Terms and Conditions
Effective Date: February 1, 2025
Last Updated: February 1, 2025
1. Agreement to Terms
These Terms and Conditions constitute a legally binding agreement between you and Rezilienz governing your access to and use of the Rezilienz website (www.rezilienz.com) and services. By accessing our website, engaging our services, or entering into a service agreement with us, you agree to be bound by these Terms and all applicable laws and regulations. If you do not agree with any provision of these Terms, you must not use our website or services.
2. Definitions
"Services" means all cybersecurity services provided by Rezilienz, including Security Operations Center (SOC) services, managed detection and response (MDR/MXDR), SIEM/XDR monitoring, attack surface management, data loss prevention, vCISO advisory, incident response, penetration testing, and related cybersecurity services.
"Platform" refers to the technology solutions used to deliver our Services.
"Client Data" means all data, information, and materials provided by Client to Rezilienz or collected by Rezilienz in the course of providing Services.
"Confidential Information" means all non-public information disclosed by one party to the other, whether orally, in writing, or electronically.
"Service Agreement" or "SOW" means the specific contract or Statement of Work executed between Rezilienz and Client for the provision of Services.
"Incident" means any security event, breach, compromise, or threat detected or reported through our Services.
3. Services Overview
Rezilienz provides comprehensive managed Security Operations Center services including continuous twenty-four hour, seven day per week, three hundred sixty-five day per year security monitoring and alerting, threat detection and analysis using SIEM/XDR platforms, security incident triage and investigation, incident response coordination, threat intelligence integration, security event correlation and analytics, and compliance monitoring and reporting. Our attack surface management services provide continuous asset discovery and inventory, external attack surface monitoring, vulnerability identification and prioritization, configuration drift detection, and risk assessment and reporting.
We deliver data loss prevention capabilities through sensitive data discovery and classification, data exfiltration monitoring and prevention, policy enforcement and compliance verification, and incident investigation and forensics. Our virtual Chief Information Security Officer (vCISO) services include strategic security advisory, security program development, compliance and risk management, security awareness training, and board-level security reporting. For organizations facing active security threats, we provide cyber emergency response services including incident response planning, active breach containment and remediation, forensic investigation, recovery and restoration support, and post-incident analysis with recommendations for prevention. Additional services include penetration testing and vulnerability assessments, security architecture review, compliance assessments for frameworks including ISO 27001, SOC 2, and PCI DSS, security training and awareness programs, and custom security solutions tailored to your specific needs.
4. Service Agreements
Services are provided pursuant to a separately executed Service Agreement or Statement of Work that specifies the scope of services, service level agreements, pricing and payment terms, term and termination provisions, specific deliverables and timelines, and the roles and responsibilities of each party. In the event of any conflict between documents, the following order of precedence applies: first, the specific Service Agreement or SOW; second, any Master Services Agreement if applicable; third, these Terms and Conditions; and fourth, our Privacy Policy. We reserve the right to modify, suspend, or discontinue any aspect of our Services with reasonable notice to affected clients. Material changes to existing Service Agreements will require mutual written consent from both parties.
5. Client Responsibilities
Clients are responsible for providing necessary access to systems, networks, and data required for effective service delivery. This includes designating authorized representatives and points of contact who can make decisions and provide necessary information, responding promptly to information requests and security alerts so we can take appropriate action, implementing recommended security controls and remediation actions in a timely manner, maintaining accurate and current contact information for all key personnel, and providing access credentials and necessary permissions to our security tools and monitoring systems.
Clients must maintain compatible systems and infrastructure that meet our technical requirements, ensure adequate network connectivity and bandwidth for our monitoring tools, install and maintain required agents or sensors on systems within the monitoring scope, keep systems updated with security patches as we recommend, and provide any necessary hardware and software as specified in the Service Agreement. Clients represent and warrant that all information provided to us is accurate and complete, they have the authority to provide access to systems and data, they own or have appropriate rights to all Client Data, and the Client Data does not violate any laws or infringe on third-party rights.
Clients agree to implement reasonable security controls beyond our monitoring services, follow security recommendations we provide, report suspected incidents to us promptly so we can respond effectively, maintain secure credential management practices, and comply with applicable security standards relevant to their industry and operations.
