General Terms and Conditions

Our Privacy Policy outlines how we collect, use, and protect your personal information. Your privacy and security are our priorities.

Last Updated on March 18, 2025

BREACHX CLIENT GENERAL TERMS AND CONDITIONS

1. PARTIES AND DEFINITIONS

1.1 Parties and Application

These General Terms and Conditions ("General Terms") apply to and govern the relationship between:

BreachX (hereinafter referred to as "BreachX," "Company," "we," or "us"), (BreachPoint Private Limited) with its principal place of business at VO-015, WeWork, Kalyani Roshni Tech Hub, EPIP Zone, Marathahalli Main Road, Bangalore, KA 560036, and

Any individual or entity (hereinafter referred to as "Client," "you," or "your") that has entered into an agreement with BreachX for services, including but not limited to the Free Account Agreement, One-time Bounty Plan Agreement, Professional Plan Agreement, or Enterprise Plan Agreement (each, a "Service Agreement").

BreachX and Client may be collectively referred to as the "Parties" or individually as a "Party."

These General Terms are incorporated by reference into all Service Agreements between BreachX and Client. In the event of any conflict between these General Terms and a Service Agreement, the terms of the Service Agreement shall control.

1.2 Definitions

In these General Terms, unless the context requires otherwise, the following terms shall have the meanings set forth below:

"Bounty" means the reward (monetary, swag, or recognition) offered to a Security Researcher for successfully identifying a valid security vulnerability.

"Bounty Pool" means the funds allocated by the Client for payment of Bounties to Security Researchers.

"Confidential Information" means any non-public information disclosed by one Party to the other, either directly or indirectly, in writing, orally, or by inspection of tangible objects, which is designated as "Confidential," "Proprietary," or some similar designation.

"Continuous Threat Discovery" or "CTD" means BreachX's proprietary methodology for ongoing security testing and vulnerability identification.

"Non-Identifying Data" means aggregated and anonymized statistical and other information from Security Researcher Submissions, Security Researcher Data, Client Data and Client's use of the Platform and Services.

"Platform" means the BreachX software, website, and related services that enable the security testing and bug bounty program.

"Security Researcher" means an individual or entity that has been vetted and approved by BreachX to participate in identifying security vulnerabilities through the Platform.

"Services" means the security testing, vulnerability management, and related services provided by BreachX to Client as described in the applicable Service Agreement and these General Terms.

"Vulnerability" means a weakness or flaw in Client's systems, applications, networks, or other digital assets that could potentially be exploited to cause harm or unauthorized access.

"Vulnerability Disclosure Guidelines" means the default policy governing Security Researcher Submissions through the Services, which will be applicable to the Services. In the event of a conflict, individual Program Policies supersede BreachX's Vulnerability Disclosure Guidelines.

"Feedback" means any feedback, comments, or suggestions for improvements to the Services.

1.3 Interpretation

In these General Terms: (a) Headings are for convenience only and do not affect interpretation; (b) The singular includes the plural and vice versa; (c) A reference to a document includes any amendment, supplement, or replacement of that document; (d) A reference to a Party includes that Party's permitted successors and assigns; (e) "Including" and similar words do not imply any limitation; (f) No rule of construction applies to the disadvantage of a Party because that Party was responsible for the preparation of these General Terms or any part of them.

2. ACCOUNTS AND ONBOARDING

2.1 Account Types

2.1.1 BreachX offers several types of accounts, including a Free Account and various paid plan options as described in the applicable Service Agreement.

2.1.2 Account features, limitations, and pricing are set forth in the applicable Service Agreement and in the then-current BreachX service descriptions and pricing schedules available on the Platform.

2.1.3 All accounts are subject to these General Terms unless explicitly modified by the applicable Service Agreement.

2.2 Account Management

2.2.1 Client is responsible for maintaining the confidentiality of account credentials and for all activities that occur under Client's account.

2.2.2 Client shall notify BreachX immediately of any unauthorized use of Client's account or any other breach of security.

2.2.3 BreachX reserves the right to suspend or terminate any account that violates these General Terms or the applicable Service Agreement.

2.3 Upgrades and Plan Changes

2.3.1 Client may upgrade, downgrade, or otherwise change its plan type by following the procedures specified on the Platform and subject to the terms of the applicable Service Agreement.

2.3.2 Plan changes may require additional payments, changes in service levels, or other adjustments as specified in the applicable Service Agreement or on the Platform.

2.3.3 Upgrades will become effective within the timeframe specified in the applicable Service Agreement after Client completes the upgrade process and makes any required payments.

2.4 Onboarding Process

2.4.1 Following the execution of a Service Agreement, BreachX will initiate the onboarding process appropriate to the account type selected by Client.

2.4.2 The specific onboarding activities, timelines, and deliverables will vary based on the account type and are detailed in the applicable Service Agreement.

2.4.3 BreachX will provide Client with necessary access credentials, training, and guidance during the onboarding process as specified in the applicable Service Agreement.

2.5 Client Responsibilities During Onboarding

2.5.1 To facilitate successful onboarding, Client shall: (a) Designate a primary point of contact with decision-making authority; (b) Provide accurate information about digital assets to be included in the security scope; (c) Participate in scheduled training sessions; (d) Review and approve security testing parameters; (e) Complete any required technical integrations with Client's systems.

2.5.2 Delays caused by Client's failure to fulfill these responsibilities may extend the onboarding timeline without liability to BreachX.

2.5.3 Client acknowledges that the effectiveness of the Services depends on the accuracy and completeness of information provided during onboarding.

