5. Responsibilities  

1. Responsibilities of Cybercraft

Cybercraft is responsible for the following:

1. Validating Findings to determine if an Incident is in progress, the severity, and to notify the Customer

2. Nominating three technical resources for investigating Findings in the Customer Environment

3. Acting in a professional manner, utilising our skills, our experience, to the benefit of the Customer

2. Responsibilities of the Customer

The Customer is Responsible for the following:

1. Nominating a ‘Management’ Single Point of Contact for commercial discussions & management escalation  

2. Nominating a ‘Technical’ Single Point of Contact for Cybersecurity notifications & technical escalation  

3. Authorising Cybercraft to work with the Customer’s Providers for configuration and investigations

3. Initial Onboarding  

The Customer will provide:

1. The required licenses for Cybercraft to access cloud services or systems for event logging

2. The FindMyAttacks team with administrator access to specified systems to deliver the FindMyAttacks service

3. Where unique credentials are required for the FindMyAttacks team, the Customer will provide the required licenses  

4. Any costs incurred for Cybercraft working with the Customer’s Providers for FindMyAttacks configuration & investigations

6. Out of Scope

The following types of cybersecurity services are not included in the scope of the Agreement or our FindMyAttacks deliverables. Cybercraft provides these services separately.

1. Security Control Assessment

Security controls are required to detect and prevent many types of cyber threats and incidents. Organisations require a range of cybersecurity controls to protect their Environment, data, and reduce risk. The Customer is responsible for determining which security controls are required to protect their organisation to effectively mitigate risk.

2. Security Control Management

The ongoing lifecycle management of security controls, their configuration, maintenance, and determining their effectiveness is the responsibility of the Customer. The Customer is also responsible for the fine tuning of security controls to improve the quality of security events logged to FindMyAttacks.  

3. Incident Response Management

The Incident Response Management is a leadership role focussed on the technical & digital aspects of the incident response process, and undertakes the following actions during an incident:

• Minimising technical impacts on the organisation to support a faster recovery
• Determining actions and priorities for containing threats to protect business systems & data
• Improving the speed of recovery of the digital systems.

The Incident Response Manager works closely with the Customer service providers to contain the incident, to prevent further damage or data loss, eradicate the compromise, recover the systems, and work to prevent a reoccurrence.

4. Incident Management  

Incident Management is a business crisis management leadership role that is typically activated when a critical cyber incident is identified and where there is business reputational impact, requiring solid business risk decision making and executive level communications to internal and external parties.

• Protecting business value through preparation and planning;
• Establishing cyber incident management teams and processes;  
• Leading cyber incidents where business impact is anticipated;

The Incident Manager works closely with the business to manage business risk, and in conjunction with the Customer’s Executive team, minimise reputational damage, and provide guidance for any regulatory and compliance breaches.

5. Cyber & Information Security Office

Incidents often require additional support due to the specific nature of the attack, or introduction of a significant risk where the business may have a regulatory, commercial, or reputational impact. The Cyber & Information Security Office compromises of a team of specialists that provide advisory for specific types of incidents.

• Advisory to the Incident Response Manager and the Incident Manger roles

6. Any Preparation for Incident Response or Management

Effective Incident Response and Management requires planning, preparation, staff training, and testing to provide an effective response across a range of potential cyber incidents.  

7. Standard Terms & Conditions

The following terms and conditions shall apply in respect of all work carried out by Cybercraft, except to the extent otherwise agreed with you in writing.

1. Fees

1. The Customer will pay the Fees and any other agreed charges to Cybercraft in accordance with the relevant FindMyAttacks Service into a bank account nominated by Cybercraft or via a payment method such as Stripe, provided by Cybercraft.  

2. If the Parties agree that any additional Services or work over and above that set out in this Agreement is required in relation to any Services, then the charges will be based on the latest FindMyAttacks subscription rates or charge-out rates.

3. Cybercraft will issue invoices for additional Services or work required to deliver the FindMyAttacks Service, and the Customer will pay each invoice without any deduction or set-off of any kind within 10 days of the date of the invoice.   

4. Unless specifically indicated, all amounts payable under the Agreement are to be paid in United States Dollars (USD) via the preferred payment method.  

5. All fees and any other amounts payable under this Agreement do not include taxes, duties or charges levied in the Customer jurisdiction in connection the Agreement.  

6. The Customer agrees to pay any tax that is required for Cybercraft to collect in their jurisdiction on all taxable supplies made by Cybercraft to the Customer under this Agreement.  

7. If the Customer fails to pay any amount due, Cybercraft may without prejudice to its other rights or remedies under this Agreement, suspend the provision of the Services under this Agreement without liability to the Customer. 

2.   Term & Expiry

Agreed Term

1. The ‘Initial Term’ for FindMyAttacks BRONZE Service is 12 MONTHS.

2. All FindMyAttacks Services and certain products from our vendors have an agreed back-to-back term for the operating length of the Service. This reflects the Term agreed to by the Customer when subscribing to the Service.

