Legal

Terms and Legal

General Terms and Conditions (GTC)

Subject Matter
Creolytix’ Services
Availability, Suspension, Setup, Support and Documentation
Usage Rights, Restrictions and Intellectual Property
Fees
Data Protection
Customer Obligations
Confidentiality
Warranties and Disclaimers
Limitation of Liability
Intellectual Property Indemnification
Term and Termination
Changes to the GTC and Creolytix Security Platform
Miscellaneous

Version: January 2024

1. Subject Matter

1.1. Parties and Subject Matter. This document, referred to as the General Terms and Conditions (“GTC“), sets out the terms governing the relationship between Creolytix and the Customer in the provision of the Services listed in the Order.

1.2. No Deviating Regulations. Any provisions that differ from or extend beyond these GTC do not apply. This specifically includes any general terms and conditions of the Customer. This applies even if Creolytix accepts an order from the Customer that refers to its own terms and conditions, or if such terms are attached to the order, and Creolytix does not expressly reject them.

2. Creolytix’ Services

2.1. Services. Creolytix provides to Customer the Services described in the Order, in particular the Creolytix Security Platform and Professional Services (jointly “Services”).

2.2. Creolytix Security Platform. Creolytix grants Customer access to the Creolytix Security Platform. The Creolytix Security Platform is a managed web-based cloud service which provides aggregated content and complementing services to support the Customer in situational awareness, decision making and responses to potential risks; it includes

a) Security relevant content, in particular in the form of data feeds about security and safety related events, e.g. attacks, nature catastrophes, or brand reputation risks (“Event”) and security analysis, e.g. generic country reports (“Analysis”), such Events and Analysis (“Content”),

b) Functionalities for filtering Events based on the Customer’s specific interests, like geo-locations, travel routes, or brand names (“Interests“), and receiving notifications about Events, e.g. via email or SMS (“Alerts“),

c) A platform for discussing Events and engaging with other users of the Creolytix Security Platform and Creolytix’ security experts on security topics (“Community“), and

d) A service for brokering third-party security products and services, such as specialized data feeds, analysis, and other security services, including personal security services (“Third Party Offerings“), offline on a case by case basis, or by means of an online marketplace (“Marketplace”).

2.3. Content. Creolytix’ service is to collect security information from public sources, including social media and from or via selected data providers (“Source Information”). Creolytix makes this Source Information available on the Creolytix Security Platform through uniform and consolidated Feeds and in the form of Creolytix’ Analysis. Creolytix is not obligated to verify the Source Information and is not responsible for the accuracy or completeness of the Source Information.

2.4. Professional Services. Creolytix may offer additional professional services, such as the initial setup of Interests and Alerts or customized security analysis (“Professional Services“). Professional Services will be provided in a competent manner and performed with reasonable skill, care, and diligence. No rights can be derived from any order or similar type of document stating an expected outcome of the Professional Service performed by Creolytix.

2.5. No-Charge Offerings; Previews. All services or offerings provided as Free Trial or otherwise at no charge to Customer (“No-Charge Offerings”), and (ii) features or services offered at no extra charge as part of Services prior to their general release that are labeled or otherwise communicated to Customer as “preview”, “pre-release”, “demo”, or “beta” (“Previews”), are provided “AS IS” without warranty, indemnity, support, or other commitments. Creolytix may change, limit, suspend, or terminate any Previews at any time. Customer acknowledges that Previews are not ready for production usage, and that Customer’s use of any Previews is at its sole risk and discretion. Customer will only use No-Charge Services identified on an Order as being “demo”, “test”, “evaluation”, “beta”, or similar for internal test and evaluation purposes, and not for security purposes.

2.6. Third Party Offerings. For brokered Third Party Offerings, the Customer’s contractual partner is the respective third party (“Third Party Provider“). The Third Party Offerings are exclusively subject to the terms and conditions of the Third Party Provider. Creolytix will indicate Third Party Offerings by labelling or communicating it as “third party”, “brokered” or “marketplace” content, products, or services or in a similar manner. Creolytix is not required to review Third Party Offerings and is not responsible or liable for them.

3. Availability, Suspension, Setup, Support and Documentation

3.1. Availability. Creolytix will make the Creolytix Security Platform available as set out in the Service Level Agreement (available at www.creolytix.io/legal/sla) (“SLA”).

3.2. Suspension. Creolytix may suspend or limit Customer’s or any Authorized User’s access to and use of the Creolytix Security Platform, in whole or in part, immediately (i) if Creolytix reasonably determines that the use of the Creolytix Security Platform poses a security risk to the Creolytix Security Platform, Creolytix, or any third party, or subjects Creolytix or any third party to liability, (ii) if Customer materially breaches this Agreement, or (iii) upon the occurrence of any of the circumstances that give Creolytix the right to immediate termination. Suspension or limitation will not limit any other rights available to Creolytix under this Agreement, will not relieve Customer of its obligation to pay fees, and will be lifted when the reason for such suspension or limitation no longer exists.

3.3. Setup. The Customer is responsible for the initial setup of the Creolytix Security Platform (e.g. user and roles setup, setting of Interests and Alerts), unless respective Professional Services are ordered.

3.4. Technical Support. Customer may contact Creolytix’ technical support as primary point of contact for support in relation to the technical issues of the Services. Creolytix provides the support services in accordance with the SLA (available at www.creolytix.io/legal/sla)

3.5. Documentation. Creolytix will provide user and admin documentation in Creolytix’ reasonable discretion in the form of online help texts and/or PDFs. Documentation is in English.

4. Usage Rights, Restrictions and Intellectual Property

4.1. Creolytix Security Platform. Creolytix hereby grants the Customer the non-exclusive, non-transferable and non-sublicensable right to access and use the Creolytix Security Platform by Authorized Users for Customer’s own internal business purposes, i.e., to safeguard the security of Customer’s employees, officers, facilities, brands, reputation, products and services (“Customer’s Security Purposes”). This right is limited in time to the Subscription Term.