3. SERVICES

3.1 General Service Description

3.1.1 BreachX provides security testing and vulnerability management services to Client as specified in the applicable Service Agreement.

3.1.2 Services may include, but are not limited to: (a) Vulnerability identification through ethical hacking; (b) Vulnerability assessment and validation; (c) Risk prioritization; (d) Remediation guidance; (e) Continuous monitoring and reporting.

3.1.3 The specific services available to Client depend on the account type and plan selected by Client as described in the applicable Service Agreement.

3.2 Service Delivery

3.2.1 BreachX shall deliver the Services in a professional manner consistent with industry standards.

3.2.2 BreachX may use employees, contractors, and third-party service providers to deliver the Services.

3.2.3 BreachX reserves the right to modify its service delivery methods, tools, and technologies from time to time, provided that such modifications do not materially reduce the quality or functionality of the Services.

3.3 Security Testing Scope and Limitations

3.3.1 The scope of security testing shall be limited to the assets and parameters defined in the applicable Service Agreement and during the onboarding process.

3.3.2 BreachX shall establish appropriate security testing limitations to minimize potential disruption to Client's operations.

3.3.3 Unless explicitly authorized in writing, BreachX will not conduct testing that: (a) May cause denial of service conditions; (b) Includes social engineering of Client's employees; (c) Involves physical security breaches; (d) Involves any other activities explicitly prohibited by agreement of the Parties.

3.4 Complimentary Vulnerabilities

3.4.1 BreachX may, at its sole discretion and subject to Security Researcher consent, provide vulnerability information to Client at no additional cost beyond the agreed service fees.

3.4.2 Client acknowledges that complimentary vulnerabilities are provided on an "as-is" basis without any additional warranties or service level commitments.

4. SERVICE LEVELS

4.1 General Service Level Principles

4.1.1 BreachX shall provide Services with reasonable skill and care in accordance with industry standards.

4.1.2 Specific service levels, response times, and performance metrics applicable to Client's selected plan are set forth in the applicable Service Agreement.

4.1.3 In the absence of specific service levels in the applicable Service Agreement, BreachX shall respond to and address issues within a commercially reasonable time.

4.2 Platform Availability

4.2.1 BreachX shall use commercially reasonable efforts to maintain Platform availability, subject to scheduled maintenance and unforeseen technical issues.

4.2.2 Scheduled maintenance shall be communicated to Client in advance whenever possible.

4.2.3 BreachX does not guarantee uninterrupted access to the Platform and Services.

4.3 Validation of Vulnerabilities

4.3.1 BreachX shall validate reported vulnerabilities according to industry-standard practices and timeframes specified in the applicable Service Agreement.

4.3.2 Vulnerability severity levels shall be determined according to industry-standard vulnerability scoring systems, including but not limited to CVSS (Common Vulnerability Scoring System).

4.4 Remediation Support

4.4.1 The level of remediation guidance and support provided by BreachX depends on the plan selected by Client as specified in the applicable Service Agreement.

4.4.2 Client acknowledges that actual vulnerability remediation is Client's responsibility, and BreachX's obligations are limited to identification, validation, and guidance unless otherwise specified in the applicable Service Agreement.

4.5 Service Suspension

4.5.1 Without limiting other remedies, BreachX may suspend Client's access to or use of the Service if: (a) Client's payment of fees is more than sixty (60) days past due; (b) Client's use of the Service results in (or is reasonably likely to result in) damage to or material degradation of the Service which interferes with BreachX's ability to provide access to the Service to other clients; (c) Client breaches this Agreement; (d) Client's use of the Services is directly or indirectly linked to illegal activity; (e) Client fails to pay Bounty funds.

4.5.2 In the case of service degradation: (a) BreachX shall use reasonable efforts to work with Client to resolve or mitigate the damage or degradation in order to resolve the issue without resorting to suspension or limitation; (b) Prior to any such suspension or limitation, BreachX shall use commercially reasonable efforts to provide notice to Client describing the nature of the damage or degradation; and (c) BreachX will reinstate Client's use of or access to the Service, as applicable, if Client remediates the issue within thirty (30) days of receipt of such notice.

5. PAYMENT TERMS

5.1 General Payment Obligations

5.1.1 Client shall pay all fees and charges as specified in the applicable Service Agreement.

5.1.2 All fees are exclusive of applicable taxes. Client shall be responsible for all taxes associated with the Services other than taxes based on BreachX's net income.

5.1.3 Unless otherwise specified in the applicable Service Agreement, all fees are non-refundable.

5.2 Billing and Payment Methods

5.2.1 BreachX shall invoice Client for fees in accordance with the payment schedule specified in the applicable Service Agreement.

5.2.2 Client shall pay all undisputed invoices within thirty (30) days of the invoice date unless otherwise specified in the applicable Service Agreement.

5.2.3 BreachX accepts payment methods as specified on the Platform or in the applicable Service Agreement.

5.3 Bounty Payments

5.3.1 If applicable to Client's selected plan, Client shall provide payment for all bounties awarded to Security Researchers according to the terms of the applicable Service Agreement.

5.3.2 Client acknowledges that failure to fulfill bounty payment obligations may result in: (a) Damage to Client's reputation within the security researcher community; (b) Reduced Security Researcher engagement; (c) Suspension of Services by BreachX; (d) Potential termination of the applicable Service Agreement.

5.4 Late Payments

5.4.1 Any payment not received within the timeframe specified in the applicable Service Agreement shall accrue interest at the rate of 1.5% per month or the maximum rate permitted by applicable law, whichever is less.

