CyberCX standard terms and conditions of supply

1. Performance of Services

1.1 Provision of the Services

  1. During the Term, CyberCX agrees to perform the Services as set out in a Proposal, quote or SOW (as relevant) and any acceptance and delivery will only be in accordance with the terms of this Agreement, and no other terms and conditions contained in any other Client document will apply or be incorporated. The Client acknowledges and agrees that the Services may be performed and invoiced by CyberCX or any of its Related Bodies Corporate.
  2. CyberCX agrees to:
    1. comply with all reasonable directions of the Client and all applicable laws in connection with the performance of its obligations;
    2. comply with all reasonable health and safety policies of the Client whilst on the Client’s site as provided to CyberCX prior to commencing the work; and
    3. use reasonable endeavours to have any specific personnel identified in a Proposal, quote or SOW available to perform the Services and will provide the Client reasonable if it intends to replace or reassign such personnel.
  3. The Client agrees to cooperate with CyberCX in supplying the Services or any Products, including:
    1. providing CyberCX with safe and timely access and authorisation to access and use the Client’s Systems, personnel, facilities, site and utilities as reasonably required;
    2. providing CyberCX with any requested information relevant to the provision of the Services in a timely and accurate manner;
    3. ensuring its Systems are backed-up and recoverable prior to and at all times during the performance of the Services; and
    4. comply with all reasonable requests or directions of CyberCX for the purpose of facilitating the supply of the Services and Products,
  4. The Client acknowledges and agrees that CyberCX will not be liable or in breach of the Agreement if the Services impact the information or operating Systems of the Client.

1.2 Use of subcontractors

  1. CyberCX will be liable for:
    1. the performance of its subcontractors obligations; and
    2. provision of the Services by its subcontractors.

1.3 Provision of Products

  1. At any time during the Term the Client may request to purchase any Products offered for sale by CyberCX and set out within this Agreement by submitting a purchase order to CyberCX.
  2. The purchase order must explicitly reference this Agreement and set out the type and quantity of the Product/s to be purchased and the desired date for delivery of the Products.
  3. CyberCX will provide the Client written notification of acceptance or rejection of the purchase order, the proposed delivery date along with any variable price changes (including exchange rate, delivery or third party pricing changes) as relevant for the purchase of the Products. Failure by CyberCX to confirm receipt of the purchase order shall not be taken to be an acceptance of that purchase order.
  4. All risk in any Products transfers to the Client upon delivery of the Product to the Client and title passes on payment in full.

1.4 Access and delays

  1. Where CyberCX reasonably requests information or access to any Client premises or systems necessary for the Services at least five (5) Business Days prior to commencement and/or provision of the Services, and that information or access is not available at time of scheduled commencement and/or provision of the Services, CyberCX will be entitled to charge the Client for any resulting delays based on reasonable daily rates until that information or access is provided.
  2. If the Client requests CyberCX to cancel, delay, reschedule or suspend the Services with less than three (3) Business Days’ notice before the commencement of the Services, the Clients must pay CyberCX its reasonable costs associated with such cancelation, delay or rescheduling.  The Client acknowledges that the costs payable under this clause are a genuine pre-estimate of the damages that CyberCX is likely to suffer as a result of the Client’s failure to give CyberCX adequate notice of a cancelation, delay or rescheduling of the start date.

2. Authorisation 

The Client authorises CyberCX and CyberCX’s Personnel to access and use the Client’s networks and systems as reasonably required by CyberCX for the provision of the Services for all purposes, including in connection with the Criminal Code Act 1995 (Cth).

3. Security testing and digital forensic services 

To the extent the Services include:

  1. vulnerability testing, phishing and/or penetration testing, the terms of Attachment A apply; and
  2. digital forensics and incident response services, the terms of Attachment B apply.

