulnerabilities and other security risks obtained as a result of the Professional Services that are not specific to Customer or its clients (“Compiled Data”), and may use the Compiled Data to analyze security threat trends and patterns. For clarity, the Compiled Data shall not include any Customer Confidential Information, any references to Customer or its clients or any other information that would identify Customer or its clients.

Section 7—Payments.

7.1 Amount.

In exchange for the right to receive the Service, Customer agrees to pay the amounts specified in the applicable Quote (the “Fee”). The Fee does not include taxes and Customer shall be responsible for all such taxes, levies or duties associated with this Agreement, other than taxes based on AttackIQ’s net income; except that if the Service is taxable in the jurisdiction where Customer is located, and if AttackIQ is registered in this jurisdiction to collect sales tax, then AttackIQ will include Customer’s sales tax on the invoice.

7.2 Payment.

The Fee is payable in full, in advance for the Initial Term and any Renewal Term, unless the Quote provides otherwise. AttackIQ may impose interest on late payments of undisputed invoices at the lower of 1.5% per month, or the maximum rate allowable by applicable law. Customer’s payment of the Fee is not contingent on the delivery of future functionality. All invoices are payable net thirty (30) days from date of invoice in United States Dollars. Except as explicitly provided in this Agreement, all payments are non-refundable.

7.3 Invoice Disputes.

Customer must notify AttackIQ of any invoice dispute within thirty (30) days of the date of the applicable invoice and shall cooperate with AttackIQ in good faith in resolving any such dispute. If the Parties are unable to resolve such dispute within thirty (30) days after Customer’s notice of the dispute each Party shall have the right to seek any remedies it may have under this Agreement, at law or in equity. For clarity, any undisputed amount must be paid in full. AttackIQ may accept any payment in any amount without prejudice to AttackIQ’s right to recover the balance of any amount due or to pursue any other right or remedy. Customer shall pay all of AttackIQ’s reasonable fees, costs and expenses (including reasonable attorneys’ fees) if legal action is required to collect outstanding undisputed balances.

Section 8—Term and Termination; Suspension.

8.1 Term.

This Agreement commences on the Start Date listed on the Quote and shall continue in effect until the End Date listed on the Quote (the “Initial Term”). Thereafter, this Agreement shall automatically renew for successive periods equal to the Initial Term (each, a “Renewal Term”), unless Customer gives written notice of non-renewal to AttackIQ at least thirty (30) days prior to the end of the Initial Term or the then-current Renewal Term, as applicable. The Initial Term and the Renewal Term(s) (if any) are referred to collectively as the “Term”.

8.2 Termination for Material Breach.

If either Party materially breaches any term of this Agreement and fails to cure such breach within thirty (30) days after written notice by the non-breaching Party (fifteen (15) days in the case of non-payment), then the non-breaching Party may terminate this Agreement immediately upon notice.

8.3 Suspension of Hosted Service.

In the event that AttackIQ reasonably concludes that there is a significant threat to the security or functionality of the AttackIQ Solution, then AttackIQ may suspend Customer’s access to the Hosted Service without advance notice in addition to and without prejudice to any other remedies AttackIQ may have, until AttackIQ identifies the cause of the threat or resolves the threat, but not to exceed ten (10) days.

8.4 Effect of Termination.

(a) In General. In the event of any termination or expiration of this Agreement: (i) all of Customer’s rights under this Agreement will immediately terminate, (ii) the licenses granted in this Agreement will terminate, (iii) all Users will immediately cease any access or use of the AttackIQ Solution, (iv) Customer promptly shall uninstall the AttackIQ Solution software from each machine; and (v) Customer shall pay in full for the Professional Services performed up to and including the effective date of termination. Customer may retain a reasonable number of copies of reports generated by the AttackIQ Solution solely for its archival purposes after this Agreement terminates or expires, provided that Customer also reproduces any copyright, trademark or other proprietary markings and notices on the report.

(b) Deletion of Customer Data. Consistent with Section 5.2, AttackIQ will permanently and irrevocably delete all Customer Data stored by AttackIQ or its cloud hosting provider, or both, within twenty (20) days of the date of termination or expiration of this Agreement, if requested to do so in writing by Customer.

(c) Survival. Provisions of this Agreement that by their nature are intended to survive, will continue to apply in accordance with their terms including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, indemnity obligations, limitations of liability and the miscellaneous provisions of the Section entitled Miscellaneous.

