TERMS OF SERVICE FOR
IMMUNIWEB® AI PLATFORM
PROVIDED BY IMMUNIWEB SA

1. Recitals and Scope

ImmuniWeb SA (hereinafter "IW") is a Swiss company registered in the Trade Register of Geneva under Swiss Federal Identification Number CH-660.3.165.019-5 with VAT number CHE-166.613.872, domiciled at:

Quai de l’Ile 13
CH-1204 Geneva
Switzerland

The present Terms of Service (hereinafter “the present agreement”) is a binding contract between IW and your company, governing your and your company’s (hereinafter jointly "the Customer") usage of the ImmuniWeb® AI Platform provided by IW via the ImmuniWeb® Portal (hereinafter "the Portal").

It is expressly agreed that the parties hereto are independent contractors and that the relationship between the parties shall not constitute any form of partnership, joint venture, employment or agency.

You hereby warrant and represent that you have an undisputed authority, legal competence and capacity to bind your company to the present agreement and all its terms.

By ticking the “I have read and agreed to the Terms of Service & Privacy” checkbox during online registration on the Portal, you agree and accept without any reservations the present agreement. The electronic acceptance of the present agreement by the above-mentioned procedure implies that the Customer has carefully read and understood the entire agreement. Otherwise, you are kindly requested to leave the Portal.

Any usage of the ImmuniWeb® AI Platform or of the ImmuniWeb® Portal in violation of the present Terms of Service shall be considered unauthorized usage and may lead to a legal action.

The present agreement does not govern the relationship between the Customer and Swiss financial company "SIX Payment Services AG" that is in charge of online credit card and PayPal payments processing on behalf of IW. Likewise, the present agreement does not govern usage of the Single Sign-On (SSO) functionality on the Platform if used by the Customer and governed by a separate agreement between the Customer and the SSO provider such as Google, Amazon or Microsoft.



2. ImmuniWeb® AI Platform

2.1 Description

ImmuniWeb® is an internationally registered trademark owned by IW. The ImmuniWeb® AI Platform and the underlying technology are developed and supported by IW who is its sole owner.

The ImmuniWeb® AI Platform is available via the Portal and is designed to provide security assessment, monitoring and asset discovery services (hereinafter “the service”) for web and mobile applications, and other digital or IT assets (hereinafter "the Infrastructure").

The purpose of the service is to discover vulnerabilities, weaknesses and misconfigurations of the Infrastructure operated, managed, owned or lawfully entrusted to the Customer, and to offer general remediation guidelines for the issues discovered.

This service is solely provided to the Platform users who (i) created an account on the Portal via the registration procedure, read and accepted Terms of Service without reservations, (ii) confirmed their identity and activated their account by clicking on the special link in the account activation email, (iii) confirmed their legitimacy and authorization to run the service, and (iv) paid for the service according to the procedures outlined below in the present agreement. IW retains the right to refuse providing the Customer with the service in case of any reasonable doubt regarding the Customer's identity, legitimacy or authorization to order such service.

To consume the service, the Customer shall login to the Portal under its account and create one of the four ImmuniWeb project types described below.

ImmuniWeb Discovery project consists of four consecutive steps:

  • Enter a company name
  • Select a checkbox if you run Discovery for a third party
  • Select your package, subscription duration and pay for the service
  • Get a continuous or one-time attack surface management

ImmuniWeb On-Demand project consists of five consecutive steps:

  • Configure your assessment
  • Confirm your authorization to conduct the assessment
  • Select your package and pay for the service
  • Select your assessment date to start
  • Get the remediation report

ImmuniWeb MobileSuite project consists of five consecutive steps:

  • Upload your mobile app and configure your assessment
  • Confirm your authorization to conduct the assessment
  • Select your package and pay for the service
  • Select your assessment date to start
  • Get the remediation report

ImmuniWeb Continuous project consists of four consecutive steps:

  • Configure your assessment
  • Confirm your authorization to conduct the assessment
  • Select your package, subscription duration and pay for the service
  • Get continuous web security monitoring and testing

2.2 ImmuniWeb® On-Demand and MobileSuite Security Assessment Report

Upon completion of ImmuniWeb® On-Demand or MobileSuite Security Assessment, the assessment report can be viewed and downloaded by the Customer directly from the Portal. The report becomes available within 1 (one) business day after the Security Assessment completion.

The Customer will be able to view and download the report in HTML, XML or PDF formats directly from the Portal. The report will stay available on the Portal during the next 100 (one hundred) days following the Security Assessment completion, and then will be securely deleted.

The Customer has a possibility to securely delete the report from the Portal at any time before the above-mentioned deadline.

After being deleted, the report cannot be recovered. The Customer is solely and entirely responsible for downloading the report within the aforementioned 100 (one hundred) days deadline, as well as for saving the report on a secure local storage.


2.3 ImmuniWeb® Continuous Dashboard

Within 2 (two) business days after receiving a payment for ImmuniWeb® Continuous subscription, the Customer will be provided with an access to the interactive vulnerability management dashboard designed to manage and monitor the assessment and its results via the Portal.

The data provided to the Customer, including but not limited to assessment results and statuses of detected vulnerabilities, is accessible via the Portal and API functionality during the validity of Customer’s subscription and one hundred (100) days after the subscription expiration.