4.2. User Limits. The usage right is granted to “Authorized Users” in the form of individual use licenses. An “Authorized User” is an employee of Customer authorized to use the Creolytix Security Platform in accordance with this Agreement, and who has been supplied a username and password (“Authentication Credentials”). Customer shall be fully responsible for each Authorized User’s use of the Creolytix Security Platform. Authentication Credentials are personal to each Authorized User and may not be shared with or used by more than one person. Customer may transfer an individual use license from one Authorized User to another from time to time, provided that the number of Authorized Users shall not exceed the maximum number of Authorized Users set forth in the Order. Authorized Users must be located in the User Territory. If use by Affiliates is included according to the Order, Authorized Users may also be employees of Customer’s Affiliates. “Affiliate” means any entity that controls, is controlled by, or is under common control with either Party; in this context, “control” means ownership, directly or indirectly, of a majority of the outstanding equity of an entity.

4.3. Interests and Alerts Limit. The total number of Interests and Alerts concurrently set by all Authorized Users in total may not exceed the maximum number of Interests and maximum number of Alerts specified in the Order and Creolytix Service Description. “Interests” shall mean assets, locations, points of interest, areas or travel routes selected by Customer. “Alert” shall mean a setting by an Authorized User that lets the Creolytix Security Platform generate notifications to Authorized Users via selected channels, e.g. email or SMS, along Customer‘s Interests.

4.4. Content and Professional Services. Creolytix hereby grants the Customer the non-exclusive, non-transferable and non-sublicensable right to use the Content and any work results of Professional Services (e.g. bespoke security analysis) for Customer’s Security Purposes. The rights granted in Content is limited in time to the Subscription Term. The rights granted in work results of Professional Services are perpetual. If use by Affiliates is included according to the Order, rights in Content are also granted to Customer’s Affiliates.

4.5. General Use Restrictions. Except as expressly authorized in this Agreement, Customer will not, and will not permit any person or entity to, resell, transfer, sublicense, publish, loan, or lease any Service, or use any Service for the benefit of any third party without the prior written consent of Creolytix, (ii) modify, alter, tamper with, repair, or create derivative works of any Services, (iii) reverse engineer, disassemble, decompile, or otherwise attempt to discover the source code of any Services, (iv) use any Services in a manner that could subject such Service to any open source software license that conflicts with this Agreement or that does not otherwise apply to such Service, (v) use any Service for the purpose of developing or enhancing any product or service that is competitive with such Service, or (vi) remove any proprietary notices or legends contained in or affixed to any Service. Customer may copy software or documentation only as required to support use of the Services as expressly authorized in this Agreement. The restrictions set out in this section do not apply to the extent they conflict with mandatory applicable law. The Customer will not use the Services in connection with or for the operation of critical infrastructure such as power plants, military or defense facilities, medical devices or other equipment whose failure or impairment would result in unforeseeable economic or physical damage, including but not limited to critical infrastructure as defined by European Directive 2008/114/EC.

4.6. Third Party Technology. Software contained in the Services (e.g. code executed locally on user devices) may contain third-party software, technology, and other materials, including open-source software, licensed by third parties (“Third-Party Technology”) under separate terms (“Third-Party Terms”). Third-Party Terms are made available to Customer upon request. In the event of a conflict with the terms of this Agreement, the Third-Party Terms control with respect to Third-Party Technology. If Third-Party Terms require Creolytix to furnish Third-Party Technology in source code form, Creolytix will provide it upon written request.

4.7. Reservation of Right. All Services, including software, analysis and non-public documentation are trade secrets of Creolytix and its licensors. Creolytix or its licensors retain title to and ownership of Services and any Creolytix IP. “Creolytix IP” means all patents, copyrights, trade secrets, and other intellectual property rights in, related to, or used in the provision or delivery of, any Service or technical solution underlying any Service, and any improvement, modification, or derivative work of any of the foregoing. Creolytix reserves all rights in Services and Creolytix IP not expressly granted in this Agreement.

4.8. Customer Content. Customer grants Creolytix the right to use content submitted by Customer or Customer’s Authorized Users when using the Services, e.g. comments in the Community or uploads to the Creolytix Security Platform (“Customer Content”) for the provision of the Creolytix’ services. This right shall be worldwide, non-exclusive, unlimited in time, sublicensable, transferable and free of charge and include the right to store, copy, analyze (also by means of artificial intelligence) and translate or otherwise reasonably edit Customer Content. If Customer Content is not marked as Customer internal (e.g. forum posts or public comments) Creolytix may use the Customer Content for the provisioning of the services to other customers of Creolytix and disclose it to other customers accordingly.

4.9. Feedback. If Customer provides any ideas or feedback regarding any Service, including suggestions for changes or enhancements, support requests (including any related information), and error corrections, such Feedback may be used by Creolytix without condition or restriction.

4.10. Third Party Offerings. For Third Party Offerings usage rights are solely granted by the Third Party Provider to the Customer in accordance with terms and conditions of the Third Party Provider.

5. Fees

5.1. Payment. Customer will pay the fees set forth in the Order within 30 days after receipt of the invoice. Creolytix will invoice Customer for Subscription Services annually in advance and for Professional Services on a monthly basis as charges are incurred. Invoices may be issued in electronic form.

5.2. Default of payment. If the Customer defaults on payment of the fees Creolytix may, after a respective warning and a 14 days grace period, block access to or stop delivery of the Services and/or terminate the Agreement for cause.

5.3. Taxes. All amounts to be paid to Creolytix are exclusive of taxes and any other charges. Customer agrees to pay or reimburse Creolytix for any applicable taxes, duties, or other charges imposed by any government authority on Customer’s use or receipt of the Services. If Customer is required by law to make any income tax deduction or to withhold income tax, the amount payable to Creolytix shall be increased so that Creolytix receives a net amount equal to the amount invoiced. Customer will promptly provide all tax receipts in connection with the respective Order.

6. Data Protection

6.1. Data Processing Agreement. To the extent Creolytix acts as a data processor in providing the Services and Customer as data controller, each within the meaning of the EU General Data Protection Regulation (“GDPR”), the provisions of the “Data Processing Agreement” (available at www.creolytix.io/legal/dpa) shall apply.

6.2. Systems Information. Creolytix may collect and derive information, statistics, and metrics regarding usage, operation, support, and maintenance of Services or from Customer Content (“Systems Information”), and may use Systems Information to support, maintain, monitor, operate, develop, and improve its products and services or enforce its rights.

6.3. Independent Controllers. Where Creolytix and Customer act as independent data controllers (e.g. billing purposes, delivery of country reports, use of System Information) each party shall independently comply with applicable laws on the protection of personal data.