8.5 Remedy.

If Customer terminates this Agreement due to material breach by AttackIQ under Subsection 8.2, then AttackIQ shall refund any pre-paid fees on a pro rata basis for the remaining Term within thirty (30) days of Customer’s termination. However, this remedy shall not apply in the case of a breach of the Subsection entitled Support and Professional Services Warranty.

Section 9—Confidential Information.

9.1 Confidentiality Generally.

If the Parties have entered into a Non-Disclosure Agreement (“NDA”), this Agreement incorporates the NDA. If the Parties have not signed an NDA, then the Recipient will protect Confidential Information of the Discloser against any unauthorized use or disclosure to the same extent that the Recipient protects its own Confidential Information of a similar nature against unauthorized use or disclosure, but in no event will use less than a reasonable standard of care to protect such Confidential Information; provided that the Confidential Information of the Discloser is conspicuously marked or otherwise identified as confidential or proprietary upon receipt by the Recipient or the Recipient otherwise knows or has reason to know that the same is Confidential Information of the Discloser. All Customer Data and Personal Data is the Confidential Information of Customer. The Recipient will use any Confidential Information of the Discloser solely for the purposes for which it is provided by the Discloser.

9.2 Exceptions.

This Section 9 will not be interpreted or construed to prohibit: (a) any use or disclosure which is necessary or appropriate in connection with the Recipient’s performance of its obligations or exercise of its rights under this Agreement, (b) any use or disclosure required by applicable law (for example, pursuant to applicable securities laws or legal process), provided that the Recipient uses reasonable efforts to give the Discloser reasonable advance notice thereof (to afford the Discloser an opportunity to intervene and seek an order or other appropriate relief for the protection of its Confidential Information from any unauthorized use or disclosure), or (c) any use or disclosure made with the written consent of the Discloser.

Section 10—Limited Warranties and Remedies.

10.1 Mutual Warranties.

Each Party hereby represents and warrants to the other Party that (a) the individual executing this Agreement on behalf of such Party is duly authorized to execute this Agreement on its behalf, and (b) this Agreement is a valid and binding obligation of such Party and enforceable against such Party in accordance with its terms.

10.2 AttackIQ Solution Warranty.

AttackIQ warrants to Customer that during the first thirty (30) days of the Initial Term the AttackIQ Solution will perform in all material respects in accordance with the Documentation. Customer’s sole and exclusive remedy and AttackIQ’s entire liability for any breach of the foregoing warranty is to repair or replace any nonconforming component of the AttackIQ Solution so that the affected component operates as warranted or, if AttackIQ is unable to do so, terminate the license for the AttackIQ Solution and refund any pre-paid fees for the AttackIQ Solution on a pro rata basis for the remaining Term.

10.3 Support and Professional Services Warranty.

AttackIQ represents and warrants that during the Term, the Support Services and Professional Services will be performed in a professional and workmanlike manner in accordance with generally prevailing industry standards. Customer’s sole and exclusive remedy and AttackIQ’s entire liability for a breach of the foregoing warranty is to reperform the Support Services or Professional Services.

10.4 No Malicious Code Warranty.

AttackIQ warrants to Customer that during the Term: (a) AttackIQ applies industry standard tools to identify and eliminate viruses and other malware prior to delivering the Agent software to Customer; and (b) to AttackIQ’s knowledge, all Agent software delivered to Customer shall be free of: (i) functions or routines that are designed to surreptitiously delete or corrupt data in such a manner as to interfere with the normal operation of the AttackIQ Solution, (ii) undisclosed “time bombs”, time-out or deactivation functions or other means designed to terminate the operation of the AttackIQ Solution (other than at the direction of the user), (iii) “back doors” or other means designed to allow remote access and/or control a Customer’s networks; and (iv) any codes or keys designed to have the effect of disabling or otherwise shutting down all or any portion of the AttackIQ Solution or limiting its functionality.

10.5 Exceptions.

The warranties in Subsections 10.2 through 10.4 do not apply to: (a) any component of the AttackIQ Solution that has been used in a manner other than as set forth in the Documentation and authorized under this Agreement, to the extent such improper use causes the AttackIQ Solution, Support Services or Professional Services to be nonconforming or (b) Force Majeure or any other type of catastrophic damage. Any claim submitted under Subsections 10.2 through 10.4 must be submitted in writing to AttackIQ during the warranty period.

