ImmuniWeb


TERMS OF SERVICE FOR
IMMUNIWEB® AI PLATFORM
PROVIDED BY IMMUNIWEB SA

1. Recitals and Scope

ImmuniWeb SA (hereinafter "IW") is a Swiss company registered in the Trade Register of Geneva under Swiss Federal Identification Number CH-660.3.165.019-5 with VAT number CHE-166.613.872, domiciled at:

Quai de l’Ile 13
CH-1204 Geneva
Switzerland

The present Terms of Service (hereinafter “the present agreement”) is a binding contract between IW and your company, governing your and your company’s (hereinafter jointly "the Customer") usage of ImmuniWeb® AI Platform provided by IW via ImmuniWeb® Portal (hereinafter "the Portal").

It is expressly agreed that the parties hereto shall be independent contractors and that the relationship between the parties shall not constitute a partnership, joint venture, employment or agency.

You hereby warrant and represent that you have an undisputed authority, legal competence and capacity to bind your company to the present agreement and all its terms.

By ticking the “I have read and agreed to the Terms of Service & Privacy” checkbox during online registration on the Portal, you agree and accept without any reservations the present agreement. The electronic acceptance of the present agreement by the above-mentioned procedure implies that the Customer has carefully read and understood the entire agreement. Otherwise, you are kindly requested to leave the Portal.

Any usage of ImmuniWeb® AI Platform or ImmuniWeb® Portal in violation of the present Terms of Service shall be considered unauthorized usage and may lead to a legal action.

The present agreement does not govern the relationship between the Customer and Swiss financial company "SIX Payment Services AG" that is in charge of online credit card and PayPal payments processing on behalf of IW. Likewise, the present agreement does not encompass functionality or security of Single Sign-On (SSO) on the Platform if used by the Customer, being governed by an independent agreement between the Customer and the SSO provider such as Google, Amazon or Microsoft.



2. ImmuniWeb® AI Platform

2.1 Description

ImmuniWeb® is an internationally registered trademark (Madrid Trademark Number: 1128342) owned by IW. ImmuniWeb and the underlying technology are developed and supported by IW who is its sole owner.

ImmuniWeb® AI Platform is available via the Portal and is designed to provide security assessment, monitoring and discovery services (hereinafter “the service”) for web and mobile applications, and other digital or IT assets (hereinafter "the Infrastructure").

The purpose of the service is to discover vulnerabilities, weaknesses and misconfigurations of the Infrastructure operated, managed, owned or lawfully entrusted to the Customer, and to offer general remediation guidelines for the issues discovered.

This service is solely provided to the users who (i) created an account on the Portal via the registration procedure, read and accepted Terms of Service, (ii) confirmed their identity and activated their account by clicking on the special link in account activation email, (iii) confirmed their legitimacy and authorization to run the service, and (iv) paid for the service according to the procedures outlined below in the present agreement. IW retains the right to refuse providing the Customer with the service in case of any reasonable doubt regarding the Customer's legitimacy or authorization to order such service.

To consume the service, the Customer shall login to the Portal under its account and create one of the four ImmuniWeb project types described below.

ImmuniWeb Discovery project consists of four consecutive steps:

  • Enter a company name
  • Select a checkbox if you run Discovery for a third party
  • Select your package, subscription duration and pay for the service
  • Get continuous or one-time attack surface management

ImmuniWeb On-Demand project consists of five consecutive steps:

  • Configure your assessment
  • Confirm your authorization to conduct the assessment
  • Select your package and pay for the service
  • Select your assessment date to start
  • Get the remediation report

ImmuniWeb MobileSuite project consists of five consecutive steps:

  • Upload your mobile app and configure your assessment
  • Confirm your authorization to conduct the assessment
  • Select your package and pay for the service
  • Select your assessment date to start
  • Get the remediation report

ImmuniWeb Continuous project consists of four consecutive steps:

  • Configure your assessment
  • Confirm your authorization to conduct the assessment
  • Select your package, subscription duration and pay for the service
  • Get continuous web security monitoring and testing

2.2 ImmuniWeb® On-Demand and MobileSuite Security Assessment Report

Upon completion of ImmuniWeb® On-Demand or MobileSuite Security Assessment, the assessment report can be viewed and downloaded by the Customer directly from the Portal. The report becomes available within 1 (one) business day after the Security Assessment completion.

The Customer will be able to view and download the report in HTML, XML or PDF formats directly from the Portal. The report will stay available on the Portal during the next 100 (one hundred) days following the Security Assessment completion, and then will be securely deleted.

The Customer has a possibility to securely delete the report from the Portal at any time before the above-mentioned deadline.

After being deleted, the report cannot be recovered. The Customer is solely and entirely responsible for downloading the report within the aforementioned 100 (one hundred) days deadline, as well as for saving the report on a secure local storage.


2.3 ImmuniWeb® Continuous Dashboard

Within 2 (two) business days after receiving a payment for ImmuniWeb® Continuous subscription, the Customer will be provided with access to the interactive vulnerability management dashboard designed to manage and monitor the assessment and its results via the Portal.

