IMPORTANT – READ THIS CAREFULLY BEFORE INSTALLING, USING OR ELECTRONICALLY ACCESSING THIS PROPRIETARY PRODUCT.

THIS EVALUATION AGREEMENT (THE “AGREEMENT”) IS A LEGAL DOCUMENT BETWEEN PHISHLINE, LLC (“PHISHLINE”) AND THE BUSINESS ENTITY ON WHOSE BEHALF YOU (“YOU”) ARE ACTING (“CUSTOMER”) AS THE END USER OF THE PHISHLINE SOLUTION AND SETS FORTH THE TERMS AND CONDITIONS BY WHICH CUSTOMER MAY EVALUATE THE PHISHLINE SOLUTION.   (PHISHLINE AND CUSTOMER MAY EACH BE REFERRED TO AS A “PARTY” OR COLLECTIVELY AS THE “PARTIES). BY ACCESSING AND USING THE PHISHLINE SOLUTION, YOU HEREBY AGREE TO THE TERMS AND CONDITIONS SET FORTH IN THIS AGREEMENT WITHOUT MODIFICATION OR RESERVATION.

YOU AGREE THAT YOU ARE AN EMPLOYEE OR AGENT OF CUSTOMER AND ARE ENTERING INTO THIS AGREEMENT TO EVALUATE THE PHISHLINE SOLUTION FOR CUSTOMER’S OWN BUSINESS PURPOSES. YOU HEREBY AGREE THAT YOU ENTER INTO THIS AGREEMENT ON BEHALF OF CUSTOMER AND THAT YOU HAVE THE AUTHORITY TO BIND CUSTOMER TO THE TERMS AND CONDITIONS OF THIS AGREEMENT.

OVERVIEW

PhishLine is a security awareness software platform hosted by PhishLine. Customers provide PhishLine with employee email addresses and/or phone numbers that it owns.  No further information is necessary.  Using the PhishLine Software and wide range of templates offered by PhishLine, the Customer (or PhishLine on Customer’s behalf) may then conduct simulated security attacks against the Customer’s selected email and/or phone recipients. These “security campaigns” typically consist of emails, but may also consist of text messages and pre-recorded voice messages.  These messages will either simulate social engineering attacks, direct employees to security awareness training resources, or both.  The Customer can then review reports that contain information that allow the Customer to take steps to better improve its overall security posture with respect to these types of attacks.

AGREEMENT

1.Definitions
a. “Affiliate” as it relates to a party shall mean any other entity that directly or indirectly controls, or is controlled by, or is under common control with that party, where “control” means the direct or indirect ownership of more than 50% of the voting securities of such entity or party.
b. “Aggregated Data” shall mean the analytical metadata collected by PhishLine from Customer’s use of the PhishLine Solution that does not contain personally identifiable information or information that may identify Customer or its Confidential Information.
 c. “Customer Data” shall mean information generated or created by Customer, its Affiliates, or their respective customers or clients (or prepared on any of their behalves) as well as any reports generated by PhishLine for Customer, its Affiliates, or any of their respective customers or clients through the PhishLine Solution, except that Customer Data shall not include Aggregated Data. All Customer Data is Customer’s Confidential Information and the Customer retains all ownership rights to the Customer Data.
 d. “Documentation” shall mean the documents that describe the functionality and features of the Software and Services, any user instructions or specifications related to the Software and Services as may be updated and revised from time to time by PhishLine, including without limitation the specifications set forth in a Quotation.
 e. “PhishLine Solution” shall mean the Software, the Services and all security awareness training materials, messages, landing pages, surveys, templates, URL’s and Documentation developed or created by PhishLine or transmitted to Customer in order to provide any of the Services under this Agreement.
 f.  “Security Campaign” shall mean a set of electronic messages that may involve sending training, surveys, announcements, or phishing-style messages to Customer designated recipients. Unless otherwise stated in a Quotation, all recipients shall be Customer employees.
 g. “Software” shall mean the PhishLine software accessible through the password protected PhishLine Solution portal.
2.