7. Customer Obligations

7.1. Lawful Use. Customer will comply with this Agreement and any applicable laws and will not violate any third party rights when using the Service. In particular Customer will comply with applicable copyright laws, competition laws, data protection laws and not violate contractual confidentiality obligations.

7.2. Export Control. Customer shall comply with all applicable sanctions, embargoes and (re-)export control, laws, and regulations, and, in any event, with those of the European Union, the United States of America and any locally applicable jurisdiction.

7.3. Acceptable Use Policy. Customer will comply, and ensure that all Authorized Users comply, with the Acceptable Use Policy (available at www.creolytix.io/legal/aup). In particular, Customer must ensure that content posted in the Community, namely content accessible to other customers, does not include material where usage rights are restricted to Customer’s internal use, such as it may be the case for Third Party Offerings.

8. Confidentiality

8.1. Confidential Information. “Confidential Information” means all information disclosed by one party or any of its users, affiliates or subcontractors to the other party under this Agreement that is marked as confidential or the confidential nature of which is evident to a reasonable person. Creolytix’ Confidential Information includes the terms of this Agreement and any Order, Content, Community content, work results of Professional Services and Creolytix IP.

8.2. Confidentiality Obligations. The receiving party will

a) use Confidential Information only as required for the purposes of this Agreement including to exercise or e nforce rights or perform obligations under this Agreement, and

b) not disclose Confidential Information, except (a) on a need-to-know basis to its and its affiliates’ employees, consultants, contractors, and financial, tax, and legal advisors that are bound by confidentiality obligations and use restrictions at least as restrictive as those in this Agreement, or (b) as otherwise authorized by the disclosing party or this Agreement,

c) use reasonable care to protect against unauthorized use and disclosure of the disclosing party’s Confidential Information.

The confidentiality obligations shall survive the termination of this Agreement, and shall last for five years after the Agreement Term ends. Statutory confidentiality obligations shall remain unaffected.

8.3. Exclusions. The obligations in Section 8.2 will not apply to any Confidential Information that

a) is or becomes generally available to the public other than as a result of disclosure by the receiving party in violation of this Agreement,

b) becomes available to the receiving party from a source other than the disclosing party, provided that the receiving party has no reason to believe that such source is itself bound by a legal, contractual, or fiduciary obligation of confidentiality,

c) was in the receiving party’s possession without an obligation of confidentiality prior to receipt from the disclosing party,

d) is independently developed by the receiving party without the use of, or reference to, the disclosing party’s Confidential Information, or

e) is required to be disclosed by a government authority or law, so long as the receiving party promptly provides the disclosing party with written notice of the required disclosure, to the extent such notice is permitted by law, and cooperates with the disclosing party to limit the scope of such disclosure.

8.4. Reference. Customer hereby grants Creolytix the right to use Customer’s name, trademarks, and logos for the purpose of identifying the Customer as a reference customer in the Creolytix’ marketing, promotional materials, and other business-related communications. Creolytix agrees to use Customer’s trademarks and logos in a manner that is consistent with Customer’s brand guidelines, if provided to Creolytix by Customer. This permission shall survive the Term of this Agreement. Customer is entitled to withdraw this permission at any time but withdrawal shall not be exercised in an unreasonable manner.

9. Warranties and Disclaimers

9.1. Creolytix Security Platform Warranty. Creolytix warrants that the Creolytix Security Platform will perform substantially in accordance with the features and functionalities described in the Order and Creolytix Service Description. To the extent permissible under applicable law, as Creolytix’ entire liability and Customer’s sole and exclusive remedy for a breach of this warranty, at Creolytix’ option (i) Creolytix will use commercially reasonable efforts to restore the non-conforming Services so that they comply with this warranty, or (ii) if such restoration would not be commercially reasonable, Creolytix may terminate the Order for the non-conforming Services and refund any prepaid fees for such Services on a pro- rata basis for the remainder of the Subscription Term for that Services. The warranty for Creolytix Security Platform excludes (a) No-Charge Offerings and Previews, and (b) issues, problems, or defects arising from Customer Content, Third Party Offerings, or use of Services not in accordance with the terms of this Agreement.

9.2. Remedies for not meeting the Availability. Remedies for not meeting the availability of the Creolytix Security Platform is set out in the Service Level Agreement (available at www.creolytix.io/legal/sla)

9.3. Disclaimers. Creolytix makes only the limited warranties expressly stated in this Agreement, and disclaims all other warranties including, without limitation, the implied warranties of merchantability and fitness for a particular purpose. Creolytix does not warrant or otherwise guarantee that Content (e.g. Feeds) is uninterrupted available, accurate, complete or error free. Representations about services or features or functionality in any communication with Customer (e.g. website, e-mail) constitute technical information, not a warranty or guarantee. Creolytix gives guarantees only in writing and only if expressly named as “guarantee”.

10. Limitation of Liability

10.1. Cap. The entire, aggregate liability of Creolytix related in any way to this Agreement is limited as follows: (i) for liability arising from a Service provided for a Subscription Term, the fees paid to Creolytix for that Service during the 12-month period immediately preceding the first event giving rise to the claim, provided that the aggregate liability for any Service will not exceed the amount paid for that Service during the Subscription Term, or (ii) in all other cases, the fees paid to Creolytix for that Service. The foregoing limitation does not apply to Creolytix’ indemnity obligation in Section 11.

10.2. Exclusion. In no event will Creolytix be liable for (i) any indirect, incidental, consequential, special, exemplary, or punitive damages, loss of production or data, interruption of operations, or lost revenue or profits, even if such damages were foreseeable, or (ii) any No-Charge Offerings or Previews, respectively except in case of intent.

10.3. Statue of Limitation. Creolytix will not be liable for any claim in connection with this Agreement if such claim is brought more than two years after the first event giving rise to such claim is or should have been discovered by Customer.

10.4. Scope. The foregoing limitations and exclusions apply (i) to the benefit of Creolytix and its affiliates, and their respective officers, directors, licensors, subcontractors, and representatives, and (ii) regardless of the form of action, whether based in contract, statute, tort (including negligence), or otherwise.

10.5. Applicable Law. The foregoing limitations and exclusions will not apply to the extent that liability cannot be limited or excluded according to applicable law.