The data provided to the Customer, including but not limited to assessment results and statuses of detected vulnerabilities, is accessible via the Portal and API functionality during the validity of Customer’s subscription and one hundred (100) days after the subscription expiration.

After the above-mentioned 100 days deadline, or earlier upon the Customer’s written demand, the data will be securely deleted. After being deleted the data cannot be recovered.


2.4 ImmuniWeb® Discovery Dashboard

Once 3 (three) business days have elapsed after receiving a payment for ImmuniWeb Discovery, discovered applications and other digital assets will appear on the Discovery dashboard.

The dashboard and its functionality remain active while the Customer pays for the subscription. Once the subscription expires, the Customer may request the data from the dashboard within the next 100 (one hundred) days by contacting support.

After the above-mentioned 100 (one hundred) days deadline, or earlier upon the Customer’s written demand, the data will be securely deleted. After being deleted the data cannot be recovered.


2.5 ImmuniWeb® Security Seal

Some ImmuniWeb® projects may provide the Customer with ImmuniWeb Security Seal designed to confirm the fact and the time of the performed security assessment.

Despite our efforts to identify as many vulnerabilities as possible within the assessment scope and timeframe, the Seal cannot and does not guarantee that the Infrastructure is 100% secure, unbreakable, or totally vulnerability-free.


2.6 ImmuniWeb® Continuous and Discovery Notifications

For the Customers of ImmuniWeb® Continuous and Discovery, instant notification functionality is available to receive alerts about newly detected vulnerabilities, weaknesses or other events via email or SMS, depending on the ImmuniWeb subscription package.

Despite our best commercial efforts to send the above-mentioned notifications in accordance with the Customer’s preferences selected on the Portal, we cannot and do not guarantee that they will arrive in a timely manner. IW declines any responsibility for any delays or omissions related thereto.

IW may replace SMS notifications by email alerts when IW considers such replacement appropriate under the circumstances.

The SMS notification service is operated and maintained by "Twilio, Inc." (CA), USA. IW shall never be liable for any problems, delays or damage related to the SMS notification service.


2.7 ImmuniWeb® Assessment Scope

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

The scope of the assessment is always defined by the Customer on the first step of the project creation. The Customer is encouraged to provide as much information and details about the scope as practical under the circumstances. Any omissions or incorrect information provided by the Customer may lead to incomplete, delayed or inaccurate assessment for which IW shall not be accountable or liable in any manner.

Within reason, the Customer can provide specific requirements for the scope and methodology of testing on the first step of the project creation. IW will undertake commercially reasonable efforts to follow the instructions and scope defined by the Customer as precisely as practical under the integrity of the circumstances. In case of substantial impossibility to comply with the instructions, or requirement to upgrade the package, IW may pause the project and communicate the issue to the Customer for resolution.


2.8 ImmuniWeb® Discovery Scope

The Customer recognizes that ImmuniWeb® Discovery is based on Open-Source Intelligence (OSINT) meaning that the discovered assets, data and all other information provided to the Customer within the scope of ImmuniWeb Discovery are already accessible, or otherwise visible or cognizable, on the Internet.

For the duration of a Discovery project, the Customer grants IW full authority to monitor various web, cloud and other Internet resources, including so-called Dark Web and Deep Web, on its behalf or on behalf of third parties for which the discovery is being run. The Customer thereby accepts that IW may detect and get its confidential or sensitive data, or data of its subsidiaries or third parties, that has been previously stolen, compromised or leaked. In any case, IW shall promptly bring the relevant data to the attention of the Customer via the Dashboard. IW shall never be liable to the Customer or to any third parties for processing or supplying this data to the Customer. The Customer shall likewise protect and fully indemnify IW for any third-party claims related to the Discovery run by the Customer including all legal costs and reasonable attorneys’ fees.

The Customer understands and hereby accepts that the Discovery process may not detect some of its digital or IT assets, related vulnerabilities, misconfigurations, weaknesses or data leaks due to unreachability of the relevant systems, or the non-intrusive nature of the Discovery process, or inability to attribute the asset or data to the Customer with reasonable certainty, or any other circumstances beyond reasonable control of IW. Therefore, IW shall never be liable for any missed or omitted, mislabeled, wrongly scored or attributed assets, data or information provided to the Customer within the scope of any Discovery project.

The Customer likewise agrees that one Discovery project covers only one brand unless otherwise expressly authorized by IW in writing. Therefore, websites or other digital assets belonging to other brands, including subsidiaries, shall not be manually added or imported by the Customer into one Discovery project. Violation of the present clause by the Customer may lead to termination of the Discovery subscription without any compensation.


2.9 ImmuniWeb® Methodology of Testing

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW’s application security testing methodology is developed and based on its proprietary technology.

Except if otherwise requested by the Customer, or required by the circumstances of the assessment, the methodology of testing follows globally recognized standards, such as OWASP Web and Mobile Security Testing Guides. IW may, however, at its own discretion and without prior notice, change, expand or amend its methodology of testing if such a change may be beneficial or otherwise preferable for the Customer or IW under the integrity of circumstances.