6. Service Delivery and Performance
Service level agreements are defined in specific Service Agreements and typically include continuous twenty-four hour, seven day per week, three hundred sixty-five day per year monitoring coverage, alert response times based on severity classification ranging from critical to low priority, platform availability commitments for our monitoring systems, reporting frequency whether daily, weekly, monthly, or as otherwise specified, and incident response time-to-engage commitments for emergency response situations.
Our Services are provided on a best-effort basis using industry-leading technologies and expertise. While we implement comprehensive security measures and employ experienced professionals, no security solution can guarantee one hundred percent protection against all threats. Service effectiveness depends significantly on your environment, configurations, and cooperation with our recommendations. Our Services rely on third-party security platforms and data feeds that may experience outages or limitations beyond our control. We monitor and respond to threats within the agreed scope of your Service Agreement; systems outside this scope are not covered by our monitoring. Security tools may generate false alerts or miss certain threats despite our best efforts to tune and optimize detection capabilities.
We perform regular maintenance on our platforms and services, with scheduled maintenance announced at least forty-eight hours in advance whenever possible. Emergency maintenance may be performed without advance notice when critical security or operational issues require immediate attention. We regularly update our monitoring platforms and security tools to ensure we can detect and respond to emerging threats. Maintenance is typically scheduled during low-impact windows to minimize disruption to your operations.
Our incident response process follows a structured approach beginning with detection and alerting through continuous monitoring and automated systems, followed by triage and analysis to assess the severity and scope of the incident, client notification according to the service level agreements and severity classification, detailed investigation including threat hunting to understand the full extent of the threat, containment recommendations or actions to limit the impact of the incident, remediation guidance on eliminating the threat from your environment, recovery support to restore normal operations, and a post-incident review that provides lessons learned and recommendations for preventing similar incidents.
7. Fees and Payment
Pricing for Services is specified in the applicable Service Agreement or SOW and may be based on fixed monthly retainer fees, per-device or per-user pricing models, project-based fees for specific engagements, hourly rates for professional services, tiered service packages offering different levels of coverage, or usage-based pricing for certain services. Unless otherwise specified in a Service Agreement, invoices for recurring services are issued monthly in advance, payment is due within thirty days from the invoice date, and accepted payment methods include bank transfer, credit card, or other methods as agreed. All fees are stated in United States dollars unless specified otherwise in the Service Agreement.
Late payments are subject to interest at one point five percent per month (eighteen percent annually) on overdue amounts. Services may be suspended for accounts that are more than thirty days past due after appropriate notice to the client. All fees are exclusive of applicable taxes, duties, or similar governmental charges, and clients are responsible for all taxes except those based on Rezilienz's net income. We may adjust fees annually with sixty days' written notice to reflect changes in costs and market conditions. Significant scope changes during the term of a Service Agreement will be documented in an amended SOW with corresponding pricing adjustments agreed upon by both parties. Clients will reimburse reasonable, pre-approved expenses incurred in connection with Services, including travel, accommodations, and third-party costs, upon presentation of appropriate documentation.
8. Intellectual Property Rights
All intellectual property rights in our Services, Platform, website, methodologies, tools, software, documentation, reports, and deliverables, excluding Client Data, remain the exclusive property of Rezilienz or our licensors. This includes our proprietary monitoring and analysis methodologies, security frameworks and playbooks, reporting templates and formats, software tools and scripts, training materials, and threat intelligence and research outputs. Clients retain all rights, title, and interest in Client Data. By engaging our Services, clients grant Rezilienz a limited, non-exclusive license to access, use, and process Client Data solely for the purpose of delivering the agreed Services.
We may collect, use, and retain aggregated and anonymized data derived from Service delivery for security research and threat intelligence, service improvement and development, industry benchmarking and analysis, and statistical reporting. Such data will not identify individual clients or contain confidential information. Any feedback, suggestions, or recommendations provided by clients regarding our Services become the property of Rezilienz and may be used without restriction or compensation to improve our offerings. Clients may not reverse engineer, decompile, or disassemble our Platform or software, copy, modify, or create derivative works from our intellectual property, remove or alter proprietary notices or labels, use our intellectual property for competitive purposes, or sublicense, sell, or distribute our tools or methodologies without explicit written permission.
