MSA Vulnerability Assessment Service

CVEHunter Master Services Agreement

Vulnerability Assessment Service

This End Agreement ('Agreement'), effective as of 01.05.2024, governs the provision of vulnerability assessment services by CVEHunter to the client ('Client').

TABLE OF CONTENTS

1. Definitions

2. Statement of the Work

3. Charges and Payment Terms

4. Terms and Termination

5. Indemnification

6. Intellectual Property

7. Warranties and Disclaimers

8. General Provisions

8.1 Client’s Consent to Network Intrusion and Waiver of Claims

8.2 Miscellaneous

8.3 Independent Contractors

8.4 Parties responsibilities

9. Limitation of Liability

10. Confidentiality

11. Governing Law and Jurisdiction

12. Cybersecurity and Data Backup Addendum

12.1 Data Security

12.2 Data Privacy

12.3 Data Handling and Destruction

12.4 Compliance

12.5 Client Responsibilities

12.6 Third-Party Vendors

12.7 Incident Response

1. Definitions

1.1 Customer Data means any of Customer’s data gathered through the provision of the Services or contained in any Deliverable.

1.2 Deliverables means the draft or final reports that are created for Customer as a result of the Services provided hereunder, unless otherwise defined in the individual SOW.

1.3 Services means the consulting, testing, managed, or other services described in an SOW that CVEHunter provides pursuant to Section 2.1 hereof. Services may be Managed Services or Professional Services:

(i) Managed Services means, but not limited to, that CVEHunter manages, maintains, operates, and supports different types of platforms, servers, and third party services for the term and scope indicated in an SOW.

(ii) Professional Services means, but not limited Services where Customer engages CVEHunter to perform specific, identified tasks, either at specific dates and times, or retained for a period of time in order to perform them as needed.

1.4 SOW means: mutually Tagreed upon statement of work, or scope of work, scope of service, or service brief that sets forth and describes the Services to be provided hereunder, the applicable fees to be paid, and as applicable, any delivery schedules, timelines, specifications, and any other terms agreed upon by the parties; in each case as signed or referenced by Customer or its authorised representative.

2. Statement of the Work (SOW) Structure

The structure and content of the Statement of Work (SOW) are outlined herein as a general framework and are subject to customization based on the specific requirements and objectives of each individual engagement with a Customer. While the general format of the SOW is provided below, the actual content, scope, milestones, payment terms, and any other relevant details will be determined and specified in a mutually agreed-upon SOW for each unique engagement.

2.1 Ordering Services

Customer may engage CVEHunter to provide services by executing a mutually agreed upon Statement of Work (SOW). The SOW shall define the scope of services, objectives, goals, timelines, pricing, and any other specific terms related to the engagement.

2.2 Service Execution

CVEHunter commits to delivering the services outlined in the SOW in accordance with the agreed-upon specifications and timelines.

2.3 Amendments and Changes

Any changes or amendments to the SOW must be approved in writing by both parties. This ensures that any modifications to the scope, objectives, or terms are mutually agreed upon and documented.

2.4 Invoicing and Additional Services

CVEHunter will only invoice Customer for services as specified in the approved SOW. Any additional services or work beyond the SOW's scope require the prior written consent of Customer and will be subject to separate billing arrangements.

2.5 Managed Services Software License

In cases where Managed Services involve the use of CVEHunter software, Customer is granted a license to use such software. The terms and conditions of this license are subject to the applicable software license agreement. The license is valid for the duration of the Managed Services engagement.

2.6 Platform Access

Customer will retain access to the CVEHunter platform for the duration of their usage. Access will be provided in accordance with the terms of the individual SOW and may be subject to any relevant subscription or access fees.

2.7 Confidentiality

The parties acknowledge that the SOW may contain confidential information. Both parties agree to maintain the confidentiality of any sensitive information shared during the course of the engagement.

2.8 Termination

The SOW may specify the conditions under which either party may terminate the engagement. The termination process and any associated obligations will be detailed in the SOW.