5.4.2 In addition to interest charges, BreachX may: (a) Suspend Services until outstanding payments are received; (b) Require advance payment for continued Services; (c) Terminate the applicable Service Agreement if payments remain outstanding for more than sixty (60) days.

5.4.3 Client shall reimburse BreachX for all reasonable costs incurred in collecting any late payments, including attorney's fees, court costs, and collection agency fees.

6. SECURITY RESEARCHER ENGAGEMENT

6.1 Security Researcher Network

6.1.1 BreachX maintains a network of vetted Security Researchers who participate in identifying security vulnerabilities through the Platform.

6.1.2 Access to the Security Researcher network is provided in accordance with the plan selected by Client as specified in the applicable Service Agreement.

6.2 Rules of Engagement

6.2.1 BreachX shall establish and enforce rules of engagement that all Security Researchers must follow when testing Client's assets, including: (a) Scope limitations; (b) Prohibited techniques; (c) Responsible disclosure requirements; (d) Confidentiality obligations.

6.2.2 Client may request customized rules of engagement, subject to BreachX's approval and practical implementation capabilities.

6.3 Researcher Privacy Protection

6.3.1 BreachX shall maintain the confidentiality of all Security Researcher information and will not disclose researcher identities, contact information, or personal details to Client unless explicitly permitted by the individual researcher in writing.

6.3.2 This privacy protection applies even in cases where the researcher has discovered critical vulnerabilities.

6.3.3 Client agrees not to attempt to identify, contact, or otherwise engage directly with Security Researchers outside the BreachX platform, unless explicitly facilitated by BreachX with the researcher's consent.

6.4 Researcher Discretion

6.4.1 Client acknowledges that BreachX has no control over Security Researchers who may refuse to share complete vulnerability details if they consider the offered bounty or recognition insufficient.

6.4.2 BreachX shall not be liable for a Security Researcher's decision to withhold information based on bounty or recognition considerations.

7. REPORTING AND DOCUMENTATION

7.1 Vulnerability Reporting Format

7.1.1 BreachX shall provide standardized vulnerability reports that include: (a) Unique vulnerability identifier; (b) Severity rating based on industry-standard scoring methodologies; (c) Detailed technical description of the vulnerability; (d) Steps to reproduce the vulnerability; (e) Supporting evidence (e.g., screenshots, logs, video demonstrations); (f) Potential impact assessment; (g) Recommended remediation actions; (h) References to related vulnerabilities or CWEs (Common Weakness Enumeration).

7.1.2 All vulnerability reports shall undergo verification and quality assurance by BreachX's security team before delivery to Client.

7.1.3 Client may request customizations to the standard reporting format, subject to practical implementation capabilities.

7.2 Reporting Frequency

7.2.1 One-time Bounty Plan: (a) Vulnerability reports shall be delivered as they are validated by BreachX; (b) Summary reports shall be available on-demand through the Platform.

7.2.2 Professional Plan: (a) Individual vulnerability reports shall be delivered as they are validated; (b) Monthly summary reports shall be automatically generated and provided to Client; (c) Quarterly trend analysis reports shall be provided. The final deliverables and outcomes are subject to the Service Agreement signed by Client.

7.2.3 Enterprise Plan: (a) Real-time vulnerability reporting via the Platform dashboard; (b) Weekly summary reports of all security findings; (c) Monthly comprehensive security analysis reports; (d) Quarterly executive briefings on security posture and trends. The final deliverables and outcomes are subject to the Service Agreement signed by Client.

7.2.4 Notification of Critical vulnerabilities shall be reported to Client's designated security contacts immediately upon validation, regardless of the selected plan.

7.3 Executive Dashboard Access

7.3.1 Dashboard access levels shall be based on the plan selected by the Client.

7.3.3 The executive dashboard shall be updated according to the following schedule: (a) Enterprise Plan: Real-time updates; (b) Professional Plan: Daily updates; (c) One-time Bounty Plan: As new vulnerabilities are validated.

7.4 Documentation Requirements

7.4.1 BreachX shall endeavour to maintain comprehensive documentation of all security testing activities.

7.4.2 Documentation shall be maintained for the duration of the Agreement and for a period of one (1) year following termination.

7.4.3 All documentation shall be treated as Confidential Information in accordance with Section 9.

8. INTELLECTUAL PROPERTY RIGHTS

8.1 Ownership of Findings and Reports

8.1.1 All vulnerability reports, security findings, and related documentation provided by BreachX to Client shall become the property of Client upon delivery.

8.1.2 BreachX retains the right to use anonymized, non-identifying information about discovered vulnerabilities for: (a) Improving its security testing methodologies; (b) Developing security best practices; (c) Internal research and development; (d) Aggregate statistical analysis.

8.1.3 Security Researchers retain moral rights to their discoveries but assign all other rights to Client upon acceptance of a bounty.

8.2 Rights to Remediation Recommendations

8.2.1 BreachX grants Client a perpetual, worldwide, non-exclusive license to use, modify, and implement all remediation recommendations provided as part of the Services.

8.2.2 Client may engage third parties to implement remediation recommendations without additional approval from BreachX.

8.2.3 BreachX retains ownership of any proprietary methodologies, tools, or frameworks used in developing remediation recommendations.

8.3 Brand Usage Rights for Marketing

8.3.1 Client hereby grants BreachX an unlimited, perpetual, worldwide, royalty-free license to use Client's name, logo, and trademarks for marketing purposes.

8.3.2 BreachX may use Client's brand assets on its website, marketing collateral, outreach materials, case studies, presentations, and other promotional channels without additional approval or restriction.