After the above-mentioned 100 days deadline, or earlier upon the Customer’s written demand, the data will be securely deleted. After being deleted the data cannot be recovered.


2.4 ImmuniWeb® Discovery Dashboard

After 3 (three) business days after receiving a payment for ImmuniWeb Discovery, discovered applications and other digital assets will appear on the Discovery dashboard.

The dashboard and its functionality remain active while the Customer pays for the subscription. Once the subscription expires, the Customer may request the data from the dashboard within the next 100 (one hundred) days by contacting Customer Support.

After the above-mentioned 100 (one hundred) days deadline, or earlier upon the Customer’s written demand, the data will be securely deleted. After being deleted the data cannot be recovered.


2.5 ImmuniWeb® Security Seal

Some ImmuniWeb® projects may provide the Customer with ImmuniWeb Security Seal designed to confirm the fact and the time of the performed security assessment.

Despite our efforts to identify as many vulnerabilities as possible within the assessment scope and timeframe, the Seal cannot and does not guarantee that the Infrastructure or any parts of it are 100% secure, unbreakable or vulnerability-free.


2.6 ImmuniWeb® Continuous and Discovery Notifications

For Customers of ImmuniWeb® Continuous and Discovery, instant notification functionality is available to receive alerts about newly detected vulnerabilities, weaknesses or other events via email or SMS, depending on the ImmuniWeb subscription package.

Despite our best commercial efforts to send the above-mentioned notifications in accordance with the Customer’s preferences selected by the Customer on the Portal, we cannot and do not guarantee that they will arrive in a timely manner. IW declines any responsibility for any delays or omissions related thereto.

IW may replace SMS notifications by email alerts when IW considers such replacement appropriate under the circumstances and at its own discretion. No compensation is available for such replacement.

The SMS delivery service is operated and maintained by "Twilio, Inc." (CA), USA. The Customer hereby consents and agrees that if SMS service is activated, the cell phone numbers, provided by the Customer for the purpose of the SMS notifications, will be shared with Twilio whereas Twilio contractually agrees not to use the numbers for any purposes but the notification. IW shall never be liable for any problems, delays or damage related to or caused by the SMS notification service.


2.7 ImmuniWeb® Assessment Scope

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

The scope of the assessment is always defined by the Customer on the first step of the project creation. The Customer is encouraged to provide as much information and details about the scope as practical under the circumstances. Any omissions or incorrect information provided by the Customer may lead to incomplete, delayed or inaccurate assessment for which IW shall not be accountable or liable in any manner.

Within reason, the Customer can provide specific requirements for the scope and methodology of testing on the first step of the project creation. IW will undertake commercially reasonable efforts to follow the instructions and scope defined by the Customer as precisely as practical under the integrity of the circumstances. In case of substantial impossibility to comply with the instructions, or requirement to upgrade the package, IW may pause the project and communicate the issue to the Customer for resolution.


2.8 ImmuniWeb® Discovery Scope

The Customer recognizes that ImmuniWeb® Discovery is based on Open-Source Intelligence (OSINT) meaning that the discovered assets, data and all other information provided to the Customer within the scope of ImmuniWeb Discovery are already accessible, or otherwise visible or cognizable, on the Internet.

For the duration of a Discovery project, the Customer grants IW a full authority to monitor various web, cloud and other Internet resources and repositories, including resources located in the so-called Dark Web and Deep Web, on its behalf or on behalf of third parties for which the discovery is performed. The Customer hereby accepts and agrees that IW may detect and get its confidential, personal or sensitive data, or such data of its subsidiaries, agents, employees or third parties, that has been previously stolen, compromised or leaked. In any case, IW shall promptly bring the relevant data to the attention of the Customer via the Dashboard. IW shall never be liable to the Customer or to any third parties for processing, storing or supplying this data to the Customer. The Customer hereby undertakes to defend, hold harmless and fully indemnify IW, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action or lawsuit against IW in relation to any Discovery project started, initiated or managed by the Customer.

The Customer understands and hereby accepts that the Discovery process may not detect some of its digital or IT assets, related vulnerabilities, misconfigurations, weaknesses or data leaks due to unreachability of the systems, the non-intrusive nature of the Discovery process, inability to attribute the asset or data to the Customer with reasonable certainty or any other circumstances beyond reasonable control of IW. Therefore, IW shall never be liable for any missed or omitted, mislabeled, wrongly scored or attributed assets, data or information provided to the Customer within the scope of any Discovery project.

The Customer likewise agrees that one Discovery project covers only one brand unless otherwise expressly authorized by IW in writing. Therefore, domains, websites or any other digital assets or resources belonging to other brands, including but not limited to subsidiaries and third parties, must not be manually added or imported by the Customer into Discovery project. Violation of the present clause by the Customer may lead to termination of the Discovery subscription without any compensation for non-used service.


2.9 ImmuniWeb® Methodology of Testing

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW’s application security testing methodology is developed and based on its proprietary technology.

Except if otherwise requested by the Customer, or required by circumstances of the assessment, the methodology of testing follows globally recognized standards, such as OWASP Web and Mobile Security Testing Guides. IW may, however, at its own discretion and without prior notice, change, expand or amend its methodology of testing if such a change may be beneficial or otherwise preferable for the Customer or IW under the integrity of circumstances.