11. Intellectual Property Indemnification

11.1. Infringement Claim Indemnity. Creolytix will indemnify and defend, at its expense, any action brought against Customer to the extent that it is based on a claim that the Service infringes any copyright, any trade secret, or a patent or trademark issued or registered by the United States, Japan, or a member of the European Patent Organization, and will pay all damages finally awarded against Customer by a court of competent jurisdiction or agreed in a settlement, provided that Customer gives Creolytix (i) prompt written notice of the claim, (ii) all requested information and reasonable assistance related to the claim and (iii) sole authority to defend or settle the claim. Creolytix will not admit liability or incur obligations on Customer’s behalf without Customer’s prior written consent, which will not be unreasonably withheld.

11.2. Injunction. If a permanent injunction is obtained against Customer’s use of a Service due to an infringement claim, Creolytix may, at its sole option, obtain for Customer the right to continue using the Service, or replace or modify the Service to become non-infringing. If such remedies are not reasonably available: (i) Creolytix will refund prepaid fees for the enjoined Service on a pro-rata basis for the remainder of the Subscription Term for that Service; (ii) any applicable licenses to such Service will automatically terminate; and (iii) Customer will immediately cease to use the enjoined Service and return all related software in its possession. Creolytix may, in its sole discretion, provide any of the foregoing remedies to mitigate infringement prior to the issuance of an injunction.

11.3. Exclusions. Notwithstanding anything to the contrary in this Agreement, Creolytix will not have any liability or obligation to Customer to the extent that an infringement claim arises out of (i) use of No-charge Services or Previews, (ii) work results resulting from Professional Services, (iii) any adjustment, modification, or configuration of the Service not made by Creolytix, or (iv) instructions, assistance, or specifications provided by Customer.

11.4. Sole and Exclusive Remedy. Section 11 sets forth Creolytix’ entire liability and Customer’s sole and exclusive remedy for infringement of third-party intellectual property rights.

12. Term and Termination

12.1. Subscription Term. Unless otherwise agreed in the Order, Subscription Services begin on the Commencement Date and have an Initial Term of 12 months. The Subscription Services shall automatically renew for 12 months Renewal Terms unless terminated by Customer or Creolytix to the end of the Initial Term or any Renewal Term with a Termination Notice Period of 3 months (“Subscription Term”). Subscription terms for different items of the Order form (e.g. different Add-Ons) may be terminated independently.

12.2. Agreement Term. The term of this Agreement (“Agreement Term”) shall begin on the Effective Date and terminate upon termination of the last Subscription Term or the complete delivery of Professional Services, whichever event occurs later.

12.3. Termination. Termination must be made in writing, including text form (e.g. e-mail) and may be directed to the Primary Contact indicated in the Order Form. The right to terminate for cause shall remain unaffected.

12.4. Free Trial Period. If the Order provides a Free Trail Period, the Initial Term shall begin with the Free Trial Period and the Initial Term shall be extended by the term of the Free Trial Period. Each party may freely terminate the Subscription Services during the Free Trail Period at any time without any notice period.

13. Changes to the GTC and Creolytix Security Platform

13.1. Changes to the GTC. Creolytix may update these GTC during a Subscription Term, provided any such update does not (i) have a material adverse effect on Customer’s rights (e.g. with respect to usage rights or service levels or by otherwise materially negatively impacting the equivalent ratio of performance and consideration for the customer) or (ii) result in a material degradation of the security measures maintained by Creolytix regarding the Creolytix Security Platform or Customer Content. The foregoing shall not limit Creolytix’ ability to make changes to these Creolytix GTCs (i) to comply with applicable law, (ii) address a material security risk, (iii) to reflect changes made to the Services in accordance with any change provision in the Agreement, or (iv) that are applicable to new features, supplements, enhancements, capabilities or additional services provided as part of Customer’s Subscription Services at no extra charge. If an update of the GTCs during a Subscription Term applies to Customer, Creolytix will notify Customer at least 90 days prior to such change. If the Customer does not object to the change within six weeks, the updated GTCs shall be agreed. Creolytix will inform the Client within the notification about this effect of not objecting to the GTC change.

13.2. Changes to the Creolytix Security Platform. The Creolytix Security Platform including all Subscription Services may be modified or discontinued by Creolytix from time to time. During the Subscription Term, Creolytix will not materially degrade core features or functionalities of the Creolytix Security Platform or discontinue the Creolytix Security Platform without making available substitute Services, except as necessary to address (i) new legal requirements, (ii) changes imposed by Creolytix’ vendors or subcontractors (e.g. the termination of Creolytix’ relationship with a provider of software or services which are required for the provision of the Creolytix Security Platform), or (iii) security risks that cannot be resolved in a commercially reasonable manner. Creolytix will notify Customer of any such material degradation or discontinuation of the Creolytix Security Platform as soon as reasonably practicable, and Customer may terminate the Order for the applicable Service by providing Creolytix with written notice within 30 days after Customer’s receipt of notice of degradation or discontinuation. In the event of such termination or discontinuation of the Creolytix Security Platform, Creolytix will refund any prepaid fees for the applicable Service on a pro-rata basis for the remainder of the Subscription Term for that Service.

14. Miscellaneous

14.1. Service Specific Terms and Conditions. For certain types of Services of Creolytix (e.g. for specific Feeds, or analysis) service specific terms and conditions (“SSTC”) may apply in addition to these GTC. SSTC are available at www.creolytix.io/legal/sstc or otherwise made accessible to the Customer within the Order.

14.2. Force Majeure. Neither party will be liable for delay or failure to perform any obligations under this Agreement (except with respect to any payment obligations) due to any cause beyond its reasonable control. The delayed party will promptly notify the other party of any such event.

14.3. Notices. Creolytix may notify Customer under this Agreement by (i) posting a notification on the Creolytix Security Platform or on the administrative user account that Customer maintains with Creolytix to manage subscriptions to Services, (ii) sending an email or other text message to the address or contact number provided by Customer as Primary Contact on the Order (iii) sending an email to relevant Authorized Users. Notwithstanding the foregoing, notices regarding claims or disputes will always be sent to the party’s postal address or to the Primary Contact specified in the Order.

14.4. Language. If Creolytix provides a translation of the English language version of an Agreement, the English language version of the respective Agreement will control in the event of any conflict.