Expiry of Initial Term

3. Upon expiry of the Initial Term, the Agreement will automatically extend on the same terms and conditions for successive 12-month periods (‘Renewal Term’) unless either Party provides written notice to the other party stating that it does not wish to extend this Agreement no later than 90 days prior to the end of the Initial Term or Renewal Term.

3. Termination

Termination by Either Party on Notice  

1. If any SLA defined in the FindMyAttacks Service are not met for three consecutive months, the Customer may terminate the Services immediately, having provided Cybercraft written notice on each of the prior months. 

2. Cybercraft may terminate the FindMyAttacks Services if the Customer is materially in breach of these terms or if Cybercraft ceases to provide the Services for any reason it believes is appropriate to do so.  

Consequences of Termination  

3. If the termination is a result of a breach by the Customer or cancellation by the Customer, the Customer agrees to pay Cybercraft the charges in total owed to Cybercraft for the remainder of the FindMyAttacks Service Term.  

4. Termination will not affect our other rights and remedies. If the Services are terminated, you must immediately pay us all money due.  

4. Confidentiality

1. Each Party will treat as confidential all Confidential Information obtained from the other pursuant to this Agreement.  Neither Party will divulge Confidential Information to any persons without prior written consent from the other Party, except to the FindMyAttacks team.  

2. For the purposes of this clause, Confidential Information means the terms of this Agreement and any information relating to the business or affairs of the other Party and includes its designs, drawings, manufacturing know how, object code, source code, planned modifications to hardware/equipment or software, planned enhancements to hardware/equipment or software, product knowledge, quality standards, research and development, unpublished specifications, technical information, pricing, manipulated data, business plans, road maps, business processes, methodologies, techniques, general know-how, costs and margins, customer lists, financial data, internal price information, market research, marketing plans, sales forecasts and trade secrets, and any information it designates as confidential.   

3. Clause (7.4) does not apply to information which:  

1. can be established by written records to be already known to the recipient at the time of disclosure; or  

2. is in or enters the public domain through no fault of the recipient.

4.  If one Party is required by any applicable law, court, authority or the rules of any stock exchange to disclose Confidential Information to any person, it will:  

1. to the extent permitted by law, give the other Party prompt written notice of the disclosure, where practicable before it occurs, so that the other Party has sufficient opportunity to prevent the disclosure through appropriate legal means;  

2. disclose only that part of the Confidential Information which the Cybercraft legal advisers consider is legally required to be disclosed; and  

3. use all reasonable endeavours to obtain an assurance that the Confidential Information disclosed will be treated confidentially by any third-party recipient.  

5. This clause will survive termination of this Agreement.  

5. Warranties

1.  Cybercraft warrants to the Customer that:  

1. to the best of its knowledge and belief the provision of the FindMyAttacks Service to the Customer does not, and will not, infringe the copyright of any third party.   

2. the FindMyAttacks Services will meet, function, and perform substantially in accordance with the Core Objectives of the specified Subscription Plan that the Customer has subscribed to.  

2. Except as expressly set out in this Agreement, all representations, conditions, and warranties (whether express or implied, statutory, or otherwise) and including warranties as to the fitness of the Services are expressly excluded.  

3. Unless specifically provided for in this Agreement, Cybercraft provides no warranties or indemnities to the Customer in relation to the Service, and will not be liable to the Customer for any failure of or defects in any Third Party Products provided as part of the Service.  

4. If a claim for a breach of warranty is brought against Cybercraft, Cybercraft will, at its election, either:  

1. ensure or procure a continuing lawful right for Customer to use the relevant Services;   

2. replace or modify the Services with equivalent functionality and performance; or  

3. if the remedies in paragraphs (a) or (b) are not commercially feasible, Cybercraft may terminate this Agreement and refund any Fees paid by the Customer in respect of the alleged or actual infringing Services.  

6. This clause sets out Customer’s sole and exclusive remedy in respect of any claim of copyright infringement.  

7. The Customer warrants to Cybercraft that to the best of its knowledge and belief, any Customer pre-existing IP provided to Cybercraft will not infringe any Intellectual Property Rights of any third party.

6. Dispute Resolution

1. If a dispute arises out of or relates to this Agreement (Dispute), a Party may not commence any court or arbitration proceedings relating to the Dispute unless it has complied with the following provisions of this clause, except where the party seeks urgent interlocutory relief.  

2. A party claiming the Dispute has arisen must give written notice to the other party specifying the nature of the Dispute.  

3. On receipt of that notice, the parties will use all reasonable endeavours to resolve the Dispute by discussion, consultation, negotiation or other informal means.  