4. Governance Risk and Compliance

  1. To the extent the Services include governance, risk or compliance advice, this clause 3 applies.
  2. The Client shall be solely responsible for ensuring that the specifications relating to the Products and Services, and the use of the Products and Services, satisfies all of the Client’s legal and regulatory obligations and any other Client compliance requirements including, without limitation, compliance by the Client with any statute, regulation, corporate governance matters and internal company policies.
  3. Nothing in the Agreement requires CyberCX to ensure, recommend or facilitate the Client’s compliance with any matter referred to in this clause, except to the extent prescribed in the specifications Proposal, or SOW and the Client acknowledges that it has obtained its own advice on such compliance matters.

5. Term

Unless otherwise terminated in accordance with clause 13, this Agreement commences on the earlier day of CyberCX providing the Services, the acceptance of a Client purchase order or as otherwise agreed in writing and continues for the duration set out in the Proposal, quote or SOW or if no duration is stated, on completion of the Services.

6. Invoices & Payments

  1. The Client must pay CyberCX for the provision of the Services and for the supply of any Products, as set out in a valid tax invoice issued by CyberCX.
  2. CyberCX will issue invoices as set out in the Proposal, quote or SOW, or otherwise at the end of the month in which the Services are delivered, or at milestones or upon acceptance of a Product order.
  3. The Client must pay all invoices within 30 days of the invoice date by electronic funds transfer to an account as specified by CyberCX in the invoice.
  4. All fees and prices are provided exclusive of all applicable taxes, duties, goods and services tax (GST) and government charges. If GST is payable for any supply made by CyberCX under this Agreement, Client must pay any applicable GST or government charges with the amounts due.
  5. If CyberCX does not receive payment strictly in accordance with clause 5(c), CyberCX may charge the Client interest at the Late Payment Rate, compounding daily.
  6. The Client may not set-off, counterclaim or deduct any amount from an amount owing to CyberCX.
  7. The Client must notify CyberCX in writing of any disputed invoices within 5 Business Days of receipt detailing the amount and the reason for the dispute.

7. Intellectual Property

7.1 Intellectual Property in Deliverables and provision of Services

  1. Subject to clauses 2 and 6.3, all intellectual property rights in the Deliverables, the Services and any other material created by CyberCX in delivering the Services remain the property of CyberCX.
  2. Subject to clause 3, CyberCX grants the Client a non-exclusive, non-transferable, non-sub licensable, royalty free license to use in Australia the intellectual property rights in the Deliverables (excluding the Third Party Material and the Client Data), the Services and any other material created by CyberCX in delivering the Services for the sole and limited purpose of enjoying the benefit of the Services as set out in the Proposal, quote or SOW.

7.2 Background IP

Each party at all times retains all title and ownership in its own Background IP.

7.3 Third party intellectual property

  1. In providing the Services, CyberCX may provide the Client with software or Deliverables that are, or include, software or other material which is owned by or is proprietary to a third party (Third Party Material). The Client agrees that:
    1. its use of Third Party Material will be subject to the third party licensor’s licence agreement (Third Party Licence) between the Client and the third party licensor; and
    2. title in any Third Party Material remains at all times with the third party.
  2. Subject to clause 3(a), CyberCX warrants that to the best of its knowledge and belief, all materials and Deliverables created by CyberCX in delivering the Services when used by the Client in accordance with this Agreement, will not infringe any intellectual property rights of any third party.

