5 Responsibilities

5.1 Responsibilities of Cybercraft (FMA)

Cybercraft is responsible for undertaking the following to deliver the FMA Service:

• Nominating up to three (3) technical resources for Finding Investigations in the Customer Environment

• Investigating Findings, as determined by the Service Level for the subscribed Plan, to establish if an Incident is in progress

• Determining the severity of a Finding based on the type of threat

• Notifying the Customer via the method determined by the Service Level for the subscribed Plan

Acting in a professional manner, utilising our skills, our experience, to the benefit of the Customer

5.2 Responsibilities of the Customer (FMA)

The Customer is Responsible for the following:

• Licenses and Permissions: Providing the required licenses and license levels necessary for Cybercraft to deliver the FMA Service.

Single Points of Contact

• Management Contact: Nominating a ‘Management’ Single Point of Contact for commercial discussions and management escalation.

• Technical Contact: Nominating a ‘Technical’ Single Point of Contact for cybersecurity notifications and technical escalation.

Authorization for Investigations

• Authorizing the Cybercraft-nominated technical resources (the FMA Team) to work with the Customer’s service providers for Finding Investigations.

• Providing timely access and permissions necessary for the FMA Team to perform their duties, specifically for the purposes outlined in this Agreement.

• Environment Access: Authorizing the FMA Team to access the Customer Environment for the purpose of undertaking Triage and Findings Investigations, provided such access is necessary for the delivery of the FMA Service and within the scope of this Agreement.

• Cost Responsibility: Bearing any costs associated with:

• Working with the Customer’s service providers as part of the FMA onboarding process.

• Additional work requested by the Customer that falls outside the scope of the standard FMA Plan, provided Cybercraft obtains prior written authorization from the Customer for any such work.

• Information and Cooperation

• Providing accurate and timely information required for Cybercraft to perform its services.

• Cooperating reasonably with Cybercraft to facilitate the delivery of the FMA Services, including responding to queries and requests within agreed timeframes.

• Security Log Quality: Ensuring the operational management and quality of the security logs transmitted to FMA, to support the effectiveness of the FMA Service. Any required changes to improve the quality of Security Logs should be mutually agreed upon and documented.

6 Out Of Scope

FMA is a threat investigation and validation service only. The purpose of FMA is to validate threats that are detected in the Customer Environment, and the output of FMA is to notify the Customer of a confirmed Incident as quickly as possible so that the Customer can determine what Incident Response and Incident Management measures are required for their business.

The following types of cybersecurity services are not included in the scope of our FMA Service. Cybercraft can provide these services separately on request. Some services require preparation and planning in advance of any Incident to be effective.

6.1 Security Control Assessment

Cybersecurity controls are required to detect and prevent many types of cyber threats and incidents. Organisations require a range of cybersecurity controls to protect their Environment, data, and reduce risk.

● The Customer is responsible for determining which cybersecurity controls are required to protect their organisation to effectively mitigate business & cybersecurity risks.

6.2 Security Control Management

The ongoing lifecycle management of cybersecurity controls, their configuration, maintenance, and determining their effectiveness is the responsibility of the Customer.

● The Customer is responsible for the operational management of their cybersecurity controls, including improving the quality of Security Logs transmitted to FMA.

6.3 Incident Response

Incident Response is a leadership role focussed on the technical & digital aspects of the Incident response process, and undertakes the following actions during an Incident:

a) Minimising technical impacts on the organisation to support a faster recovery

b) Determining actions and priorities for containing threats to protect business systems & data

c) Improving the speed of recovery of the affected business functions in the Customer Environment

● The Incident Response role works closely with the Customers’ service providers to contain the Incident, to mitigate further damage or data loss, remediate and recover the impacted systems, and work to prevent a reoccurrence.