IW makes its best efforts to avoid any security testing or exploitation techniques that may harm, slow down, corrupt, partially or entirely destroy Customer’s data or Infrastructure. However, IW may use intrusive testing and vulnerability exploitation techniques if it is necessary for comprehensive testing or is appropriate under the circumstances. If an unexpected and dangerous event occurs during the assessment, IW will contact the Customer within the next 15 (fifteen) minutes after detection of the event to coordinate further activities.


2.10 ImmuniWeb® Quality Assurance

For the most important and critical processes and activities of the assessment, IW relies on the four-eyes principle, which involves at least two people controlling each other.


2.11 ImmuniWeb® Customer Support

IW strives to provide an uninterrupted 24/7 support for the Customers via email and web ticketing system.

IW makes its best commercial efforts to respond to normal-priority support tickets within 4 (four) business hours and within 15 (fifteen) minutes to urgent support tickets. Nevertheless, IW cannot and does not guarantee that request or problem will be resolved within the above-mentioned deadline and shall never be liable for any delays or damage caused by such delays.

Urgent support ticket functionality is available only to the Customers who have already paid for at least one assessment project. Abusive, unwarranted or inappropriate usage of urgent support tickets by the Customer may lead to temporary or permanent disablement of urgent support ticket functionality on the Portal without any compensation as a counterpart.

IW makes its best reasonable efforts to provide competent and accurate information via the Customer Support. However, the Customer shall never rely solely on the information obtained from the Customer Support to make its decisions. The Customer hereby acknowledges and agrees that any information obtained from the Customer Support is provided “as is” without any warranty of any kind. IW shall never be liable for any damages ensued from any actions performed by the Customer based on, or derived from, the information or recommendations received via the Customer Support.

When any information, statement or promise provided by the Customer Support or any IW employees under any circumstances materially amends or contradicts the present agreement, the text of the present agreement shall always prevail in case of a dispute.


2.12 ImmuniWeb® Project Sharing and RBAC

The Customer may grant any other Portal user with various Role Based Access Control (RBAC) access permissions to any of its ImmuniWeb projects.

The Customer shall take all the necessary precautions and due care when granting, modifying or revoking such access as the grantee will have access to the project and its data. The Customer is solely responsible to monitor and timely revoke or adjust access from all Portal users who shall not have access to the project anymore.

IW shall not be liable for any incidents or damage caused by project sharing activities performed by the Customer or any Portal users empowered to do so by the Customer.


2.13 ImmuniWeb® API

On the Portal, the Customer may generate an API key to access its project data in JSON format from the API provided by IW.

The Customer is solely responsible to protect all its API keys, timely revoke and prevent any unauthorized usage of the API keys.

IW shall never be liable for any incidents or damage caused by the API or API key usage or management performed by the Customer. Likewise, IW shall never be liable if the API key is compromised or misused as a result of Customer’s omission, compromise, error or negligence.


2.14 ImmuniWeb® Community Edition

ImmuniWeb Community Edition offers free online tests aimed to improve overall security awareness at no cost. It also provides a premium subscription designed to perform a higher number of online tests per day compared to the free version.

The subscription can be purchased online by the Customer for the price and duration that are visible online to the Customer. Purchased subscriptions cannot be modified, cancelled or reimbursed for non-usage or early termination.

All available ImmuniWeb Community Edition subscriptions are provided “as is” without any warranty of any kind.

The Customers, who misuse subscription and thereby cause inconvenience or damage to any third party, will be notified, and in case of re-occurrence, may have their subscription immediately terminated without any reimbursement or compensation. In case of deliberate abuse, the subscription may be terminated without a prior notice and with no compensation.

The Customer hereby undertakes to defend, hold harmless and fully indemnify IW, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action or lawsuit against IW in relation to the Customer’s usage of the Community Edition.


3. ImmuniWeb® Portal

3.1 Registration Procedure

To use the ImmuniWeb® AI Platform, the Customer must be registered and authenticated on the Portal. To obtain an account on the Portal, the Customer shall follow the registration procedure. During the registration, the Customer undertakes to provide IW with correct, truthful and up-to-date information.

IW may verify, at any time, the authenticity and veracity of the information provided by the Customer during the registration. Any accounts with doubtful or dubious information may be temporarily suspended, accounts with deliberately false or fake information may be deleted immediately. Any claims for reimbursement or compensation for any projects created under accounts with false or fake information will be refused.

IW can, at its own discretion, deny registration to any user at any time without any justification of its decision.


3.2 Identification of the Customer

The Customer should authenticate itself on the Portal with its email address (login) and password (hereinafter "the Credentials"). The Customer may request to use a third-party SSO for its account. The Customer agrees that it uses the SSO at its own risk and that IW shall never be liable for any events or damage caused by or related to the SSO.

IW draws particular attention of the Customer that the Credentials are strictly personal and non-transferable.

The Customer undertakes to keep its Credentials strictly confidential. Otherwise, IW retains the right to block the Customer's account and claim any damage occurred. Any claims for reimbursement or compensation for any projects created under compromised accounts or accounts shared with third parties will be refused.


3.3 Modification of Customer Account Information

The Customer undertakes to keep its account information up-to-date. To do so, it can modify the information directly on the Portal via profile update function. Accounts with outdated information may be suspended for security purposes.


