General Terms and Conditions

Last Updated: 09/01/2023

1. Preamble

The company ARSEN (the "Company") is a simplified joint-stock company registered with the Trade and Companies Register of Orléans under number 881 923 775, with its registered office located at 1 Avenue du Champ de Mars, CS 30019 45074 Orléans Cedex 2, and represented by its President, Mr. Thomas Le Coz, or its General Manager, Mr. Alexandre Esser, both having full authority for the purposes hereof.

The Company provides its customers with Software as a Service (SaaS) (the "SaaS Services") that enable them to design, configure, and implement test campaigns with their employees to assess, over time, their resilience to phishing-type cyberattacks and to raise awareness about the correct behaviors to adopt in the face of such attacks. The Company's customers have a tool that allows them to measure the risk associated with their employees' behaviors and to implement awareness actions to reduce this risk.

The customer is a professional who has shown interest in the SaaS Services offered by the Company after:

  • participating in initial discovery discussions of the SaaS Services with the Company;
  • accessing a trial version of the SaaS Services through a link provided by the Company during the initial discussions and after reading and accepting these general terms and conditions in this context.

The Company then provided the customer with an offer (the "Offer") to meet the customer's needs, specifying in particular:

  • the scope of the subscribed SaaS Services;
  • the volume of recipients for the planned test campaigns;
  • the users of the SaaS Services;
  • the price of the SaaS Services;

After thoroughly reviewing the characteristics of the SaaS Services based on the Offer, the customer ensured, prior to entering into this agreement, that the characteristics chosen for the SaaS Services and said proposal are in line with their needs.

Following the acceptance of the Offer by signing the proposal in the form of a quotation, the Company provided the customer with (i) an invoice and (ii) temporary login credentials for the user designated by the customer, enabling them to accept the terms of this contract and access the SaaS Services through the SaaS portal.

The acceptance of this contract is a prerequisite for accessing and using the trial version of the SaaS Services, as well as the subscribed SaaS Services by the customer, which the customer was informed of through exchanges with the Company and the Offer.

The parties agree to engage in a continuous exchange of information with a view to contributing to the success of this contract and avoiding the generation of difficulties detrimental to the interests of both parties.

2. Definition

The following terms shall have the following meanings between the parties:

  • "Test Campaign": Campaigns designed using the SaaS services and intended to test the resilience of recipients in phishing-type cyberattacks situations. A test campaign starts with the first email sent to a recipient and ends no later than three (3) months after sending the last email to a recipient;
  • "Credential Harvesting": A cyber attack aimed at retrieving login credentials, for example, by simulating a fake login portal for targeted employees of the client;
  • "Cyber Attack": As defined in this contract, it refers to practices of credential harvesting and phishing, excluding all other cyberattacks;
  • "Recipients": The client's employees who are subjected to a test campaign as part of the implementation of the SaaS services;
  • "Documentation": Any documentation related to the SaaS services, including terms of use, description of functionalities, and, in general, technical information necessary or useful for their use, available on the Arsen company's portal or sent by the Arsen company to the client by mail;
  • "Data": All information of any kind provided by the client under their full responsibility, hosted by the Arsen company and intended to be processed as part of the implementation of the SaaS services;
  • "Double Positive Click": The click is the electronic formulation of the client's acceptance; with the first click, the client confirms their order for SaaS services and this contract, including its annexes, and with the second click, the client confirms this acceptance.
  • "Flow": Transmission of information composed of client data and the results of processing by the SaaS services;
  • "Login Credentials": Login ID and password provided to the client and allocated on a personal and confidential basis to the number of users stipulated in the Offer, allowing access by said users to the SaaS Services through a secure connection to the SaaS portal; the client's login credentials will be communicated to them via email to the address provided by the client;
  • "Phishing": A cyber attack aimed at compromising a client's employee by manipulating them, for example, by extracting confidential information belonging to the company in which they work or by getting them to install malicious software on their work tools (computer, tablet, or mobile phone);
  • "SaaS Portal": An interactive electronic service made available online by the Arsen company at the URL app.arsen.co, allowing the client to access the SaaS services;
  • "Services": Services provided by the Arsen company as specified in the "Object" section;
  • "SaaS Services": All services distributed online through the SaaS portal described in the "Description of SaaS Services" annex and subscribed to in whole or in part by the client by accepting the Offer;
  • "User": A natural person employed by the client authorized to access the SaaS Services subject to this contract and being the client's preferred contact on the client's side. The number and identity of users are specified in the Offer. Users must be authorized to represent the client for the purposes of the contract.

3. Object

The purpose of this contract is to define the conditions under which the Company:

  • grants the client who accepts it a right of access and use of the SaaS Services;
  • provides technical support services and corrective and evolutionary maintenance of the SaaS Services.

Any other service not provided for in this contract will be subject to a separate quotation and contract.

4. Documents

The contractual documents, in decreasing order of priority, are:

  • the Offer
  • this contract and its annexes, excluding the annex on financial terms

The parties expressly exclude the application of any other document to the provision of the SaaS Services.

In case of contradiction between documents of different nature or rank, it is expressly agreed between the parties that the provisions contained in the higher-ranking document will prevail for conflicting interpretation obligations.