9. Confidentiality
Both parties agree to maintain the confidentiality of all Confidential Information disclosed during the course of our relationship. For Rezilienz, this includes our pricing structures, methodologies, technical architecture, security tools and capabilities, client lists, and business strategies. For clients, this includes their security posture and vulnerabilities, incidents and security events, business operations and strategies, technical infrastructure details, and all Client Data processed through our services.
Each party agrees to protect Confidential Information using reasonable security measures consistent with the protection of their own confidential information, use Confidential Information only for the permitted purposes outlined in our agreement, limit disclosure to employees and contractors with a legitimate need to know who are bound by confidentiality obligations, refrain from disclosing Confidential Information to third parties without prior written consent, and return or destroy Confidential Information upon termination of the relationship or upon request.
Confidentiality obligations do not apply to information that is or becomes publicly available through no breach of this agreement, was rightfully in the receiving party's possession prior to disclosure as evidenced by written records, is independently developed by the receiving party without use of the Confidential Information, is rightfully received from a third party without confidentiality obligations, or must be disclosed pursuant to law or court order, provided that the disclosing party provides notice to the other party when legally permitted. Confidentiality obligations survive for five years after disclosure or until the information no longer qualifies as confidential, whichever period is longer.
If either party suspects or becomes aware of any unauthorized disclosure or use of Confidential Information, they will promptly notify the other party in writing and cooperate in reasonable efforts to mitigate the impact and prevent further unauthorized disclosure.
10. Data Protection and Privacy
Our collection, use, and protection of personal data is governed by our Privacy Policy, which is incorporated into these Terms by reference and available on our website. By using our Services, you acknowledge and consent to the practices described in the Privacy Policy. Where Rezilienz processes personal data on behalf of clients, we act as a data processor and the client acts as data controller. Such processing is governed by a separate Data Processing Agreement that establishes the scope, nature, and purpose of processing, the types of personal data and categories of data subjects involved, our obligations as a processor, the client's rights as a controller, and procedures for handling data subject requests.
We process data only as instructed by clients and as necessary for service delivery, and we implement appropriate technical and organizational security measures aligned with industry standards including ISO 27001 and SOC 2. We comply with applicable data protection laws including the General Data Protection Regulation for European data, the Privacy Act 2020 for New Zealand data, the Digital Personal Data Protection Act 2023 for Indian data, and applicable regulations in the Dutch Caribbean territories where we are headquartered.
Our comprehensive security controls include encryption of data in transit and at rest using industry-standard protocols, strict access controls and authentication mechanisms, continuous security monitoring and incident response capabilities, regular security assessments and audits, and mandatory employee training and background checks for personnel with access to client data. In the event of a data breach affecting Client Data, we will notify the client without undue delay and within seventy-two hours when feasible, provide details of the breach including affected data and potential impact, describe remediation measures taken or planned, cooperate with the client's breach response obligations including regulatory notifications, and assist with any required notifications to data protection authorities or affected individuals.
Upon termination of Services, we will return or securely delete Client Data as instructed by the client, maintain data necessary for legal or regulatory compliance as required by law, retain aggregated and anonymized data for permitted purposes that cannot identify the client or individuals, and provide written certification of deletion upon request by the client.
11. Warranties and Disclaimers
Each party represents and warrants that they have the authority to enter into this agreement, execution and performance of the agreement does not violate any other agreement or applicable law, they will comply with all applicable laws and regulations throughout the term of the agreement, and they have obtained all necessary consents and approvals to fulfill their obligations.
Rezilienz warrants that Services will be performed with professional skill and care consistent with industry standards, Services will materially conform to the descriptions in the applicable Service Agreement, we employ qualified personnel with appropriate cybersecurity expertise and certifications, and we maintain appropriate professional liability and cyber insurance coverage. Clients warrant that they have the legal rights to provide access to all systems and data included in the service scope, Client Data does not violate any laws or infringe on third-party rights, they have implemented basic security controls appropriate for their environment, and all information provided to Rezilienz is accurate and complete to the best of their knowledge.