2.9 Governing Terms

This SOW is governed by the terms and conditions outlined in the publicly available Master Services Agreement (MSA) provided by CVEHunter. By entering into the SOW, Customer acknowledges and agrees to be bound by the MSA and its terms and conditions.

2.10 Entire Agreement

The SOW, in conjunction with the MSA, constitutes the entire agreement between the parties with respect to the specific services outlined therein.

3. Charges and Payment Terms

3.1 Customer may make payments for the services provided by CVEHunter using the payment methods listed and described on CVEHunter's official website. In the event that Customer requests an invoice for their payment, CVEHunter shall provide the invoice to Customer electronically or by other means as mutually agreed upon between the parties.

3.2 Customer agrees to pay the fees, charges, and other amounts on a monthly basis for the duration of the subscription term, as specified in the applicable SOW. In addition to the monthly payments, a fixed setup fee shall be paid upfront upon execution of the SOW, unless otherwise agreed by the parties. All fees are non-refundable, unless otherwise stated herein.

(i) In case an SOW requires travel by CVEHunter to a Customer designated site, Customer shall also reimburse CVEHunter for all reasonable out-of-pocket expenses incurred by CVEHunter in connection with delivery of the Services. The rules and conditions governing reimbursement for expenses and any other financial matters related to the provision of services shall be specified in the individual Statement of Work.

(ii) Customer shall be responsible for remitting all taxes levied on any transaction under this Agreement, including, without limitation, all federal, state, and local sales taxes, levies and assessments, and local withholding taxes in Customer’s jurisdiction, if any, excluding, however, any taxes based on CVEHunter's income.

(iii) In case of Customer is required to withhold taxes from its payment or withholding taxes are subsequently required to be paid to a local taxing jurisdiction, Customer is obligated to pay such tax, and CVEHunter, as applicable, will receive the SOW payment amount as agreed to net of any such taxes. Customer shall provide to CVEHunter written evidence that such withholding tax payment was made.

3.3 Invoice schedule and payment terms will be set forth in the SOW. In the event that Customer delays or postpones an SOW based on a subscription plan for more than five (5) calendar days, CVEHunter may invoice the portion of the subscription fee corresponding to the duration of the delay.

4. Terms and Termination

4.1 Termination of Convenience. Either party may terminate any SOW which is subject to this Agreement, for convenience upon thirty (30) days prior written notice to the other party, unless otherwise prohibited by the terms of this Agreement or SOW. The date of termination won’t be earlier than the date of the end of the subscription, the next of the end of the 30-day period of notice.

4.2 Termination of Cause. Either party may terminate any SOW which is subject to this Agreement, for cause upon written notice to the other party if: (i) the breaching party fails to comply with the terms of this Agreement or applicable SOW, or (ii) the breaching party fails to cure the matter causing the breach within mutually agreed elimination timeline approved by both parties or will delay execution of any elimination timeline items approved by both parties more than thirty (30) days. CVEHunter may suspend performance under the SOW without notice if the customer fails to timely pay for accepted fees (as defined in Section 2 and 3) or other amounts due under the SOW.

4.3 Bankruptcy/Default Payment Terms. If either party becomes insolvent, is unable to pay its debts when due, files for bankruptcy, is subject of involuntary bankruptcy, has a receiver appointed, or has its assets assigned, the other party may terminate any SOW which is subject to this Agreement without notice and may cancel any unfulfilled obligations in any contract or SOW whether or not the contract or SOW may be defined as an Executionary Contract by a Bankruptcy Court. If the customer's payment history with CVEHunter shows late payments, CVEHunter may change payment or credit terms.

4.4 Effect of Termination. Upon termination of a SOW, Customer will pay CVEHunter for all Professional Services previously rendered, Deliverables, Hardware, and or Software provided, and charges and expenses incurred by CVEHunter up through and including the date of termination. CVEHunter will invoice the above mentioned expenses and Customer will be obligatory to pay invoice not less than 7 days before termination of SOW. Delay of the payment the final invoice will be charged.
Customer will receive all work in progress for which Customer has paid. In the event that Customer has prepaid for services that have not been rendered, CVEHunter shall reimburse these prepayments unless otherwise specified in SOW. In the event that the SOW provides a third-party service subscription in which the subscription period extends past the termination date of an SOW, Customer agrees to pay for the remaining subscription as described in the terms defined in the SOW.