In case of contradiction between the terms of documents of the same order, the latest documents will prevail over the others.

Notwithstanding the contract interpretation rules defined in the Civil Code, criteria of rank will be applied according to the following principles:

  • obligation by obligation;
  • or, failing that, paragraph by paragraph;
  • or, failing that, article by article.

5. Access to SaaS Services

This contract is an electronic contract entered into between the Company and the client, both of whom are professionals. Consequently, in accordance with Article 1127-3 of the Civil Code, the parties expressly agreed to deviate from the provisions:

  • of Articles 1° to 5° of Article 1127-1 of the Civil Code, with the content of the Offer being specified at the beginning of this contract;
  • of Article 1127-2 of the Civil Code, with the process of accepting the Offer and therefore the conclusion of this contract being as follows:

Access to the SaaS Services provided in the Offer presupposes, beforehand:

  • Acceptance of these general terms and conditions by the client, accessible at the address https://arsen.co/cgv, through a process called Double Positive Click;
  • Creation by the client of access to the customer portal of the SaaS portal at the aforementioned address, by providing all the information required by the Company;
  • Acceptance of the Offer by the client, communicated by email.

To this end, the client undertakes to designate a user with full authority to bind the client to these terms.

The "double click" consists of the user checking the box corresponding to each of the aforementioned documents and then confirming this choice by clicking on the button "By clicking on this button, I acknowledge having read the entire SaaS Services contract and its annexes."

6. Applicability

The version of the contract applicable to the client is the one accepted by the client under the conditions provided for in the "Access to SaaS Services" article.

This version is permanently accessible to the client on their customer portal of the SaaS portal.

7. Duration

This contract is concluded for the duration specified in the Offer.

The contract is automatically renewed for one-year periods on the anniversary date of the contract, unless terminated by either party with one (1) month's notice before the anniversary date of the contract, notified by registered letter with acknowledgment of receipt.

Any contractual year begun is due in its entirety.

8. Specifications of SaaS Services

8.1 Scope

The scope of the SaaS Services is detailed in the "Description of SaaS Services" annex.

8.2 Hosting

The SaaS Services and the SaaS portal are hosted on servers outsourced to a provider designated by the Company and presenting equivalent levels of guarantees and security.

The provider responsible for hosting said servers is Google Cloud Platform. The hosting centers are located in the following locations:

  • Paris, France;
  • Frankfurt, Germany;

The Company only provides the client with remote access to the SaaS Services and the SaaS portal, in order to allow the processing of data transmitted by the client to the Company via this access.

The Company ensures the routing of flows to the hosted SaaS Services via a connection to the SaaS portal.

The Company will host the client's data on its servers, as well as their processing, within the volumetric limits defined in the "Financial Terms" annex and in the Offer.

In case of an increase in the available space required for hosting the client's data, the parties will work together to define the conditions, including financial conditions, for the Company to provide additional space for hosting the client's data.

8.3 Hosting and Backup of Client Data

The client's data necessary for the execution of the SaaS Services will be periodically backed up on the servers hosting said services and the SaaS portal.

After a period of three (3) months from the end of the contractual relationship between the parties, for any reason whatsoever, the backups of the client's data made by the Company will be destroyed, with the Company committing not to keep any copies.

The Company cannot be held responsible for any damaging consequences for the client or third parties resulting from the loss, deterioration, or destruction of the client's data.

It is therefore the client's responsibility to make backup copies of their data entrusted to the Company and the results obtained during each test campaign and, more generally, through the implementation of the SaaS Services.

8.4 Documentation

Documentation related to the SaaS Services is available online at https://support.arsen.co.

8.5 Hardware Recommendations

The client undertakes to comply with the Company's recommendations regarding hardware and devices (especially in terms of telecommunications) necessary for the use of the services defined in the "Scope" article.

The Company may, if necessary and at the client's request, conduct an audit of the client's installations prior to any deployment, in order to assess the adequacy of these installations with the hardware recommendations and to propose, if necessary, modifications or developments to comply with the prerequisites. This technical audit will be subject to additional billing.

8.6 Identification

As of the entry into force of these terms and conditions and subject to payment corresponding to the subscribed SaaS Services, the Company will grant the client the right to use the SaaS portal, the SaaS Services, and the creation of a database containing all the data corresponding to the implementation of the SaaS Services requested by the Company.

To do this, the Company will provide the client with an identifier and password allowing the users designated by the client to access the SaaS services covered by these terms.

The identification of the client's users using the identifier and password sent to them is irrefutably attributable to the operations carried out using this password and identifier.

The identification and password provided by the Company to the client are confidential, unique, and personal. The client is solely responsible for their use by the users they have designated and guarantees that these users will comply with basic security and confidentiality rules.

8.7 Use of SaaS Services

The Company will use its best efforts to keep the SaaS Services accessible to the Client, subject to the provisions set out in the "Service Level Commitments" annex.

However, the Company reserves the right to restrict, in whole or in part, access to the SaaS Services in order to carry out maintenance, as part of scheduled services, of its computer configuration and the infrastructures implemented for the provision of the SaaS Services.

To the extent possible, the Company will attempt not to make the SaaS Services unavailable for an excessive period of time and to carry out maintenance services outside of normal working hours and on weekends.