 

Evaluation License. PhishLine hereby grants to Customer, and Customer hereby accepts, a non-exclusive, non-transferable, limited license to use the PhishLine Solution for evaluation purposes on behalf of Customer’s own internal business purposes only for a period of thirty (30) days (the “Evaluation Period”), subject to the terms and conditions set forth in this Agreement.
3.Restrictions. Customer shall have no right to license, re-license, lease or sell the Software or Services to any individual or entity that is not an Affiliate, agent, officer, director or employee of Customer. Customer shall have no right to share, license, lease sell, publish, distribute or otherwise provide security awareness services to any third party using the PhishLine Solution or Aggregated Data. Customer and its Affiliates shall not: (i) modify, disassemble, decompile or reverse engineer the Services or PhishLine Solution; and Customer shall take commercially reasonable care not to permit any third party to do so; or (ii) copy the Software or Documentation. Customer shall require that its contractors, consultants and Affiliates accessing the PhishLine Solution on Customer’s behalf comply with the terms of this Agreement and Customer shall ensure that any login and password information provided to Customer by PhishLine shall not be disclosed or used by any third party other than Customer’s Affiliates or designated consultants or contractors performing services on Customer’ behalf.
 4.Conduct. Customer and its Affiliates, contractors and consultants shall not use the Services for any unlawful purpose or any purpose not directly related to Customer’s own internal business security analysis, including but not limited to (i) conducting unauthorized phishing schemes or attacks using the Software or Services, (ii) redirecting recipients to connect to non-PhishLine resources; (iii) data mining of personal or proprietary information or otherwise; (iv) harassing or attempting to cause distress or inconvenience to any third party; or (v) sending messages that contain content that may be deemed obscene, offensive, lewd, defamatory or discriminatory. Customer shall comply with all applicable laws and regulations for the jurisdiction(s) in which the Services are provided (including without limitation to all federal, state, and international laws pertaining to the Customer use of electronic communications such as the CAN-SPAM Act, Lanham Act, Telephone Consumer Protection Act (TCPA), FTC regulations and similar laws or agencies). Subject to the availability of lawful appropriations and consistent with Section 8 of the State Court of Claims Act.
 5.Simple Message Services (SMS) texting and telephone restrictions. If Customer contracts with PhishLine to provide Services that utilize SMS/texting, automated or manual telephone calls, or similar telecommunications technology, Customer shall be solely responsible for obtaining prior approval from the owner of any device that may receive such messages from PhishLine in strict compliance with the Telephone Consumer Protection Act of 1991 (TCPA) or any similar law or regulation in any country; and Customer shall be solely responsible for, and shall indemnify PhishLine, for any charges or fees charged by any carrier to Customer or the device owner.
 6.Availability. Customer acknowledges and agrees that Customer’s access to and use of the PhishLine Solution may not be available at certain times as a result of routine maintenance, technical difficulties, equipment malfunctions or due to circumstances beyond PhishLine’s reasonable control. If the PhishLine Solution is unavailable for a period of 24 hours or more Customer may request an extension of the Evaluation Term for the period of such unavailability.
 7.Termination. Either party may terminate this Agreement immediately upon written notice to the other party.
 8.Survival. The provisions of this Agreement which by their nature are intended to survive the termination, cancellation, completion or expiration of the Agreement shall continue as valid and enforceable obligations of the parties notwithstanding any such termination, cancellation, completion or expiration. Without limiting the foregoing, the provisions regarding confidentiality, indemnity, and limitations of liability shall survive the expiration or termination of this Agreement.
 9.Confidential Information. Upon execution of this Agreement, the following terms and conditions as they relate to confidentiality shall supersede and replace any previously executed non-disclosure agreement or confidentiality agreement.
a. Definition. The parties agree that all information and know‑how, whether or not in writing, relating to the business, technical or financial affairs of either party that is generally understood in the industry as being a trade secret, confidential and/or proprietary, whether or not designated as being confidential and/or proprietary information by the party disclosing such information (“Disclosing Party”), or as representing trade secrets of the Disclosing Party (collectively, “Confidential Information”), is and shall be the exclusive property of the Disclosing Party. The party to which the Disclosing Party provides or grants access to shall be referred to hereafter as the “Receiving Party.” For purposes of this Agreement, Confidential Information includes, but is not limited to, the following types of information and other information of a similar nature whether or not reduced to writing: (i) discoveries, ideas, concepts, research, development, processes, operating procedures, “know-how” (whether or not patentable and whether or not copyrightable), trade secret, software, technology, personnel information, marketing techniques, procedures and materials, marketing and development plans, client names and other information related to clients, employee information, vendor information, account fees, pricing and policies, and financial information; (ii) any personally identifiable information, defined as information that can be identified to a particular person without unreasonable effort, such as names and social security numbers (“PII”); and (iii) any other information received from or on behalf of the Disclosing Party that the Receiving Party could reasonably be expected to know is confidential. Confidential Information also includes any information described above obtained from a third party, which either party treats as proprietary or designates as Confidential Information.
