The following terms apply only to the extent Client has ordered the applicable Solutions as specified in an Order Form. In the event of any conflict between these Solution-Specific Terms and the main Terms, these Solution-Specific Terms shall control with respect to the applicable Solutions.

CLOUD ASSESSMENTS

Applicability: This Section applies if Client subscribes to cloud assessment Solutions as specified in an Order Form.

Client shall provide Drawbridge with the relevant permissions and access credentials necessary to complete the cloud assessment on Client’s cloud environment(s) as specified in the applicable Order Form. Client represents and warrants that it has all necessary authorizations to grant such access, including any consents required by third-party cloud providers. Drawbridge shall not be liable for any delays or inability to perform the Cloud Assessment resulting from Client’s failure to provide the required permissions or access. Cloud Assessment findings reflect conditions observed at the time the assessment is performed and do not guarantee that all potentially risky or adverse configurations have been identified. Client is solely responsible for determining whether and how to remediate any issues identified.

CYBERSECURITY TRAINING AND AWARENESS 

Applicability: This Section applies if Client subscribes to cybersecurity awareness training or phishing simulation Solutions as specified in an Order Form.

Client acknowledges that these services may be delivered through a third-party platform. Client agrees to comply with any applicable third-party terms of use or acceptable use policies. Drawbridge will provide or make available such terms upon request. Client is responsible for: (i) providing accurate employee information for enrollment; (ii) ensuring employees complete assigned training within applicable deadlines; and (iii) notifying Drawbridge of any changes to enrolled users. Drawbridge may change such third-party services without notice, provided that such change does not materially diminish the quality of the Solutions. Drawbridge makes no representations or warranties with respect to the third-party platform. Drawbridge shall not be liable for any acts, omissions, or service interruptions of the third-party provider. To the extent the Solution is subject to a license count as specified in an Order Form, during the Term and for one (1) year thereafter, Drawbridge may audit Client’s records to verify compliance with license-count provisions. If an audit reveals excess usage, Client shall pay the applicable Fees for such excess, prorated through the end of the then-current Term.

EQUIPMENT

Applicability: This Section applies if Client orders Equipment and/or subscribes to a Solution that requires Client to loan or purchase Equipment as specified in an Order Form.

Purchased Equipment. If Client purchases Equipment, Client becomes the owner upon payment in full and is responsible for: (i) installing the Equipment at the location(s) specified by Drawbridge; and (ii) implementing appropriate data protection practices for any information stored on such Equipment. If Client installs or uses the Equipment at a location other than as agreed, the Solutions may fail to function properly. Client shall promptly notify Drawbridge of any Equipment relocation.

Loaned Equipment. If Drawbridge provides Equipment on a loaned basis, such Equipment remains Drawbridge’s property. Client shall: (i) use loaned Equipment solely for the purposes specified in the applicable Order Form; (ii) not modify, disassemble, or attempt to repair loaned Equipment; (iii) maintain loaned Equipment in good working condition, ordinary wear and tear excepted; (iv) return loaned Equipment within ten (10) business days following completion of the applicable Solutions or termination of the Agreement; and (v) be responsible for any loss or damage while in Client’s possession. Drawbridge may invoice Client for the replacement cost of any loaned Equipment not returned or returned in damaged condition.

If the Solutions require Equipment, Client shall timely install such Equipment in accordance with Drawbridge’s instructions to enable Drawbridge to perform the Solutions. Drawbridge shall not be liable for any delays or inability to perform the Solutions resulting from Client’s failure to install Equipment.

PENETRATION TESTING

Applicability: This Section applies if Client subscribes to penetration testing Solutions as specified in an Order Form.

Penetration testing will be performed only on the systems and within the scope specified in the applicable Order Form. Any changes to scope require mutual written agreement. Client represents and warrants that it has all necessary consents and authorizations to permit Drawbridge to perform penetration testing on the systems identified in the applicable Order Form, including any systems hosted by third-party providers. Client shall obtain any required consents from third parties (e.g., cloud providers, co-location facilities) prior to testing.

Client acknowledges that Drawbridge may use third-party tools or platforms to perform penetration testing. Client acknowledges that penetration testing may temporarily impact system performance, and Drawbridge disclaims all liability related to any disruption. Drawbridge may change such tools without notice, provided that such change does not materially diminish the quality of the Solutions. Penetration testing results reflect conditions observed during the specific testing window and do not guarantee that all vulnerabilities have been identified. Client is solely responsible for determining whether and how to remediate any issues identified.

POLICIES

Applicability: This Section applies if Client subscribes to policy drafting Solutions as specified in an Order Form.