In the absence of transmission by the client of the data necessary to perform the services under this contract, the Company's liability cannot be engaged in the event of delay.

8.8 Evolution of Services

The Company reserves the right to evolve the SaaS Services accessible via the SaaS portal in order to improve its services.

In general, the Company reserves the right to make and implement any technical decision aimed at improving the SaaS Services, subject to ensuring continuity and upward compatibility.

8.9 Termination of SaaS Services

In the event that the Company needs to carry out scheduled interventions on the portal, the Company will endeavor to inform the client by electronic message, at least 24 hours before the scheduled date for these interventions, and will attempt to avoid making access to the service unavailable for more than 5 working days.

The Company is not responsible for damages of any kind that may result from a temporary unavailability of all or part of the SaaS service distribution portal.

8.10 Suspension of SaaS Services

In the event of non-compliance with its obligations by the client or in the event of suspected fraudulent use of the SaaS Services, the Company reserves the right to suspend, automatically and without notice, access to all or part of the SaaS services.

Access to the services will be suspended for the time necessary to carry out the verifications and until the cause of the suspension has disappeared.

8.11 Telecommunications

The client is responsible for accessing the Company's SaaS portal.

Telecommunications specifications necessary for the use of the software applications are included in the online documentation on the portal.

Access costs to the Company's server will be the exclusive responsibility of the client, who is responsible for subscribing to the necessary telecommunications subscriptions.

8.12 Proof

The computerized records, kept in the Company's computer systems under reasonable security conditions, will be considered as evidence of communication and sending of registration forms, as well as the various transmissions of information by the client to the Company enabling it to carry out the processing requested by the client.

The archiving of various registration and information forms must be carried out on a faithful and durable medium.

In the event of a conflict between the computerized records of the Company and any document on written media or electronic file of the client, it is expressly agreed between the parties that the computerized records of the Company will prevail over the client's documents and will be the only ones admitted as evidence.

8.13 Service Level Commitments

The Company undertakes to use its best efforts to carry out the services described under the conditions provided for herein.

The service level commitments (SLAs) relating to the accessibility and performance of the SaaS Services are set out in the "Service Level Commitments" annex.

9. Personal Data

9.1 Separate Data Controllers

Each of the parties undertakes to comply with the applicable legislation and regulations regarding the processing of personal data, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or "GDPR"), which applies from 25 May 2018, and French Law No. 78-17 of 6 January 1978 on information technology, data files, and civil liberties, as amended (hereinafter referred to as the "applicable data protection regulations"). In this regard, each party is free to determine the purposes and means of the processing they carry out, independently of the other party, as a data controller within the meaning of the applicable data protection regulations.

The processing covered by this article has the following purposes:

  • for the Company, managing contractual relations with the client, managing access to and use of the SaaS Services by the client's users, as well as their requests in the context of technical support and corrective maintenance as specified in the "Service Level Commitments" appendix (name, first name, email address, user IDs at the client).
  • for the client: managing contractual relations with the Company, carrying out all processing based on the results obtained through the implementation of the SaaS Services.

The personal data collected concern the contacts of a party involved in the execution of this contract (including, but not limited to, name, first name, email address, phone number). This data is retained for the duration strictly necessary for the performance of this contract. The personnel of each party, its control services (including auditors), and its subcontractors may have access to the personal data collected.

These processes may lead the data subjects to exercise their rights, including (i) the right to obtain access to and, where applicable, rectification or erasure of their data, (ii) the right to request the restriction of processing, (iii) the right to object to processing on legitimate grounds, (iv) the right to data portability, to retrieve and retain their data, and (v) the right to lodge a complaint with a competent supervisory authority.

To learn more about the processing carried out by the Company as a data controller, the client is invited to consult the Privacy Policy accessible here.

Each of the parties guarantees the other that it has implemented the necessary legal prerequisites for this contract and allowing the communication of data in compliance with applicable data protection regulations, including formalities, information of data subjects, and, if necessary, obtaining consent when required.

One party shall not in any way interfere with the processing carried out by the other party, except in the case of data processing subcontracting as referred to in this "Personal Data" article.

Each of the parties is responsible for all legal and regulatory obligations concerning the protection of personal data. One party cannot be held responsible for the other party's failure to comply with its obligations. Each party shall personally handle any potential sanctions or financial consequences it may incur due to non-compliance with data protection regulations.

9.2 Subcontracting

In accordance with the applicable data protection regulations, the client is designated as the "Data Controller," and the Company, which processes personal data on behalf of and according to the client's instructions, is referred to as the "Processor."

The "Personal Data" appendix to this contract describes the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data processed, as well as the categories of individuals concerned by the processing carried out by the Company on behalf of the client under this contract.

As the Data Controller, the client is responsible for ensuring the accuracy, integrity, and legality of the personal data for which it is responsible, including the data to which the Company may have access in the course of performing these services.