8.3.3 This permission survives the termination of this Agreement unless explicitly revoked in writing by Client.

8.3.4 BreachX agrees to use Client's brand assets in a manner consistent with Client's brand guidelines, if provided.

8.4 Use of Client Assets for Testing

8.4.1 Client grants BreachX and its authorized Security Researchers a limited, non-exclusive license to access and test the digital assets specified in the security testing scope for the sole purpose of identifying security vulnerabilities.

8.4.2 This license includes permission to: (a) Probe, scan, and test the specified assets; (b) Attempt to identify security weaknesses through ethical hacking techniques; (c) Document and report findings related to security vulnerabilities.

8.4.3 This license expressly excludes: (a) Destructive testing that could damage systems or data; (b) Exfiltration of personal or sensitive data; (c) Exploitation of vulnerabilities beyond what is necessary to validate their existence.

8.4.4 The license granted in this section shall terminate automatically upon the termination of this Agreement.

8.5 Feedback License

8.5.1 Client may submit Feedback at any time by emailing BreachX at feedback@breachx.com.

8.5.2 By submitting any Feedback, Client grants to BreachX a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully-paid, and royalty-free license under any and all intellectual property rights that Client owns or controls to use, copy, modify, create derivative works based upon, and otherwise exploit the Feedback for any purpose.

9. CONFIDENTIALITY

9.1 Protection of Vulnerability Information

9.1.1 All vulnerability information discovered through the Services shall be treated as Confidential Information by both Parties.

9.1.2 BreachX shall: (a) Maintain strict confidentiality of all vulnerability findings; (b) Implement technical and organizational measures to secure vulnerability data; (c) Limit access to vulnerability information to personnel with a need-to-know; (d) Require Security Researchers to adhere to confidentiality obligations.

9.1.3 Client shall: (a) Restrict access to vulnerability reports to authorized personnel; (b) Not publicly disclose vulnerabilities until properly remediated; (c) Implement appropriate security controls to protect vulnerability information.

9.1.4 The confidentiality obligations in this section shall survive termination of this Agreement for a period of five (5) years.

9.2 Non-disclosure Provisions

9.2.1 Each Party agrees not to disclose the other Party's Confidential Information to any third party except: (a) To its employees, contractors, or agents who need to know such information to perform under this Agreement; (b) As required by law, regulation, or court order; (c) In accordance with the regulatory disclosure provisions in Section 10.3.

9.2.2 Each Party shall ensure that any person or entity to whom Confidential Information is disclosed is bound by obligations of confidentiality at least as restrictive as those contained in this Agreement.

9.2.3 The receiving Party shall exercise at least the same degree of care to protect the disclosing Party's Confidential Information as it exercises to protect its own Confidential Information, but in no event less than reasonable care.

9.3 Data Handling Procedures

9.3.1 BreachX shall implement and maintain data handling procedures that: (a) Classify information according to sensitivity; (b) Apply appropriate security controls based on classification; (c) Secure data in transit and at rest using industry-standard encryption; (d) Enforce access controls on a need-to-know basis; (e) Include regular security assessments of data storage systems.

9.3.2 Client data shall be processed only to the extent necessary to provide the Services.

9.3.3 Upon termination of this Agreement, BreachX shall: (a) Return or securely destroy all Client data as instructed by Client; (b) Certify compliance with this provision upon Client's request.

9.4 Information Security Requirements

9.4.1 BreachX shall maintain an information security program that includes: (a) Designated security personnel and responsibilities; (b) Risk assessment and management processes; (c) Security awareness training for personnel; (d) Incident response procedures; (e) Regular security testing and auditing.

9.4.2 BreachX shall promptly notify Client of any security incident that affects or may affect Client's Confidential Information.

9.5 Non-Identifying Data and AI Development

9.5.1 Client acknowledges and agrees that: (a) Non-Identifying Data is not Confidential Information and consents to its use by BreachX without restriction, including but not limited to, improving the Platform and Services, and security industry research and collaboration; and (b) BreachX may use Confidential Information to develop and/or improve its Services (for example, to identify trends, and to train AI models) provided such use does not result in disclosure of Confidential Information to unauthorized third parties.

10. COMPLIANCE AND REGULATORY

10.1 Alignment with Relevant Regulations

10.1.1 BreachX shall provide the Services in a manner that facilitates Client's compliance with applicable security and privacy regulations, which may include: (a) Digital Personal Data Protection Act (DPDP Act); (b) Payment Card Industry Data Security Standard (PCI DSS); (c) Reserve Bank of India (RBI) cybersecurity framework; (d) Other industry-specific regulations identified during onboarding.

10.1.2 Client remains ultimately responsible for its own regulatory compliance, and BreachX's Services are provided as tools to assist in that compliance.

10.1.3 BreachX makes no representation or warranty that use of the Services alone will ensure compliance with any specific law or regulation.

10.2 Regulatory Disclosure Provisions

10.2.1 Client acknowledges and agrees that BreachX may share vulnerability information with regulatory bodies and government agencies including but not limited to CERT-In, RBI, NCIIPC, and other relevant authorities in the following circumstances: (a) When required by law, regulation, or court order; (b) When deemed necessary to prevent imminent harm to public safety or security; (c) When the vulnerability affects critical infrastructure or essential services; (d) As part of mandatory security incident reporting requirements.

10.2.2 BreachX shall: (a) Limit such disclosures to the minimum necessary information; (b) Notify Client of the disclosure when legally permitted to do so; (c) Cooperate with Client to minimize potential adverse impacts.