Except as expressly provided in these Terms or a Service Agreement, Services are provided on an "as is" and "as available" basis. To the maximum extent permitted by law, Rezilienz disclaims all warranties, express or implied, including implied warranties of merchantability, implied warranties of fitness for a particular purpose, warranties of non-infringement, warranties of accuracy or completeness, and warranties arising from course of dealing or usage of trade. Rezilienz does not warrant that Services will be uninterrupted, error-free, or completely secure, that Services will detect or prevent all security threats or attacks, that results will meet client's specific requirements or expectations, that all defects will be corrected, or that Services are free from vulnerabilities or malicious code. No oral or written information or advice given by Rezilienz or its representatives creates any additional warranty beyond those expressly stated in these Terms.
12. Limitation of Liability
To the maximum extent permitted by law, neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, revenue, or business opportunities, loss of data or information, business interruption or downtime, loss of goodwill or reputation, or costs of substitute services. This exclusion applies regardless of the legal theory, whether contract, tort, negligence, strict liability, or otherwise, and whether or not the party was advised of the possibility of such damages.
Rezilienz's total cumulative liability arising out of or related to these Terms or any Service Agreement shall not exceed the total fees paid by the client to Rezilienz in the twelve months preceding the event giving rise to liability, or ten thousand United States dollars, whichever amount is greater. These limitations do not apply to death or personal injury caused by negligence, fraud or fraudulent misrepresentation, gross negligence or willful misconduct, breach of confidentiality obligations, intellectual property infringement claims, indemnification obligations under these Terms, or matters that cannot be excluded or limited under applicable law.
Clients acknowledge that Rezilienz is not an insurer and does not guarantee prevention of all security incidents, clients are ultimately responsible for their own security posture and risk management, clients assume all risk of loss or damage resulting from cyber threats and attacks, clients should maintain appropriate cybersecurity insurance to cover potential losses, and our recommendations and findings are advisory in nature and implementation decisions rest with the client. These limitations reflect the allocation of risk between the parties and the fees charged for Services, and they will apply even if any limited remedy fails its essential purpose.
13. Indemnification
Clients agree to indemnify, defend, and hold harmless Rezilienz, its affiliates, officers, directors, employees, agents, and partners from and against any claims, damages, losses, liabilities, costs, and expenses, including reasonable attorneys' fees, arising from or related to the client's use of Services in violation of these Terms, Client Data or the client's systems and infrastructure, breach of client's representations, warranties, or obligations under these Terms, violation of applicable laws or regulations by the client, third-party claims related to the client's business operations, or negligence or willful misconduct of the client or its personnel.
Rezilienz agrees to indemnify, defend, and hold harmless clients from and against any claims, damages, losses, liabilities, costs, and expenses, including reasonable attorneys' fees, arising from claims that our Services infringe third-party intellectual property rights, breach of Rezilienz's representations, warranties, or obligations under these Terms, gross negligence or willful misconduct of Rezilienz or its personnel, or violation of applicable data protection laws by Rezilienz in its capacity as a data processor.
The indemnified party must promptly notify the indemnifying party of any claim in writing, provide reasonable cooperation and assistance in the defense of the claim, grant the indemnifying party sole control of the defense and settlement negotiations, and refrain from settling or compromising the claim without the indemnifying party's prior written consent. The indemnifying party's obligations are expressly conditioned on receiving such cooperation and control. If Services become subject to an infringement claim, Rezilienz may, at its option and expense, obtain a license for the client to continue using the Services, modify the Services to be non-infringing while maintaining substantially equivalent functionality, replace the Services with non-infringing alternatives, or terminate the affected Services and refund any prepaid fees for the terminated portion on a pro-rata basis.
14. Term and Termination
These Terms are effective upon your acceptance and continue until terminated as provided herein. Service Agreements specify the term for specific Services, which may be month-to-month with notice requirements, fixed term agreements for periods such as twelve or twenty-four months, project-based engagements lasting until completion, or automatically renewing agreements unless terminated with proper notice. Either party may terminate month-to-month agreements with thirty days' written notice. Fixed term agreements may be terminated at the end of the term by providing sixty days' notice prior to the renewal date. Project-based agreements generally cannot be terminated for convenience except as specified in the SOW.