3.4 Customer Data and PII Collection, Processing, Retention and Deletion

IW values privacy of the Customer. IW collects Personally Identifiable Information (PII) of the Customer that is voluntarily submitted by the Customer on the Portal (e.g. name, email address, business phone, etc.) and technical information manually entered by the Customer on the Portal (e.g. website URLs) for the purposes of (i) using ImmuniWeb® AI Platform by the Customer, (ii) performing contractual duties owed to the Customer under the present agreement, and (iii) pursuing legitimate interests of IW including but not limited to keeping the Customer informed about the Platform news and improvements by weekly newsletter with a one-click opt-out feature. IW also collects ancillary technical information about the Customer and its activities on the Portal, such as IP addresses and other relevant technical details, which are necessary to protect, maintain or improve the Platform or pursue other legitimate interests of IW.

The foregoing information is never shared with third parties except authorized parties (e.g. technology or business partners that provide joint services with IW) for performance of legitimate business purposes for the benefit of the Customer or for the performance of the present agreement. The authorized parties are required to have (i) a non-disclosure agreement with IW prohibiting divulgation or inappropriate use of the entrusted information, and (ii) a privacy policy that complies with the Swiss law of data protection.

The information is securely stored in a dedicated data center located in Canada (recognized by the European Commission as a country providing adequate level of data protection alongside with Switzerland). IW servers are managed and operated by authorized IW employees only.

The information is stored as long as reasonably required to perform the present agreement, pursue legitimate interests of IW or as long as required by applicable law.

The Customer can request IW to delete its account on the Portal by submitting a request via the Customer Support. The account and Customer-related information will be securely deleted within 15 (fifteen) business days since the receipt of the request unless otherwise required by applicable law.

Deleted information is not recoverable. Any claims for reimbursement or compensation for the projects created under deleted accounts will be refused.


3.5 Portal Availability

Apart from external interruptions beyond IW's control, the Portal is available 7 days a week, 24 hours a day. In case of reasonable necessity, IW retains the right to temporarily interrupt access to the Portal, at any time, for any period of time and at its own discretion. IW shall not be liable for any damages caused by such interruption.


3.6 Portal and Data Security

Special attention is given to security of the Portal and the data it processes and handles.

Nevertheless, the Customer hereby recognizes that despite the best commercial efforts undertaken by IW, including risk assessment, threat and vulnerability monitoring, usage of up-to-date software, system hardening, data encryption and adherence to the ISO 27001 security standard, IW cannot and does not guarantee the absolute security of the Portal, any related devices, systems or the data that they process or handle.

The Customer hereby acknowledges and accepts all risks related to data breaches and security incidents, and undertakes not to initiate, file, encourage or participate in any legal actions or judicial proceedings against IW related thereto.


3.7 Portal Time Zone

The Portal is operating in the Central European Time (CET/CEST) time zone.


4. Limitations Accepted by the Customer

In addition to all other limitations stated in the present agreement, hereby the Customer unconditionally accepts the limitations of the service provided by IW, which are described below.

IW undertakes its best commercial efforts to provide a broad selection of available assessment dates. Nonetheless, IW cannot and does not guarantee that a specific date will be available, nor provides any guarantee of date availability. The next available assessment date is always shown on the Portal at the Payment step. IW shall never be liable for any delays caused by unavailability of a specific assessment or report delivery date.

During security testing, IW takes appropriate measures not to disturb availability of the Customer’s Infrastructure. Nevertheless, exceptional, unforeseen or unexpected side effects may occur beyond IW’s reasonable control. IW shall never be liable or responsible for any damage, interruption or slowdown of any operations or property of the Customer or any third parties concerned by the testing. The Customer is advised to create a full backup of the tested system and data before starting the assessment, to avoid testing previously untested and unstable systems in production, and to avoid testing with real user accounts or with privileged user accounts that may have access to production or confidential data.

IW makes its best efforts to identify all possible vulnerabilities and weaknesses within the scope and during the timeframe of assessment, however IW does not and cannot guarantee that all the vulnerabilities will be detected, and declines any responsibility for missed, undiscovered or unreported vulnerabilities.

The service itself is not intended to prevent, eliminate or fix any vulnerabilities or security weaknesses. The assessment purports to identify vulnerabilities and weaknesses within the Infrastructure and to propose general remediation solutions for them. The Customer bears the sole responsibility for implementing all necessary patches and corrections for the discovered vulnerabilities and weaknesses.

The Customer understands that vulnerability remediations, proposed in the report or via the interactive dashboard, consist of general guidelines only and are provided “as is” without any warranty of any kind.

Assessment results reflect the state of security of the Customer's Infrastructure only at the time of the assessment’s execution and therefore cannot be considered as permanently up-to-date.

The integrity of the Portal features including but not limited to the user interface functionality, integrations, data import and export, vulnerability management, alerts and notifications, user management and any related features for all types of projects are provided “as is” without any warranty of any kind.


5. Obligations of the Customer

5.1 Strictly Prohibited Usage

The Customer is strictly prohibited to use ImmuniWeb® AI Platform to conduct penetration testing of any Infrastructure that does not belong to it and/or for which it does not have an explicit, express and undisputed written authorization from the legitimate Infrastructure owner to perform such testing.