8. Confidentiality

  1. Each party agrees that where it, its Personnel, or its Related Bodies Corporate, are the recipient of Confidential Information (Recipient) of the other party (Disclosing Party), the Recipient must:
    1. subject to clause 7(b), treat all Disclosing Party’s Confidential Information as confidential and not use it except as reasonably necessary for the purposes of this Agreement;
    2. ensure that the Disclosing Party’s Confidential Information is held in strict confidence and is not disclosed to any third party (subject to any legal requirement on the Recipient to disclose the Disclosing Party’s Confidential Information) without the Disclosing Party’s prior written consent, and then only under conditions of confidentiality approved in writing by the Disclosing Party;
    3. immediately notify the Disclosing Party in writing if the Recipient suspects that any Disclosing Party’s Confidential Information may have been accessed by any unauthorised party;
    4. use, at a minimum, the same degree of care with respect to its obligations to protect the confidentiality of the Disclosing Party’s Confidential Information under this Agreement as it employs with respect to its own confidential or proprietary information, but in no event less than reasonable care; and
    5. upon request by the Disclosing Party or termination of this Agreement, promptly deliver to the Disclosing Party all written documents or other physical embodiments containing the Disclosing Party’s Confidential Information then in its custody, control or possession and must deliver within 10 days after such termination or request a written statement to the Disclosing Party certifying to such action.
  2. The restrictions in this clause 8 do not apply to the extent that any Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of either party on any recognised stock exchange. Nothing in this Agreement is intended to oblige the Recipient to return or destroy any document, data or information incorporated into or annexed to anything which must be retained for compliance purposes, contained in systems, archives or backups which cannot be practicably deleted or information which must be retained as required by Law, any accounting standard or the rules of any stock exchange or for sound corporate governance purposes.
  3. Unless otherwise agreed in writing by the Disclosing Party, the obligations of confidentiality in clause 7(a)(i) do not apply to the extent the Confidential Information:
    1. has been lawfully disclosed to the Recipient by a third party free from obligations of confidentiality; or
    2. is in the public domain (other than through a breach of this Agreement).
  4. The provisions of this clause 8 shall continue in force indefinitely following the termination of this Agreement.

9. Privacy

  1. Both parties agree to comply with the Privacy Laws in relation to the provision and use of the Services.
  2. Without limiting clause 8(a), the Client must only disclose Personal Information in its control to CyberCX, or allow CyberCX to access such Personal Information, if:
    1. the Client is authorised to do so by applicable Privacy Laws and any privacy policy or code of the Client;
    2. the Client has the requisite consent from the individual to whom the Personal Information relates; and
    3. the Client notifies CyberCX of the provision of such information and will take any relevant steps as reasonably requested by CyberCX to mark, tag or append information to such data for ease of identification and tracking.
  3. The Client acknowledges and agrees that:
    1. it may be necessary for CyberCX to access Personal Information held by the Client in order to provide the Services;
    2. it will do all things necessary to prevent CyberCX being in breach of its obligations under the Privacy Laws and its Privacy Policy.
  4. The Client will be liable for all actions, claims, proceedings, demands, liabilities, losses, damages, expenses and costs (including legal costs on a full indemnity basis) that may be brought against CyberCX or its Related Bodies Corporate or which CyberCX may pay, sustain or incur as a direct or indirect result of any breach or non‑performance of the Client’s obligations under this clause 8, except that the Client’s liability will be proportionally reduced to the extent caused or contributed to by the negligent or wilful acts or omissions of CyberCX.
  5. Each party shall promptly notify the other of any breach of any confidentiality, data or security obligations, laws, requirements or standards, and provide reasonable assistance to the other in managing such breach and/or handling any requests in relation to personal information.

10. Warranties

  1. CyberCX warrants:
    1. it has the power, capacity and authority to enter into and observe its obligations under this Agreement;
    2. the Services will be provided by exercising the same degree and skill, care and diligence that would be exercised by a professional services provider in the same industry in similar circumstances;
    3. it and its personnel are appropriately trained and experienced to provide the Services; and
    4. any Products sold to the Client or supplied in the performance of the Services substantially meet the relevant specifications or descriptions set out in the Proposal, quote or SOW.
  2. Any representation, warranty, condition or undertaking that would be implied in this Agreement by legislation, common law, equity, trade, custom or usage is excluded to the maximum extent permitted by law.
  3. Nothing in this Agreement excludes, restricts or modifies any condition, guarantee, warranty, right or remedy conferred on the parties by the Competition and Consumer Act 2010 (Cth) or any other applicable law that cannot be excluded, restricted or modified by agreement.
  4. To the fullest extent permitted by law, the liability of CyberCX for a breach of a non‑excludable condition, guarantee, warranty right or remedy referred to in clause 10(c) is limited, at CyberCX’s option, to:
    1. the replacement, resupply or repair of the relevant Products;
    2. the resupply of the relevant Services; or
    3. the payment of the cost of having the relevant Services or Products resupplied or repaired.