The client also commits to: document in writing any instructions regarding data processing by the Company; provide the personal data specified in the "Personal Data" appendix to this contract, excluding any personal data that is irrelevant, disproportionate, or unnecessary, and excluding any "special" data within the meaning of applicable data protection regulations unless justified by the processing, with the client being responsible for establishing such justifications and taking all appropriate measures, including prior information, obtaining consent, and security measures, for such special data; lawfully, fairly, and transparently collect, under its responsibility, the personal data provided to the Company for the execution of its services, ensuring the legal basis for this collection and the information due to data subjects; ensure compliance with the obligations of applicable data protection regulations and, more generally, applicable law, particularly in terms of labor law, before and throughout the processing; keep a record of processing activities and, more generally, comply with the principles of the applicable Regulation.

The Company may only act on the client's instructions and undertakes to take all necessary measures to ensure compliance with these obligations, and, unless otherwise instructed by the client, to:

  • only process personal data for the purposes listed in the "Personal Data" appendix to this contract and in accordance with the client's documented instructions, including regarding the transfer of data outside the European Union;
  • not disclose, in any form whatsoever, all or part of the data concerned, without the prior consent of the client;
  • immediately inform the client if, in its opinion, an instruction clearly constitutes a violation of the applicable data protection regulations.

In this regard, the Company reserves the right to suspend, without any liability on its part, the processing until the client modifies the instruction so that it no longer violates the aforementioned regulations. This suspension does not entitle the client to a refund of the price of the SaaS Services under this contract for the suspension period.

The parties agree to define the concept of instruction as acquired when the Company acts in the execution of this contract. Furthermore, any new instruction from the Data Controller shall be communicated in writing to the Processor.

The Company ensures that authorized persons processing personal data commit to respecting the confidentiality of the data or are subject to an appropriate legal obligation of confidentiality.

Considering the nature of the data and the risks posed by the processing, and taking into account the state of knowledge, implementation costs, and the nature, scope, context, and purposes of the processing, as well as the risks to the rights and freedoms of natural persons, the Company undertakes to take appropriate technical and organizational measures to preserve data security, preventing any accidental or unlawful distortion, alteration, destruction, loss, unauthorized disclosure, and/or access by unauthorized third parties beforehand.

The Company commits to maintaining adequate security measures to ensure data confidentiality throughout the execution of this agreement.

The Company undertakes to notify the client, within 48 hours of becoming aware of it, of any personal data breach or any security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. Communication regarding this security incident must remain strictly confidential and should only be made to persons formally identified within the Company's organization and should be reported solely to the client's specified email address below.

This notification must include a description of the nature of the incident, including, to the extent possible, the categories and number of individuals affected, as well as the categories and an estimate of the volume of personal data concerned, and the consequences of the data breach, measures already taken, or proposed to address it. The Company commits to providing the client with any additional relevant information to clarify the content of the initial notification and to actively collaborate with the client so that they can meet their contractual and regulatory obligations. It is the sole responsibility of the client, as the data controller, to report this data breach to the competent supervisory authority and, if necessary, to the data subjects.

The Company is authorized to engage subcontractors (the "Subsequent Processor") listed in the "Personal Data" appendix to perform specific processing activities and to transfer personal data to these listed Subsequent Processors, in the context of this contract, to countries located outside the European Union, subject to the implementation of appropriate safeguards as defined by the applicable data protection regulations. In the event of a change in the list of Subsequent Processors, the Company shall inform the client in writing in advance. This information must clearly indicate the subcontracted processing activities, the identity and contact details of the Subsequent Processor. The client has a period of fifteen (15) days from the date of receipt of this information to raise legitimate and reasoned objections. In the absence of objections raised after this period, the client will be deemed to have accepted the use of the new Subsequent Processor. The Subsequent Processor is required to comply with the obligations of this contract on behalf of and according to the instructions of the client. It is the responsibility of the Company to ensure that the Subsequent Processor provides the same adequate guarantees regarding the implementation of appropriate technical and organizational measures to ensure that the processing complies with the requirements of the applicable data protection regulations. If the Subsequent Processor fails to fulfill its data protection obligations, the Company remains fully responsible to the client for the performance of the Subsequent Processor's obligations.

The Company provides reasonable assistance to the client:

  • in managing requests from data subjects regarding the exercise of their rights;
  • in conducting any impact assessments that the client may decide to carry out to assess the risks that a processing poses to the rights and freedoms of individuals and to identify measures to address these risks, as well as in consulting the supervisory authority;
  • more generally, in ensuring compliance with the client's obligations under the applicable data protection regulations, such as its obligations to notify the supervisory authority and communicate a data breach to data subjects.

The client shall bear the reasonable costs incurred by this assistance, within the limits of the assistance imposed by the GDPR and provided that the assistance requires more than one person-day of work.

At the end of the services, the Company must return or delete all personal data. The Company must ensure that no copies are retained, except where required by the applicable data protection regulations.

The Company provides the client, upon request, with all the information and documents necessary to demonstrate compliance with its obligations and to enable audits. The client has the possibility to carry out audits once (1) per year and at its own expense to verify the Company's compliance with the obligations set out in this article. The client will inform the Company of the audit with a minimum notice of two (2) weeks. The Company reserves the right to refuse the identity of the auditor if they belong to a competing company. The audit must be carried out during the Company's business hours and in a manner that disrupts its activities as little as possible. The audit shall not in any way affect (i) the technical and organizational security measures implemented by the Company, (ii) the security and confidentiality of the data of other clients of the Company, and (iii) the proper functioning and organization of the Company's production. To the extent possible, the Parties shall agree in advance on the scope of the audit.