The Customer is also prohibited to use ImmuniWeb® AI Platform to knowingly cause any damage or inconvenience to any third parties.

The Customer is not allowed to use ImmuniWeb in countries where the legislation or regulatory rules prohibit such usage.

In case of violation of the above-mentioned conditions by the Customer, IW reserves the right to immediately suspend the Customer's account, claim damages and refuse any Customer’s claims for reimbursement or compensation for the projects created under this account.

The Customer is strictly prohibited to conduct any automated or manual security testing of any IW infrastructure for any purposes without a prior written permission by IW.


5.2 Confirmation of the Infrastructure Ownership

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

The Customer unconditionally agrees to use ImmuniWeb only to assess security of the Infrastructure that belongs to it or for which it has an explicit written authorization from the legitimate Infrastructure owner to do so.

In case of a website security testing, the Customer agrees that, among other things, an email notification about the assessment may be sent to emails obtained from the website domain WHOIS record, or to the official emails provided directly on the website that the Customer wants to assess.

IW also reserves the right to contact the Customer and/or its company by telephone and by any other appropriate means in order to verify Customer's identity and legitimacy to perform assessment of the Infrastructure.


5.3 Correctness and Completeness of Technical Information

During a creation of ImmuniWeb project on the Portal, the Customer is solely and entirely responsible for submitting correct, complete and up-to-date technical information about the Infrastructure (e.g. URL, authentication and all other technical information) and any specific testing requirements.

In case of erroneous, outdated or incomplete technical information submitted to the Portal, the Customer will bear the sole responsibility for all damage, errors and omissions. In this case, IW does not guarantee accuracy, safety or completeness of the assessment and its results. Any claims for reimbursement or compensation in such cases will be refused.


5.4 Non-Resistance to Security Assessment

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW’s IP addresses from which the assessment will take place will be communicated to the Customer by email (i) 1 (one) day before the assessment start, and (ii) just before the start of the assessment for all ImmuniWeb® On-Demand and MobileSuite projects. For ImmuniWeb Continuous projects, the IP addresses are constantly visible on the Portal.

The Customer is required to properly authorize or otherwise whitelist IW’s IP addresses on its IPS (Intrusion Prevention System), WAF (Web Application Firewall), and any other hardware, software or cloud solutions that may partially or entirely block or slow down the assessment and thus impact its completeness and accuracy. Otherwise, accuracy of the assessment and of its results are not guaranteed by IW. Any claims for reimbursement or compensation in such cases will be refused.

The Customer is strongly advised to delete IW’s IP addresses from any whitelists, revoke all temporary permissions and suspend demo accounts created for the purpose of the assessment once the assessment is successfully finished. The Customer is likewise advised to verify any new files, accounts, database entries or other online records created as the result of the assessment and delete them if they are not necessary. IW shall never be liable for any of the foregoing online records or any other artifacts created during the assessment.


5.5 Availability of the Infrastructure

The Customer is entirely responsible for uninterrupted accessibility and unhindered availability of its Infrastructure during the assessment.

If for any reason the Infrastructure is not freely accessible from any of IW’s IP addresses during the assessment, the Customer will bear the sole responsibility for incompleteness, inaccuracy or non-delivery of the assessment. Any claims for reimbursement or compensation in such cases will be refused.


5.6 Obligation to Inform Concerned Third Parties

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

The Customer must inform and obtain an explicit authorization to perform the assessment from all the third parties (if any) that are directly or indirectly concerned by the assessment. The Customer must likewise inform competent law enforcement or regulatory agencies about penetration testing if required by law.

This obligation particularly applies if the Customer is not the sole owner of the web, database or any other servers or equipment where Customer’s Infrastructure or its data are located. IW does not bear any responsibility for delays caused by coordination between the Customer and the concerned third parties.

The Customer hereby undertakes to defend, hold harmless and fully indemnify IW, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action, lawsuit or indictment against IW in relation to any Customer’s project for violation of any security, privacy, data protection or anti-hacking laws.


5.7 Obligation to Respect Account Integrity and Confidentiality

The Customer undertakes to take all reasonable measures to protect its account Credentials from unauthorized third parties. If the Customer becomes aware of any illegal, unauthorized, unethical or improper usage of its Portal account, it shall immediately inform IW in writing or via another reliable and prompt means.

The Customer hereby undertakes to defend, hold harmless and fully indemnify IW, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action, lawsuit or indictment against IW as a consequence of breach of the Customer and/or its account.


5.8 Obligation to Respect Third-Party Rights to Data Privacy

The Customer shall respect all applicable data protection and privacy laws when uploading or submitting any Personally Identifiable Information to IW via the Portal, by email or any other means.

The Customer hereby undertakes to defend, hold harmless and fully indemnify IW, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action, lawsuit or indictment against IW in relation to violation of this clause.


5.9 Availability for Emergencies and Communications

The Customer undertakes to provide its individual email and direct phone number in its profile on the Portal to be contacted in case of emergency (e.g. unexpected event or breach detection).

Failure to do so absolves IW from any responsibility and liability in case of unforeseen emergency when interaction with Customer is required to mitigate damages or properly deliver the service under the present agreement.