10.6 Disclaimers.

AttackIQ does not warrant that the AttackIQ Solution is free from bugs, errors, defects or deficiencies. AttackIQ does not provide any warranties regarding the Content Library and disclaims all liability for the Content Library and actions taken in connection with the Content Library by any party other than AttackIQ. EXCEPT AS EXPRESSLY PROVIDED IN THIS SECTION 10, ATTACKIQ MAKES NO WARRANTY OR GUARANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL OTHER WARRANTIES, WHETHER IMPLIED OR STATUTORY, INCLUDING ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. CUSTOMER ACKNOWLEDGES THAT THE DISCLAIMERS IN THIS SECTION 10 ARE A MATERIAL PART OF THIS AGREEMENT, AND ATTACKIQ WOULD NOT HAVE ENTERED INTO THIS AGREEMENT BUT FOR SUCH DISCLAIMERS.

Section 11—Indemnification.

11.1 IP Indemnification by AttackIQ.

(a) AttackIQ will, at its expense, either defend Customer from or settle any claim, suit or proceeding (“Claim”) brought by a third party against Customer alleging that Customer’s use of the portions of the AttackIQ Enterprise Report provided by AttackIQ in accordance with this Agreement or Customer’s use of the AttackIQ Solution in accordance with this Agreement infringes or misappropriates such third party’s United States patent, copyright, trademark or trade secret intellectual property rights.

(b)  AttackIQ will indemnify Customer from and pay: (i) all damages, costs and attorneys’ fees finally awarded against Customer in a Claim under Subsection 11.1(a), (ii) all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by Customer in connection with the defense of a Claim under Subsection 11.1(a) (other than attorneys’ fees and costs incurred without AttackIQ’s consent after AttackIQ has accepted defense of the Claim); and (iii) all amounts that AttackIQ agrees to pay to any third party to settle a Claim under Subsection 11.1(a). Further, should the AttackIQ Solution or AttackIQ Enterprise Report become, or in AttackIQ’s opinion is likely to become, the subject of a claim of infringement or misappropriation AttackIQ may, at its option and expense: (i) obtain a license to permit Customer to continue using the AttackIQ Solution or AttackIQ Enterprise Report according to the terms of this Agreement, (ii) modify or replace the relevant portion(s) of the AttackIQ Solution or AttackIQ Enterprise Report with a non-infringing or non-misappropriating alternative having substantially equivalent performance within a reasonable period of time, or (iii) terminate this Agreement by providing notice to Customer, and provide Customer with a refund of any pre-paid fees for the AttackIQ Solution or AttackIQ Enterprise Report on a pro rata basis for the remaining Term.

(c) AttackIQ’s indemnity obligation will not apply to the extent any infringement or misappropriation arises as a result of: (i) Customer Data included in the AttackIQ Enterprise Report, (ii) a combination of the AttackIQ Solution with software or systems not provided by AttackIQ, (iii) any failure of Customer to comply with this Agreement, (iv) modification of the AttackIQ Enterprise Report by any party other than AttackIQ or (v) Client’s use of a superseded version of an AttackIQ Enterprise Report, if the infringement could have been avoided by using the latest version of the AttackIQ Enterprise Report.

11.2 Indemnification by Customer.

(a) Customer will, at its expense, either defend AttackIQ from or settle any Claim brought by a third party against AttackIQ caused by or arising out of: (i) Customer Data or (ii) an assertion that Customer has violated Subsection 2.7 (Restrictions).

(b) Customer will indemnify AttackIQ from and pay: (i) all damages, costs and attorneys’ fees finally awarded against AttackIQ in a Claim under Subsection 11.2(a), (ii) all out-of-pocket costs (including reasonable attorneys’ fees) reasonably incurred by AttackIQ in connection with the defense of a Claim under Subsection 11.2(a) (other than attorneys’ fees and costs incurred without Customer’s consent after Customer has accepted defense of the Claim); and (iii) all amounts that Customer agrees to pay to any third party to settle a Claim under Subsection 11.2(a).

11.3 Process.

The indemnified Party will promptly notify the indemnifying Party of any claim subject to this Section 11, but the indemnified Party’s failure to promptly notify the indemnifying Party will only affect the indemnifying Party’s obligations under this Section 11 to the extent that such failure prejudices the indemnifying Party’s ability to defend the Claim. The indemnifying Party may: (a) use counsel of its own choosing to defend against any Claim; and (b) settle the Claim as the indemnifying Party deems appropriate (except that the indemnifying Party may not settle any Claim unless the settlement unconditionally releases the indemnified Party of all liability related to the Claim). The indemnified Party shall provide the indemnifying Party, at the indemnifying Party’s expense, with all assistance, information and authority reasonably required for the defense and settlement of the Claim.