The audit report shall be sent to the Company to allow it to make any written observations or remarks, which shall be annexed to the final version of the audit report. Each audit report shall be considered confidential information.

10. Security

10.1 Logical Security

The Company undertakes to implement all technical and organizational means in accordance with the state of the art, necessary to ensure the logical security of access to the SaaS Services and hosted data and to prevent any intrusion by unauthorized persons, regardless of the nature or technique used.

The client agrees to comply with the security procedures and rules outlined in the documentation.

The Company shall not be held liable for any failure by the client to comply with the security procedures and rules.

10.2 Physical Security

The Company undertakes to limit access to the server center, its secure platform, and to implement an internal procedure to ensure that no person outside the service can access this location.

The Company shall not be held liable for any failure by the telecommunications operator.

11. Service Maintenance

11.1 Technical Support

Users may ask the Company questions regarding the operation of the SaaS Services, excluding anyone else, including recipients of test campaigns.

Therefore, the client commits to appoint competent and qualified individuals for using the SaaS Services.

The Company provides users with an email address for contacting technical support during its business hours, Monday to Friday, excluding holidays, from 9 am to 5 pm.

Questions posed by users should be clear, precise, and, if necessary, documented to facilitate proper handling by technical support. Users should also refer to the documentation for the SaaS Services available online before seeking technical assistance.

Responses will be provided by the Company via email.

Details of technical support are outlined in the "Service Level Commitments" appendix.

11.2 Corrective Maintenance

Corrective maintenance involves correcting any reproducible anomalies that occur in the use of remote access to the SaaS Services, as well as in the various processes that can be performed by them.

It is the client's responsibility to consult the documentation before each phone call to be able to describe the encountered problems precisely and comprehensively.

Details of corrective maintenance are outlined in the "Service Level Commitments" appendix.

11.3 Evolutionary Maintenance

Updates to the SaaS Services may be installed by the Company on its server as they become available.

These updates, unilaterally decided upon by the Company, will be provided to the client via remote access from their server at no additional cost.

11.3 Regulatory Maintenance

The various updates are intended to make all necessary modifications due to legal or regulatory changes corresponding to the processing related to the implementation of the SaaS Services.

11.5 Exclusions

Maintenance services not explicitly mentioned herein are not included in the scope of maintenance services.

Maintenance will not be provided in the following cases without:

  • absence of prior user training;
  • use of a version that does not correspond to the current or previous version;
  • client's refusal to accept an update proposed by the Company;
  • use of remote access in a manner inconsistent with the documentation;
  • unauthorized intervention by the client or a third party;
  • anomaly generated by the client's hardware or access equipment.

In these cases, the client cannot claim any compensation or reimbursement of amounts already paid under this contract.

12. Client Obligations

The client agrees to:

  • use the SaaS Services in accordance with these terms and applicable law, especially regarding personal data protection and labor law;
  • provide complete data sets to the Company at the start of SaaS Services and keep them updated;
  • verify the legality of the data entrusted to the Company under this contract;
  • cooperate with the Company, including by providing all information and data necessary for the proper execution of this contract;
  • monitor the results provided.

In general, the client is responsible for their use of the services and any information they share in this context. They agree to use the services personally and not allow any third party to use them on their behalf.

The client must not misuse the services for purposes other than their intended use, including:

  • engaging in illegal or fraudulent activities,
  • violating public order and good morals,
  • infringing on third parties or their rights in any way,
  • violating contractual, legislative, or regulatory provisions,
  • engaging in any activity that interferes with a third party's computer system, especially with the intent to compromise its integrity or security,
  • conducting activities to promote their services and/or websites or those of a third party,
  • assisting or encouraging a third party to commit one or more of the above acts or activities.

The client must also not:

  • copy, modify, or divert any element owned by the Company or any concept it operates within the services,
  • engage in any behavior that interferes with or bypasses the Company's computer systems or compromises its cybersecurity measures,
  • infringe on the financial, commercial, or moral rights and interests of the Company,
  • market, transfer, or provide access in any way to the Services, information hosted on the Platform, or any element owned by the Company.

The client indemnifies the Company against any claims and/or actions that may be taken against it due to the client's breach of any obligations. The client will compensate the Company for any damages incurred and reimburse any sums it may have to bear as a result.

13. Compliance

The client agrees to test the SaaS Services covered by these terms before any professional use, and in any case within a maximum period of one month from the date the Company provides login credentials.

The use of the SaaS Services for purposes other than verifying compliance with the documentation constitutes final acceptance of said services.

14. Financial Terms

14.1 Pricing and Billing

Pricing and billing terms are defined in the "Financial Terms" appendix.

Prices are quoted excluding taxes and are subject to taxes, including VAT, in effect at the time of invoicing.

14.2 Price Revision

Prices are revised annually according to the following formula: P(t) = P(t-1) x [(S(t)/S(t-1)], in which:

  • P(t-1) is the base price or the price corresponding to the last revision;
  • P(t) is the price after revision;
  • S(t-1) is the last known Syntec index as of the signing date;
  • S(t) is the Syntec index published on the signing date of the contract, where the index corresponds to the date of the last revision.