6.4 Incident Management

Incident Management is a business crisis management leadership role that is typically activated when a critical cyber incident is identified and where there is potential for business reputational impact, requiring solid business risk decision making and executive level communications to internal and external parties.

a) Protecting business value through preparation and planning

b) Establishing cyber incident management teams and processes

c) Leading cyber incidents where business impact is anticipated

● The Incident Manager works closely with the business to manage business risk, and in conjunction with the Customer’s Executiveteam, minimise reputational damage, and provide guidance for any regulatory and compliance issues.

6.5 Cyber & Information Security Office

Incidents often require additional support due to the specific nature of the attack, or introduction of a significant risk where the business may have a regulatory, commercial, or reputational impact. The Cyber & Information Security Office compromises of a team of specialists that provide advisory for specific types of incidents.

● The CISO role is to provide cybersecurity and cyber risk advisory to the Customer, the Incident Response role and the Incident Manager.

6.6 Any Preparation for Incident Response or Management

Effective Incident Response and Management requires discovery, planning, preparation, staff training, and testing to provide an effective response across a range of potential cyber-incidents.

● Any activity undertaken to support Incident Response or Management is out-of-scope of the FMA service.

6.7 Response to Customer or Third-Party Enquiries on Findings

Each Triage or Finding Investigation includes a comprehensive report that provides an assessment of the Finding, and information to support the Incident Response process.

● Any support required for response or interactions after a Finding Notification has been sent to the Customer is out of scope of the FMA Service as these relate to the Incident Response process.

7 Explanation of Fees

7.1 General Fees

This section outlines the Fees for the Services provided under this Agreement.

Subscription Fee (Plan)

• Annual Fee: The Customer can pay for the Service Plan as an Annual fee, attracting a 20% discount; or

• Monthly Fee: The Customer will pay a recurring Monthly fee for the Service Plan.

Onboarding Fee

The Customer will pay a one-time fee for Onboarding services, which includes initial setup and configuration (integration) of the FMA Service into the Customer’s Environment.

7.2 Other Fees

‘Other Fees’ may be incurred to support the effective delivery of the FMA Service.

Authorisation

• Additional work for Onboarding: The Customer agrees to authorise any additional work reasonably required for the initialsetup and configuration of the FMA Service into the Customer’s Environment.

• If any additional work is required to support the effectiveness of the FMA Service, Cybercraft will obtain authorisation from the Customer prior to any work being conducted.

Types of Additional Work

Incident Response Testing: The Customer will be charged for any Incident Response testing initiated by the Customer as this requires planned work, customised analysis and reporting for the exercise.

Security Control Improvements: The Customer is responsible for any costs incurred as result of any changes to the Customercybersecurity controls required to provide the FMA Service, including, but not limited to, configuration changes or Security Logging improvements.

Third-party Costs: The Customer is responsible for any costs incurred by third-party service providers that are necessary for the provision or configuration of the Services.

Additional Triage Requests

Where the number of Findings per month exceeds the number of Triages (and Findings Investigations) provided in the FMA Plan that the customer subscribed to, the Customer may purchase additional Triage Packs for a monthly fee and request and authorise subsequent Findings Investigations.

8 Standard Terms & Conditions

The following Common Terms shall apply in respect of all work carried out by Cybercraft, except to the extent otherwise agreed with you in writing.

8.1 Fees

• The Customer will pay the Fees and any other agreed charges to Cybercraft in accordance with the relevant FMA Plan into a bank account nominated by Cybercraft or via a payment method such as Stripe, provided by Cybercraft. 

If the Parties agree that any additional Services or work over and above that set out in this Agreement is required in relation to any Services, then the charges will be based on the latest FMA rates or charge-out rates.

Cybercraft will issue invoices for additional Services or work required to deliver the FMA Service, and the Customer will pay each invoice without any deduction or set-off of any kind within 10 days of the date of the invoice.  

Unless specifically indicated, all amounts payable under the Agreement are to be paid in United States Dollars (USD) via the preferred payment method. 

All fees and any other amounts payable under this Agreement do not include taxes, duties or charges levied in the Customer jurisdiction in connection the Agreement.

The Customer agrees to pay any tax that is required for Cybercraft to collect in their jurisdiction on all taxable supplies made by Cybercraft to the Customer under this Agreement. 