IW makes its best efforts to avoid any security testing or exploitation techniques that may harm, slow down, corrupt, partially or entirely destroy Customer’s data or Infrastructure. However, IW may use intrusive testing and vulnerability exploitation techniques if it is necessary for comprehensive testing or is appropriate under the circumstances. If an unexpected and dangerous event occurs during the assessment, IW will contact the Customer within the next 15 (fifteen) minutes after detection of the event to coordinate further activities.


2.10 ImmuniWeb® Quality Assurance

For the most important and critical processes and activities of the assessment, IW relies on the four-eyes principle, which involves at least two people controlling each other.


2.11 ImmuniWeb® Customer Support

IW strives to provide an uninterrupted 24/7 support for the Customers via email and web ticketing system.

IW makes its best commercial efforts to respond to normal-priority support tickets within 4 (four) business hours and within 15 (fifteen) minutes to urgent support tickets. Nevertheless, IW cannot and does not guarantee that a problem will be resolved within the above-mentioned deadline and shall never be liable for any delays or damage caused by such delays.

Urgent support ticket functionality is available only to the Customers who have already paid for at least one assessment project. Abusive, unwarranted or inappropriate usage of urgent support tickets by the Customer may lead to temporary or permanent disablement of urgent ticket functionality on the Portal without any compensation as a counterpart.

IW makes its best reasonable efforts to provide competent and accurate information via Customer Support. However, the Customer shall never rely solely on the information obtained from the support to make its decisions. The Customer hereby acknowledges and agrees that any information obtained from the support is provided “as is” without any warranty of any kind. IW shall not be liable for any damages ensued from any actions performed by the Customer based or derived from the information or recommendations received via support.

When any information, statement or promise provided by IW support or any IW employees under any circumstances materially amends or contradicts the present agreement, the text of the present agreement shall always prevail. Content of support tickets is available on the Portal for one (1) year. After that period tickets are automatically deleted for security purposes.


2.12 ImmuniWeb® Project Sharing and RBAC

The Customer may grant any other Portal user various Role Based Access Control (RBAC) access permissions to any of its ImmuniWeb® projects.

The Customer shall take all the necessary precautions and due care when granting and/or revoking such access as the grantee will have limited or even full access to the project. The Customer is solely responsible to monitor and timely revoke or adjust access from users who shall not have access to the project anymore.

IW shall not be liable for any incidents or damage caused by project sharing activities performed by the Customer.


2.13 ImmuniWeb® API

On the Portal, the Customer may generate an API key to access its project data in JSON format from the API provided by IW.

The Customer is solely responsible to protect all its API keys, timely revoke and prevent any unauthorized usage of the API keys.

IW shall not be liable for any incidents or damage caused by API usage or API key management performed by the Customer.


2.14 ImmuniWeb® Community Edition

ImmuniWeb Community Edition offers free online tests aimed to improve overall security awareness. It also provides a premium subscription designed to perform a higher number of online tests per day compared to the free version.

The subscription can be purchased online by the Customer for price and duration that are visible online to the Customer. Purchased subscriptions cannot be modified or reimbursed.

All available ImmuniWeb Community Edition subscriptions are provided “as is” without any warranty of any kind.

The Customers, who misuse the subscription and thereby cause material inconvenience or damage to any third party, will be notified, and in case of reoccurrence, may have their subscription immediately terminated without reimbursement. In case of major abuse, the subscription may be terminated without prior notice.


3. ImmuniWeb® Portal

3.1 Registration Procedure

To use ImmuniWeb® AI Platform, the Customer must be registered and authenticated on the Portal. To obtain an account on the Portal, the Customer shall follow the registration procedure. During the registration, the Customer undertakes to provide IW with correct, truthful and up-to-date information required by the procedure.

IW may verify at any time the authenticity and veracity of the information provided by the Customer during the registration. Any accounts with doubtful or dubious information may be temporarily suspended, accounts with deliberately false or fake information may be deleted immediately. Any claims for reimbursement for the projects created under accounts with false or fake information will be refused.

IW can, at its own discretion, deny the registration to any user at any time without any justification of its decision.


3.2 Identification of the Customer

The Customer should identify itself on the Portal with its email address (login) and password (hereinafter "the Credentials").

IW draws the Customer's particular attention to the fact that the Credentials are strictly personal and non-transferable.

The Customer undertakes to keep its Credentials strictly confidential. Otherwise, IW retains the right to block the Customer's account and claim any damage occurred. Any claims for reimbursement for the projects created under accounts shared with third parties will be refused.


3.3 Modification of Customer Account Information

The Customer undertakes to keep its account information up-to-date. To do so, it can modify the information directly on the Portal via profile update function. Accounts with outdated information may be suspended for security purposes.