In the event of the disappearance of the revision index and in the absence of agreement on a new index, explicit authority is granted to the President of the competent court to define an index that will be incorporated into the revision formula.

This index must be chosen in such a way that it is as close as possible to the disappeared index and respects the intent of the parties when establishing this revision clause.

14.3 Late Interest and Collection Expenses

Any delay or non-payment of all or part of an invoice issued by the Company within thirty (30) days following its issuance, without the need for any reminder, will result in the enforceability of late penalties. The interest rate will be the one applied by the European Central Bank to its most recent refinancing operation, increased by 10 percentage points. This rate is in effect on January 1st of the year in question for the first half of the relevant year. For the second half of the relevant year, it is the rate in effect on July 1st of the relevant year.

These penalties will be calculated on the VAT-inclusive amount on the invoice, without prejudice to the Company's right to claim compensation for its damage due to the delay or non-payment. Penalties will be due from the day following the due date of the invoice until it is collected by the Company.

Finally, any client in a situation of payment delay is automatically liable for a flat-rate indemnity for collection costs, set at 40 euros. If the collection costs were higher, the Company could request additional compensation with justification. However, the Company cannot claim the benefit of these indemnities when the opening of a safeguard, recovery, or judicial liquidation procedure prohibits payment of the due receivable at its maturity.

15. Guarantees

15.1 Arsen Company Guarantees

The Company guarantees the client the ability to access computer applications remotely, according to the availability rate and service levels defined in the "SaaS Service Specifications" article.

Unless otherwise specified in this contract or in the Offer, the Company provides no other express or implied warranties, written or oral, regarding the suitability or proper functioning of the SaaS Services for a particular use, even if the Company has been informed of such use.

Likewise, any warranty of hidden defects and any warranty of compliance with the state of the art or compliance of the SaaS Services with the client's (in France or abroad) regulatory or sector-specific standards are expressly excluded.

15.2 Client Guarantees

The client guarantees the Company that it has all the rights associated with its data.

The client guarantees the Company against any actions, claims, demands, oppositions, by any person asserting any right of any kind over the client's data that may have been affected by the execution of this contract.

In this case, the indemnities and expenses of any kind incurred by the Company to defend itself, including advisory fees, as well as any damages that may be awarded against it, will be borne by the client.

16. Liability

16.1 Arsen Company Liability

By mutual agreement, the parties expressly agree that:

  • The Company is bound by an obligation of means under this contract, and
  • Its liability can only be incurred by the client in case of proven fault.

Notwithstanding the above and any contrary provision, the Company, as a Personal Data Processor:

  • is bound by a reinforced obligation of means;
  • its liability may be incurred in case of non-compliance, by itself and/or by its subsequent subcontractor, with the documented and lawful instructions of the data controller and its obligations under applicable regulations (including, in particular, Article 28 of the GDPR)
  • this liability can only be excluded in whole or in part if the Company demonstrates that the act giving rise to liability is in no way attributable to it and/or its subsequent subcontractor

The Company's liability shall not be incurred due to disruptions or damages inherent to the internet and presenting the characteristics of a force majeure event.

16.2 Client Liability

The client agrees to use the SaaS Services under its sole responsibility. The client is solely responsible for the proper use of the SaaS Services in accordance with the terms of this contract, the documentation provided by the users, and applicable law, particularly regarding personal data and labor law.

In the context of using the SaaS Services, the client enters its own data into the SaaS portal. The Company only provides the technical tool. Therefore, the client is responsible for the data it enters, their processing, and the use of the results of this processing, as well as any direct or indirect consequences that may arise. In any case, the client is responsible for:

  • the suitability of the SaaS Services for its specific needs, based in particular on the indications provided in the documentation and in the Offer;
  • the compatibility of its hardware and software environment with the SaaS Services;
  • the legality of the data transmitted and/or made available to the Company and hosted by the Company under this contract.
  • the operations it conducts on the platform and the processing settings applied by the client via the platform.

The client also indemnifies the Company against any action by a user or third party based on the operation of the SaaS Services.

The client and the Company undertake to implement technical means to suspend access to the SaaS Services by users in case of unauthorized access or attempted access, security breach, or violation of contractual commitments by the beneficiary or user. The parties undertake to immediately suspend access when they become aware of a violation or attempted violation by a beneficiary of the intellectual property rights attached to the SaaS Services.

The client acknowledges that the Company cannot be held liable and no compensation can be requested for delays or harmful consequences resulting in particular from:

  • disruptions or damages inherent to an electronic communications network;
  • material damage that may be suffered by any client equipment connected to the SaaS Services, which is entirely the responsibility of the client;
  • the client's compliance with its legal and regulatory obligations. In this regard, it is reminded that it is the client's responsibility to verify, in accordance with the practices of its profession, the results obtained using the SaaS Services and to develop operating procedures, implement control points, and appropriate security mechanisms for the processing of personal data in the context of its activities;
  • the exclusive fault of the client or a third party, especially in the following cases:
  • destruction or accidental damage to the client's data by the client or a user using the identification data provided to the client;
  • transmission of inaccurate or incomplete information provided by the client to the Company;
  • misuse of the SaaS Services by a user, fault, negligence, omission, or failure on their part, failure to follow the given advice, fault, negligence, or omission of a third party over which the Company has no control or supervision;
  • request for temporary or permanent cessation of activity by a competent administrative or judicial authority;
  • contamination by viruses or other harmful elements of the client's data and/or software, as soon as the security measures incumbent on the Company and implemented by the Company comply with the contract;
  • damage suffered by a third party due to data transmitted, over which the client has sole control.