10.2.3 Such disclosures may be made without prior notification to Client when legally required or in emergency situations.

10.3 Compliance Reporting Obligations

10.3.1 BreachX shall provide documentation and reports to assist Client in meeting its compliance reporting obligations, based on the plan selected by Client. These may include: (a) Security assessment summary reports; (b) Vulnerability management metrics; (c) Remediation status tracking; (d) Attestations regarding security testing activities.

10.3.2 Reports shall be provided in formats suitable for submission to relevant regulatory authorities.

10.3.3 For Enterprise Plan clients, BreachX shall provide quarterly compliance alignment reports that map security findings to relevant regulatory frameworks.

10.4 Sharing with Government Agencies

10.4.1 In addition to the regulatory disclosures outlined in Section 10.2, BreachX may share anonymized threat intelligence derived from the Services with government agencies for the purpose of: (a) Improving national cybersecurity posture; (b) Contributing to industry-wide security initiatives; (c) Assisting in the development of security best practices and standards.

10.4.2 Such shared intelligence shall not identify Client unless: (a) Client has provided explicit written consent; or (b) Such identification is required by law.

10.4.3 BreachX shall maintain relationships with relevant government agencies, including CERT-In, to facilitate coordinated vulnerability disclosure when appropriate.

11. DATA PROTECTION AND PRIVACY

11.1 Data Handling Procedures

11.1.1 BreachX shall process Client data only as necessary to provide the Services and in accordance with this Agreement.

11.1.2 BreachX shall implement technical and organizational measures to protect Client data, including: (a) Encryption of data in transit and at rest; (b) Access controls and authentication mechanisms; (c) Regular security testing and assessments; (d) Employee training on data protection; (e) Secure development practices.

11.1.3 BreachX shall maintain a record of all processing activities carried out on behalf of Client as required by applicable data protection laws.

11.1.4 Client shall ensure that it has the necessary rights and permissions to share any data with BreachX for the purpose of providing the Services.

11.2 Privacy Protections

11.2.1 BreachX shall maintain the confidentiality of all Security Researcher information and will not disclose researcher identities, contact information, or personal details to Client unless explicitly permitted by the individual researcher in writing.

11.2.2 BreachX shall process personal data in compliance with applicable privacy laws and regulations.

11.2.3 BreachX shall not: (a) Use Client data or Security Researcher information for purposes outside the scope of this Agreement; (b) Sell, rent, or otherwise make available personal data to third parties for marketing purposes; (c) Process personal data in a manner that would violate applicable privacy laws.

11.2.4 BreachX shall notify Client promptly if it becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

11.3 Privacy Act Compliance Measures

11.3.1 BreachX shall not engage another processor without prior authorization from Client.

11.4 Privacy and Cookies Policy

11.4.1 BreachX's Privacy Policy, which describes how BreachX collects, uses, and discloses information from BreachX's Clients and Security Researchers, will be applicable to the Services.

11.4.2 For specific detail on BreachX's practices and types of cookies that BreachX may use, please refer to BreachX's Cookies Policy available on the BreachX platform.

12. LIABILITY AND INDEMNIFICATION

12.1 Limitation of Liability

12.1.1 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOST PROFITS, LOST REVENUES, LOST BUSINESS OPPORTUNITIES, LOSS OF USE, OR LOSS OF DATA, REGARDLESS OF THE LEGAL THEORY, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.1.2 BreachX's total liability arising out of or related to this Agreement shall not exceed the total amount paid by Client to BreachX in the twelve (12) months preceding the event giving rise to the claim.

12.1.3 The limitations of liability in this section shall not apply to: (a) Either Party's indemnification obligations; (b) Breaches of confidentiality obligations; (c) Violations of intellectual property rights; (d) Damages arising from willful misconduct or gross negligence.

12.1.4 Client acknowledges that BreachX has no control over Security Researchers who may refuse to share complete vulnerability details if they consider the offered bounty insufficient, and BreachX shall not be liable for a researcher's decision to withhold information based on bounty considerations.

12.2 Indemnification Provisions

12.2.1 BreachX shall defend, indemnify, and hold harmless Client from and against any third-party claims, actions, suits, proceedings, and demands, and any resulting damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) BreachX's breach of this Agreement; (b) BreachX's violation of applicable laws or regulations; (c) Allegations that the Services, when used as authorized, infringe or misappropriate any third-party intellectual property right.

12.2.2 Client shall defend, indemnify, and hold harmless BreachX from and against any third-party claims, actions, suits, proceedings, and demands, and any resulting damages, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) Client's breach of this Agreement; (b) Client's violation of applicable laws or regulations; (c) Client's use of the Services in a manner not authorized by this Agreement.

12.2.3 The indemnifying Party's obligations under this section are conditioned upon the indemnified Party: (a) Promptly notifying the indemnifying Party in writing of the claim; (b) Giving the indemnifying Party sole control of the defense and settlement of the claim; (c) Providing reasonable cooperation to the indemnifying Party at the indemnifying Party's expense.

12.2.4 Client expressly agrees not to initiate legal proceedings, lawsuits, or any form of legal action against BreachX or its affiliated Security Researchers for activities conducted within the scope of this Agreement. This provision does not apply in cases of willful misconduct or gross negligence as defined by applicable law.

12.3 Warranty Disclaimers

12.3.1 THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." BREACHX HEREBY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

12.3.2 BreachX does not warrant that: (a) The Services will meet Client's specific requirements; (b) The Services will be uninterrupted, error-free, or completely secure; (c) All vulnerabilities will be identified through the Services; (d) The results obtained from the use of the Services will be accurate or reliable; (e) Any errors or defects will be corrected.