3.4 Customer Data and PII Collection, Processing, Retention and Deletion

IW values privacy of the Customer. IW collects Personally Identifiable Information (PII) of the Customer that is voluntarily submitted by the Customer on the Portal (e.g. name, email address, business phone, etc.) and technical information manually entered by the Customer on the Portal for the purposes of (i) using ImmuniWeb® AI Platform by the Customer, (ii) performing contractual duties owed to the Customer under the present agreement, and (iii) pursuing legitimate interests of IW including but not limited to keeping the Customer informed about Platform news and improvements by weekly newsletter with a one-click opt-out feature. IW also collects ancillary technical information about the Customer and its activities on the Portal, such as IP addresses and other relevant technical details, which are necessary to protect, maintain and improve the Platform or pursue other legitimate interests of IW.

The information is never shared with third parties except authorized parties for legitimate business purposes (e.g. technology or business partners that provide joint services with IW) that have (i) a valid NDA prohibiting divulgation and inappropriate usage of the information, and (ii) an enacted privacy policy that materially complies with Swiss law of data protection.

The information is securely stored in a dedicated data center located in Canada (recognized by the European Commission as a country providing adequate level of data protection alongside Switzerland). IW servers are managed and operated by authorized IW employees only.

The information is stored as long as reasonably required to perform the present agreement, pursue legitimate interests of IW, or as long as required by the applicable law.

The Customer can request IW to delete its account on the Portal by submitting the request via Portal Support. The account and Customer-related information will be securely deleted within 15 (fifteen) business days since the receipt of the request unless otherwise required by the applicable law.

Deleted information is not recoverable. Any claims for reimbursement, indemnification or compensation for the projects created under deleted accounts will be refused.


3.5 Portal Availability

Apart from external interruptions beyond IW's control, the Portal is available 7 days a week, 24 hours a day. In case of reasonable necessity, IW retains the right to temporarily interrupt access to the Portal, at any time, for any period of time and at its own discretion. IW shall not be liable for any damages caused by such interruption.


3.6 Portal and Data Security

Special attention is given to security of the Portal and the data it processes and handles. Nevertheless, the Customer hereby recognizes that despite the best commercial efforts undertaken by IW, including risk assessment, threat and vulnerability monitoring, usage of up-to-date software, system hardening, data encryption and adherence to the ISO 27001 security standard, IW cannot and does not guarantee the absolute security of the Portal or the data it processes or handles. The Customer hereby acknowledges and accepts the risks related to the Portal and its data security, and undertakes not to initiate or participate in any legal actions or proceedings against IW related thereto.


3.7 Portal Time Zone

The Portal is operating in the Central European Time (CET/CEST) time zone.


4. Limitations Accepted by the Customer

In addition to all other limitations stated in the present agreement, hereby the Customer unconditionally accepts the limitations of the service provided by IW, which are described below.

IW undertakes its best commercial efforts to provide a broad selection of available assessment dates. Nonetheless, IW cannot and does not guarantee that a specific date will be available, nor does it provide any guarantee of date availability. The next available assessment date is always shown on the Portal at the payment step. IW shall never be liable for any delays caused by unavailability of a specific assessment date or report delivery.

During security testing, IW takes appropriate measures not to disturb availability of the Customer’s Infrastructure including various systems, devices, cloud storage, applications or network equipment. Nevertheless, exceptional, unforeseen or unexpected side effects may occur beyond IW’s reasonable control. IW shall never be liable or responsible for any damage, interruption or slowdown of any operations or property of the Customer or any third parties concerned by the testing. The Customer is advised to create a full backup of the tested system and data before starting the assessment, to avoid testing sensitive, previously untested or unstable systems in production, and to avoid testing with real user accounts or with privileged user accounts that may have access to production or confidential data.

IW makes its best efforts to identify all possible vulnerabilities and weaknesses within the scope and during the timeframe of assessment, however IW does not and cannot guarantee that all the vulnerabilities will be detected, and declines any responsibility for missed, undiscovered or unreported vulnerabilities.

The service itself is not intended to prevent, eliminate or fix any vulnerabilities or security weaknesses. The assessment purports to identify vulnerabilities and weaknesses within the Infrastructure, and to propose general remediation solutions for them. The Customer bears the sole responsibility for implementing all necessary corrections for the discovered vulnerabilities and weaknesses.

The Customer understands that vulnerability remediations, proposed in the report or via the interactive dashboard, consist of general guidelines only, provided “as is” without any warranty of any kind.

Assessment results reflect the state of security of the Customer's Infrastructure only at the time of the assessment’s execution, and therefore cannot be considered as permanently up-to-date.

The integrity of the Portal features including but not limited to the user interface functionality, integrations, data import and export, SSO authentication, vulnerability management, alerts and notifications, user management and any related features for all types of projects are provided “as is” without any warranty of any kind.


5. Obligations of the Customer

5.1 Strictly Prohibited Usage

The Customer is strictly prohibited to use ImmuniWeb® AI Platform to conduct penetration testing of any Infrastructure that does not belong to it and/or for which it does not have an explicit, express and undisputed written authorization from the legitimate Infrastructure owner to perform such testing.

The Customer is also prohibited to use ImmuniWeb® AI Platform to knowingly cause any damage or inconvenience to third parties.

The Customer is not allowed to use ImmuniWeb in countries where the legislation or regulatory rules prohibit such usage.