Client acknowledges that policies and documentation created by Drawbridge are based on the information available to Drawbridge at the time such policies are created. Client shall provide Drawbridge with accurate and complete information reasonably necessary to develop the applicable policies. Drawbridge shall not be liable for any deficiencies in policies resulting from Client’s failure to provide accurate or complete information. Client is responsible for: (i) promptly informing Drawbridge of any changes that may affect the accuracy or applicability of policies developed by Drawbridge; and (ii) enforcement and execution of its own policies. Policies developed by Drawbridge do not guarantee compliance with applicable legal, regulatory, or industry requirements, and Client is solely responsible for ensuring that its policies satisfy such requirements.

SOFTWARE 

Applicability: This Section applies if Client orders Software (e.g., agent-based scanning software) as specified in an Order Form.

Client may install and use the Software only up to the number of licenses specified in the applicable Order Form. Client shall not exceed the licensed quantity without Drawbridge’s prior written consent and payment of applicable Fees. During the Term and for one (1) year thereafter, Drawbridge may audit Client’s records to verify compliance with license-count provisions. If an audit reveals excess usage, Client shall pay the applicable Fees for such excess, prorated through the end of the then-current Term. Upon termination of the applicable Order Form, Client remains solely responsible for removing any agent-based Software from their devices.

VENDOR RISK ASSESSMENTS

Applicability: This Section applies if Client subscribes to vendor risk assessment Solutions as specified in an Order Form.

Client shall provide Drawbridge with vendor contact information and any other information reasonably necessary to conduct the vendor risk assessments. Drawbridge shall not be liable for delays or incomplete assessments resulting from Client’s failure to provide such information or from a vendor’s failure to respond. Client acknowledges that: (i) Drawbridge may collect information directly from Client’s vendors, including confidential information and third-party audit reports (e.g., SOC 2 reports); (ii) such vendor-provided information may be subject to confidentiality obligations or use restrictions imposed by the applicable vendor; (iii) Drawbridge’s ability to share certain vendor information with Client may be limited by such third-party restrictions; and (iv) Client shall comply with any use restrictions communicated by Drawbridge with respect to vendor-provided information and treat all vendor-provided information as confidential. Vendor risk assessment deliverables are based on information provided by the applicable vendors. Drawbridge does not independently verify the accuracy or completeness of vendor-provided information and shall have no liability for any inaccuracies therein or for any use of such deliverables.

VULNERABILITY SCANNING

Applicability: This Section applies if Client subscribes to vulnerability scanning Solutions as specified in an Order Form.

Scanning will be performed at the frequency specified in the applicable Order Form. Client acknowledges that scanning may temporarily impact system performance. Client represents and warrants that it has all necessary authorizations to permit Drawbridge to perform vulnerability scanning on the systems or network identified in the applicable Order Form. If there is a change to Client’s network or systems, Client should notify Drawbridge as soon as feasible. Vulnerability scanning results reflect conditions observed at the time of scanning and do not guarantee that all vulnerabilities have been identified. If purchased or loaned Equipment is utilized in connection with the vulnerability scanning Solutions, the terms relating to Equipment set forth in this Exhibit shall also apply.

PORTFOLIO COMPANY SOLUTIONS

Applicability: This Section applies if Client subscribes to any Solutions on behalf of its Portfolio Companies, as specified in an Order Form.

Upon mutual agreement during the Term, Client may cause one or more portfolio companies under its control (“Portfolio Companies”) to subscribe to Solutions by executing a Drawbridge Solutions Order Form (“PC Agreement”). Client shall pay all Fees under each PC Agreement and shall cause each Portfolio Company to comply with all applicable terms of this Agreement. Client is responsible for any acts or omissions of its Portfolio Companies as if they were acts or omissions of Client, and a breach by any Portfolio Company shall be deemed a breach by Client. Portfolio Companies shall not be considered Affiliates as defined in the Agreement. By executing a PC Agreement, Client represents and warrants that it has obtained all necessary rights, consents, and authorizations from each Portfolio Company to: (i) permit Drawbridge to access Portfolio Company’s systems, networks, and data as necessary to perform the Solutions; (ii) permit Drawbridge to share Portfolio Company’s Confidential Information, Client Data, and deliverables with Client; and (iii) bind the Portfolio Company to the terms of this Agreement. Client shall use Portfolio Company information solely for Client’s internal business purposes related to oversight of its portfolio and shall not disclose such information to third parties except as permitted under the Agreement.

Client or the applicable Portfolio Company shall promptly notify Drawbridge in writing if Client no longer has the right to access a Portfolio Company’s Confidential Information or Client Data, including upon the sale, divestiture, or other disposition of a Portfolio Company. Upon receipt of such notice, Drawbridge will terminate Client’s access to the applicable Portfolio Company’s information. Drawbridge shall have no liability for Client’s continued access to or use of Portfolio Company information prior to receipt of such notice. Client shall indemnify and hold harmless Drawbridge from any claims arising from: (i) Client’s failure to obtain the authorizations required under this Section; (ii) Client’s access to or use of Portfolio Company information; or (iii) any dispute between Client and a Portfolio Company, including claims that Client or Drawbridge lacked authorization to access Portfolio Company systems or data.