12.3.3 Client acknowledges that no security testing can guarantee the discovery of all security vulnerabilities, and that the Services are intended to reduce, not eliminate, security risks.

12.4 Force Majeure Clauses

12.4.1 Neither Party shall be liable for any failure or delay in performance under this Agreement to the extent such failure or delay is caused by circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, pandemic, epidemic, war, terrorism, riots, civil disorder, fire, explosion, accidents, governmental actions, strikes or labor disputes, Internet service provider failures or delays, or denial of service attacks ("Force Majeure Event").

12.4.2 The Party affected by a Force Majeure Event shall: (a) Promptly notify the other Party; (b) Use reasonable efforts to minimize the impact of the Force Majeure Event; (c) Resume performance as soon as reasonably practicable.

12.4.3 If a Force Majeure Event continues for more than thirty (30) consecutive days, either Party may terminate this Agreement upon written notice to the other Party.

13. TERM AND TERMINATION

13.1 Term

13.1.1 These General Terms shall remain in effect for as long as any Service Agreement between BreachX and Client remains in effect.

13.1.2 The specific term of each Service Agreement shall be as set forth in that Service Agreement.

13.2 Termination of Service Agreements

13.2.1 Either Party may terminate a Service Agreement in accordance with the termination provisions in that Service Agreement.

13.2.2 In the absence of specific termination provisions in a Service Agreement, either Party may terminate the Service Agreement: (a) For convenience upon thirty (30) days' written notice to the other Party; (b) For cause upon thirty (30) days' written notice to the other Party of a material breach if such breach remains uncured at the expiration of such period.

13.3 Termination for Cause

13.3.1 Without limiting other remedies, BreachX may suspend or terminate any Service Agreement immediately without notice if: (a) Client fails to pay any amount when due under the Service Agreement; (b) Client violates the terms of use of the Platform; (c) Client's use of the Services poses a security risk to BreachX or other clients; (d) Client's use of the Services may adversely impact the integrity of BreachX's systems; (e) Client breaches any material term of these General Terms or the applicable Service Agreement.

13.3.2 Either Party may terminate any Service Agreement immediately upon written notice if the other Party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

13.4 Effect of Termination

13.4.1 Upon termination or expiration of a Service Agreement: (a) Client shall immediately cease all use of the Services covered by that Service Agreement; (b) Client shall pay all outstanding amounts due to BreachX; (c) BreachX shall provide Client with access to download any Client data for a period of thirty (30) days; (d) Each Party shall return or destroy all Confidential Information of the other Party.

13.4.2 The following sections of these General Terms shall survive termination or expiration of any Service Agreement: Confidentiality, Intellectual Property Rights, Liability and Indemnification, Effect of Termination, Dispute Resolution, and General Provisions.

14. DISPUTE RESOLUTION

14.1 Escalation Procedures

14.1.1 The Parties shall attempt in good faith to resolve any dispute arising out of or relating to these General Terms or any Service Agreement promptly by negotiation between executives who have authority to settle the controversy.

14.1.2 Either Party may give the other Party written notice of any dispute. Within fifteen (15) days after delivery of the notice, the receiving Party shall submit a written response.

14.1.3 Within thirty (30) days after delivery of the initial notice, the executives shall meet at a mutually acceptable time and place, and thereafter as often as they reasonably deem necessary, to attempt to resolve the dispute.

14.2 Mediation and Arbitration

14.2.1 If any dispute has not been resolved by negotiation or mediation within sixty (60) days of the initial notice, either Party may initiate binding arbitration as the exclusive means of resolving any dispute between the Parties.

14.2.2 The arbitration shall be conducted by a single arbitrator in Karnataka, India, and in the English language.

14.2.4 The arbitrator shall have the authority to award any remedy or relief that a court could order or grant in accordance with these General Terms and the applicable Service Agreement.

14.3 Legal Action Limitation

14.3.1 Client expressly agrees not to initiate legal proceedings, lawsuits, or any form of legal action against BreachX or its affiliated Security Researchers for activities conducted within the scope of these General Terms and any applicable Service Agreement.

14.3.2 All disputes shall be resolved through the dispute resolution process outlined in this section.

14.3.3 This legal action limitation does not apply in cases of willful misconduct or gross negligence as defined by applicable law.

14.4 Governing Law and Jurisdiction

14.4.1 These General Terms and all Service Agreements shall be governed by and construed in accordance with the laws of Karnataka, India, without giving effect to any choice or conflict of law provision or rule.

14.4.2 Subject to the dispute resolution provisions of this section, each Party irrevocably submits to the exclusive jurisdiction of the courts of Karnataka for any legal action, suit, or proceeding arising out of or in connection with these General Terms or any Service Agreement that is not subject to arbitration.

14.5 Class Action Waiver

14.5.1 CLASS ACTION WAIVER: EACH CLIENT WAIVES ANY RIGHT TO ASSERT ANY CLAIMS AGAINST BREACHX AS A REPRESENTATIVE OR MEMBER IN ANY CLASS OR REPRESENTATIVE ACTION, EXCEPT WHERE SUCH WAIVER IS PROHIBITED BY LAW OR DEEMED BY A COURT OF LAW TO BE AGAINST PUBLIC POLICY.

15. CHANGE MANAGEMENT

15.1 Process for Changing Scope

15.1.1 Either Party may request changes to the scope of Services by submitting a written change request to the other Party.

15.1.2 Change requests shall include: (a) A detailed description of the proposed change; (b) The reason for the proposed change; (c) Any anticipated impact on timeline, fees, or deliverables; (d) Requested implementation date.