14.5. Governing Law and Jurisdiction, Place of Jurisdiction. The validity, interpretation and performance of this Agreement shall be controlled by and construed in accordance with the substantive law of Germany without reference to the substantive law of any other country. If the Customer is a merchant, a legal entity under public law or a special fund under public law, the exclusive place of jurisdiction shall be the courts at Munich, Germany. The application of the United Nations Convention on Contracts for the International Sale of Goods of 11 April 1980 shall be excluded.

14.6. No Waiver; Validity and Enforceability. The failure to enforce any provision of this Agreement will not be construed as a waiver of such provision. If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions will not be affected, and such provision will be deemed to be restated to reflect the original intentions of the parties as nearly as possible in accordance with applicable law. The parties agree that electronic signatures or acceptance of this Agreement via an electronic system specified by Creolytix will have the same force and effect as manual signatures.

14.7. Entire Agreement. This Agreement constitutes the full and complete agreement between the parties with respect to the subject matter thereof and supersedes any previous or contemporaneous agreements or communications, whether written or verbal, relating to such subject matter. This Agreement may not be varied except as set out in this Agreement or otherwise in writing executed by manual signatures or electronic signatures of authorized representatives of both parties or via an online mechanism. No other terms and conditions will apply. The terms of any purchase order or similar Customer document are excluded and such terms will not apply to any Order, and will not supplement or modify this Agreement irrespective of any language to the contrary in such document.

Version: January 2024

1. Creolytix Security Platform Availability

1.1. Availability. Creolytix will make the Creolytix Security Platform available 99.5 % per calendar month (“Target Availability”). The availability will be calculated as follows:

Uptime (in seconds) during a calendar month
/ Total Time (in seconds) during a calendar month.

The Creolytix Security Platform is considered “Uptime” if an Authorized User is able to successfully log in and access the user interface of the Creolytix Security Platform. Creolytix provides the Creolytix Security Platform at the connection point of the data centre to the Internet used by Creolytix.

a) “Total Time” means all the time during a calendar month (24/7), less any Exclusive Downtime.

b) “Exclusive Downtime” means all Downtime during a calendar month that is attributable to: (i) Scheduled Downtime within a Regular Maintenance Window; (ii) any other Scheduled Downtime where Customer has received at least 24 hours’ notice prior to such Scheduled Downtime; or (iii) unavailability caused by factors outside of Creolytix’ reasonable control, such as unpredictable and unforeseeable events that could not have been avoided even if reasonable care had been exercised; or (iv) unavailability caused by actions or inactions of Customer or any third party; (v) unavailability caused by any equipment, software or other technology not provided by Creolytix; or (vi) unavailability caused due to suspension or termination of Services in accordance with the Agreement.

c) “Downtime” means all the time in a calendar month during which the Creolytix Security Platform is not Uptime (as defined above), except for Exclusive Downtime.

d) “Scheduled Downtime” means Downtime for the Creolytix Security Platform that is scheduled by Creolytix. Creolytix will use commercially reasonable efforts to notify the Customer at least 24 hours prior to the occurrence of a Scheduled Downtime.

e) “Regular Maintenance Window” means the period every week from 6:00pm on Friday to 8:00am on Monday, Central European Time, during which time Creolytix may schedule Downtime for maintenance to or upgrade of the Creolytix Security Platform. Creolytix reserves the right to extend or change the times of the Regular Maintenance Window.

Service Credits. If the Target Availability is not met within a calendar month, the Customer is entitled to a reduction of the Fees for the respective calendar month (the annual fee divided through twelve) as follows (“Service Credits”):

5% if uptime is 95% to < 99.5%
10% if uptime is 90 to <95%
20% if uptime is 80 to <90%
50% if uptime is below 80%

Service Credits are deducted from the next invoice, remaining Service Credits at the end of the term of the Agreement are refunded by Creolytix. Customer must submit to Creolytix a support case within 30 days after the end of each relevant calendar month in which Creolytix did not meet the Target Availability and claim the Service Credit. Any claims not submitted by Customer within the specified time period may be denied by Creolytix, and Creolytix will have no further obligation to Customer with respect to such failure.

1.2. Right to Termination. If Creolytix is unable to meet the Target Availability contained three or more times in a calendar year, then Customer will have the right to terminate the Service for the non-conforming Service. In the event of such termination, Creolytix will refund any prepaid fees for the applicable Service on a pro-rata basis for the remainder of the Subscription Term.

1.3. Exclusive remedy. The remedies set forth in this Service Level Agreement shall be the sole and exclusive remedies of the Customer in case of non-availability of the Creolytix Security Platform. Any other claims, e.g., for rectification, damages or compensation, are excluded, except in case of intent.

2. Support Services

2.1. Support Services. Creolytix provides the following technical support services for the Creolytix Security Platform:

a) acceptance of reports regarding technical malfunctions of the Creolytix Security Platform, including non-availability,

b) acceptance of technical use problems by Authorized Users of Customer.

Support does not include security consultancy services, security analyses or configuration services (initial setting of Alerts or Interest). These services must be ordered as Professional Support services.

2.2. Support Channels. All support inquiries must be made by e-mail and sent to support@creolytix.io. Creolytix will respond to Customer’s support inquiry at Creolytix’ sole discretion via e-mail or hotline. The technical support is available in English and German.

2.3. Support Times. Creolytix is available to receive support inquiries 24/7 via email or through the Creolytix website. Customer support services via e-mail are 24/7 for Category 1 Errors and for the remaining Error Categories from Monday to Friday, 7am to 10pm (CET, CEST), excluding national and local holidays in Germany.

2.4. Error Categories

Creolytix classifies support requests in accordance with the following categories:

a) Category 1 (High): The Creolytix Security Platform is wholly unavailable, or material parts of the Creolytix Security Platform are inoperative, so that it is impossible to work with the Creolytix Security Platform (e.g., the server cannot be reached, no Content available).

b) Category 2 (Medium): Parts of the Creolytix Security Platform do not function without errors (e.g., certain Feeds are not available, Alerts are not working properly), but it is still possible to use the Creolytix Security Platform, using workarounds where applicable.

c) Category 3 (Low): The Creolytix Security Platform has errors which impact work only slightly (e.g., display errors, occasional longer response times of the server).

