Workforce Security & Risk Training Phishing Service Supplemental Terms 0526

These WORKFORCE SECURITY AND RISK TRAINING PHISHING SERVICE SUPPLEMENTAL TERMS ("Terms") govern your subscription to PhishingBox, LLC (“PhishingBox”) through SANS in order to deliver Workforce Phishing Services and constitute a legal agreement between The Escal Institute of Advanced Technologies, Inc. /dba SANS Institute ("SANS") and you ("End User Customer"). These Terms will take effect when you use the Workforce Phishing Services. Nothing in these Terms modifies or supersedes the Master Training and Services Agreement, End User License Agreement, or Master License and Services Agreement (the "Agreement") between the Parties. Capitalized terms not defined herein shall, unless otherwise indicated, have the same meaning ascribed to such terms in the Agreement. These Terms supplement the Workforce Security and Risk Training Services Supplemental Terms. To the extent of a conflict between these Terms and the Workforce Security and Risk Training Supplemental Terms, these Terms shall govern solely with respect to PhishingBox and the Workforce Phishing Service.

1. DEFINITIONS.

1.1. Campaign means any phishing simulation, awareness exercise, related distribution, reporting workflow, or follow-up educational activity initiated or configured by or on behalf of End User Customer through the Workforce Phishing Service.

1.2. Phishing Platform means the PhishingBox hosted software platform and related documentation, interfaces, reports, analytics, templates, and functionality used by SANS to provide Workforce Phishing Service.

1.3. Target Domain means any email domain, subdomain, or address space to which End User Customer causes or authorizes simulated phishing, social engineering, awareness, or training messages to be sent through the Workforce Phishing Service.

1.4. Workforce Phishing Named User means any individual (i) with a user login account permitting such individual to access and use Workforce Training Materials through the Workforce Training Services or End User Customer LMS, or (ii) designated to be tested in Workforce Phishing Service activities, including administrative users, reporting users, and target recipients of simulated phishing, social engineering, related educational messages, or follow-up training content delivered through PhishingBox.

1.5. Workforce Phishing Service means a SANS tool or service available to End User Customer to test its employees’ ability to withstand phishing/social engineering attacks, including the Phishing Platform and related software, reporting tools, analytics, campaign management functionality, integrations, related training content, and associated support services made available by or through PhishingBox.

2. WORKFORCE PHISHING SERVICE.

2.1. End User Customer is hereby granted a non-exclusive, non-transferable, and non-sublicensable license to use the Workforce Phishing Service during the Subscription Term set forth in the Price Quote, limited to the number of Workforce Phishing Named Users set forth in the Price Quote, solely for End User Customer’s internal business operations and not for resale, redistribution, sublicensing, service bureau use, managed service delivery to third parties, or other third-party benefit.

2.2. End User Customer grants SANS all necessary rights to authorize SANS and its subprocessors a non-exclusive right to process data solely to provide the Workforce Phishing Service to End User Customer and its Workforce Phishing Named Users, including the right to host, copy, transmit, display, analyze, and otherwise process End User Customer data, Target Domain information, user records, message content, campaign results, and related operational data as necessary to provide, support, secure, and improve the Workforce Phishing Service, including PhishingBox and its affiliates, licensors, and subprocessors.

2.3. A person who is a user only because he or she is designated to be tested through the Workforce Phishing Service will not be counted against End User Customer’s total allotment of Workforce Phishing Named Users until the first phishing message is sent to that Workforce Phishing Named User by the Workforce Phishing Service, at which point such person will become a Workforce Phishing Named User, unless the applicable Price Quote specifies a different counting methodology or licensing metric.