11. Liability

  1. CyberCX indemnifies the Client for any direct Loss suffered by the Client arising from or related to third party Intellectual Property claims against the Client caused or contributed to by CyberCX, except to the extent caused or contributed to by the Client’s or its Personnel’s acts or omissions and subject to:
    1. the indemnification that CyberCX receives from an owner in relation to any relevant third party intellectual property;
    2. the Client taking all reasonable steps (and ensuring its employees, agents, officers and contractors take all reasonable steps) to mitigate their loss; and
    3. the Client (and its employees, agents, officers and contractors where relevant) permitting CyberCX to manage any relevant claim or action in the name of the Client (or any relevant employee, agent, officer or contractor of the Client).
  2. CyberCX’s total aggregate liability to the Client in respect of any and all Losses incurred by the Client (whether for breach of contract, in tort (including negligence) or otherwise) arising out of or in connection with the carrying out of the Services or supply of the Products under this Agreement is limited to twice the amount paid by the Client to CyberCX under a Proposal, quote or SOW in the 12 months preceding the event giving rise to the Loss, to a maximum of $250,000.
  3. CyberCX’s limit on liability in clause 11(b) does not apply to clause 11(a)(i) or the following Losses:
    1. personal injury or death of a party or person; or
    2. damage to tangible property,

    to the extent caused by CyberCX’s negligent acts or omissions.

  4. To the maximum extent permitted by law, CyberCX is not responsible and excludes all liability for any Loss or corruption to the Client’s Systems or any data or information of the Client arising from or in connection with the supply of the Services or the Products by CyberCX.
  5. Notwithstanding anything to the contrary in this Agreement, under no circumstances will CyberCX be liable to the Client for any indirect or consequential loss that does not arise naturally (that is, according to the usual course of things) from the event giving rise to the loss or any loss of profits, loss of production, loss of revenue, loss of business, loss of goodwill, damage to reputation, loss of opportunity, loss or corruption of data or wasted overheads.

12. Australian Consumer Law

  1. If the Client is a deemed a Consumer:
    1. Clause 11 does not apply to any liability of CyberCX for failure to comply with a Consumer Guarantee;
    2. in respect of any goods supplied under this agreement, subject to clause 12(a)(iv), unless the goods are goods ‘of a kind ordinarily acquired for personal, domestic or household use or consumption’ (as that expression is used in section 3 of the Australian Consumer Law), the liability of CyberCX for Loss, however caused (including by the negligence of CyberCX), suffered or incurred by the Client because of a failure to comply with a Consumer Guarantee is limited to (at CyberCX’s election):
      1. replacing the goods or supplying equivalent goods;
      2. repairing the goods;
      3. paying the cost of replacing the goods or of acquiring equivalent goods; or
      4. paying the cost of having the goods repairs;
    3. in respect of the Services supplied under this agreement, subject to clause 12(a)(iv), unless the Services are ‘services of a kind ordinarily acquired for personal, domestic or household use or consumption’, as that expression is used in section 3 of the Australian Consumer Law, the liability of CyberCX for Loss, however caused (including by the negligence of the Service Provider ), suffered or incurred by the Client because of a failure to comply with a Consumer Guarantee is limited to (at CyberCX’s election):
      1. resupplying the Services; or
      2. paying the cost of having the Services supplied again; and
    4. clauses 12(a)(ii) and 12(a)(iii) do not apply in relation to a guarantee pursuant to any of sections 51, 52 or 53 of the Australian Consumer Law or if it is not ‘fair or reasonable’ for the purposes of section 64A of the Australian Consumer Law for CyberCX to rely on them.
  2. Nothing in this agreement is intended to exclude, restrict or modify rights which the Client may have under the Australian Consumer Law which may not be excluded, restricted or modified.