The Customer agrees that IW’s communications by email shall suffice for all purposes including commercial and technical questions where no extreme emergency is present. The Customer undertakes to ensure that IW’s emails are not blocked by any antispam filters and are responded to as fast as practical. The Customer recognizes that its failure to read or respond to email communications from IW in a timely manner invalidates all warranties stated herein and absolves IW from any responsibility for incomplete, delayed or non-delivered service.


6. Measures Against Abuse and Improper Usage

In case of any usage of the ImmuniWeb® AI Platform that is illegal, unlawful, unethical, improper or unauthorized by the present agreement (hereinafter “abuse”), the Customer unconditionally agrees to be solely liable and responsible for all direct, incidental and consequential damages suffered by IW.

The Customer hereby undertakes to defend, hold harmless and fully indemnify ImmuniWeb, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action, lawsuit or indictment against IW in relation to Customer’s abuse.

In case of abuse by the Customer, IW also retains the right to:

  • Take any technical measures it deems appropriate; and
  • Inform competent law enforcement agencies; and
  • Inform third parties concerned by the abuse; and
  • Take a legal action against the Customer; and
  • Demand indemnification for all costs and damages suffered with applicable interest.

7. Limited Liability of IW Accepted by the Customer

In addition to all other limitations of liability stated in the present agreement, the Customer unconditionally accepts the limited liability of IW described below.

7.1 Access to the Portal and the Service

IW makes its best commercial efforts to provide the Customer with an uninterrupted access to the Portal. However, IW does not guarantee a permanent access, availability or uninterrupted operation of the Portal and all of the related services. IW shall never be liable for any interruptions or slowdowns of the Portal’s availability.


7.2 Security Assessment Interruption

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW retains the right to interrupt the assessment at any time in case of any risk related to the security or stability of the Infrastructure or any of the related system(s).

IW shall not be liable for any direct or other damage caused by this kind of interruption. IW's liability is also excluded in case of interruption of the assessment by IW due to a Force Majeure.


7.3 Inappropriate Usage by the Customer

IW shall never bear any responsibility or liability for any direct, incidental or consequential damages resulting from any inappropriate, unethical, illegal, unwarranted or abusive usage of ImmuniWeb® AI Platform by the Customer, particularly for the damage caused by Customer’s breach of the present agreement or of the instructions indicated on the Portal.


7.4 Damage Caused to Third Parties

In no case shall IW bear responsibility for any direct, incidental or consequential damages caused to any third parties during the performance of Customer’s project or related tasks under the present agreement.

In the unlikely case when IW is liable for any damage caused to any third parties, the Customer hereby undertakes to defend, hold harmless and fully indemnify ImmuniWeb, its directors, employees and agents, including compensating all reasonable attorneys’ fees, if any third party brings a legal action, lawsuit or indictment against IW in relation to or under the present agreement.


7.5 Damage Caused to the Customer

Except for the case of deliberate and willful misconduct, IW shall not bear any responsibility or liability for any direct, incidental or consequential damages (including but not limited to loss of confidentiality, integrity, availability or accessibility of any data or information, destruction of any information, files, databases or archives, or damage caused to any software, cloud, hardware or network equipment, or damage to the Customer’s reputation or goodwill) incurred by the Customer in relation to ImmuniWeb® AI Platform or any service provided by IW under the present agreement.

By accepting the present agreement, the Customer unconditionally agrees not to undertake, encourage, assist, facilitate, join or file any legal actions, lawsuits or judicial procedures against IW, its employees, directors or agents in relation to any IW services except for deliberate and willful misconduct by IW.


7.6 Liability Cap

In all and any cases, IW's total liability, in relation to the ImmuniWeb® AI Platform or any service provided hereunder or related to the present agreement, is limited to the total net price paid by the Customer during the previous 12 (twelve) months for the service in question.

By accepting the present agreement, the Customer unconditionally and without reservation accepts the aforementioned IW's liability limit.


7.7 No Liability for Any Third-Party Solutions

IW shall never be liable for any dysfunction, problems or damages caused by or related to any integrations or features available with or within any third-party products or solutions, including but not limited to Web Application Firewalls, DevSecOps and SIEM tools, that are all provided "as is" without any warranty of any kind.


7.8 Disclaimer of All Warranties

EXCEPT FOR THE EXPRESS WARRANTIES STATED ABOVE IN THE PRESENT AGREEMENT, IW MAKES NO PROMISES, REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF TITLE, MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.


8. Payment Conditions

8.1 Price, Currencies and VAT

The price of the services available on the ImmuniWeb® AI Platform is fixed in USD (US Dollars) and varies depending on the selected package. The online price is always displayed on the Portal on the Payment Step of project creation.

The price of any ImmuniWeb package may be changed at any time at IW’s own discretion. All projects that are prepaid prior to the price change will not be affected by such change.

Payment can be made in US Dollars (USD), Euros (EUR) and Swiss Francs (CHF). A currency conversion commission or other fee may be applied by your bank and/or by card processing center. IW shall never be liable for such extra costs.

Online payment processing may increase the price by a commission or transaction fee charged by processing company, bank and/or their subsidiaries. IW has absolutely no relation or influence over these fees and shall never be liable to reimburse or compensate them.

The prices are indicated without VAT (Value Added Tax). The Swiss VAT of 7.7% will be charged if the Customer resides in Switzerland and is not exempted from VAT, or in the exceptional case when the Customer resides abroad but is obliged to pay VAT in Switzerland.