2.4. End User Customer shall:

2.4.1. ensure that its Workforce Phishing Named Users comply with the terms of the Agreement and shall be responsible for the acts or omissions of any Workforce Phishing Named User, or person using a Workforce Phishing Named User’s login, in connection with their use of the Workforce Phishing Services not in conformity with the Agreement;

2.4.2. notify SANS within five (5) business days of any known unauthorized use of End User Customer’s account, and promptly notify SANS of any suspected misuse, security incident, unauthorized Campaign, unauthorized domain targeting, or other known or suspected breach involving the Workforce Phishing Service;

2.4.3. not attempt to gain unauthorized access to or reverse engineer the Workforce Phishing Service;

2.4.4. not use any SANS Confidential Information to build a competitive service or product, nor copy any feature, function or graphic for competitive purposes;

2.4.5. not sell, resell, rent or lease the Workforce Phishing Service;

2.4.6. only conduct simulated phishing emails to domains and recipients for whom End User Customer has authorization, and End User Customer represents and warrants that it has all necessary rights, permissions, notices, and internal approvals to target such domains and recipients;

2.4.7. not copy, reproduce, distribute, publish, display, modify, adapt, create derivative works of, benchmark, or disclose the features, functionality, reports, templates, workflows, analytics, or documentation of the Workforce Phishing Service except as expressly permitted by SANS in writing;

2.4.8. not use the Workforce Phishing Service to send messages, create templates, or run Campaigns that are unlawful, deceptive in a manner prohibited by law or industry standard acceptable use practices, abusive, defamatory, infringing, harassing, discriminatory, malicious, or otherwise likely to create material legal, regulatory, reputational, deliverability, blacklisting, or operational risk for SANS, PhishingBox, its service providers, or End User Customer;

2.4.9. not use the Workforce Phishing Service for development, prototype, or competitive intelligence purposes;

2.4.10. not permit any third party other than End User Customer’s authorized personnel and service providers acting on End User Customer’s behalf in connection with its own internal business operations to access or administer the Workforce Phishing Service without SANS’ prior written consent;

2.4.11. cooperate with SANS in investigating misuse, unauthorized access, abuse, suspected unlawful use, blacklisting events, complaints, regulatory inquiries, or enforcement actions relating to the Workforce Phishing Service; and

2.4.12. comply with all usage limits, account types, seat metrics, trial limitations, and feature limitations stated in the applicable Price Quote or related product documentation.

2.5. PhishingBox services or applications are provided to End User Customer as part of the Workforce Phishing Service. End User Customer shall protect the confidential and proprietary information of PhishingBox to the same degree as it is obligated to protect other Confidential Information under the Agreement, and End User Customer acknowledges that such PhishingBox services may be subject to additional technical limitations, operational dependencies, feature constraints, support processes, service levels, or restrictions communicated by SANS from time to time.

2.6. Neither Party shall utilize any phishing practices or templates that would create a significant risk of claims, liabilities, administrative actions, internet service provider blacklisting, or other consequences adverse to either SANS or End User Customer, such as identification of the sender as the Internal Revenue Service or another government agency or violations of industry standard acceptable use policies. SANS and its service providers may, but are not obligated to, take action to prevent and stop transmission of any such content provided by End User Customer, including suspension, blocking, deletion, disabling, quarantine, Campaign interruption, or related remediation measures without prior notice where reasonably necessary to protect the service, other customers, or third parties.

2.7. End User Customer acknowledges that SANS may rely on PhishingBox to host, operate, support, and secure the Workforce Phishing Service, and that SANS may take any action reasonably necessary to comply with its obligations to such provider, including enforcing usage limits, requiring corrective action, suspending access, or restricting templates, Campaigns, or domains.

3. OWNERSHIP AND INTELLECTUAL PROPERTY.

3.1. End User Customer acknowledges that, as between End User Customer and SANS and PhishingBox, the Workforce Phishing Service, the Phishing Platform, and related software, documentation, templates, reports, analytics, workflows, interfaces, and all improvements, updates, enhancements, and derivatives thereof are owned by SANS, PhishingBox, or their respective licensors, and no ownership rights therein are transferred to End User Customer.

3.2. End User Customer retains ownership of its own trademarks, logos, and materials provided by it to SANS for use in connection with permitted branding, white-labeling, or campaign customization, subject to the limited rights granted to SANS to provide the Workforce Phishing Service.