 b. Obligations. The Receiving Party will use the same care and discretion to avoid disclosure of Confidential Information as it uses with its own similar information that it does not wish disclosed, but in no event less than a reasonable standard of care and no less than is required by law. The Receiving Party may only use and disclose Confidential Information of the Disclosing Party as necessary for the following “Permitted Purposes”: (i) performing its obligations under this Agreement; (ii) in the case of Customer, deriving the reasonable and intended benefit from the Services provided under this Agreement; and (iii) as otherwise specifically permitted in writing by the Disclosing Party in this Agreement or elsewhere. The Receiving Party may disclose Confidential Information to its employees and employees of permitted subcontractors and Affiliates who have a need to know, but only to the extent required to perform any obligations under this Agreement; and any other party with the Disclosing Party’s prior written consent. Before disclosure to any such individuals, the Receiving Party will have a written agreement with such individual sufficient to require that person to treat Confidential Information in accordance with the requirements of this Agreement, and the Receiving Party will remain responsible for any breach of this Section 7 by any individuals or entities to which it discloses the other party’s Confidential Information. No obligation of confidentiality applies to any Confidential Information that: (A) the Receiving Party already possesses without obligation of confidentiality, develops independently without reference to Confidential Information of the Disclosing Party, or rightfully receives without obligation of confidentiality from a third party; or (B) is or becomes publicly available without the Receiving Party’s breach of this Agreement. However, the foregoing exceptions shall not excuse either party from its obligations to comply with applicable law. The obligations of these confidentiality provisions shall survive termination or expiration of this Agreement.
 c. Each party agrees that its obligation not to disclose or to use Confidential Information also extends to such types of information, know‑how, records and tangible property of employees, customers or potential customers of either party, suppliers or potential suppliers to either party, or other third parties who may have disclosed or entrusted the same to a party.
 d. The Receiving Party may disclose Confidential Information to the extent required by law or legal process, provided that (i) the Receiving Party gives the Disclosing Party prompt notice, if legally permissible, so that the Disclosing Party may seek a protective order, (ii) the Receiving Party reasonably cooperates with the Disclosing Party (at Disclosing Party’s expense) in seeking such protective order, and (iii) all Confidential Information shall remain subject to the terms of this Agreement in the event of such disclosure. At the Receiving Party’s option, Confidential Information will be returned to the Disclosing Party or destroyed (except as may be contained in back-up files created in the ordinary course of business that are recycled in the ordinary course of business over an approximate 30- to 90-day period or such longer period as required by applicable law) promptly upon the Disclosing Party’s request and at the termination or expiration of this Agreement and the Receiving Party will certify to the Disclosing Party in writing that it has complied with the requirements of this sentence.
10.Ownership.
a. Ownership of Customer Data. PhishLine acknowledges and agrees that Customer is the sole and exclusive owner of all rights, title and interest in and to the Customer Data.
b. Ownership of PhishLine Solution and Aggregated DataCustomer acknowledges and agrees that PhishLine is the sole and exclusive owner of all rights, title and interest in and to the PhishLine Solution. Nothing contained in this Agreement shall grant Customer title to or ownership of the PhishLine Solution.
 11.Security of Customer Data.
 a. PhishLine shall have the right to (i) access Customer Data for the purpose of generating reports on Customer’s behalf.   PhishLine will use the Customer Data only as necessary for the operation of the PhishLine Solution.
 b. Access Controls. Because the Customer Data constitutes Customer’s Confidential Information, PhishLine acknowledges and agrees that all obligations imposed on it by this Agreement with respect to Confidential Information apply with equal force to the Customer Data. In addition to the provisions regarding Confidential Information in this Agreement, PhishLine will take commercially reasonable steps to protect the Customer Data in PhishLine’s possession from unauthorized use, access, disclosure, alteration or destruction. Security measures shall include reasonable access controls, including passwords and other measures to authenticate and permit access only to authorized individuals, as well as encryption or other means, where appropriate.
 c. Security Monitoring. PhishLine shall (i) maintain an intrusion detection system to monitor the Data Center which is consistent with industry standards, (ii) use commercially reasonable efforts to detect the occurrence of attacks against the Data Center, the network of which the Data Center is a part (the “Network”), or the Software; (iii) implement and follow a procedure to ensure all Security Incidents are appropriately reported and escalated once detected; (iv) immediately report to Customer any confirmed unauthorized access to Customer Data (a “Security Incident”), and (v) cooperate with Customer to immediately alleviate any continued threat to the privacy or security of the Customer Data, respond to and mitigate the harm arising from a Security Incident, and prevent foreseeable future threats to the security or privacy of the Customer Data.
 d. Personal Information. With the exception of employee email addresses and/or phone numbers, the PhishLine Solution does not require any personal data or information to perform the Services, including without limitation, information (i) that identifies or can be used to identify, contact, or locate the person to whom such information pertains, such as name, address, phone number, fax number, social security number or other government-issued identifier, and credit card information, (ii) from which identification or contact information of an individual person can be derived, or (iii) which constitutes “non-public personal information,” as defined by Title V of the Gramm-Leach-Bliley Act and the regulations issued thereunder (“Personal Information”).   PhishLine covenants that it shall not access or attempt to access Personal Information of Customer or its Affiliates or of their respective employees, customers, agents or contractors, and if PhishLine inadvertently receives such information, it shall treat all such information as Confidential Information under the Agreement and in accordance with all applicable laws and regulations.
 e. Customer acknowledges that PhishLine will exercise no control whatsoever over the content of the Customer Data passing through the PhishLine Solution (e.g. network, email, messaging systems, or website). Customer acknowledges and agrees that PhishLine shall not be liable to Customer or any other third party the disclosure of Confidential Information or Customer Data by Customer, its Affiliate or its employees, officers, directors.
12.Customer Warranties. Customer represents and warrants that the Customer Data does not, to the best of Customer’s knowledge, infringe upon the rights of any third party and, to the best of Customer’s knowledge, is not intended to violate, or to be used to violate, any laws or regulations.
 