If the Customer fails to pay any amount due, Cybercraft may without prejudice to its other rights or remedies under this Agreement, suspend the provision of the Services under this Agreement without liability to the Customer. 

8.2 Termination

Termination by Either Party on Notice 

1 SLA Non-Compliance: If any SLA defined in the FMA Service are not met for three consecutive months, the Customer may terminate the Services immediately, having provided Cybercraft written notice on each of the prior months.

2 Material Breach: Cybercraft may terminate the FMA Services if the Customer is materially in breach of these terms or if Cybercraft ceases to provide the Services for any reason it believes is appropriate to do so.

Termination Due to Supplier Changes

3 Supplier Service Changes: Cybercraft reserves the right to terminate this Agreement and any services provided hereunder, at any time, if a supplier of Cybercraft changes their service or ceases to provide a service in a manner that materially impacts Cybercraft's ability to deliver the agreed-upon services to the Customer. Cybercraft will provide the Customer with as much advance notice as practicable, outlining the reasons for termination and the impact on the services provided.

4 Alternative Supplier: In the event of a supplier service change, Cybercraft will make reasonable efforts to find an alternative supplier that provides a similar service. The Customer agrees to accept the alternative supplier as long as the service delivery is not impacted.

5 Shared Onboarding Costs: If an alternative supplier is found and accepted, the Customer agrees to share the costs associated with onboarding the alternative service provider into the Customer Environment. The specific costs and the sharing arrangement will be mutually agreed upon by both Parties.

Consequences of Termination

6 Consequences of Termination: If the termination is a result of a breach by the Customer or cancellation by the Customer, the Customer agrees to pay Cybercraft the charges in total owed to Cybercraft for the remainder of the FMA Service Term. Termination will not affect our other rights and remedies. If the Services are terminated, you must immediately pay us all money due.

7 Refunds on Termination: Upon termination due to supplier changes, Cybercraft will refund any prepaid fees for the period following the termination date on a pro-rata basis. The Customer agrees that such termination shall not constitute a breach of this Agreement by Cybercraft.

8.3 Confidentiality

1 Definition of Confidential Information

• "Confidential Information" means the terms of this Agreement and any information relating to the business or affairs of the other Party, including but not limited to designs, drawings, manufacturing know-how, object code, source code, planned modifications to hardware/equipment or software, planned enhancements to hardware/equipment or software, product knowledge, quality standards, research and development, unpublished specifications, technical information, pricing, manipulated data, business plans, road maps, business processes, methodologies, techniques, general know-how, costs and margins, customer lists, financial data, internal price information, market research, marketing plans, sales forecasts, and trade secrets, and any information designated as confidential.

2 Obligations of Confidentiality

• Each Party agrees to treat as confidential all Confidential Information obtained from the other pursuant to this Agreement. Neither Party will divulge Confidential Information to any person without prior written consent from the other Party, except to the FMA Team and as required by law.

3 Exceptions to Confidentiality

• This clause does not apply to information which:

a) Can be established by written records to be already known to the recipient at the time of disclosure;

b) Is in or enters the public domain through no fault of the recipient;

c) Is disclosed to the recipient by a third party having no obligation of confidentiality with respect thereto;

d) Is independently developed by the recipient without reference to or reliance upon the Confidential Information of the disclosing Party.

4 Required Disclosures

• If one Party is required by any applicable law, court, authority, or the rules of any stock exchange to disclose Confidential Information to any person, it will:

a) To the extent permitted by law, give the other Party prompt written notice of the disclosure, where practicable before it occurs, so that the other Party has sufficient opportunity to prevent the disclosure through appropriate legal means;

b) Disclose only that part of the Confidential Information which the Cybercraft legal advisers consider is legally required to be disclosed; and

c) Use all reasonable endeavors to obtain an assurance that the Confidential Information disclosed will be treated confidentially by any third-party recipient.

5 Duration of Confidentiality Obligations

• The obligations of confidentiality will survive termination of this Agreement and will continue for a period of five (5) years from the date of termination.