4. If the Dispute is not resolved within 15 Business Days of the notice being given, either party may, by giving written notice to the other party, require the Dispute to be determined by the arbitration of a single arbitrator.  The arbitrator will be appointed by the parties or, failing agreement within 5 Business Days of the notice requiring arbitration, by the President of the New Zealand Law Society on application of either party. The arbitration will be conducted as soon as possible and in accordance with the provisions of the Arbitration Act 1996.  

7. Liability

Neither party will be liable to the other party under the law of tort, contract or otherwise for any indirect or consequential loss arising out of, or in connection with, this Agreement; and  

1. loss of revenue, loss or profit, data loss, liquidated damages, penalties, fines, development delays, cost of restoring data or computer systems, arising out of, or in connection with, this Agreement.    

2. Cybercraft’s total liability to the Customer in respect of all losses suffered or incurred will not exceed $10,000 USD, or if not set out, the Fees paid by the Customer to Cybercraft under the relevant Services.  

3. Customer’s total liability to Cybercraft in respect of all losses suffered or incurred will not exceed the amount stated in the relevant Proposal. 

4. Cybercraft will not be liable to the Customer for any loss suffered by Customer: 

1. as a result of any default, breach of this Agreement, or any negligent act or omission of Customer, including any unpermitted use of the Services or any component of them.  

2. as a result of the Customer modifying the Environment that the FindMyAttacks Service is monitoring, following the completion of Onboarding; or due to any delay in the provision of any Deliverables and/or where that delay was (in whole or in part) the fault of Customer in any material way.  

5. Customer acknowledges that:  

1. FindMyAttacks may rely on the provision of services by third parties in order to provide the Services, and that the Services and/or may be subject to limitations, delays and other problems inherent in the use of such services provided by Third Party Providers; and  

2. FindMyAttacks will not be responsible for any delays, delivery failures, penalties, liquidated damages, or any other loss or damage arising out of or in connection with any services provided by Third Party Providers, including any delays, delivery failures, penalties, liquidated damages, or any other loss or damage resulting from the transfer of data over communications networks and facilities (including the internet).  

8. Non-Compete

1. During the term of this Agreement and for a period of [one (1) year] following its termination, the Customer agrees not to directly or indirectly engage in, own, manage, operate, control, or participate in the ownership, management, operation, or control of any business that competes with Cybercraft's business or any of its products or services, including but not limited to the FindMyAttacks Service, without the prior written consent of Cybercraft.

2. The Customer acknowledges that any breach of this non-compete clause would cause significant harm to Cybercraft and agrees that Cybercraft shall be entitled to seek any and all remedies available to it in law or equity, including but not limited to injunctive relief, to prevent such competition.

9. Non-Solicitation of Employees

1. During the term of this Agreement and for a period of [one (1) year] following its termination, the Customer agrees not to directly or indirectly solicit, hire, employ, or engage any current or former employee or contractor of Cybercraft who has been involved in the provision of services under this Agreement, without the prior written consent of Cybercraft.

2. The Customer acknowledges that any breach of this non-solicitation clause would cause significant harm to Cybercraft and agrees that Cybercraft shall be entitled to seek any and all remedies available to it in law or equity, including but not limited to injunctive relief, to prevent such solicitation.

8. Explanation of Fees

1. General Fees

This section outlines the Fees for the Services provided under this Agreement.

Service Plan Fee

1. Annual Fee: The Customer can pay for the Service Plan as an Annual fee, attracting a 20% discount; or

2. Monthly Fee: The Customer will pay a recurring Monthly fee for the Service Plan.

Onboarding Fee

3. The Customer will pay a one-time fee for Onboarding services, which includes initial setup and configuration of the FindMyAttacks Service into the Customer’s Environment.

2. Other Fees

‘Other Fees’ may be incurred to support the effective delivery of the FindMyAttacks Service.  

Authorisation

1. Additional Work for Onboarding: The Customer agrees to authorise any additional work reasonably required for the initial setup and configuration of the FindMyAttacks Service into the Customer’s Environment.

2. Additional Work: If any additional work is required to support the effectiveness of the FindMyAttacks Service, Cybercraft will obtain authorisation from the Customer prior to any work being conducted.

Types of Additional Work

3. Incident Response Testing: The Customer will be charged for any Incident Response testing initiated by the Customer as this requires planned work and customised analysis and reporting for the exercise.

4. Security Control Improvements: The Customer is responsible for any costs incurred as result of any changes to the Customer cybersecurity controls required to provide the FindMyAttacks Service, including, but not limited to, configuration changes, supporting third-party service providers, security event logging improvements.

5. Third-party Costs: The Customer is responsible for any costs incurred by third-party service providers that are necessary for the provision or configuration of the Services.

Additional Triage Requirements

6. Where the number of Findings per month exceeds the number of Triages provided in the Service Plan that the customer subscribed to, the Customer may purchase additional Triage Packs for a monthly fee, for the FindMyAttacks Service.