13. Termination

  1. Either party may terminate the Agreement with immediate effect if the other party is:
    1. in material breach of the Agreement and where the breach is remediable that defaulting party fails to remedy the breach within 14 days of receiving notice of the breach;
    2. subject to an Insolvency Event; or
    3. subject to an Event of Force Majeure which continues for a period of more than 90 days.
  2. Upon termination of this Agreement for any reason:
    1. CyberCX will cease providing the Services and Products; and
    2. the Client must pay to CyberCX all outstanding amounts for Services actually performed or Products ordered by the Client or amounts that CyberCX has paid or owes to third parties that it cannot reasonably get out of paying in connection with this Agreement.
  3. Termination of this Agreement does not affect a liability or any obligation of a party arising prior to termination nor affect any damages or other remedies which a party may be entitled under this Agreement.
  4. On expiry or termination of this Agreement:
    1. Clauses 7 (Confidentiality), 8 (Privacy), 9(Data Security), 10 (Warranties), 11 (Liability), 12(b) (Termination) and 13 (Non-solicitation) continue in full force and effect; and
    2. all rights, obligations and liabilities a party has accrued before expiry or termination continue.

14. Non-solicitation

During the Term and for a period of 12 months after completion of the Term, the Client must not, and must procure its affiliates do not, offer work to, solicit or induce for employment, employ, or contract with, CyberCX’s Personnel who are involved with the provision of the Services, without first obtaining the written consent of CyberCX (which may be withheld by CyberCX at its absolute discretion).

15. Miscellaneous

  1. If any provision of this Agreement is deemed to be unenforceable, invalid or illegal, the interpretation is to be applied to reflect the intention of the parties as far as possible whilst not affecting the validity of the remainder of the Agreement.
  2. Neither party may assign its rights under this Agreement without the other party’s prior written consent, provided however CyberCX can assign its rights under this Agreement to a Related Body Corporate if it wants for so long as it requires to do so.
  3. The Client acknowledges and agrees that (i) some or all of the Services may be provided by CyberCX Pty Ltd and /or its Related Bodies Corporates, and (ii) client data may be stored or accessed from locations outside of Australia.
  4. All notices and consents must be sent by email to the email addresses on the front page of this Agreement.
  5. This Agreement is governed by the laws of the State of Victoria, Australia.
  6. CyberCX will not be liable for any delay or failure to supply the Services or Products if such a delay or failure was due to an Event of Force Majeure.
  7. Any dispute relating to the subject matter of this Agreement shall be submitted to mediation prior to any other dispute resolution process being invoked. The parties will agree a mediator within 21 days of either party giving the other written notice of intention to invoke mediation. If the parties cannot agree on a mediator then the dispute will be referred to the Australian Disputes Centre (ADC). All mediation proceedings will be conducted in accordance with the ADC’s ADR Guidelines.
  8. No party is authorised to bind another party and nothing in this Agreement is construed as creating a relationship of principal and agent, partners, trustee and beneficiary, or employer and employee.
  9. This Agreement may only be amended or replaced with the written agreement of all parties.
  10. This Agreement constitutes the entire agreement between the parties and supersedes any prior conduct, arrangement, agreement or understanding in relation to its subject matter.
  11. This Agreement can be signed in counterparts. If an electronic signature is used, it shall have the same effect as a handwritten signature.

16. Definitions and interpretation

16.1 Definitions

All capitalised terms have either the meanings given to that term in the Proposal, quote or SOW, the definitions in this clause 14.1 or where otherwise set out in the Agreement:

Agreement means these general terms and conditions and as relevant; the Proposal, quote or SOW to which they are attached (including any agreed written variation);

Australian Consumer Law is as set out in schedule 2 to the Competition and Consumer Act 2010 (Cth); and the corresponding provisions of the Australian Consumer Law and Fair Trading Act 2012 (Vic) as applicable (and each of its equivalents in the Australian States and Territories).

Background IP means a party’s intellectual property rights in any materials developed independently of, or prior to, the provision of the Services and the Deliverables and includes any third party licensed intellectual property;

Business Day means a day that is not a Saturday, Sunday, public holiday or bank holiday in the location where the Services are being provided;

Client means the customer who has requested the Services to be performed by CyberCX.