15.1.3 Upon receipt of a change request, the receiving Party shall review the request and respond within ten (10) business days with: (a) Approval of the request; (b) Rejection of the request with reasons; (c) Request for additional information; or (d) A counterproposal.

15.1.4 No change shall be effective until both Parties have agreed to the change in writing through a formal change order amendment to this Agreement.

15.2 Additional Services Requests

15.2.1 Client may request additional services not included in the original scope by submitting a request through the Platform or contacting their designated BreachX representative.

15.2.2 BreachX shall evaluate such requests and provide Client with: (a) Confirmation that the requested services are included in the current plan; (b) A proposal for providing the services as an add-on to the current plan; or (c) Notification that the requested services require an upgrade to a different plan.

15.2.3 Additional services may incur extra fees as specified in the then-current pricing schedule or as quoted by BreachX.

15.2.4 Client shall confirm acceptance of any additional fees in writing before BreachX proceeds with providing the additional services.

15.3 Change Order Procedures

15.3.1 All agreed changes shall be documented in a change order that includes: (a) Reference to this Agreement; (b) Detailed description of the changes; (c) Impact on pricing, if any; (d) Impact on timeline, if any; (e) Signatures of authorized representatives of both Parties.

15.3.2 Change orders shall be numbered sequentially and become an amendment to this Agreement upon execution by both Parties.

15.3.3 BreachX shall implement the changes according to the timeline specified in the executed change order.

15.3.4 In emergency situations where immediate changes are necessary to protect Client's systems, BreachX may implement changes without a formal change order, provided that: (a) BreachX notifies Client as soon as reasonably practicable; (b) The Parties document the changes in a change order as soon as the emergency allows.

16. REPRESENTATIONS AND WARRANTIES

16.1 Service Quality Assurances

16.1.1 BreachX represents and warrants that: (a) It has the expertise, experience, and resources necessary to provide the Services in accordance with industry standards; (b) The Services will be performed in a professional and workmanlike manner; (c) It will employ qualified personnel to perform the Services; (d) It will comply with all applicable laws and regulations in performing the Services.

16.1.2 BreachX will make commercially reasonable efforts to ensure that: (a) Security Researchers follow established rules of engagement; (b) Vulnerability reports meet quality standards before delivery to Client; (c) The Platform remains available in accordance with the Service Level Agreement.

16.1.3 If the Services fail to conform to the assurances in this section, Client's exclusive remedy shall be for BreachX to re-perform the non-conforming Services at no additional cost to Client.

16.2 Client Warranties

16.2.1 Client represents and warrants that: (a) It has the legal right and authority to enter into this Agreement; (b) It has the legal right and authority to grant BreachX and Security Researchers access to the assets specified in the security testing scope; (c) It owns or has licensed the assets specified in the security testing scope; (d) It will comply with all applicable laws and regulations in its use of the Services.

16.2.2 Client warrants that it will: (a) Provide accurate and complete information about the assets to be tested; (b) Maintain adequate backup systems and data backups during security testing; (c) Promptly review and respond to vulnerability reports; (d) Not use the Services for any illegal or unauthorized purpose.

16.2.3 Client acknowledges that security testing may reveal previously unknown vulnerabilities that could potentially be exploited by malicious actors if not promptly addressed.

16.3 Disclaimer of Implied Warranties

16.3.1 EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." BREACHX HEREBY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

16.3.2 BreachX does not warrant that: (a) The Services will meet Client's specific requirements; (b) The Services will be uninterrupted, error-free, or completely secure; (c) All vulnerabilities will be identified through the Services; (d) The results obtained from the use of the Services will be accurate or reliable; (e) Any errors or defects will be corrected.

16.3.3 Client acknowledges that no security testing can guarantee the discovery of all security vulnerabilities, and that the Services are intended to reduce, not eliminate, security risks.

16.3.4 BreachX makes no warranty regarding third-party products or services, including the security or performance of any remediation measures implemented by Client or third parties based on BreachX's recommendations.

17. INSURANCE REQUIREMENTS

17.1 Cybersecurity Insurance Requirements for Paid Clients

17.1.1 BreachX shall maintain, at its own expense, cyber liability insurance coverage with limits not less than 100,000 USD in the aggregate for all occurrences during a year in which Client holds a valid subscription.

17.1.2 Such insurance shall cover liability arising from critical assets identified by Client during sign-up with BreachX.

17.1.3 Client shall maintain appropriate cyber liability insurance coverage based on its industry and risk profile, with limits sufficient to cover potential security incidents.

17.2 Professional Liability Coverage for Paid Clients

17.2.1 BreachX shall maintain professional liability (errors and omissions) insurance with limits not less than 100,000 USD per claim and 1 million USD in the aggregate.

17.2.2 Such insurance shall cover liability arising from errors, omissions, or negligent acts in the performance of professional services under this Agreement.

17.2.3 This coverage shall remain in effect for the duration of this Agreement and for a period of one (1) year following termination.

17.3 Proof of Insurance Provisions

17.3.1 Upon request, each Party shall provide the other with certificates of insurance evidencing the coverage required by this Agreement.

17.3.2 Each Party shall provide the other with at least thirty (30) days' written notice prior to any cancellation, non-renewal, or material change in coverage.

18. GENERAL PROVISIONS

18.1 Notices

18.1.1 All notices and other communications required or permitted under these General Terms or any Service Agreement shall be in writing and shall be deemed given when: (a) Delivered personally; (b) Sent by registered or certified mail, return receipt requested; (c) Sent by email with confirmation of receipt; or (d) Delivered by a nationally recognized overnight courier service.