Section 12—Limitations of Liability.

12.1 By Type.

EXCEPT FOR EITHER PARTY’S BREACH OF SECTION 9 (CONFIDENTIALITY) OR VIOLATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, OR A PARTY’S OBLIGATIONS UNDER SECTION 11 (INDEMNIFICATION) IN NO EVENT WILL A PARTY HAVE ANY LIABILITY TO THE OTHER PARTY or any third party FOR ANY consequential, INDIRECT, SPECIAL, INCIDENTAL, REMOTE, SPECULATIVE, COVER, PUNITIVE or exemplary DAMAGES, (including loss of use, data, business or profits) regardless of the theory of liability or whether the liable Party HAS BEEN ADVISED OF THE POSSIBILITY OF THESE TYPES OF DAMAGES.

12.2 By Amount Generally.

EXCEPT FOR EITHER PARTY’S BREACH OF SECTION 9 (CONFIDENTIALITY) OR VIOLATION OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, OR A PARTY’S OBLIGATIONS UNDER SECTION 11 (INDEMNIFICATION) IN NO EVENT will either Party be liable for aggregate damages in excess of the fees PAID OR PAYABLE BY CUSTOMER TO ATTACKIQ UNDER THIS AGREEMENT, regardless of the theory of liability or whether the liable Party HAS BEEN ADVISED OF THE POSSIBILITY OF such DAMAGES.

12.3 By Amount for Certain Matters.

EACH PARTY’S AGGREGATE LIABILITY FOR BREACH OF SECTION 9 (CONFIDENTIALITY) AND ITS OBLIGATIONS UNDER SECTION 11 (INDEMNIFICATION) SHALL NOT EXCEED FIVE HUNDRED THOUSAND DOLLARS ($500,000).

12.4 Exclusions.

No limitation of liability in this Agreement, whether through the exclusion of certain types of damages, a cap on the amount of damages, or other limitation, applies to either Party’s liability for violation of the other party’s intellectual property rights, gross negligence, intentional misconduct, death or personal injury.

12.5 Allocation of Risk.

The Parties agree that the limitations specified in this Section 12 will survive and apply even if any limited remedy specified in this Agreement is found to have failed of its essential purpose. Each Party acknowledges that the foregoing limitations are an essential element of this Agreement and a reasonable allocation of risk between the Parties and that in the absence of such limitations the pricing and other terms set forth in this Agreement would be substantially different.

Section 13—Disputes.

13.1 Informal Dispute Resolution.

If a dispute arises between the Parties, then the Parties will use reasonable efforts to resolve the dispute through negotiation. If such negotiations result in an agreement in principle to settle the dispute, the Parties shall cause a written settlement agreement to be prepared, signed and dated, whereupon the dispute shall be deemed settled, and not subject to further dispute resolution.

13.2 Unresolved Disputes; Waiver of Jury Trial.

Upon the Parties’ mutual written agreement, any dispute under the Agreement may be submitted for resolution to mediation to occur at a mutually agreed upon location. The Parties reserve all rights to adjudicate any dispute not submitted to mediation hereunder, in any court of competent jurisdiction located in Santa Clara County, State of California, USA; provided, however, that each Party hereby waives the right to a trial by jury in any such action.

13.3 Exception for Injunctive Relief.

The Parties acknowledge that any breach of the confidentiality provisions or the unauthorized use of a Party’s intellectual property may result in serious and irreparable injury to the aggrieved Party for which damages may not adequately compensate the aggrieved Party. The Parties agree, therefore, that, in addition to the dispute resolution process described above and any other remedy that the aggrieved Party may have, it shall be entitled to seek equitable injunctive relief without being required to post a bond or other surety or to prove either actual damages or that damages would be an inadequate remedy.

Section 14—Miscellaneous.

14.1 Logo Use.

AttackIQ may use Customer’s name and logo in listings of AttackIQ’s customers on the website located at www.AttackIQ.com and in other public statements or disclosures for the purposes of marketing the AttackIQ Solution. Customer may request that AttackIQ cease or modify any use of Customer’s name or logo that is misleading or tends to dilute Customer’s brand.