3.3. Except as expressly permitted by SANS in writing, End User Customer shall not remove, obscure, or alter proprietary notices, branding notices, copyright notices, or other notices appearing in or on the Workforce Phishing Service.

4. SUPPORT AND SERVICE MANAGEMENT.

4.1. SANS, unless otherwise agreed in writing, will act as the first level of support for End User Customer in connection with the Workforce Phishing Service. End User Customer shall direct all support requests to SANS and shall not contact any third-party provider directly unless expressly authorized by SANS.

4.2. SANS may escalate appropriate issues to its third-party provider, but does not guarantee direct access, direct response, or direct contractual rights between End User Customer and PhishingBox.

4.3. End User Customer is responsible for its internal administration of the Workforce Phishing Service, including designation of administrators, internal authorization for campaigns, management of target populations, and review of campaign settings before launch.

5. USAGE METRICS, TRIALS, AND FEATURE LIMITATIONS.

5.1. The Workforce Phishing Service is subject to the user counts, seat allocations, trial limits, account types, subscription durations, and feature limitations as set forth in the applicable Price Quote.

5.2. Where SANS provides End User Customer with a trial account or promotional access, such access is limited to evaluation purposes only and may be subject to restricted features, shorter duration, user caps, and “as is” treatment. Unless expressly stated otherwise by SANS in writing, trial access may be terminated automatically at the end of the applicable trial period.

5.3. End User Customer acknowledges that certain training-related or learning management functionality made available through the Workforce Phishing Service may be limited, capped, or restricted in scope and may not be equivalent to SANS’ primary Workforce training platform.

6. SUSPENSION.

6.1. In addition to any suspension rights in the Agreement, SANS may suspend or restrict End User Customer’s access to all or any portion of the Workforce Phishing Service immediately upon notice, or without prior notice where reasonably necessary, if SANS determines that: i) End User Customer or any user is in breach of these Terms or the Agreement; ii) any Campaign, template, domain, or message creates material legal, reputational, operational, security, or deliverability risk; iii) continued use may result in blacklisting, abuse complaints, or violation of acceptable use policies; iv) suspension is required to protect the service or third parties; or v) suspension is necessary for SANS to comply with its obligations to PhishingBox or with applicable law.

7. DISCLAIMER, THIRD-PARTY PLATFORM RISK ALLOCATION.

7.1. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PHISHING PLATFORM IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS EXCEPT TO THE EXTENT EXPRESSLY STATED OTHERWISE IN THE AGREEMENT OR APPLICABLE PRICE QUOTE.

7.2. SANS MAKES NO REPRESENTATION OR WARRANTY ON BEHALF OF PHISHINGBOX EXCEPT TO THE EXTENT SANS EXPRESSLY STATES OTHERWISE IN WRITING.

7.3. WHERE ANY FEATURE, FUNCTIONALITY, SERVICE LEVEL, SUPPORT TERM, ROADMAP ITEM, OR PLATFORM COMPONENT DEPENDS ON PHISHINGBOX, SANS SHALL NOT BE LIABLE FOR FAILURE OR DELAY EXCEPT TO THE EXTENT CAUSED BY SANS INDEPENDENT OF PHISHINGBOX AND SUBJECT TO THE LIMITATIONS OF THE AGREEMENT.

8. CONFIDENTIALITY OF THIRD-PARTY PLATFORM INFORMATION.

8.1. For purposes of the Agreement and these Terms, Confidential Information of SANS includes non-public information of PhishingBox disclosed or made available in connection with the Workforce Phishing Service, including documentation, support procedures, pricing structures, product roadmaps, technical information, and non-public reports or analytics.

9. ENFORCEMENT.

9.1. End User Customer acknowledges that SANS may be required to enforce these Terms to protect the intellectual property, confidentiality, service integrity, and operational interests of SANS and PhishingBox. End User Customer shall take such corrective action as SANS reasonably requests in connection with any actual or suspected misuse, infringement, confidentiality breach, or prohibited Campaign activity.