18.1.2 Notices to BreachX shall be addressed to the address specified on the Platform or in the applicable Service Agreement.

18.1.3 Notices to Client shall be addressed to the address specified in the applicable Service Agreement or to the email address associated with Client's account.

18.1.4 Any notices or other communications provided by BreachX under the Terms, including those regarding modifications to the Terms, may be given via email or by posting to the BreachX Site.

18.2 Relationship of the Parties

18.2.1 The relationship between the Parties is that of independent contractors. Nothing in these General Terms or any Service Agreement shall be construed as creating any agency, partnership, joint venture, or other form of joint enterprise between the Parties.

18.2.2 Neither Party shall have authority to bind the other Party or make any representations or warranties on behalf of the other Party.

18.3 Assignment

18.3.1 Neither Party may assign or transfer any of its rights or delegate any of its obligations under these General Terms or any Service Agreement, in whole or in part, without the prior written consent of the other Party, which consent shall not be unreasonably withheld.

18.3.2 Notwithstanding the foregoing, either Party may assign these General Terms and any Service Agreement in their entirety, without the other Party's consent, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets.

18.4 Severability

18.4.1 If any provision of these General Terms or any Service Agreement is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.

18.4.2 The Parties shall negotiate in good faith to replace any invalid, illegal, or unenforceable provision with a valid, legal, and enforceable provision that achieves, to the extent possible, the economic, business, and other purposes of the invalid, illegal, or unenforceable provision.

18.5 Amendments

18.5.1 BreachX reserves the right to modify these General Terms at any time. BreachX will provide notice of material changes through the Platform or by email to the address associated with Client's account.

18.5.2 Client's continued use of the Services after the effective date of any modification constitutes acceptance of the modified General Terms.

18.5.3 Any Service Agreement may only be amended, modified, or supplemented by a written instrument executed by authorized representatives of both Parties, unless otherwise specified in that Service Agreement.

18.6 Entire Agreement

18.6.1 These General Terms, together with any applicable Service Agreement and all exhibits, schedules, and attachments thereto, constitute the entire agreement between the Parties with respect to the subject matter thereof and supersede all previous agreements, whether written or oral, relating to the same subject matter.

18.6.2 No purchase order, acknowledgment, confirmation, correspondence, or other document issued by Client shall modify or supplement these General Terms or any Service Agreement unless specifically agreed to in writing by an authorized representative of BreachX.

18.7 Waiver

18.7.1 No waiver of any provision of these General Terms or any Service Agreement shall be effective unless in writing and signed by the Party against whom the waiver is sought to be enforced.

18.7.2 No failure or delay by either Party in exercising any right, power, or remedy under these General Terms or any Service Agreement shall operate as a waiver of such right, power, or remedy.

18.8 Force Majeure

18.8.1 Neither Party shall be liable for any failure or delay in performance under these General Terms or any Service Agreement to the extent such failure or delay is caused by circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, pandemic, epidemic, war, terrorism, riots, civil disorder, fire, explosion, accidents, governmental actions, strikes or labor disputes, Internet service provider failures or delays, or denial of service attacks.

18.9 Links to Third Party Websites or Resources

18.9.1 The Services may contain links to third party websites or resources. BreachX provides these links only as a convenience and is not responsible for the content, products, or services on or available from those websites or resources or links displayed on such websites.

18.9.2 Client acknowledges sole responsibility for and assumes all risk arising from Client's use of any third party websites or resources.

18.10 Publicity

18.10.1 BreachX may use Client's name and/or logo in any publicity or advertising describing the relationship between the Parties.

19. VULNERABILITY DISCLOSURE GUIDELINES

19.1 BreachX's Vulnerability Disclosure Guidelines, which describe the default policy governing Security Researcher Submissions through the Services, will be applicable to the Services.

19.2 In the event of a conflict, individual Program Policies created by the Client supersede BreachX's Vulnerability Disclosure Guidelines.

19.3 Client acknowledges that BreachX has established Vulnerability Disclosure Guidelines to promote responsible disclosure practices and protect both Client and Security Researchers.

20. COMPLIANCE WITH LAWS/COPYRIGHT POLICY

20.1 Each Party shall comply with all Applicable Law in connection with the performance of its obligations and the exercise of its rights in the Services.

20.2 Without limiting the foregoing, BreachX respects copyright law in all jurisdictions in which it does business and expects its Clients and Security Researchers to do the same.

20.3 It is BreachX's policy to terminate, in appropriate circumstances, Clients and Security Researchers who infringe or are believed to be infringing the rights of copyright holders.

21. DATA & INFORMATION SECURITY POLICY

21.1 BreachX's Data & Information Security Policy, which describes the security of the BreachX Platform, will be applicable to the Services.

22. BINDING ON CLIENT

The terms and conditions of this document shall be acceptable to and binding on all Clients.

23. CONTACT INFORMATION

If there are any questions about the Terms or the Services, please contact BreachX at info@breachx.com.


Let's Breach-Proof
Your Business

If you're defending with outdated intelligence, you're already behind. With Zero Day Intelligence™, you're not just defending. You're anticipating. You're preventing. You're winning.

BreachX™ is the world’s first cybersecurity platform purpose-built with a singular focus: Zero Day Intelligence at enterprise scale. We specialize in discovering, analyzing, and validating unknown vulnerabilities and breach indicators—transforming them into preemptive, actionable insights before they become public, weaponized, or exploited.

© 2025 BreachX. All rights reserved.