Either party may terminate immediately upon written notice if the other party materially breaches these Terms or a Service Agreement and fails to cure such breach within thirty days of receiving written notice specifying the breach, becomes insolvent, files for bankruptcy protection, or ceases business operations, engages in fraud, gross negligence, or willful misconduct affecting the relationship, or violates laws or regulations in a manner that materially impacts the business relationship or creates legal liability for the non-breaching party.
Rezilienz may suspend Services immediately without liability if the client's account is more than thirty days past due after receiving notice of the overdue amount, the client's use poses a security risk to our Platform or other clients as determined in our reasonable judgment, we are required to suspend services to comply with law or court order, or the client materially breaches security or acceptable use provisions of these Terms. We will provide notice before suspension when reasonably practicable under the circumstances.
Upon termination, the client must pay all fees accrued through the termination date including fees for the notice period, all rights and licenses granted to the client terminate immediately, the client must cease using our Services and Platform, provisions that by their nature should survive will remain in effect, we will provide final reports and return or delete Client Data as instructed by the client, and early termination fees may apply as specified in the Service Agreement. The following provisions survive termination: all payment obligations incurred prior to termination, confidentiality obligations for the specified duration, intellectual property rights and restrictions, limitation of liability provisions, indemnification obligations, dispute resolution procedures, and any other provision that by its nature should survive to give effect to its meaning.
15. Acceptable Use Policy
Clients agree not to use our Services or website to violate any applicable laws or regulations, infringe intellectual property or other rights of third parties, transmit malware, viruses, or malicious code, attempt unauthorized access to systems or networks, interfere with or disrupt Services or our infrastructure, engage in fraudulent or deceptive practices, harass, abuse, or harm others, distribute spam or unsolicited communications, conduct competitive intelligence gathering or reverse engineering of our systems, or violate export control or sanctions laws.
Clients represent that their systems and data do not contain illegal content and comply with applicable laws including those governing their specific industry. We reserve the right to refuse service or terminate access if we reasonably believe a client is engaged in illegal activity or activities that pose unacceptable risks to our platform or other clients. Clients agree to comply with applicable industry regulations such as PCI DSS for payment card data, HIPAA for healthcare information, or other sector-specific requirements, implement reasonable security controls appropriate for their environment and data sensitivity, report security incidents involving our Services promptly so we can respond effectively, follow our security recommendations in a timely manner, and use Services only for lawful business purposes.
Violation of this Acceptable Use Policy may result in immediate suspension or termination of Services without refund, notification to law enforcement authorities if illegal activity is suspected, legal action to enforce these Terms and recover damages, and client liability for all damages, costs, and expenses we incur as a result of the violation.
16. Dispute Resolution
Before initiating formal legal proceedings, the parties agree to attempt to resolve disputes through good-faith negotiations. A party must provide written notice of the dispute describing the issue in detail and allow thirty days for senior executives of both parties to meet and negotiate a resolution. These Terms are governed by the laws of Curaçao, without regard to conflict of law principles. For clients in other jurisdictions, mandatory consumer protection laws and regulations of the client's location may also apply to the extent they cannot be waived by agreement.
Subject to arbitration provisions that may be included in specific Service Agreements, the parties submit to the exclusive jurisdiction of courts located in Curaçao for resolution of disputes. Each party irrevocably waives any objection to venue in Curaçao or claim that such courts constitute an inconvenient forum. For enterprise clients, Service Agreements may include provisions requiring disputes to be resolved through binding arbitration under rules of the International Chamber of Commerce, Caribbean Court of Justice, or other arbitration body as mutually agreed. Such arbitration provisions, if applicable, will be specified in the Service Agreement and will govern the resolution of disputes arising under that agreement.
Either party may seek injunctive or equitable relief in any court of competent jurisdiction for breach of confidentiality obligations, infringement of intellectual property rights, unauthorized access or use of systems or data, or other matters requiring urgent relief to prevent immediate and irreparable harm. To the extent permitted by law, disputes must be brought on an individual basis and neither party may bring claims as a plaintiff or class member in any class action, consolidated proceeding, or representative action. The prevailing party in any litigation or arbitration may recover reasonable attorneys' fees and costs as determined by the court or arbitrator, unless prohibited by law or the Service Agreement.