2.5. Reaction Times.

Creolytix will respond (as defined below) to reported support requests during the support times as follows:

Error Category	Maximum Reaction Time (during support times)	Workaround Target (during support times)
1	4 hours	6 hours
2	12 hours	24 hours
3	48 hours	36 hours

The response time commences upon receipt of the Customer´s report via the prescribed communication method of Creolytix. If this is outside of support times, it is deemed as received once the support time starts again.

2.6. Response. The Customer will receive a qualified statement from an employee of Creolytix during the response time. A qualified statement contains at least an initial assessment of the request and to the extent possible and reasonable, information about the further process. In case of Category 1, resolution works will commence within the response time. Creolytix will take commercially reasonable efforts to solve or mitigate the impact of a reported technical malfunction within the Workaround Target.

Data Processing Agreement (DPA)

Annex I: List of parties
Annex II: Description of the processing
Annex III: Technical and organizational measures including technical and organizational measures to ensure the security of the data
Annex IV: List of sub-processors

Creolytix and Customer have entered into an Agreement on the provision of the Creolytix Security Platform and Professional Services.

If and to the extent Customer’s processing is subject to the EU General Data Protection Regulation (“GDPR”) Creolytix and Customer hereby agree on the Standard Contractual Clauses between controllers and processors under Art. 28 (7) GDPR” ((EU) 2021/915 of 4 June 2021) (“Art. 28 Standard Contractual Clauses”) in order to comply with the requirements of Art. 28 GDPR (this agreement hereinafter, “DPA”).

The Art. 28 Standard Contractual Clauses are published in the Official Journal of the European Union L 199/18 and is accessible at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915

To complete and adjust the Art. 28 Standard Contractual Clauses Creolytix and Customer hereby agree as follows:

For the purpose of the Art. 28 Standard Contractual Clauses, Customer shall be the “controller” and the Creolytix shall be the “processor”.
Option 1) shall be chosen in clauses 1 lit. a, 8 lit. c Nr. 4, 9.1 lit. b und lit. c and 9.2 para 3 of the Art. 28 Standard Contractual Clauses.
The optional clause 5 of the Art. 28 Standard Contractual Clauses (docking clause), shall not be applicable.
In clause 7.7 of the Art. 28 Standard Contractual Clauses (use of sub-processors), option 2) (general written authorization) shall be chosen parties and thirty (30) calendar days shall be the specified time period for changes to the list of sub-processors. In addition, the Creolytix and Customer hereby agree that if Customer objects to any sub-processor change, Customer and Creolytix shall work together in good faith to agree on a reasonable solution regarding the engagement of the new sub-processor and that if no agreement can be reached Creolytix is entitled to terminate the Service to the extend it depends on the new sub-processor. In such case Creolytix shall pro-rata refund any fees already paid for the future, and such refund shall be the exclusive remedy of Customer.
Clause 2.a and clause 7.7.e and clause 10.b of the Art. 28 Standard Contractual Clauses shall not apply.
The information to complete Annex I-IV of the Art. 28 Standard Contractual Clauses is set out in the Annex I-IV of this DPA, which shall be an integral part of this DPA.

Annex I: List of parties

Controller shall be the Customer and Processor shall be Creolytix, each with their respective Primary Contacts as set out on the Order.

Annex II: Description of the processing

1. Categories of data subjects whose personal data is processed:

Customer’s Authorized Users
Recipients of notifications (Alerts), e.g., employees (designated by Customer)
Contractors, suppliers, business partners or other individuals whose personal data is stored by or as requested by the Customer on the Service and/or is processed in the context of providing the Service

2. Categories of personal data processed:

contact and user information, including name, address data, phone number, email address, and time zone
configuration data, e.g., Interests, Alerts, traveler locations
data uploaded or entered into the Service by Authorized Users of the Customer (e.g., internal comments to Events)
data made available by Customer to Creolytix in course of the Service (e.g., data provided for onboarding Professional Services)
data included in web monitoring queries requested by the Customer or in results from such monitoring
system access, usage, authorization data, operating data and system log-files

3. Sensitive data processed (if applicable)

The Services are not intended for the processing of sensitive personal data.

4. The frequency of the transfer

Ongoing / continuous during the Subscription Term or provision of Professional Services.

5. Nature of the processing and purpose(s)

Provision and management of access to the Creolytix Security Platform
social media, deep and dark web monitoring as instructed by the Customer
Provision of Professional Services that involve the processing of personal data as instructed by Customer

6. Duration of the processing

Personal Data will be retained for the period of the Subscription Term and with regard to Professional Services as long as required for their provision.

7. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing by sub-processors are specified per subprocessor in Annex III.

Annex III: Technical and organizational measures including technical and organizational measures to ensure the security of the data

This Annex describes the technical and organizational measures (TOMs) implemented by Creolytix and its sub-processors to protect Creolytix’ and sub-processors’ IT-systems and applications. Some Services may be protected by different or additional TOMs, as set forth in the respective Agreement.

Scenario 1: TOMs applicable to the Creolytix Security Platform.

Scenario 2: TOMs applicable to Professional Services provided and controlled by Creolytix.