In case of violation of the above-mentioned conditions by the Customer, IW reserves the right to immediately suspend the Customer's account, claim damages and refuse any Customer’s claims for reimbursement, compensation or indemnification for the projects created under this account.

The Customer is strictly prohibited to conduct any automated or manual security testing of any IW infrastructure for any purposes without prior written permission by IW.


5.2 Confirmation of the Infrastructure Ownership

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

The Customer unconditionally agrees to use ImmuniWeb® only to assess security of the Infrastructure that belongs to it or for which it has an explicit written authorization from the legitimate Infrastructure owner to do so.

In case of website security testing, the Customer agrees that, among other things, an email notification about the assessment may be sent to emails obtained from the website domain WHOIS record, or to the official emails provided directly on the website that the Customer wants to assess.

IW also reserves the right to contact the Customer and/or its company by telephone and by any other appropriate means in order to verify Customer's identity and legitimacy to perform assessment of the Infrastructure.


5.3 Correctness and Completeness of Technical Information

During the creation of ImmuniWeb® project on the Portal, the Customer is solely and entirely responsible for submitting correct, complete and up-to-date technical information about the Infrastructure (e.g. URL, authentication and other technical information) and any specific testing requirements.

In case of erroneous, outdated or incomplete technical information submitted to the Portal, the Customer will bear the sole responsibility for all damage, errors and omissions. In this case, IW does not guarantee accuracy, safety or completeness of the assessment and its results. Any claims for reimbursement in such cases will be refused.


5.4 Non-Resistance to Security Assessment

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW’s IP addresses from which the assessment will take place will be communicated to the Customer by email (i) 1 (one) day before the assessment start, and (ii) just before the start of the assessment for all ImmuniWeb® On-Demand and MobileSuite projects. For ImmuniWeb Continuous projects, the IP addresses are constantly visible on the Portal.

The Customer is required to properly authorize or otherwise whitelist IW’s IP addresses on its IPS (Intrusion Prevention System), WAF (Web Application Firewall), and any other hardware, software or cloud solutions that may partially or entirely block or slow down the assessment and thus influence its completeness and accuracy. Otherwise, accuracy of the assessment and of its results are not guaranteed by IW. Any claims for reimbursement in such case will be refused.

The Customer is strongly advised to delete IW’s IP addresses from any whitelists and revoke all temporary permissions and demo accounts created for the purpose of the assessment once the assessment is successfully finished. The Customer is likewise advised to verify any newly created files or records, as the result of the assessment, and delete them if they are not necessary. ImmuniWeb shall never be liable for any files or records created for the assessment purposes.


5.5 Availability of the Infrastructure

The Customer is entirely responsible for accessibility and availability of its Infrastructure during the assessment.

If for any reason the Infrastructure is not fully accessible from any of IW’s IP addresses during the assessment, the Customer will bear the sole responsibility for incompleteness, inaccuracy or non-delivery of the assessment. Any claims for reimbursement in such case will be refused.


5.6 Obligation to Inform Concerned Third Parties

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

The Customer must inform and obtain an explicit authorization to perform the assessment from all the third parties (if any) that are directly or indirectly concerned by the assessment. The Customer must likewise inform competent law enforcement or regulatory agencies about penetration testing if required by the applicable law.

The Customer undertakes to defend and indemnify ImmuniWeb, its employees and agents, including reasonable attorneys’ fees, if any third party brings a lawsuit or indictment against IW in relation to any Customer’s project for violation of any security, privacy, data protection or anti-hacking laws.

This obligation particularly applies if the Customer is not the sole owner of the web, database or any other servers or equipment where Customer’s Infrastructure or its data are located. IW does not bear any responsibility for delays caused by coordination between the Customer and the concerned third parties.


5.7 Obligation to Respect Account Integrity and Confidentiality

The Customer undertakes to take all reasonable measures to protect its account Credentials from unauthorized third parties. If the Customer becomes aware of any illegal, unauthorized, unethical or improper usage of its Portal account, it shall immediately inform IW in writing or by another reliable and prompt means.

The Customer must not share any information obtained under the present agreement with any IW competitors without prior written notification from IW.

The Customer undertakes to be solely responsible and liable to indemnify IW and compensate all damages including reasonable attorneys’ fees incurred by IW, its employees or agents in case of breach of this clause.


5.8 Obligation to Respect Third-Party Rights to Data Privacy

The Customer shall respect all applicable data protection and privacy laws when uploading or submitting any Personally Identifiable Information to IW via the Portal, email or any other means.

The Customer undertakes to be solely responsible and liable to indemnify IW and compensate all damages including reasonable attorneys’ fees incurred by IW, its employees or agents in case of breach of this clause.


5.9 Availability for Emergencies and Communications

The Customer undertakes to provide a valid email and direct phone number in its profile on the Portal, to be contacted in case of emergency (e.g. unexpected event or breach detection).

Failure to do so absolves IW from any responsibility and liability in case of unforeseen emergency when interaction with Customer was required to mitigate damages.