 13.No Software Warranty. Customer acknowledges that the PhishLine Solution System is provided to Customer for evaluation purposes only. LICENSOR MAKES NO WARRANTIES AND EXPRESSLY DISCLAIMS AND ALL OTHER WARRANTIES, EXPRESSED OR IMPLIED, WITH RESPECT TO THE PRODUCT INCLUDING (BUT NOT LIMITED TO) IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 
 14.Warranty Disclaimer. CUSTOMER EXPRESSLY ACKNOWLEDGES AND AGREES THAT THE FOREGOING WARRANTIES ARE IN LIEU OF ANY AND ALL OTHER IMPLIED WARRANTIES. EXCEPT AS OTHERWISE SET FORTH ABOVE, PHISHLINE DISCLAIMS ANY AND ALL OTHER REPRESENTATIONS AND IMPLIED WARRANTIES OF ANY KIND WHATSOEVER, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. PHISHLINE DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED OR ERROR FREE.
 
 15.Limitation of Liability. IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, OR PUNITIVE DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT OR THE USE OR PERFORMANCE OF THE SOFTWARE OR THE SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, AND WHETHER OR NOT EITHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE EXCEPT THAT THE FOREGOING LIMITATION SHALL NOT APPLY TO PHISHLINE’S INDEMNIFICATION OBLIGATIONS. NOTWITHSTANDING THE FOREGOING, IN NO EVENT SHALL PHISHLINE BE LIABLE TO CUSTOMER UNDER SECTION 12 OR OTHERWISE IN AN AMOUNT BEYOND THE LIMITS ON ITS INSURANCE (PLUS ANY DEDUCTIBLE OR RETENTION PAYABLE BY PHISHLINE) AS SET FORTH IN SECTION 12(D). CUSTOMER ACKNOWLEDGES AND AGREES THAT BECAUSE THE PHISHLINE SOLUTION IS A TOOL TO TEST SECURITY AWARENESS AMONG EMPLOYEES AND A SECURITY AWARENESS EDUCATIONAL TOOL, RATHER THAN A MISSION CRITICAL NETWORK SECURITY APPLICATION, THE LIMITATION OF LIABILITY SET FORTH IN THIS SECTION IS REASONABLE.
 16.Remedies. If Customer is dissatisfied with the performance of the PhishLine solution, Customer’s sole remedy shall be to cease using the PhishLine Solution and terminate this Agreement.
 
 17.Use of Trade NamesPhishLine shall not be permitted to use Customer’s name or image or refer to Customer in any marketing or similar materials without the prior written consent of Customer to such use.
 