#	Measures	Scenario
#	Measures	1	2
1. Physical and Environmental Security
	Creolytix implements suitable measures to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers and related hardware).	X	X
2. Access Control (IT-Systems and/or IT-Application)
	2.1 Creolytix implements an authorization and authentication framework to IT-systems and data including, but not limited to, role-based access, logged access, appropriate authentication requirements and methods, least-privilege principle, password policy, time-outs if idle, removal of access rights upon end of employment/contract.	X	X
	2.2 Creolytix implements a roles and responsibilities concept.	X	X
	2.3 IT systems and applications lock down automatically or terminate the session after exceeding a reasonably defined idle time limit.	X	X
	2.4 Creolytix maintains log-on procedures on IT systems with safeguards against suspicious login activity (e.g., against brute-force and password guessing attacks).	X	X
3. Availability Control
	3.1 Creolytix defines, documents, and implements a backup concept for IT systems, including the following technical and organizational elements:	X
	3.2 Creolytix stores backups in a physical location different from the location where the productive system is hosted.	X	–
	3.3 Creolytix implements state-of-the-art anti-malware solutions to protect its systems and applications against malicious software.	X	X
	3.4 IT systems and applications in non-production environments are logically or physically separated from IT systems and applications in production environments.	X	–
	3.5 Data centers in which Personal Data is stored or processed are protected against natural disasters, physical attacks or accidents.	X	–
	3.6 Supporting equipment in IT areas and data centers, such as cables, electricity, telecommunication facilities, water supply, or air conditioning systems are protected from disruptions and unauthorized manipulation.	X	–
4. Operations Security
	4.1 Creolytix maintains and implements a company-wide Information Security Framework which is regularly reviewed and updated.	X	X
	4.2 Creolytix logs security-relevant events, such as user management activities (e.g., creation, deletion), failed logons, changes to the security configuration of the system on IT systems and applications.	X	X
	4.3 Creolytix continuously analyzes the respective IT systems and applications log data for anomalies, irregularities, indicators of compromise and other suspicious activities.	X	X
	4.4 Creolytix scans and tests IT systems and applications for security vulnerabilities on a regular basis.	X	X
	4.5 Creolytix implements and maintains a change management process for IT systems and applications.	X	X
	4.6 Creolytix maintains a process to update and implement vendor security fixes and updates on the respective IT systems and applications.	X	X
	4.7 Creolytix irretrievably erases data or physically destroys the data storage media before disposing or reusing of an IT system.	X	X
5. Transmission Controls
	5.1 Creolytix continuously and systematically monitors IT systems, applications and relevant network zones to detect malicious and abnormal network activity by e.g., firewalls, proxy servers, intrusion detection.;	X	X
	5.2 Creolytix documents and updates network topologies and its security requirements on a regular basis.	X	X
	5.3 Creolytix administers IT systems and applications by using state-of-the-art encrypted connections.	X	X
	5.4 Creolytix protects the integrity of content during transmission by state-of-the-art network protocols, such as TLS.	X	X
	5.5 Creolytix encrypts, or enables its customers to encrypt, customer data that is transmitted over public networks.	X	X
	5.6 Creolytix uses secure Key Management Systems (KMS) to store secret keys in the cloud.	X	–
6. Security Incidents
	Creolytix maintains and implements an incident handling process.	X	X
7. Asset Management, System Acquisition, Development and Maintenance
	7.1 Creolytix implements an adequate security patching process.	X	X
	7.2 Creolytix identifies and documents information security requirements prior to the development and acquisition of new IT systems and applications as well as before making improvements to existing IT systems and applications.	X	X
	7.3 Creolytix establishes a formal process to control and perform changes to developed applications.	X	X
	7.4 Creolytix plans and incorporates security tests into the System Development Life Cycle of IT systems and applications.	X	X
8. Human Resource Security
	8.1 Creolytix implements the following measures in the area of human resources security:
	a) employees with access to Personal Data are bound by confidentiality obligations; and.	X	X
	b) employees with access to Personal Data are trained regularly regarding the applicable data protection laws and regulations	X	X
	8.2 Creolytix implements an offboarding process for Creolytix employees and external vendors.	X	X

Annex IV: List of sub-processors

This Annex lists approved sub-processors and data center locations.

In case of data transfers by Creolytix to sub-processors outside the EEA without adequacy decision of the EU Commission (“Restricted Transfer”), Creolytix shall implement the transfer safeguards (“Transfer Safeguards”) identified in this Annex. Creolytix shall have the right to replace the Transfer Safeguard with alternative adequate Transfer Safeguards.

1. Subprocessor(s) engaged in the storage/hosting of content

To the extent the provision of the Services includes the hosting of personal data, Creolytix shall store the personal data in the data center locations specified below (“Data Center Location”). Creolytix shall not transfer personal data from the respective Data Center Location without Customers’ consent.

Entity Name, registered address and contact person	Data Center Location	Regions served from Data Center Location	Transfer Safeguards in case of Restricted Transfers
Entity name: Microsoft Nederlands (Azure) Register Address: Evert van de Beekstraat 354, 1118 CZ Schiphol, Netherlands	EU	worldwide	No Restricted Transfer

2. Subprocessors engaged in the processing for non-storage/-hosting purposes.

Entity Name, registered address and contact person	Country/Region where processing is performed	Regions served by the subprocessor	Description of processing	Transfer Safeguards in case of Restricted Transfers
Entity name: Secure Link Services AGRegister Address: The Circle 37, 8058 Zürich-Flughafen, Switzerland	Switzerland	worldwide	Operations and maintenance of the Creolytix native software applications part of the Services	No Restricted Transfer
Entity name: med con team GmbHRegister Address: Gerhard-Kindler-Str. 6, 72770 Reutlingen, Germany	Germany	worldwide	Hotline/Emergency response and travel assistance and related documentation.	No Restricted Transfer
Entity name: Twilio Ireland Ltd. Register Address: 3 Dublin Landings, North Wall Quay, Dublin 1, Ireland	EU/Ireland, US	worldwide	Service to manage in/outbound SMS, WhatsApp and voice messages between Creolytix and Customer contacts.	Processor BCR
Entity name: WhatsApp Ireland Limited Register Address: Merrion Road Dublin 4 D04 X2K5, Ireland	EU/ worldwide	worldwide	ONLY if WhatsApp channel selected by Customer for notifications. Message delivery in/outbound between Creolytix and Customer contacts.	Standard Contractual Clauses
Entity name: Social Navigator Inc Register Address: 8-155 Chain Lake Drive Halifax, Nova Scotia B3S 1B3, Canada	Canada	worldwide	Keyword-based worldwide web, deep and dark web investigation and monitoring on behalf of Customer	Standard Contractual Clauses
Entity name: Microsoft Azure Register Address: Microsoft Schweiz GmbH The Circle,Postfach 8058 Zürich-Flughafen, Switzerland	Switzerland	worldwide	Authentication Service if used by Customer	Standard Contractual Clauses /Adequacy Decision
Entity name: Google Ireland Ltd Register Address: Gordon House, Barrow Street, Dublin 4, Irland	EU/worldwide	worldwide	Authentication Service if used by Customer	Standard Contractual Clauses, Processor BCR
Entity name: AWS – Amazon SES Register Address: Eschborner Landstraße 100, 60489 Frankfurt am Main, Germany	EU	worldwide	Email service to distribute notifications / alerts	Standard Contractual Clauses
Entity name: Intercom R&D Unlimited Company Register Address: 124 St Stephen’s Green Co. Dublin D02 N960, Ireland	United States of America	worldwide	In App customer support and help center.	Data Privacy Framework, Standard Contractual Clauses
Entity Name: PostHog Inc Register Address: 2261 Market Street #4008, San Francisco, CA 94114 USA	EU/ Germany	worldwide	Product Analytics	Data Privacy Framework, Standard Contractual Clauses
Entity Name: Productboard, Inc. Register Address: 333 Bush Street, 20th floor San Francisco, CA 94104 USA	United States of America	worldwide	In App Customer Support	Data Privacy Framework, Standard Contractual Clauses
Entity Name: Functional Software Inc (“Sentry.io”) Register Address: 45 Fremont Street, 8th Floor, San Francisco, CA 94105 USA	United States of America	worldwide	Product Analytics, error tracking	Data Privacy Framework, Standard Contractual Clauses