The Customer agrees that IW’s communications by email shall suffice for all purposes including commercial and technical questions where no extreme emergency is present. The Customer undertakes to ensure that IW’s emails are not blocked by any antispam filters and are responded to as fast as practical. The Customer recognizes that its failure to read or respond to email communications from IW in a timely manner invalidates all warranties stated herein and absolves IW from any responsibility for incomplete or delayed service.


6. Measures Against Abuse and Improper Usage

In case of any usage of ImmuniWeb® AI Platform that is illegal, unlawful, unethical, improper or not authorized by the present agreement, the Customer unconditionally agrees to be solely liable and responsible for all damages suffered by IW. The Customer undertakes to fully indemnify IW, its employees or agents for all direct, incidental and consequential damages including reasonable attorneys’ fees, as well as for any other costs or liabilities that IW could owe to any third parties, as a result of such usage by the Customer.

In case of abuse IW retains the right to:

  • Take any technical measures it deems appropriate
  • Inform competent law enforcement agencies
  • Inform third parties concerned by the abuse
  • Take a legal action against the Customer
  • Demand indemnification for all the damages suffered with applicable interest.

7. Limited Liability of IW Accepted by the Customer

In addition to all other limitations of liability stated in the present agreement, the Customer unconditionally accepts the limited liability of IW described below.

7.1 Access to the Portal and the Service

IW makes its best commercial efforts to provide the Customer with an uninterrupted access to the Portal. However, IW does not guarantee a permanent access, availability or uninterrupted operation of the Portal and all of the related services. IW shall never be liable for any interruptions or slowdowns of the Portal’s availability.


7.2 Security Assessment Interruption

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW retains the right to interrupt the assessment at any time in case of any risk related to the security or stability of the Infrastructure or any of the related system(s).

IW shall not be liable for any direct or other damage caused by this kind of interruption. IW's liability is also excluded in case of interruption of the assessment by IW due to a Force Majeure.


7.3 Inappropriate Usage by the Customer

IW shall never bear any responsibility or liability for any direct, incidental or consequential damages resulting from any inappropriate, unethical, illegal, unwarranted or abusive usage of ImmuniWeb® AI Platform by the Customer, particularly for the damage caused by Customer’s breach of the present agreement or of the instructions indicated on the Portal.


7.4 Damage Caused to Third Parties

In no case shall IW bear responsibility for any direct, incidental or consequential damages caused to any third parties during the performance of Customer’s project or related tasks.

In the unlikely case when IW is liable for any damage caused to any third parties, the Customer hereby undertakes to fully indemnify IW for the amount that IW may be obliged to pay in relation thereto, as well as to reimburse IW all reasonable expenses incurred while defending its interests in courts including but not limited to legal costs and reasonable attorneys’ fees.


7.5 Damage Caused to the Customer

Except for the case of deliberate and willful misconduct, IW shall not bear any responsibility or liability for any direct, incidental or consequential damages (including but not limited to loss of confidentiality, integrity, availability or accessibility of any data or information, destruction of any information, files, databases or archives, or damage caused to any software, cloud, hardware or network equipment, or damage to the Customer’s reputation or goodwill) incurred by the Customer in relation to ImmuniWeb® AI Platform or any service provided by IW under the present agreement.

By accepting the present agreement, the Customer unconditionally agrees not to undertake, encourage, assist, join or file any legal actions, lawsuits or procedures against IW, its employees, directors or agents in relation to any ImmuniWeb services except for deliberate and willful misconduct by IW.


7.6 Liability Cap

In any case, IW's total liability, in relation to ImmuniWeb® AI Platform or any service provided under or related to the present agreement, is limited to the total net price paid by the Customer during the previous 12 (twelve) months for the service in question.

By accepting the present agreement, the Customer unconditionally and without reservation accepts the aforementioned IW's liability limit.


7.7 No Liability for Any Third-Party Solutions

IW shall not bear any responsibility or liability for any damages caused by any joint solutions, implementations or integrations with any third-party technology products or solutions, including but not limited to Web Application Firewalls, DevSecOps tools or SIEMs that are all provided "as is" without any warranty of any kind.


7.8 Disclaimer of Warranties

EXCEPT FOR THE EXPRESS SERVICE OR PRODUCT WARRANTIES EXPLICITLY STATED ABOVE IN THE PRESENT AGREEMENT, IW MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


8. Payment Conditions

8.1 Price, Currencies and VAT

The price of the services available on the ImmuniWeb® AI Platform is fixed in USD (US Dollars) and varies depending on the selected package. The price of a package is always displayed on the Portal on the Payment Step of project creation.

The price of any ImmuniWeb package may be changed at any time at IW’s own discretion. All projects that were fully prepaid prior to the price change will not be affected by such change.

Payment can be made in US Dollars (USD), Euros (EUR) and Swiss Francs (CHF). When paying in EUR or CHF, a currency conversion commission or fee may be applied by your bank and/or by the card processing center.

Online payment processing may increase the price by a commission or transaction fee charged by the processing company, bank and/or their subsidiaries. IW has absolutely no relation or influence over these fees and shall never be liable to reimburse or compensate them.