8.4 Data Privacy

1 Scope of Data Collection

• Cybercraft collects and processes limited personal data, specifically business email addresses and names (first name and last name) of customer representatives, solely for the purpose of business communications and service delivery.

2 Use of Data

• The personal data collected will be used exclusively for communication, service provision, and fulfilling the terms of this Agreement. Cybercraft will not use this data for any other purposes without the Customer’s prior written consent.

3 Data Protection

• Cybercraft will implement appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

4 Data Sharing

• Cybercraft will not share the personal data with third parties, except as necessary to provide the services under this Agreement or as required by law.

5 Data Retention

• The personal data will be retained only for as long as necessary to fulfill the purposes outlined in this clause or as required by applicable laws.

6 Customer Rights

• The Customer representatives whose personal data is processed may request access to their data, correction of any inaccuracies, or deletion of their data, subject to applicable laws and regulations.

8.5 Intellectual Property

1 Ownership of Pre-existing Intellectual Property

• Each Party retains all rights, title, and interest in and to their respective pre-existing intellectual property. For the purposes of this Agreement, "pre-existing intellectual property" includes any intellectual property that is owned or controlled by a Party before the effective date of this Agreement, or that is developed by a Party independently of the services provided under this Agreement.

2 Ownership of Developed Intellectual Property

• Any intellectual property, including but not limited to software, algorithms, documentation, reports, methodologies, tools, and any other materials developed by Cybercraft in the course of providing the FMA services, shall be owned exclusively by Cybercraft. The Customer shall have no rights, title, or interest in such developed intellectual property, except as expressly provided in this Agreement.

3 License to Use

• Cybercraft grants the Customer a non-exclusive, non-transferable, revocable license to use any reports, findings, and related materials provided to the Customer as part of the FMA services, solely for the Customer's internal business purposes and in accordance with the terms of this Agreement.

4 Customer Data and Intellectual Property

• The Customer retains all rights, title, and interest in and to any data and information provided to Cybercraft for the purposes of delivering the FMA services ("Customer Data"). Cybercraft will use Customer Data only as necessary to provide the FMA services and will not disclose Customer Data to any third party without the Customer’s prior written consent, except as required by law.

5 Confidentiality of Intellectual Property

• Both Parties agree to treat any intellectual property disclosed under this Agreement as Confidential Information, subject to the confidentiality obligations set forth in Section 8.3 of this Agreement.

6 Infringement Indemnity

• Cybercraft shall indemnify, defend, and hold the Customer harmless from and against any claims, damages, liabilities, and expenses (including reasonable attorneys' fees) arising out of any third-party claim that the use of the FMA services, as provided by Cybercraft and used in accordance with this Agreement, infringes any intellectual property rights of such third party.

7 Feedback

• Any feedback, suggestions, or recommendations provided by the Customer to Cybercraft regarding the FMA services ("Feedback") shall be non-confidential and Cybercraft shall have the right to use such Feedback for any purpose without any obligation to the Customer. The Customer hereby assigns to Cybercraft all rights, title, and interest in and to any Feedback.

8.6 Warranties

1  Cybercraft warrants to the Customer that: 

a) to the best of its knowledge and belief the provision of the FMA Service to the Customer does not, and will not, infringe the copyright of any third party.  

b) the FMA Services will meet, function, and perform substantially in accordance with the FMA Plan and Service levels of the Plan that the Customer has subscribed to. 

2 Except as expressly set out in this Agreement, all representations, conditions, and warranties (whether express or implied, statutory, or otherwise) and including warranties as to the fitness of the Services are expressly excluded. 

3 Unless specifically provided for in this Agreement, Cybercraft provides no warranties or indemnities to the Customer in relation tothe Service and will not be liable to the Customer for any failure of or defects in any Third-Party products provided as part of the FMA Service. 