Service Specific Terms and Conditions

Subject Matter
Dragonfly

1. Subject Matter

The following Service Specific Terms and Conditions apply if the Customer orders certain specific Services procured by Creolytix from third parties, in particular additional Content.

2. Dragonfly

2.1. Applicability. The terms of this section apply if the Customer orders from Creolytix content that is procured from Dragonfly Eye Limited (England) (“Dragonfly”). Dragonfly is a provider of an online terrorism incident and plots database called the “Terrorism Tracker” and a security intelligence and analysis service (SIAS).

2.2. Dragonfly EULA. The Customer agrees towards Creolytix to the following EULA with regard to the Content procured by Creolytix from Dragonfly and made available to Customer as part of the Service (“Dragonfly Content”). “You” refers to the Customer and “Dragonfly Products” to the Dragonfly Content:

a) You acknowledge and accept that you shall at all times respect all safety alerts and instructions and in addition take all relevant precautions and comply with general rules on safety. Nothing in the content or the service is intended to replace your own risk assessment, common sense or general principles on good safety and personal security. You further acknowledge and accept that even though there may not be any active alerts for an area that does not mean that the area is safe, and general safety should always be a concern.

b) The content and the service constitutes a tool to be used for risk management and risk assessment e.g. for travellers. Dragonfly is unable to warrant that all information and updates are complete, adequate and error free. Users should always evaluate output and data from service on an individual basis.

c) Except as expressly set out in this Licence or as permitted by any local law, you undertake:

d) not to copy the Dragonfly Products except where such copying is incidental to normal use of the Service, or where it is necessary for the purpose of back-up or operational security;

e) not to rent, lease, sub-license, loan, translate, merge, adapt, or modify the Dragonfly Products;

f) You acknowledge that all intellectual property rights in the Dragonfly Products anywhere in the world belong to Dragonfly, that rights in the Dragonfly Products are licensed (not sold) to you, and that you have no rights in, or to, the Dragonfly Products other than the right to use them in accordance with the terms of this Licence.

2.3. Audits. Creolytix may disclose to Dragonfly information about the provision of Dragonfly Content to Customer, to the extent reasonably necessary for Dragonfly to audit compliance with agreements between Dragonfly and Creolytix. Such information shall not comprise any personal data of Authorized Users.

Acceptable Use Policy

Version: January 2024

This Acceptable Use Policy (“AUP”) sets out terms you, the Customer, and those acting on your behalf, including Authorized Users, must comply with when using our Services, in particular the Creolytix Security Platform.

1. Credentials

You will:

not use a false identity to gain access;
not gain access to Cloud Services by any means other than your user account or other means permitted by us;
ensure that any access credentials are not shared with other individuals and used only by the individual who was granted the credentials.

2. No Illegal, Harmful, or Offensive Use or Content

You will not use, or encourage, promote, facilitate, or instruct others to use, Services for any illegal, harmful, or offensive use or to transmit, store, display, distribute or otherwise make available content that is illegal, harmful, fraudulent, infringing, or offensive. Your use of the Services and your content stored within the Cloud Services will not:

violate any laws or regulations, or rights of others;
be harmful to others, or to our reputation
enter, store, or send hyperlinks, or enable access to external websites or data feeds, including embedded widgets or other means of access, in or as part of your content, for which you have no authorization or which are illegal;
be defamatory, obscene, abusive, or invasive of privacy.

3. No violation of use restrictions

You will not:

resell, transfer, sublicense, loan, lease or publish Services, or use Services in the operation of a business process outsourcing or other outsourcing or a time-sharing service (unless expressly permitted by us);
reverse engineer, disassemble, decompile, or otherwise modify, create derivative works based on, merge, tamper with, repair, or attempt to discover the source code of, Services or the underlying technology (except to the extent this restriction conflicts with the applicable law of your jurisdiction);
access Services from any location prohibited by or subject to sanctions or license requirements according to applicable sanctions and/or (re-)export control laws and regulations, including those of the European Union, the United States of America and/or any other applicable countries.

4. No Abusive Use

You will not:

use Services in a way intended to avoid or work around any use limitations and restrictions placed on such Services (such as access and storage restrictions), monitoring, or to avoid incurring fees;
access or use Services for the purpose of conducting a performance test, building a competitive product or service, or copying its features or user interface;
interfere with the proper functioning or security of any of our systems;
distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations, including commercial advertising and informational announcements.

5. No Security Violations

You will not use Cloud Services in a way that could result in or facilitate a threat to the security of Services or the underlying technology. You will in particular:

take reasonable precautions against security attacks, viruses and malicious code on your system, on-site hardware, software, or services that you use to connect to and/or access Services;
not perform any penetration test of or on Services or the underlying technology without obtaining our express prior written consent;
not use devices to access or use Services that do not comply with industry standard security policies (e.g., password protection, virus protection, update, and patch level).

6. Our Monitoring; Reporting

You acknowledge that we and our subcontractors may monitor your compliance with this AUP through cloud services. We reserve the right to investigate any violation of this AUP. If you become aware of any violation of this AUP, you will immediately notify us and provide us with assistance, as requested by us, to stop, mitigate or remedy the violation. We may remove, disable access to, or modify any content or resource that violates this AUP or any other agreement we have with you for use of the Services. We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. If a party that claims that your use of the Services or your content violates such third party’s rights or any law or regulation, we may share appropriate customer information.