5. Indemnification

5.1 You agree to defend, indemnify, and hold us harmless, including our subsidiaries, affiliates, and all of our respective officers, agents, partners, and employees, from and against any loss, damage, liability, claim, or demand, including reasonable attorneys' fees and expenses, made by any third party due to or arising out of: (1) use of the Services; (2) breach of these Legal Terms; (3) your violation of the rights of a third party, including but not limited to intellectual property rights; or (4) any overt harmful act toward any other user of the Services with whom you connected via the Services. Notwithstanding the foregoing, in case you won't provide the necessary level of defense or we will face with improper level of attention to above mentioned cases (1-4) we reserve the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate, at your expense, with our defense of such claims. We will use reasonable efforts to notify you of any such claim, action, or proceeding which is subject to this indemnification upon becoming aware of it.

5.2 Procedure for Indemnification. A claim for indemnification for any matter not involving a third-party claim may be asserted by notice to the Party from whom indemnification is sought.

6. Intellectual Property Rights

6.1 All copyrights, patents, trademarks, trade secrets, and any other intellectual property rights existing prior to the effective date of the relevant transaction document shall belong to the party that owned such rights immediately prior to the effective date.

6.2 Each Party agrees that it will acquire no right, title or interest in or to the other Party’s information, data, tools, processes or methods, or any copyrights, trademarks, service marks, trade secrets, patents or any other intellectual or intangible property or property rights of the other by virtue of the Services provided or materials delivered pursuant to this Agreement. Neither Party will use the other Party’s trademarks, service marks, trade names nor product names other than as explicitly set forth in this Agreement. During the Term of this Agreement, CVEHunter may not include Client’s name Publicly in a list of Clients on its website or in promotional materials or as a reference in sales presentations, until and unless Client approves such use of Client’s name in advance of CVEHunter’s use.

7. Warranties and Disclaimers

7.1 Mutual. Each Party represents and warrants to the other that it has the right to enter into this Agreement, and that the consent of no other person or entity is necessary for it to enter into and fully perform this Agreement.

7.2 Limited Warranties of CVEHunter. CVEHunter represents and warrants to Client that:

i. All intrusions effected by CVEHunter as part of the Services will be in accord with CVEHunter’s statement of work, and will be performed on devices specified in the statement of work.

ii. The Services will be performed in a workmanlike manner using reasonable care and skill by qualified personnel who are experienced in Provider’s methodology.

iii. The Services will be performed at a level of quality consistent with that provided by the mainstream of experts providing similar services on a commercial basis in the EU.

iv. The Services will not cause to have introduced into Client’s information systems and networks any self-replicating or non-self-replicating computer codes, commands, routines or like data or entries that perform an undesired activity.

7.3 No Other Warranties. Except as otherwise expressly set forth in this agreement, all services and deliverables provided by CVEHunter are provided “ as is” and CVEHunter (1) disclaims all other warranties express or implied, including any warranties of merchantability or fitness for particular purpose, and despite of CVEHunter doesn’t use tools or software that can reduce the level of defense of security (2) CVEHunter does not guarantee that client’s network, computer systems, or any portions thereof are secure. Client acknowledges that impenetrable security cannot be attained in real -world environments and that provider does not guarantee protection against breaches of security.

7.4 No Guarantee of Meeting Client’s Needs. CVEHunter has no way of determining Client’s perceived needs, and therefore does not warrant that the Services will meet Client’s needs, except requirements and quality of service mentioned in SOW explicitly.

7.5 No Warranties to Third Parties. Neither CVEHunter nor Client will make any warranties on behalf of the other to any third party, without the prior written consent of the other Party.