Client Data means the data owned or supplied by the Client which is accessed by CyberCX (including its Related Bodies Corporate) or its subcontractors in the course of performing the Services;

Confidential Information means all and any information (in any form or media) of a confidential nature that is made available directly or indirectly, and before, on or after the date of this Agreement  including financial, client, employee and supplier information, product specifications, policies and procedures, processes, statements, formulae, trade secrets, Client Data, drawings and data which is not in the public domain (except by virtue of a breach of the confidentiality obligations arising under this Agreement);

Consumer has the same meaning as in section 3 of the Australian Consumer Law.

Consumer Guarantee means a Consumer guarantee applicable to this Agreement under the Australian Consumer Law.

CyberCX means CyberCX Pty Ltd and any of its Related Bodies Corporate;

Deliverables means the materials, reports and other deliverables to be provided by CyberCX in performing the Services, as set out in the relevant Proposal, quote or SOW;

Deliverables Date means the date upon which the Deliverables are to be provided to the Client, if any;

Event of Force Majeure means any event or circumstance, or a combination of events or circumstances, which is beyond the reasonable control of a party (but does not excuse any obligation to make payment).;

Insolvency Event means:

  1. bankruptcy proceedings are commenced against the relevant party, or the relevant party is declared bankrupt;
  2. any step is taken to appoint a receiver, a receiver and manager, a trustee in bankruptcy, a liquidator, a provisional liquidator, an administrator or other like person to the relevant party or to the whole or any part of the relevant party’s assets or business;
  3. if the relevant party is in a partnership, the partnership is dissolved or an application is made to dissolve the partnership;
  4. the relevant party is or becomes unable to pay its debts when they are due or either party is or is presumed to be insolvent for the purposes of any provision of the Corporations Act 2001 (Cth);

Late Payment Rate means a fixed interest rate of 2% above the overdraft rate charged on overdraft accounts over $100,000 by the Commonwealth Bank of Australia from time to time;

Loss means any loss, cost, liability or damage, including reasonable legal costs on a solicitor/client basis;

Personal Information has the meaning given to that term in the Privacy Act;

Personnel means, in relation to a party, its employees, Related Bodies Corporate, secondees, advisers and contractors;

Privacy Act means the Privacy Act 1988 (Cth);

Privacy Laws means the Privacy Act and all other applicable privacy and data protection laws as may be in force from time to time which regulate the collection, use, disclosure, storage of and granting of access rights to Personal Information;

Privacy Policy means the documented policy of CyberCX, as amended from time to time, located at : www.cybercx.com.au/privacy/.

Product means any products or goods supplied pursuant to the Agreement

Proposal means the proposal for Services to be provided to the Client by CyberCX;

Rates means the hourly or daily rates payable by the Client for the provision of Services by CyberCX, as set out in a Proposal, quote or SOW;

Related Body Corporate of an entity means a body corporate that is related to that entity in any of the ways specified in the Corporations Act 2001 (Cth);

Security Breach has the meaning given to that term in clause 9(a);

Services means the services to be provided to the Client by CyberCX, as set out in a relevant Proposal, quote, or SOW;

Statement of Work or SOW means a document setting out the Services and/or products to be provided to the Client by CyberCX;

Systems includes networks, software, applications, computers, servers, mobile devices, cloud services (including storage, software, platforms and infrastructure as a service), industrial control systems, and any other IT systems or equipment.

Third Party Licence has the meaning given to that term in clause 6.3(a)(i); and

Third Party Material has the meaning given to that term in clause 6.3(a).

16.2 Interpretation

In this Agreement, unless the context requires otherwise:

  1. clause and subclause headings are for reference purposes only;
  2. the singular includes the plural and vice versa;
  3. words denoting any gender include all genders;
  4. a reference to a person includes any other entity recognised by law and vice versa;
  5. where a word or phrase is defined, its other grammatical forms have a corresponding meaning;
  6. any reference to a party to this Agreement includes its successors and permitted assigns;
  7. any reference to any agreement or document includes that agreement or document as amended at any time;
  8. the use of the word includes or including is not to be taken as limiting the meaning of the words preceding it;
  9. the expression at any time includes reference to past, present and future time and performing any action from time to time; and
  10. No provision of this Agreement will be construed adversely to a party because that party was responsible for the preparation of this agreement or that provision.
  11. an agreement, representation or warranty by two or more persons binds them jointly and severally and is for the benefit of them jointly and severally.