The prices are indicated without VAT (Value Added Tax). Swiss VAT of 7.7% will be charged if the Customer resides in Switzerland and is not exempted from VAT, or in the exceptional case when the Customer resides abroad but is obliged to pay VAT in Switzerland.


8.2 Online Payment

The entire online payment procedure via credit and debit cards or PayPal is managed and operated by Swiss financial company "SIX Payment Services AG" in accordance with their Terms and Conditions.

IW declines any responsibility or liability for any delay, loss or damages incurred by the Customer in relation to the online payment procedure.


8.3 Terms of Payment

All projects are started only after receiving a full prepayment for a package selected by the Customer. The Customer shall bear all transaction fees and costs including any withholding taxes.

The Customer can either pay online on the Portal, via an authorized partner of IW or generate an invoice on the Portal and then make the payment via bank transfer. If paid via bank transfer or authorized partner, within the next 5 (five) business days after the receipt of the funds on IW’s bank account, the Customer will receive a 100% Discount Code to be entered on the Payment step of the project to skip the online payment procedure.

For direct payments, the corresponding invoice in PDF format becomes available for download on the Portal immediately after a successful payment for On-Demand, MobileSuite or Continuous projects. The invoice will be available on the Portal for the next 12 (twelve) months after the payment. After the above-mentioned deadline, the invoice will be automatically deleted without notification to the Customer.

For ImmuniWeb Discovery and ImmuniWeb Community Edition, the invoice is generated by the online payment processing system and will be emailed to the Customer after a successful payment.

The Customer is solely responsible for printing and keeping the invoice for administrative and accounting needs and requirements. IW does not provide any backup or copies of the invoices.

No subscription can be cancelled, amended or terminated before the end of the purchased duration period.


8.4 False-Positives Reimbursement

The present clause applies solely to ImmuniWeb On-Demand, MobileSuite and Continuous.

IW makes its best efforts to ensure zero false positives for every security assessment. If the Customer finds a false-positive (i.e. a reported vulnerability that (i) does not exist and (ii) did not exist at the time of the assessment) in the assessment report or on the dashboard, the Customer may claim a reimbursement.

If the false-positive is confirmed by IW, the Customer shall receive the full net amount paid for ImmuniWeb® On-Demand or MobileSuite package purchased by the Customer, or the net amount paid for one (1) week of assessment in pro rata for ImmuniWeb Continuous package.

The present clause is valid only for the false positives among security vulnerabilities with assigned (i) CVSSv3 score and (ii) CWE-ID.


8.5 Reimbursement Claims and Limitations

Any reimbursement claims must be made by the Customer via Support within 10 (ten) business days after an incident that triggered the claim has occurred. Any reimbursement claims received after the aforementioned deadline will not be reimbursed.

In case of reimbursement claim approval by IW, the reimbursement amount corresponding to the gravity and other relevant circumstances of the incident and within the aforementioned cap shall be paid to the Customer within the next 30 (thirty) days following the approval. The amount of the reimbursement can never exceed the total amount paid by the Customer for the assessment during which the incident occurred.


8.6 Deferred Payments and Overdue Penalties

Under exceptional circumstances, IW may grant the Customer a deferred payment deadline up to thirty (30) days or longer. In this case, the Customer will receive a 100% discount code to be entered on the payment step in order to skip the online payment procedure and start the project. The Customer will also be provided with an invoice for a wire transfer of the amount due to IW’s bank account.

Hereby, the Customer expressly agrees that if the deferred payment regime is partially or entirely granted by IW, the Customer unconditionally and without reserve agrees to:

(a) timely make the payment of the exact amount due without any deduction of any kind including but not limited to transactional fees, bank charges or withholding taxes;

(b) recognize an annual 10% (ten percent) interest for the overdue regardless of the reason of the overdue;

(c) compensate IW all reasonable administrative, accounting, legal and debt collecting fees IW may incur for overdue amounts collection;

(d) be transferred to a full prepayment regime for repetitive delays in payments.

The Customer likewise accepts that, in case of overdue, its accounts may be blocked, delivery of service interrupted, and the Customer’s data be retained by IW as a lien. For the subscription-based services, a sixty (60) days overdue will lead to service termination while the Customer will be bound to pay the full amount of the subscription.

By accepting the present agreement, the Customer expressly agrees not to challenge the aforementioned provisions.


9. Confidentiality and Privacy

9.1 Customer’s Data Protection

When providing its services under the present agreement, IW and its employees undertake best efforts to handle the information related to, or received from, the Customer in a confidential manner and in compliance with IW’s ISO 27001 certification, related security policies and procedures.

All customer-related data is accessible only to authorized IW’s employees, required to have access to this data to perform their professional duties. IW’s employees are internally vetted and required to sign a Non-Disclosure Agreement (NDA) before obtaining access to customer-related data. IW’s technical personnel is required to act in conformity with CREST Code of Conduct for Individuals that covers confidentiality, ethics, honesty and integrity.

IW undertakes not to disclose, share or transfer any customer-related data (e.g. technical, operational or vulnerability data) to any unauthorized third parties for any purposes unless such action is demanded by a valid order of a Swiss or other competent court or requested by the Customer in writing.