8. General Provisions

8.1 Client’s Consent to Network Intrusion and Waiver of Claims.

i. Some of the techniques CVEHunter will employ in providing the Services would constitute improper and unauthorized access, absent the consent thereto given by Client to CVEHunter herein. Accordingly, on the condition that CVEHunter performs the Services in accordance with the terms of this Agreement, Client provides its consent to CVEHunter’s employment of such invasive and/or intrusive techniques as being part of the Services to be performed at Client’s request pursuant to this Agreement.

ii. Client acknowledges that, notwithstanding CVEHunter’s performance of the Services in accordance with the terms of this Agreement, the impact of CVEHunter’s tools may inadvertently cause Client’s System to suffer degraded performance or responsiveness. To prevent the loss of data CVEHunter will recommend making a backup and redundancy of the Client's services. On the condition that CVEHunter performs the Services in accordance with the terms of this Agreement, Client agrees to waive any and all claims against CVEHunter and CVEHunter’s Related Parties for any such damage, including damage that may be caused by CVEHunter actually gaining access to such System. Also, Client agrees to waive any and all claims against CVEHunter and CVEHunter’s Related Parties for lost profit in case of degradation or break of Client's services during some specific tasks or while restoring from backups.

iii. Client’s conditional consent to CVEHunter’s actions and conditional waiver of claims are based on Client’s understanding of its own System as well as its understanding of the Services to be provided pursuant to this Agreement. Client further warrants and represents that it has had the opportunity to question CVEHunter regarding the Services and the techniques involved in implementing the Services, and therefore agrees that its conditional consent and waiver constitute an informed conditional consent and waiver.

8.2 Miscellaneous

Non-Exclusivity - The services to be provided by the parties under this MSA are non-exclusive. Each party shall be free to engage in similar business activities with other parties.

Compliance with Laws - Each party shall comply with all applicable laws, rules, and regulations in connection with its activities under this MSA.

No Employee Benefits - The parties acknowledge and agree that the relationship between them is that of independent contractors and that neither party is entitled to employee benefits provided by the other party, including but not limited to, workers' compensation, unemployment insurance, or health insurance.

Severability - If any provision of this MSA is held to be invalid, illegal, or unenforceable, such provision shall be severed from this MSA and the remaining provisions shall remain in full force and effect. The parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid provision that achieves to the greatest extent possible the original economic, legal, and commercial objectives of the severed provision.

Non-Waiver - No failure or delay by either party in exercising any right, power, or privilege under this MSA shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power, or privilege preclude any other or further exercise thereof or the exercise of any other right, power, or privilege under this MSA. No term or condition of this Agreement will be deemed waived, and no breach will be deemed excused, unless such waiver or excuse is in writing and is executed by the Party from whom such waiver or excuse is claimed.

8.3 Independent Contractors
The parties to this MSA are independent contractors and nothing contained in this MSA shall be construed to create a joint venture, agency, partnership, or employment relationship between the parties.

8.4 Parties responsibilities

8.4.1 Cooperation and Communication. Both parties shall cooperate and maintain open and timely communication throughout the duration of this Agreement. They shall work collaboratively to achieve the objectives outlined in the Statement of Work (SOW) and to resolve any issues or disputes that may arise during the course of the engagement.

8.4.2 Compliance with Laws and Regulations. Each party agrees to comply with all applicable laws, regulations, and industry standards relevant to the services provided under this Agreement. This includes but is not limited to data protection and privacy laws, intellectual property rights, and any other legal requirements that may pertain to the provided service.

8.4.3 The parties shall collectively take reasonable measures to protect data, information, and assets shared during the engagement. Both parties are responsible for safeguarding the confidentiality, integrity, and availability of such data.

8.4.4 The Client agrees to make timely payments in accordance with the payment terms outlined in the Agreement and associated SOWs. CVEHunter is responsible for providing accurate and complete invoices for the services rendered.

8.4.5 In the event of a dispute, both parties shall make good faith efforts to resolve the matter through negotiation, mediation, or other alternative dispute resolution methods outlined in the Agreement.

8.4.6 Termination and Transition. Upon termination of the Agreement or an individual SOW, both parties shall fulfill their respective obligations related to termination, including the return of materials, payment of outstanding fees, and the transfer of data or assets, as applicable.