ATTACHMENT A: SECURITY TESTING TERMS

1. Application of this Attachment A


The terms of this Attachment A apply if and to the extent CyberCX is providing security testing and assurance services to the Client.

2. Security Testing Services


In this Agreement, “Security Testing Services” may include:

  1. penetration testing and red teaming;
  2. code reviews;
  3. security advisory;
  4. security threats and risks assessment; and
  5. and any other security testing or security assessment activities contemplated in a Proposal.

3. Sensitive nature of the services


The Client warrants that it is aware of the nature of the Security Testing Services, and in particular that the Security Testing Services may include:

  1. security testing activities, including:
    1. simulating or performing controlled Cyberattacks on the Client’s Systems;
    2. deliberate attempts to penetrate the security Systems of the Client, which may be provided by a third party;
    3. red teaming (including, but not limited to, deliberately masquerading as a hostile attacker with the intention of detecting vulnerabilities) activities in relation to the Client and its premises and Systems; or
    4. deliberately allowing unauthorised access to the Client’s network or Systems for the purpose of analysing threat vectors and origination;
  2. acts that may be considered unethical; or
  3. acts that may put the Client in breach of its agreements including, but not limited to, its third party supplier’s terms of supply,

and the Client further acknowledges that CyberCX cannot be compelled by the Client to explain or reveal its methods of undertaking the Services.

4. Authorisation


The Client expressly asks and authorises CyberCX to provide the Security Testing Services (including the activities of a nature contemplated in clause 3 of this Attachment A) in relation to the Client and its Systems.

5. Acknowledgment and liability


The Client acknowledges and agrees that:

  1. Security Testing Services:
    1. are sample testing activities only and cannot account for all possible ways a third party could breach the Client’s security measures or Systems; and
    2. are not security services and do not implement any security measures, and are not designed to prevent security breaches or Cyberattacks;
  2. CyberCX does not guarantee that the Security Testing Services will prevent the Client from being affected by any security breach or Cyberattack; and
  3. subject to clause 11(b) of the Agreement, CyberCX is not liable to the Client in the event that the Client is affected by any security breach or Cyberattack, except where and to the extent such security breach or Cyberattack is directly caused by CyberCX misfeasance.

6. Publicity


If the Client is affected by any kind of security breach or Cyberattack, the Client (or its employees, officers or contractors) must not:

  1. in any way link such security breach or Cyberattack to CyberCX’s failure to provide the Security Testing Services in any announcement, publication, declaration or other communication; or
  2. otherwise mention or refer to CyberCX in relation to such security breach or Cyberattack in any announcement, publication, declaration or other communication,

without CyberCX’s prior written consent.

7. Specific indemnity


  1. The Client indemnifies CyberCX from and against any damage or loss (however caused) that CyberCX suffers or incurs in connection with:
    1. any claim by a third party that CyberCX is not or has not been asked or authorised to:
      1. provide the Security Testing Services (including Security Testing Services of a nature contemplated in clause 3 of this Attachment A) in relation to the Client; or
      2. where applicable, access and interact with the Systems of the Client (including Systems provided to the Client by a third party), as contemplated in in clause 3 of this Attachment A;
    2. any claim by a third party in relation to any act by CyberCX of the nature described in clause 3 of this Attachment A; or
    3. any breach of this Attachment A by the Client or its officers, employees, contractors or agents.
  2. Nothing in the Agreement will restrict the indemnification obligations set out in this Attachment A.
  3. The indemnification obligations set out in this Attachment A survive termination or expiry of this Agreement.

8. Definitions


In this Agreement, the terms set out below have the following meaning:

Attachment A means clauses 1 to 5 of this Attachment A.

Cyberattacks mean any breach of (or attempted or threatened breach of) or unauthorised access to the Client’s Systems, including identity or intellectual property theft, exploitation of ICT systems, phishing, spamming, denial-of-service (including distributed), stolen hardware, or website defacement.