17. Damage

By mutual agreement, the parties agree that the Company's liability is only incurred for the consequences of direct damages, and compensation for indirect damages is excluded.

Indirect damages include data loss, time loss, loss of profits, turnover, margins, loss of orders, customers, operations, revenue, business actions, damage to brand image, expected results, and actions by third parties.

The Company's damage is, by mutual agreement, limited to the amounts actually paid by the client.

This clause remains applicable in the event of nullity, resolution, termination, expiration, or annulment of the contractual relationship.

18. Insurance

Each party certifies that it has taken out an insurance policy with a financially sound insurance company for all financial consequences of its professional civil, tortious, and/or contractual liability for bodily, material, and immaterial damage caused to the other party and any third parties in the context of the execution of this contract.

To this end, each party undertakes to pay the premiums and contributions related to said insurance policy and, in general, to comply with all obligations in order to cover all activities related to this contract.

19. Ownership

19.1 Ownership of Services

The SaaS Services, the SaaS portal, and the related documentation are the property of the Company, in accordance with the provisions of the Intellectual Property Code.

All elements comprising the SaaS Services, the SaaS portal, including the interfaces made available to the client in the execution of these, the documentation, and any other information provided by the Company to the client are and remain the exclusive property of the Company or its partners.

Consequently, the client shall refrain from any action or act capable of directly or indirectly infringing the intellectual property rights over the computer applications, and, in general, the associated trademarks.

The Company grants the client, who accepts it, a personal, non-exclusive, and non-transferable license to use the SaaS Services, the SaaS portal, and the associated documentation, for the number of users specified in the Offer, for the entire duration of this contract.

This right of use is exercised by remote access from the client's connection to the Company's server from its server and solely for the use of the functionalities of the SaaS portal hosted in the context of the use of the SaaS Services and for the client's use of the processing results.

Any use not expressly authorized by the Company under these terms is unlawful, in accordance with the provisions of Article L.122-6 of the Intellectual Property Code.

Thus, it is notably prohibited for the client to:

  • any representation, dissemination, or distribution of the SaaS Services and the SaaS portal, whether for consideration or free of charge, and in particular any networking;
  • any use of the SaaS Services and the SaaS portal in any way for the purpose of designing, producing, distributing, or marketing similar services or substitute equivalents;
  • adaptation, modification, transformation, or arrangement of the SaaS Services and the SaaS portal, for any reason, including error correction;
  • any direct or indirect transcription or translation into other languages of the SaaS Services and the SaaS portal;
  • any unauthorized use by the client;
  • any modification or circumvention of protection codes, including access codes or identifiers.

19.2 Know-how

The Company shall retain ownership of the methods and know-how or tools that are specific to it and have been used to perform the services.

20. Subcontracting

The Company may use subcontractors in the execution of the services, who are subject to the same obligations as its own in the context of their intervention.

21. Commercial References

The Company may cite the client's name as a commercial reference in accordance with commercial practices.

22. Confidentiality

In the context of these, the SaaS Services of the Company, including the proposed functionalities, data model, graphical interface, as well as the ideas, principles, know-how, and methods behind the SaaS Services, algorithms, data organization, navigation, and any other element included in the SaaS Services, hereinafter referred to as "confidential information," are deemed confidential.

The client undertakes that confidential information:

  • shall be protected and kept strictly confidential;
  • shall be treated with the same degree of protection as it accords to its own confidential information of equal importance;
  • shall not be disclosed, directly or indirectly, to any third party;
  • shall be disclosed internally only to those of its personnel who need to know the content;
  • shall be used solely for the purpose of executing this contract exclusively and shall never be used to create a competing or similar service;
  • shall not be copied, reproduced, or duplicated in whole or in part.

The client also undertakes to:

  • not infringe, in any way, intellectual property rights;
  • maintain copyright and other ownership notices on the various elements and documents provided, whether originals or copies.

For its part, the Company undertakes to respect the confidentiality of the client's data in accordance with the provisions of this contract and its annexes.

23. Non-Competition

The client undertakes, with respect to the Company, not to develop, directly or indirectly, a similar or competing service to the SaaS Services covered by this contract, for the entire duration of the contract and for a period of one (1) year following its termination, regardless of the cause, within the territory of metropolitan France and the overseas territories.

Both parties acknowledge that this obligation is not disproportionate and corresponds to their express will.

In the event of a breach of this obligation, the client agrees to pay the Company an indemnity in the amount of 150,000 euros.

This indemnity is due, regardless of any damages and interest resulting from the incurred loss.

24. Modification of General Terms and Conditions

The Company may modify its general terms and conditions at any time and will inform the client by any written means (including email).