8.2 Online Payment

The entire online payment procedure via credit and debit cards or PayPal is managed and operated by Swiss financial company "SIX Payment Services AG" in accordance with their Terms and Conditions.

IW declines any responsibility or liability for any delay, problems, loss or damages incurred by the Customer in relation to the online payment procedure.


8.3 Terms of Payment

All projects are started only after receiving a full prepayment for a package selected by the Customer. The Customer shall bear all transaction fees and costs including any withholding taxes.

The Customer can either pay online on the Portal, via an authorized partner of IW or just generate an invoice on the Portal and then make the payment via bank transfer. If paid via bank transfer or authorized partner, within the next 5 (five) business days after the receipt of the funds on IW’s bank account, the Customer will receive a 100% Discount Code to be entered on the Payment step of the project to skip the online payment procedure.

For direct payments, the corresponding invoice in PDF format becomes available for download on the Portal immediately after a successful payment for On-Demand, MobileSuite or Continuous projects. The invoice will be available on the Portal for the next 12 (twelve) months after the payment. After the above-mentioned deadline, the invoice will be automatically deleted without notification to the Customer.

For ImmuniWeb Discovery and ImmuniWeb Community Edition the invoice is generated by the online payment processing system and will be emailed to the Customer after a successful online payment.

The Customer is solely responsible for printing and keeping the invoice for administrative and accounting needs and requirements. IW does not provide any backups or copies of the invoices.

No subscription can be cancelled, amended or terminated before the end of the purchased duration period. No compensation or reimbursement of any kind is provided in case of non-use of any subscription.


8.4 False-Positives Reimbursement

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW makes its best efforts to ensure zero false positives for every security assessment. In case when the Customer finds a false-positive (i.e. a reported vulnerability that (i) does not exist and (ii) did not exist at the time of the assessment) in the assessment report or on the dashboard, the Customer may claim a reimbursement.

If the false-positive is confirmed by IW, the Customer shall receive full net amount paid for ImmuniWeb® On-Demand or MobileSuite package purchased by the Customer, or the net amount paid for one (1) week of assessment in pro rata for ImmuniWeb Continuous package.

The present clause is valid only for the false positives among security vulnerabilities with assigned (i) CVSSv3 score and (ii) CWE-ID.


8.5 Reimbursement Claims and Limitations

Any reimbursement claims must be made by the Customer via Support within 10 (ten) business days after an incident that triggered the claim has occurred. Any reimbursement claims received after the aforementioned deadline will be denied.

In case of reimbursement claim approval by IW, the reimbursement amount corresponding to the gravity and other relevant circumstances of the incident and within the aforementioned cap shall be paid to the Customer within the next 30 (thirty) days following the approval. The amount of the reimbursement can never exceed the total amount paid by the Customer for the assessment during which the incident occurred.


8.6 Deferred Payments and Overdue Penalties

Under exceptional circumstances, IW may grant the Customer a deferred payment deadline up to thirty (30) days or longer. In this case, the Customer will receive a 100% discount code to be entered on the payment step in order to skip the online payment procedure and start the project. The Customer will also be provided with an invoice for a wire transfer of the amount due to IW’s bank account.

IW retains the right to add any reasonable fees to the online prices including but not limited to 10% (ten percent) extra for non-online payment and 10% (ten percent) for any amendments of the terms of service or any additional paperwork requested by the Customer.

Hereby, the Customer expressly agrees that if the deferred payment regime is partially or entirely granted by IW, the Customer unconditionally and without reserve agrees to:

(a) timely make the payment of the exact amount due without any deduction of any kind including but not limited to transactional fees, bank charges or withholding taxes;

(b) recognize an annual 10% (ten percent) interest for the overdue regardless of the reason of the overdue;

(c) compensate IW all reasonable administrative, accounting, legal and debt collecting fees IW may incur for overdue amounts collection;

(d) be transferred to a full prepayment regime for repetitive delays in payments.

The Customer likewise accepts that, in case of overdue, all its accounts may be blocked, delivery of service interrupted, and the Customer’s data be retained by IW as a lien until the Customer pays the overdue with all applicable interest. For the subscription-based services, a sixty (60) days overdue will lead to service termination while the Customer will be bound and liable to pay the full amount of the subscription without any deductions.

By accepting the present agreement, the Customer expressly agrees not to challenge the aforementioned provisions.


9. Confidentiality and Privacy

9.1 Customer’s Data Protection

When providing services under the present agreement, IW and its employees undertake best efforts to handle the non-public information related to, or received from, the Customer in a confidential manner and in compliance with IW’s ISO 27001 certification, related security policies and procedures.

The customer-related data is accessible only to authorized IW’s employees, who are required to have access to this data in order to perform their professional duties. IW’s employees are internally vetted and required to sign a Non-Disclosure Agreement (NDA) before obtaining access to the customer-related data. IW’s technical personnel is required to act in conformity with CREST Code of Conduct for Individuals that covers confidentiality, ethics, honesty and integrity.

Unless requested by the Customer in writing, IW undertakes not to disclose, share or transfer the customer-related data (e.g. personal, technical, operational or vulnerability data) to any unauthorized third parties for any purposes unless such action is demanded by a valid court order or warrant of a judicial authority in Switzerland.