14.2 Force Majeure.

AttackIQ shall not be responsible for any failure to perform under this Agreement which is due to causes beyond its control including, without limitation, problems with the Internet or Customer’s hardware or software, third-party interference, network failure, wars, civil disturbance, court order, legislative or regulatory action, catastrophic weather conditions, pandemic, power or utility failure, or acts of God.

14.3 Export.

The AttackIQ Solution and related technology are subject to applicable United States export laws and regulations. Customer must comply with all applicable United States and international export laws and regulations with respect to the AttackIQ Solution and related technology. Without limitation, Customer may not export, re-export or otherwise transfer the AttackIQ Solution or related technology, without a United States government license: (a) to any person or entity on any United States export control list, (b) to any country subject to United States sanctions, or (c) for any prohibited end use.

14.4 Anti-corruption.

Customer has not received or been offered any bribe, kickback, illegal or improper payment, gift, or thing of value from any AttackIQ personnel or agents in connection with this Agreement, other than reasonable gifts and entertainment provided in the ordinary course of business. If Customer becomes aware of any violation of the above restriction, Customer will promptly notify AttackIQ at [email protected].

14.5 Independent Contractors.

Each Party is an independent contractor and not a partner or agent of the other. This Agreement will not be interpreted or construed as creating or evidencing any partnership or agency between the Parties or as imposing any partnership or agency obligations or liability upon either Party. Further, neither Party is authorized to, and will not, enter into or incur any agreement, contract, commitment, obligation or liability in the name of or otherwise on behalf of the other Party.

14.6 No Third Party Beneficiaries.

This Agreement does not create any third party beneficiary rights in any individual or entity that is not a Party to this Agreement.

14.7 Assignment.

Except as set forth in this Subsection, neither Party shall assign, delegate, or otherwise transfer this Agreement or any of its rights or obligations to a third party without the other Party’s prior written consent. Either Party may assign, without such consent but upon written notice, its rights and obligations under this Agreement to: (i) its corporate affiliate, or (ii) any entity that acquires all or substantially all of its capital stock or its assets related to this Agreement, through purchase, merger, consolidation, or otherwise. Any other attempted assignment shall be void. Subject to the foregoing, this Agreement will be fully binding upon, inure to the benefit of and be enforceable by any permitted assignee.

14.8 Applicable Law.

This Agreement will be interpreted, construed and enforced in all respects in accordance with the laws of the State of California, U.S.A., as applied to agreements entered into and to be performed entirely within California between California residents, without regard to conflicts of law principles. In such case, the sole and exclusive personal jurisdiction and venue for any legal proceedings in connection with this Agreement shall be in the California State Courts located in Santa Clara County and the U.S. District Court for the Northern District of California. The Parties waive any objections related to such jurisdictions and venues. The 1980 UN Convention on Contracts for the International Sale of Goods or its successor will not apply to this Agreement.

14.9 Notice.

Ordinary day-to-day operational communications may be conducted by email or telephone communications. Any other notices required by this Agreement will be in writing and given by personal delivery, by pre-paid first class mail or by overnight courier to the address specified on the Quote (or such other address as may be specified in writing in accordance with this Subsection).

14.10 Additional Definitions.

See Attachment 1.

14.11 Entire Agreement.

This Agreement, including any attachments and exhibits, constitutes the complete and exclusive statement of all mutual understandings between the Parties with respect to the subject matter hereof, superseding all prior or contemporaneous proposals, communications and understandings, oral or written. In the event of any conflict or inconsistency among the following, the order of precedence shall be: (i) the Quote, (ii) this AttackIQ Enterprise Agreement and (iii) the Documentation. No modification, amendment, or waiver of any provision of this Agreement will be effective unless it exists in writing and is signed by the Party against whom the modification, amendment, or waiver is to be asserted. If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of this Agreement will remain in effect.


Attachment 1

Additional Definitions

 “Agent” means Authoriz

“AttackIQ Marks” means any trademarks, service marks, service or trade names, logos, and other designations of AttackIQ.

“AttackIQ Solution” means the AttackIQ proprietary threat intelligence solution for computer software and systems described on the Quote. The AttackIQ Solution is comprised of the Agent, the Hosted Service, the Documentation and any Updates to the foregoing.