Retention of technical data (e.g. vulnerability data) is described in the articles 2.2, 2.3 and 2.4 of the present agreement. Customer account removal, described in the article 3.4 of the present agreement, implies secure deletion of all projects created by the Customer.

The Customer is solely responsible for using ImmuniWeb in accordance with any concerned third party's right to data protection.

9.2 Personally Identifiable Information (PII)

PII data collection, processing, retention and removal are performed according to the procedures outlined by the article 3.4 of the present agreement.

IW’s Data Protection Officer is conducting privacy audits as imposed by the applicable law.


10. Intellectual Property and Non-Competition

All right, title and interest in and to all trademarks, trade names, service marks and logos adopted, whether registered or not, used or considered for use by IW to identify its business, products or services, together with the goodwill appurtenant thereto, shall be owned exclusively by IW. The present agreement does not convey to the Customer any licenses or rights of ownership in or related to ImmuniWeb® AI Platform or any other intellectual property rights owned by IW.

IW shall be the exclusive owner of all rights, titles and interests including but not limited to related trade secrets, copyrights, patents and all other intellectual property rights in and to ImmuniWeb® AI Platform, products or services and the underlying software, network architecture, databases and big data, source code, algorithms, concepts, processes, methodologies, designs, user interfaces, features or any improvements thereto.

The Customer acknowledges that IW invests significant resources and efforts to continuously improve and develop the ImmuniWeb® AI Platform. The Customer thus agrees to never use, leverage or otherwise implement the above-mentioned technical or technological intellectual property of IW to compete with IW or share it with any IW competitors or their agents. For any violation of the present paragraph, the Customer hereby agrees to compensate IW 50,000 USD (fifty thousand US dollars) per violation in addition to any direct, accidental or consequential damage including loss of revenue, depreciation of IW brand value, legal costs and reasonable attorneys’ fees.

IW shall likewise own all right, title and interest, including all related intellectual property rights, in and to any improvements or ameliorations of the ImmuniWeb® AI Platform, products or services developed by IW upon receipt of a suggestion, feedback, idea or any other input from the Customer or any third party.


11. Entire Agreement

The present agreement supersedes all previous agreements with the Customer, including the agreements that seek to preempt or modify the present Terms of Service.

The present agreement is intended by IW and the Customer to be the final expression of their agreement. The present agreement is likewise intended to be a complete and exclusive statement of the agreement and understanding in respect of the subject matter contained herein, and supersedes all prior and contemporaneous agreements, understandings, inducements, promises and conditions, express or implied, oral or written, of any nature whatsoever with respect to the subject matter hereof. The express terms hereof control and supersede any course of performance and/or usage of the trade inconsistent with any of the terms hereof.


12. Severability

If any provision of the present agreement is found to be invalid or unenforceable, the validity and enforceability of the remaining provisions shall not be affected unless the agreement reasonably fails in its essential purpose. Such provision shall be replaced by one or more valid and enforceable provisions approximating the original provision as closely as possible.


13. Modifications

The present agreement can be modified without prior notification and at any time by IW at its own discretion. The modified agreement shall be effective only for the projects started after the modification.

The modified version of the agreement shall be immediately published on the Portal with the modification date. If a modification impairs confidentiality or privacy rights of the Customer, IW undertakes to promptly notify the Customer about such change by the most practical means including email, support message or conspicuously visible notice on the Portal.

The present Terms of Service agreement was last updated on February 12, 2021.


14. No Waiver

A failure of IW to insist upon strict adherence of the Customer to any term of the present agreement on any occasion shall not be considered a waiver of IW’s rights for any of the available remedies or deprive IW of the right thereafter to insist upon strict adherence to that term or any other term of the present agreement.


15. Assignment

The Customer may not transfer or assign the present agreement, in whole or in part, or delegate any of its duties hereunder, to a third party by change in control, operation of law or otherwise, without a prior written consent of IW.

IW may delegate its duties and assign its rights arising out of the present agreement upon a written notification to the Customer and if such transfer of rights will not impact, diminish or negatively affect Customer’s rights stemming from the present agreement.


16. No Third-Party Rights

Nothing expressed or referred to in the present agreement shall be construed or interpreted to give any person or entity other than the parties to the present agreement any legal or equitable right, remedy or claim under or with respect to the present agreement. The present agreement and all of its provisions are for the sole and exclusive benefit of the parties hereto.


17. Force Majeure

IW shall be excused from all liability for failure or delay in performance of any obligation under the present agreement by the reason of any event beyond its reasonable control including but not limited to fire, flood, earthquake and all other natural disasters, blackout and power supply accident, explosion, act of war, terrorist attack, civil unrest, pandemic, major accident, strike or other labor disturbance, newly enacted law or embargoes.


18. Governing Law and Venue

The present Terms of Service agreement applies worldwide and is exclusively governed by and construed in accordance with Swiss law. Application of any international treaties or conventions is excluded.

The Customer irrevocably agrees to the exclusive jurisdiction and venue of a competent Swiss court in Geneva in connection with any legal action, suit, proceeding or claim arising under or related to the present agreement.