4 If a claim for a breach of warranty is brought against Cybercraft, Cybercraft will, at its election, either: 

a) ensure or procure a continuing lawful right for Customer to use the relevant Services;  

b) replace or modify the Services with equivalent functionality and performance; or 

c) if the remedies in paragraphs (a) or (b) are not commercially feasible, Cybercraft may terminate this Agreement and refund any Fees paid by the Customer in respect of the alleged or actual infringing Services. 

This clause sets out Customer’s sole and exclusive remedy in respect of any claim of copyright infringement. 

The Customer warrants to Cybercraft that to the best of its knowledge and belief, any Customer pre-existing IP provided to Cybercraft will not infringe any Intellectual Property Rights of any third-party.

8.7 Dispute Resolution

1 If a dispute arises out of or relates to this Agreement (Dispute), a Party may not commence any court or arbitration proceedings relating to the Dispute unless it has complied with the following provisions of this clause, except where the party seeks urgent interlocutory relief. 

2 A Party claiming the Dispute has arisen must give written notice to the other party specifying the nature of the Dispute. 

3 On receipt of that notice, the Parties will use all reasonable endeavours to resolve the Dispute by discussion, consultation, negotiation or other informal means. 

4 If the Dispute is not resolved within 15 Business Days of the notice being given, either Party may, by giving written notice to the other Party, require the Dispute to be determined by the arbitration of a single arbitrator.  The arbitrator will be appointed by the Parties or, failing agreement within 5 Business Days of the notice requiring arbitration, by the President of the New Zealand Law Society on application of either party. The arbitration will be conducted as soon as possible and in accordance with the provisions of the Arbitration Act 1996. 

8.8 Liability

1 Neither party will be liable to the other party under the law of tort, contract or otherwise for any indirect or consequential loss arising out of, or in connection with, this Agreement; and 

• loss of revenue, loss or profit, data loss, liquidated damages, penalties, fines, development delays, cost of restoring data or computer systems, arising out of, or in connection with, this Agreement.   

• Cybercraft’s total liability to the Customer in respect of all losses suffered or incurred will not exceed $5,000 USD, or if not set out, the monthly charge paid by the Customer to Cybercraft for the relevant subscription or Services. 

• The Customer’s total liability to Cybercraft in respect of all losses suffered or incurred will not exceed the monthly amount stated for the subscribed Plan.

2 Cybercraft will not be liable to the Customer for any loss suffered by Customer:

• as a result of any default, breach of this Agreement, or any negligent act or omission of Customer, including any unpermitted use of the Services or any component of them. 

• as a result of the Customer modifying the Environment that the FMA Service is monitoring, following the completion of Onboarding; or due to any delay in the provision of any Deliverables and/or where that delay was (in whole or in part) the fault of Customer in any material way. 

3 The Customer acknowledges that: 

• The FMA Service may rely on the provision of services by third parties in order to provide the Services, and that the Services and/or may be subject to limitations, delays and other problems inherent in the use of such services provided by Third Party Providers; and 

• Cybercraft will not be responsible for any delays, delivery failures, penalties, liquidated damages, or any other loss or damage arising out of or in connection with any services provided by Third Party Providers, including any delays, delivery failures, penalties, liquidated damages, or any other loss or damage resulting from the transfer of data over communications networks and facilities (including the internet). 

8.9 Non-Compete

The Customer acknowledges that any breach of this non-compete clause would cause significant harm to Cybercraft and agrees that Cybercraft shall be entitled to seek any and all remedies available to it in law or equity, including but not limited to injunctive relief, to prevent such competition.

• During the term of this Agreement and for a period of [one (1) year] following its termination, the Customer agrees not to directly or indirectly engage in, own, manage, operate, control, or participate in the ownership, management, operation, or control of any business that competes with Cybercraft's business or any of its products or services, including but not limited to the FindMyAttacks Service, without the prior written consent of Cybercraft.

8.10 Non-Solicitation of Employees

The Customer acknowledges that any breach of this non-solicitation clause would cause significant harm to Cybercraft and agrees that Cybercraft shall be entitled to seek any and all remedies available to it in law or equity, including but not limited to injunctive relief, to prevent such solicitation.