18. Indemnification.
 a. By Customer. Customer shall indemnify, defend, and hold harmless PhishLine, its Affiliates, and their respective directors, officers, members, employees, customers, agents, successors and assigns (each, a “PhishLine Indemnitee”) from and against, any and all third party claims and the judgments, awards, losses, costs, expenses, liabilities, and damages of every kind and nature (including, without limitation, reasonable attorney fees) resulting therefrom, incurred by a PhishLine Indemnitee to the extent arising from or in connection with: (i) Customer’s breach of Sections 3 (Restrictions), 4 (Conduct), 5 (SMS Restrictions), 9 (Confidentiality) or 12 (Warranty); or (ii) Customer’s intentional or negligent misuse of the PhishLine Solution in violation of any law or regulation.
  b. By PhishLine. PhishLine shall indemnify, defend, and hold harmless each of Customer, its Affiliates, and their respective directors, officers, members, employees, customers, agents, successors and assigns (each, a “Customer Indemnitee”) from and against, any and all third party claims and the judgments, awards, losses, costs, expenses, liabilities, and damages of every kind and nature (including, without limitation, reasonable attorney fees) resulting therefrom, incurred by any Customer Indemnitee to the extent arising from or in connection with: (i) PhishLine’s breach of Sections 7 (Confidentiality), 9 (Security and Customer Data) or (ii) infringement or alleged infringement of a U.S. patent, trademark or copyright brought by any individual or entity relating to the Software, Services or PhishLine Solution or (iii) PhishLine’s intentional or negligent misuse of the PhishLine Solution in violation of any law or regulation. Notwithstanding the above, PhishLine shall not have any duty to indemnify Customer against a third party claim of intellectual property infringement, or alleged infringement if and to the extent such claim is based on Customer’s use of the Software, Services or PhishLine Solution in a manner that is in violation of this Agreement or inconsistent with the Documentation, as may be amended from time to time by PhishLine.
  c. Indemnification Procedures. In the event a claim for which indemnification is available under this section (a “Claim”) is filed against a PhishLine Indemnitee or Customer Indemnitee (collectively, an “Indemnitee“), the Indemnitee shall promptly notify the indemnifying party in writing of the Claim. No delay on the part of the Indemnitee in notifying the indemnifying party shall relieve the indemnifying party from any obligations hereunder unless, and then solely to the extent that, the indemnifying party is materially prejudiced thereby. The indemnifying party shall assume the defense of, compromise or settle the Claim at its expense, provided, however, that the indemnifying party shall have no right to settle any Claim that in any way assesses blame against any Indemnitee or that provides a remedy other than the payment of money without the Indemnitee’s prior written consent. After the indemnifying party assumes the defense of the Claim, the Indemnitee shall have the right to retain separate counsel, at its own expense, for the purpose of participating in the defense and/or settlement of the Claim. The Indemnitee shall provide to the indemnifying party all information, assistance and authority reasonably requested in order to evaluate any Claim and effect any defense, compromise or settlement thereof at the expense of the indemnifying party.
19.General.
 a. Severability; Governing Law; Waiver. If any provision of this Agreement is held to be unenforceable, the provision shall be deemed stricken herefrom ab initio, and the enforceability of the remaining provisions shall in no way be affected or impaired thereby. This Agreement and any disputes arising hereunder shall be governed by the laws of the State of Wisconsin without regard to its conflicts of laws principles. The parties hereby consent to the exclusive jurisdiction and venue within Milwaukee County of the State of Wisconsin. A failure by any party to exercise or any delay in exercising a right or power conferred upon it in this Agreement shall not operate as a waiver of any such right or power.
 b. Merger. This Agreement, the Schedules and each Quotation constitute the entire agreement between Customer and PhishLine regarding the subject matter hereof and supersede all prior writings, discussions and negotiations, including any Customer standard terms and conditions. No discussions, writings, communications or parole evidence indicating the parties’ intent with respect to any provision of any of such documents shall be admissible evidence for purposes of interpreting such provisions.
 c. Assignment; Successors and Assigns. Notwithstanding anything in this Agreement to the contrary, during the Evaluation Term, Customer may not assign this Agreement to any other party without prior written consent of PhishLine.
 d. Relationship of the Parties. PhishLine and Customer are independent of one another and neither party’s employees will be considered employees, agents or contractors of the other party for any purpose. Nothing contained in this Agreement shall be deemed to create the relationships of employer and employee, master and servant, franchisor and franchisee, partnership or joint venture between the parties. Neither party has the authority to bind the other to any third party. Customer shall have no right to direct or control PhishLine with respect to PhishLine activities hereunder. PhishLine shall have no right to direct or control Customer with respect to Customer activities hereunder.
 e. Notices. All notices required or permitted under this Agreement shall be in writing and shall be given by (i) registered or certified mail, return receipt requested, postage prepaid, or (ii) nationally recognized overnight courier service to the other party at the addresses listed below or to such other address or person as a party may designate in writing, or (iii) electronic mail.