8.4.7 Notices: Both parties shall provide all official notices, communications, or changes in contact information in writing, in accordance with the notice provisions as outlined in the Agreement.

8.4.8 Governing Law. The parties acknowledge and agree that the Agreement shall be governed by the laws and regulations of the jurisdiction specified in the Agreement.

8.4.9 Entire Agreement. Both parties acknowledge that this Agreement, along with any attached SOWs or addendums, constitutes the entire understanding and agreement between the parties with respect to the subject matter, superseding any prior or contemporaneous agreements, whether written or oral.

9. Limitation of Liability

Neither party will be liable under this agreement for lost revenues or indirect, special, incidental, consequential, exemplary, or punitive damages, even if the party knew or should have known that such damages were possible. The total liability of either party for all claims under this agreement, whether in contract, tort, or otherwise, shall not exceed the total amount paid or payable by the customer to CVEHunter hereunder during the two months immediately prior to the event giving rise to liability, except for (i) violations of a party’s intellectual property rights by the other party.

10. Confidentiality

10.1 Confidential Information “Confidential Information” means information provided by one party to the other party which is designated in writing as confidential or proprietary, as well as information which a reasonable person familiar with the disclosing party’s business and the industry in which it operates would know is of a confidential or proprietary nature. A party will not disclose the other party’s Confidential Information to any third party without the prior written consent of the other party, nor make use of any of the other party’s Confidential Information except in its performance under this Agreement. Each party accepts responsibility for the actions of its agents or employees and shall protect the other party’s Confidential Information in the same manner as it protects its own Confidential Information, but in no event with less than reasonable care. The parties expressly agree that the terms and pricing of this Agreement are Confidential Information. A receiving party shall promptly notify the disclosing party upon becoming aware of a breach or threatened breach hereunder and shall cooperate with any reasonable request of the disclosing party in enforcing its rights.

10.2 Exclusions Information will not be deemed Confidential Information if such information: (i) is known prior to receipt from the disclosing party, without any obligation of confidentiality; (ii) becomes known to the receiving party directly or indirectly from a source other than one having an obligation of confidentiality to the disclosing party; (iii) becomes publicly known or otherwise publicly available, except through a breach of this Agreement; or (iv) is independently developed by the receiving party without use of the disclosing party’s Confidential Information. The receiving party may disclose Confidential Information pursuant to the requirements of applicable law, legal process or government regulation, provided that, unless prohibited from doing so by law enforcement or court order, the receiving party gives the disclosing party reasonable prior written notice, and such disclosure is otherwise limited to the required disclosure.

11. Governing Law and Jurisdiction

These Legal Terms are governed by and interpreted following the laws of Finland, and the use of the United Nations Convention of Contracts for the International Sales of Goods is expressly excluded. CVEHunter and Customer both agree to submit to the non-exclusive jurisdiction of the courts of Helsinki, which means that Customer may make a claim to defend their consumer protection rights in regards to these Legal Terms in Finland.

12. Cybersecurity and Data Backup Addendum

12.1 Data Security

CVEHunter shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data (a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, as appropriate:

the pseudonymization and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; or
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

12.2 Data Privacy

12.2.1 Customer Data. CVEHunter may use Customer Data solely as necessary to: (i) provide the Services to Customer; (ii) in anonymized and aggregated form that does not or cannot be used to identify Customer or any Customer Data, generate statistics and produce reports; and (iii) collect data and analytics about use of the Services in order to continue to improve the development and delivery of the Services.

12.2.2 Data Privacy. Customer represents and warrants that Customer has obtained all necessary rights to permit CVEHunter to collect and process Customer Data from Customer, including, without limitation, data from endpoints, servers, cloud applications, and logs.

12.3 Data Handling and Destruction

Confidentiality of Processing. CVEHunter shall ensure that any person that it authorizes to Process the Personal Data (including CVEHunter's staff, agents and subcontractors) (an "Authorized Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. CVEHunter shall ensure that all Authorized Persons Process the Personal Data only as necessary for the Permitted Purpose.