“Confidential Information” means any information that is proprietary or confidential to the Discloser or that the Discloser is obligated to keep confidential (e.g., pursuant to a contractual or other obligation owing to a third party). Confidential Information may be of a technical, business or other nature (including, but not limited to, information which relates to the Discloser’s technology, software documentation, research, development, products, services, pricing of products and services, customers, employees, contractors, marketing plans, finances, contracts, legal affairs, or business affairs). However, Confidential Information does not include any information that: (a) was known to the Recipient prior to receiving the same from the Discloser in connection with this Agreement, (b) is independently developed by the Recipient, (c) is acquired by the Recipient from another source without restriction as to use or disclosure, or (d) is or becomes part of the public domain through no fault or action of the Recipient. All Customer Data and Personal Data is the Confidential Information of Customer.

“Content Library” means a library of attack scenarios and behaviors used with the AttackIQ Solution to test the security of Customer’s software and systems.

“Customer Data” means: (a) data generated by Customer’s endpoint that is delivered to the AttackIQ Solution, (b) any other information that Customer is permitted to input into the AttackIQ Solution data fields, (c) other data, including Personal Data, Customer provides to AttackIQ under this Agreement and (d) the contents of the AttackIQ Enterprise Report that are specific to Customer, including information regarding Customer’s network security vulnerabilities and security threats.

“Discloser” means a Party that discloses any of its Confidential Information to the other Party.

“Documentation” means the documentation describing the AttackIQ Solution accompanying the AttackIQ Solution.

“Hosted Service” means the software-as-a-service portion of the AttackIQ Solution hosted on machines owned or controlled by AttackIQ, as further described on the Quote.

“Intellectual Property Rights” means any patent, copyright, trademark, service mark, trade name, trade secret, know-how, moral right or other intellectual property right under the laws of any jurisdiction, whether registered, unregistered, statutory, common law or otherwise (including any rights to sue, recover damages or obtain relief for any past infringement, and any rights under any application, assignment, license, legal opinion or search).

“Party” means AttackIQ or Customer.

“Personal Data” means any information provided by Customer to AttackIQ used to identify a specific natural person, either alone or when combined with other information that is linkable by AttackIQ to a specific natural person. Personal Data also includes other information provided by Customer to AttackIQ about a specific natural person where the data protection laws in effect in the region where such person resides define this information as Personal Data.

“Professional Services” means the consulting services described at Attachment 3 (AttackIQ Enterprise Professional Services).

“Purpose” means the limited purpose of evaluating and validating the effectiveness of Customer’s own computer network security infrastructure in connection with Customer’s ordinary, internal business operations.

“Recipient” means a Party that receives any Confidential Information of the other Party.

“Service” means the AttackIQ Solution and the AttackIQ Enterprise Report.

“Updates” means corrections, updates, patches and other modifications to the AttackIQ Solution that AttackIQ makes generally commercially available during the Term.

“User” means Customer’s current employees, independent contractors, agents and consultants who are authorized or permitted by Customer to access and use the Service on behalf of Customer; provided that each individual is not: (a) a resident of any country subject to a United States embargo or other similar United States export restrictions, (b) on the United States Treasury Department’s list of Specifically Designated Nationals, (c) on the United States Department of Commerce’s Denied Persons List or Entity List, or (d) on any other United States export control list.


Attachment 2

Priority Support Services

Basic service level agreement: AttackIQ provides Support Services 24 x 7 x 365

  • Unlimited Service Requests and Case Management
  • Email, Web & Phone support with Remote Desktop Sessions
  • 4 Hour Response Time for Severity 1 Tickets
  • 8 Hour Response Time for Severity 2 Tickets
  • 2 Business Day Response Time for Severity 3 & 4 Tickets
  • Access to all current Hot Fixes and Service Packs
  • Access to Major Upgrades and Enhancements
  • Proactive Escalation
  • Access to In-App Knowledge Base and FAQ
  • Identify up to 4 Authorized Contacts

Level: Description

Severity 1: Major Impact. An issue that cannot be reasonably circumvented and which is an emergency condition that significantly restricts Customer’s ability to perform necessary business functions.

Severity 2: Moderate Impact. An issue that restricts Customer’s ability to use one or more features.

Severity 3: Minor Impact (Performance/Operational Impact). An issue that restricts the Customer’s ability to use one or more features to perform a necessary business function, but which can be reasonably circumvented.

Severity 4: No Issue. A request for general support, installation questions or new feature requests.

Attachment 3

AttackIQ Enterprise Professional Services

{provided separately}