Retention of the customer-related technical data (e.g. vulnerability data) is described in the articles 2.2, 2.3 and 2.4 of the present agreement. Customer’s account removal, described in the article 3.4 of the present agreement, implies secure deletion of all projects and the related data created by the Customer unless otherwise required by applicable law.

The Customer is solely responsible for using ImmuniWeb in accordance with any concerned third party's right to data protection.

9.2 Personally Identifiable Information (PII)

PII data collection, processing, retention and removal are performed according to the procedures outlined by the article 3.4 of the present agreement.

IW’s Data Protection Officer is conducting privacy audits as imposed by applicable law.


10. Intellectual Property and Non-Competition

All rights, titles and interests in and to all trademarks, trade names, service marks and logos adopted, whether registered or not, used or considered for use by IW to identify its business, products or services, together with the goodwill appurtenant thereto, shall be owned exclusively by IW. The present agreement does not convey to the Customer any licenses, titles or rights of ownership in, or related, to ImmuniWeb® AI Platform or any other intellectual property rights owned by IW.

IW shall be the exclusive owner of all rights, titles and interests including but not limited to trade secrets, copyrights, patents and all other intellectual property rights in and to ImmuniWeb® AI Platform, related products, services and the underlying software, network architecture, databases, big data, source code, algorithms, concepts, processes, methodologies, designs, user interfaces, features or any improvements thereto.

The Customer acknowledges that IW invests significant resources and efforts to continuously improve and develop the ImmuniWeb® AI Platform. The Customer thus agrees to never use, leverage or otherwise implement the above-mentioned intellectual property of IW to compete with IW or share it with any IW competitors or their agents. For any violation of the present paragraph, the Customer hereby agrees to compensate IW 50,000 USD (fifty thousand US dollars) per violation in addition to any direct, accidental or consequential damage including loss of revenue, depreciation of IW brand value, legal costs and reasonable attorneys’ fee.

IW shall likewise own all rights, titles and interests, including all related intellectual property rights, in and to any improvements or ameliorations of the ImmuniWeb® AI Platform, products or services developed by IW upon receipt of a suggestion, feedback, idea or any other input from the Customer or any third party. The Customer agrees that no compensation will be provided for any of the suggested improvements or ameliorations.


11. Entire Agreement

The present agreement supersedes all previous agreements with the Customer, including the agreements that seek to preempt, invalidate or modify the present Terms of Service.

The present agreement is intended by IW and the Customer to be the final expression of their agreement. The present agreement is likewise intended to be a complete and exclusive statement of the agreement and understanding in respect of the subject matter contained herein, and supersedes all prior and contemporaneous agreements, understandings, inducements, promises and conditions, express or implied, oral or written, of any nature whatsoever with respect to the subject matter hereof. The express terms hereof control and supersede any course of performance and/or usage of the trade inconsistent with any of the terms hereof.


12. Severability

If any provision of the present agreement is found to be invalid or unenforceable, the validity and enforceability of the remaining provisions shall not be affected unless the agreement reasonably fails in its essential purpose. Such provision shall be replaced by one or more valid and enforceable provisions approximating the original provision as closely as possible.


13. Modifications

The present agreement can be modified without prior notification and at any time by IW at its own discretion. The modified agreement shall be effective only for the projects started after the modification.

The modified version of the agreement shall be immediately published on the Portal with the modification date. If a modification impairs confidentiality or privacy rights of the Customer, IW undertakes to promptly notify the Customer about such change by the most practical means including email, support message or conspicuously visible notice on the Portal.

The present Terms of Service agreement was last updated on October 13, 2021.


14. No Waiver

A failure of IW to insist upon strict adherence of the Customer to any term of the present agreement on any occasion shall not be considered a waiver of IW’s rights for any of the available remedies or deprive IW of the right thereafter to insist upon strict adherence to that term or any other term of the present agreement.


15. Assignment

The Customer may not transfer, delegate or assign any of its duties under the present agreement, in whole or in part, to a third party by change in control, operation of law or otherwise, without a prior written consent of IW.

IW may delegate its duties and assign its rights arising out of the present agreement upon a written notification to the Customer and in case if such transfer of rights will not materially impact Customer’s rights under the present agreement.


16. No Third-Party Rights

Nothing expressed or referred to in the present agreement shall be construed or interpreted to give any person or entity, other than the parties to the present agreement, any legal or equitable right, remedy or claim hereunder or with respect to the present agreement. The present agreement and all of its provisions are for the sole and exclusive benefit of the parties hereto.


17. Force Majeure

IW shall be excused from all liability for failure or delay in performance of any obligation under the present agreement by the reason of any event beyond its reasonable control including but not limited to fire, flood, earthquake and all other natural disasters, blackout and power supply accident, explosion, act of war, terrorist attack, civil unrest, pandemic, major accident, strike or other labor disturbance, newly enacted law or embargoes.


18. Governing Law and Venue

The present Terms of Service agreement applies worldwide and is exclusively governed by and construed in accordance with Swiss law. Application of any international treaties or conventions is expressly excluded.

The Customer irrevocably agrees to the exclusive jurisdiction and venue of a competent Swiss court in Geneva in connection with any legal action, suit, proceeding or claim arising under or related to the present agreement.