12.4 Compliance

12.4.1 Conflict of Interest. Both parties acknowledge that, during the term of this Agreement, conflicts of interest may arise. The following provisions shall apply to prevent and address conflicts of interest:

(i) Any worker, employee, or representative of CVEHunter shall not seek personal financial gain by providing services to the Client without the knowledge and consent of CVEHunter. CVEHunter Customer shall not engage in direct work with the Client's staff, bypassing the terms of this Agreement or any contact with CVEHunter.

(ii) In the event the Client becomes aware of a potential violation of this provision, the Client shall promptly inform CVEHunter about the incident. CVEHunter shall conduct a thorough investigation into the matter and take appropriate actions as necessary to address any conflicts of interest and maintain the integrity of the professional relationship between the parties.

12.4.2 Impartiality. The Client affirms that their decision to enter into this Agreement is solely based on their interest in the services provided by CVEHunter and not influenced by personal relationships with CVEHunter's staff or affiliates.

12.4.3 Gifts and Favors. The parties shall adhere to the following principles regarding gifts, presents, and invitations: Gifts, presents, and invitations extended by Customer to the CVEHunter for events, restaurants, personal meetings, or other purposes should not be accepted as an incentive or reward for services, a discount, or an improvement in the service. (i) Such offers must be of a gift nature only and accepted in accordance with reasonable rules, accepted and operating in the society of the Client's culture and/or as required by local law.

12.4.4 End-to-end responsibility. During the setting of the platform or/and services Client can face the need to make a tuning or installation of some software or/and hardware that is out of the scope of SOW or other existing agreements. The Client shall follow only official recommendations from CVEHunter and refrain from following some private recommendations from the staff about partners or/and companies for the mentioned tasks.

12.5 Client Responsibilities

The Client shall have certain responsibilities related to cybersecurity and data management, which may include but are not limited to the following:

1. Implementing and maintaining appropriate security measures to safeguard their data and systems.

2. Complying with all policies and procedures related to the secure use of the services provided.

3. Promptly notifying CVEHunter of any suspected security breaches, unauthorised access, or data incidents.

4. The customer is solely responsible for backing up and safeguarding any data received from the vulnerability assessments performed by CVEHunter. This includes data downloaded from our platform. CVEHunter is not liable for any loss, corruption, or security breaches related to the data provided to the customer. It is the customer's responsibility to ensure the security and integrity of the data obtained through our services.

12.6 Third-Party Vendors

The Client acknowledges that CVEHunter may engage third-party vendors or service providers to deliver certain aspects of the services. CVEHunter shall use reasonable efforts to ensure that such third-party vendors meet the required cybersecurity and data protection standards. However, the Client understands that, in some cases, third-party vendors may have their own terms and conditions, and their compliance is not directly under the control of CVEHunter. CVEHunter will notify the Client when third-party vendors are engaged, and any specific terms and conditions related to their services will be outlined in the relevant SOW or agreement.

12.7 Incident Response

12.7.1 Upon becoming aware of a Security Incident, CVEHunter shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. CVEHunter shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.

12.7.2 In the event of a cyberattack, security breach, or data loss CVEHunter will not be liable for any special, incidental, or consequential damages, including but not limited to, lost profits or revenue, loss of use of equipment, lost data, cost of substitute equipment, services, downtime, third party fees related to recovery or restoration of data, or claims of customer for such damages, whether the claims be in contract, tort, strict liability, negligence, or otherwise, even if CVEHunter had been advised of such potential damages. CVEHunter will not have any liability for damages, monetary or otherwise, by customer, or any other affected party, in the event of a security breach or security-related outages, damages, data losses, etc. Customer shall save and hold harmless CVEHunter from any such claims. The parties agree and acknowledge as a material term of this agreement that the total liability of CVEHunter for claims related to cyberattack, security breaches, or loss of data arising as a result of or related directly or indirectly to this agreement or the services provided hereunder, or to any act or omission of CVEHunter, whether in contract, tort, or otherwise, shall not exceed an amount equal to that actually paid by customer to CVEHunter in the 2 months preceding the claim.