17. General Provisions
These Terms, together with the Privacy Policy and any Service Agreement, constitute the entire agreement between the parties regarding the subject matter herein and supersede all prior agreements, understandings, negotiations, and communications, whether written or oral. We may update these Terms from time to time by posting updated Terms on our website with a new "Last Updated" date, sending email notification to active clients regarding material changes, or requiring acceptance for continued use of Services following significant modifications. Continued use of Services after changes become effective constitutes acceptance of the updated Terms. Material changes to existing Service Agreements require mutual written consent from authorized representatives of both parties.
Failure to enforce any provision of these Terms does not constitute a waiver of that provision or the right to enforce it in the future. Any waiver must be in writing and signed by an authorized representative of the waiving party. If any provision of these Terms is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions remain in full force and effect, and the invalid provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.
Clients may not assign or transfer these Terms or any Service Agreement without our prior written consent, which will not be unreasonably withheld. We may assign our rights and obligations to affiliates or subsidiaries under common control, successors in a merger, acquisition, or sale of substantially all assets related to the Services, or third-party service providers for specific functions only and subject to confidentiality obligations. Any attempted assignment in violation of this provision is void.
Neither party is liable for failure or delay in performance due to causes beyond its reasonable control, including natural disasters, epidemics, pandemics, war, terrorism, civil unrest, government actions or regulations, internet or telecommunications failures not caused by the affected party's negligence, major cyber attacks affecting critical infrastructure, or labor disputes or strikes. The affected party must provide prompt notice of the force majeure event and use reasonable efforts to minimize its impact and resume performance as soon as practicable.
The parties are independent contractors and nothing in these Terms creates a partnership, joint venture, employment, or agency relationship. Neither party may bind the other or make commitments on the other's behalf without express written authorization. These Terms are for the benefit of the parties and their permitted successors and assigns, and there are no third-party beneficiaries except as expressly stated herein.
All notices must be in writing and delivered to the addresses specified in the Service Agreement or, if none specified, to our registered office in Curaçao. Notices may be delivered via email to legal@rezilienz.com for Rezilienz or to the client's primary contact email, via confirmed courier service, or via registered mail with return receipt requested. Notices are effective upon receipt as confirmed by email delivery confirmation, courier signature, or postal service records. These Terms are prepared in English, and any translation is provided for convenience only. In case of conflict between the English version and any translation, the English version prevails.
Service Agreements may be executed in counterparts, each of which is deemed an original and all of which together constitute one complete instrument. Electronic signatures and electronically delivered copies are valid and binding to the same extent as original signatures and paper documents. Clients agree to comply with all applicable export control laws and regulations and represent that they are not located in, under the control of, or acting on behalf of entities in countries subject to trade sanctions or embargoes imposed by the United States, European Union, or United Nations.
18. Contact Information
For questions about these Terms and Conditions, please contact us through the following channels. For general inquiries regarding our services or these Terms, email info@rezilienz.com or call our main business line. For legal matters, contracts, and terms-related questions, email legal@rezilienz.com. For service-specific questions or technical support, email support@rezilienz.com or call our support line during business hours. For security incidents or emergencies, email security@rezilienz.com or call our twenty-four hour SOC emergency line.
Our business address is:
Rezilienz
Dokweg 19
Curaçao
Regional contacts are available for Caribbean operations through our Curaçao office and for Asia-Pacific operations through our New Zealand joint venture partner office.
19. Acknowledgment
By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions in their entirety. If you are entering into this agreement on behalf of an organization, company, or other legal entity, you represent and warrant that you have the legal authority to bind that entity to these Terms. If you are acting on behalf of an organization, references to "you" and "your" in these Terms refer to both you as an individual and the organization you represent. If you do not agree to these Terms or do not have the authority to bind your organization, do not access or use our Services and contact us immediately to discuss alternative arrangements.
_______________________________________________________________________________
Document Control:
Version: 2.0
Effective Date: February 1, 2025
Next Review: August 1, 2025
Owner: Legal Department
Classification: Public
Approved By: [Executive Signature]