Security Testing Services has the meaning given to it in clause 2 of this Attachment A.

ATTACHMENT B:DIGITAL FORENSIC SERVICES

1. Application of this Attachment B


The terms of this Attachment B apply if and to the extent CyberCX is providing digital forensic services to the Client.

2. Digital Forensic Services


In this Agreement, “Digital Forensic Services” may include:

  1. forensic investigation;
  2. forensic analysis;
  3. forensic reporting and opinions;
  4. threat hunting;
  5. cyber threat intelligence and risks assessment; and
  6. and other activities contemplated in a Proposal.

3. Independence


The Client warrants that it is aware of the nature of the Digital Forensic Services and that under Australian law, should CyberCX form a reasonable belief, or identify evidence of a serious criminal conduct during our engagement, including but not limited to evidence of major indictable offences, national security or secrets, CyberCX may be obliged to see that the matter is referred to relevant enforcement or authorities.

4. Authorisation


The Client expressly asks and authorises CyberCX to provide the Digital Forensic Services, and does so in compliance with all relevant laws, legislation and regulations; including but not limited to the NSW Workplace Surveillance Act 2005 (NSW), the Commonwealth Privacy Act (1988) (Cth) and the European Union General Data Protection Regulation 2016 (GDPR).

5. Acknowledgment and liability


The Client acknowledges and agrees that:

  1. Digital Forensic Services:
    1. are intended only for the designated recipient and CyberCX is not responsible or liable for any other use;
    2. outputs may not be provided to any third party without CyberCX prior written consent;
    3. are not intended to provide any specific results other than to identify factual findings, analysis of evidence, and responses to specific questions related to the provision of our expert opinion;
    4. are not legal advice or legal opinions and not output constitutes legal advice;
    5. are provided as-is and CyberCX does not warrant or provide any advice as to the outcome of any proceedings; and
    6. are not delivered against any standards or guidelines unless otherwise agreed.
  2. CyberCX will rely on the information provided as true and correct, and that unless otherwise agreed, CyberCX will not undertake any review, validation or audit to ascertain the completeness or accuracy of information provided. The Client accepts all responsibility for any errors or omissions that such information may contain the of any errors or omissions resulting from the use of such erroneous or incomplete information. Upon becoming aware of any errors or omissions in such information, the Client must advise CyberCX as soon as possible;
  3. In circumstances where CyberCX is required to provide work to a third party, such as a law enforcement or regulatory agency, the Client remains responsible for the cost of any additional work required to be performed in our meeting any such requirement, including additional data collection, copying and verification, forensic analysis, reporting, liaison with third parties, provision of evidence in proceedings and any associated expenses.
  4. Through the course of our work, CyberCX may collect cyber threat intelligence related to cyber incidents and attacks, including information on attacker tactics, techniques and procedures, as well as specific indicators of compromise (CTI). CyberCX uses this CTI to enhance our incident response and related services. Although this CTI will be used with other clients and third parties, it will not include any information which may identify the Client organisation, networks, systems, sensitive information, staff, customers, related parties, or include any Client confidential information.

6. Publicity


The Client (or its employees, officers or contractors) must not mention CyberCX in any announcement, publication, declaration or other communication, without CyberCX’s prior written consent.

7. Specific indemnity


  1. The Client indemnifies CyberCX from and against any damage or loss (however caused) that CyberCX suffers or incurs in connection with:
    1. any claim by a third party that CyberCX is not or has not been authorised to:
      1. provide the Digital Forensic Services as contemplated in clause 4 of this Attachment B; or
      2. where applicable, access and interact with the systems directed or authorised by the Client (including systems provided to the Client by a third party).
    2. any breach of this Attachment B by the Client or its officers, employees, contractors or agents.
  2. Nothing in the Agreement will restrict or apply to the indemnification obligations set out in this Attachment B.
  3. The indemnification obligations set out in this Attachment B survive termination or expiry of this Agreement.

CyberCX standard terms and conditions of supply Version 2.4 is effective from the 8th June 2021