• During the term of this Agreement and for a period of [one (1) year] following its termination, the Customer agrees not to directly or indirectly solicit, hire, employ, or engage any current or former employee or contractor of Cybercraft who has been involved in the provision of services under this Agreement, without the prior written consent of Cybercraft.

8.11 Use of Customer Logo and Branding

1 Marketing Permission

• Cybercraft is hereby granted permission to use the Customer's logo and branding for marketing purposes. This includes, but is not limited to, displaying the Customer's logo on Cybercraft's website, in promotional materials, case studies, press releases, and presentations.

2 Sensitivity Considerations

• Cybercraft acknowledges the sensitivity surrounding the use of logos and branding in the cybersecurity sector. Therefore, Cybercraft agrees to use the Customer's logo in a manner that does not disclose or imply any specific security details or vulnerabilities of the Customer's environment.

3 Opt-Out

• The Customer has the right to opt out of this marketing clause. To do so, the Customer must notify Cybercraft in writing. Upon receipt of such notification, Cybercraft will cease to use the Customer's logo and branding in any future marketing materials within 30 days.

4 Duration of Use

• This permission is granted for the duration of the Service Agreement and shall continue until the Customer provides written notice to opt out.

5 Representation and Warranty

• The Customer represents and warrants that it has all necessary rights and permissions to grant Cybercraft the use of its logo and branding as specified in this clause.

6 Indemnity

• The Customer agrees to indemnify and hold Cybercraft harmless from any claims, damages, liabilities, and expenses (including reasonable attorneys' fees) arising out of or in connection with any third-party claim that the use of the Customer's logo and branding as permitted by this Agreement infringes any intellectual property rights or other rights of such third party.

8.12 Governing Law and Jurisdiction

• Governing Law

This Agreement shall be governed by and construed in accordance with the laws of New Zealand, without regard to its conflict of law principles.

• Jurisdiction

Any disputes arising out of or in connection with this Agreement, including any questions regarding its existence, validity, or termination, shall be subject to the exclusive jurisdiction of the courts of New Zealand. Each Party irrevocably submits to the jurisdiction of such courts in any such dispute or legal action.

• Venue

The venue for any legal proceedings arising out of or related to this Agreement shall be in Auckland, New Zealand.

• Compliance with Local Laws

Both Parties agree to comply with all applicable laws and regulations of New Zealand in the performance of their obligations under this Agreement.

8.13 Force Majeure

Neither Party shall be liable for any failure or delay in performance under this Agreement (other than for delay in the payment of money due and payable hereunder) to the extent said failures or delays are proximately caused by causes beyond that Party’s reasonable control and occurring without its fault or negligence, including, without limitation, acts of God, strikes or other labourdisturbances, electrical or power outages, utilities or other telecommunications failures, earthquake, storms or other elements of nature, blockades, embargoes, riots, acts or orders of government, acts of terrorism, or war.

The affected Party shall promptly notify the other Party in writing of the existence of the Force Majeure event and shall use commercially reasonable efforts to resume performance as soon as practicable. If a Force Majeure event continues for more than thirty (30) days, either Party may terminate the Agreement upon written notice to the other Party.

8.14 General Terms

1 Entire Agreement

• This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous oral or written agreements concerning such subject matter.

2 Amendments

• Unless otherwise specified, any amendment or modification of this Agreement must be in writing and signed by authorized representatives of both Parties.

3 Severability

• If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect, and the Parties agree to negotiate in good faith a substitute, valid and enforceable provision that most nearly effects the Parties' intent in entering into this Agreement.

4 Waiver

• The failure of either Party to enforce any right or provision of this Agreement will not be deemed a waiver of such right or provision.

5 Assignment

• Neither Party may assign or transfer this Agreement, in whole or in part, without the prior written consent of the other Party, except that either Party may assign this Agreement in its entirety, without consent of the other Party, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets.

6 Notices

• All notices required or permitted under this Agreement will be in writing and delivered by courier, certified mail, or electronic mail (with confirmation of receipt) to the addresses specified by the Parties.