The modified general terms and conditions come into effect upon contract renewal.

If the client does not accept these modifications, they must terminate the contract in accordance with the provisions of the "Termination of Services" article.

25. Termination of SaaS Services

In order to terminate the provision of SaaS Services, the contract must be terminated no later than one (1) month before the next contract anniversary date, by:

  • the client, by sending a registered letter with acknowledgment of receipt to the Company for this purpose, at the address indicated at the beginning of these terms;
  • the Company, by sending an email to the client;
  • The client will no longer have access to their account from the end of the services.

26. Resolution-Termination

In the event of a breach by one of the parties of any obligation herein not remedied within thirty (30) days from the sending of a registered letter with acknowledgment of receipt notifying the breach in question, the other party may automatically terminate or resolve the contract, without prejudice to any damages and interest to which it may be entitled under this contract.

In the event of early termination of the contract, for any reason whatsoever, all amounts paid to the Company shall remain with the Company.

27. Reversibility

In the event of the termination of contractual relations, for any reason whatsoever, the Company shall, within a reasonable period, return to the client all confidential information provided by the client under these terms and shall proceed with the destruction of personal data entrusted by the client, as provided for in the annex "Personal Data."

In this context, remote access to the SaaS Services from the SaaS portal granted to the client will no longer be allowed, and the client agrees not to use it or attempt to use it, including through its users.

28. Force Majeure

In accordance with the provisions of Article 1218 of the French Civil Code, no party shall be held liable for a failure to perform its contractual obligations if such failure is due to an event beyond the control of the parties and constitutes force majeure.

Initially, cases of force majeure shall suspend the execution of the contract.

If cases of force majeure persist for more than two months, this contract shall be automatically terminated, unless otherwise agreed by the parties.

Force majeure shall be understood to mean the occurrence of an event characterized by unpredictability, irresistibility, and external factors beyond the parties' control as typically recognized by French law and courts.

The following events are considered in particular as cases of force majeure or fortuitous events:

  • war, riots, states of emergency of any kind, including health or environmental emergencies, fires, pandemics, internal or external strikes, lockouts, occupation of premises, bad weather, earthquakes, floods, water damage, chemical explosions, and situations of seriously polluted air endangering human beings and animals, legal or governmental restrictions, legal or regulatory changes in marketing forms, accidents of all kinds, epidemics, pandemics, illness affecting more than 10% of staff over a period of two consecutive months, lack of energy supply, partial or complete shutdown of the Internet network, data encryption resulting from computer fraud, and, more generally, private or public telecommunications networks, roadblocks, and supply difficulties, and any other event beyond the express will of the parties preventing the normal execution of this agreement.

29. Tolerance

The parties mutually agree that the fact that one party tolerates a situation does not grant the other party acquired rights.

Furthermore, such tolerance cannot be interpreted as a waiver of the rights in question.

30. Good Faith

The parties declare their commitments in good faith.

To this end, they declare that they have no knowledge of any information that, if disclosed, would have altered the consent of the other party.

31. Independence of the Parties

The parties acknowledge that they each act on their own behalf as independent parties separate from each other and expressly declare that they are and will remain, throughout the duration of this contract, independent professionals.

This contract does not constitute a partnership, franchise, or mandate given by one party to the other party and shall not be interpreted in any way as a commercial agency contract or any form of representation.

No party may make commitments on behalf of the other party.

In addition, each party remains solely responsible for its acts, allegations, commitments, services, products, and personnel.

32. Titles

In case of difficulties in interpretation resulting from a contradiction between any of the headings at the beginning of the clauses and any of the clauses, the headings shall be declared nonexistent.

33. Nullity

If one or more provisions of this contract are deemed invalid or declared as such under a law, regulation, or as a result of a final decision of a competent court, the other provisions shall retain their full force and effect.

34. Entirety

This contract cancels and replaces all quasi-contracts, implicit and explicit commitments, promises having the same object as those herein.

However, this clause is not intended to prevent the use of said documents but to evaluate, from a legal perspective, the quality of the consents exchanged during the formation of this contract.

35. Conciliation

In the event of any difficulty of any kind and before any legal proceedings, each of the parties undertakes to designate two individuals from their company, at the "General Management" level.

These individuals shall meet at the initiative of the more diligent party within eight days of receiving the request for a conciliation meeting.

The agenda is set by the party initiating the conciliation.

If decisions are reached by mutual agreement, they shall have contractual value.

This clause continues to apply despite any possible nullity, resolution, termination, or annulment of these contractual relations.

36. Assignment of the Contract

This contract may not be fully or partially assigned, for consideration or gratuitously, by one of the parties without the prior written consent of the other party.

37. Domicile

For the execution of this agreement, and unless otherwise specified, the parties agree to send all correspondence to their respective registered offices.

Any change of address must be notified to the other party by registered letter with acknowledgment of receipt.

38. Applicable Law

This contract is governed by French law.

This applies to substantive and formal rules, irrespective of the places of performance of the substantial or ancillary obligations.

39. Prescription

All legal actions between the parties are subject to a statute of limitations, unless contrary mandatory provisions, if they have not been initiated within one (1) year from the end of each testing campaign conducted by the client using the SaaS Services.

40. Anti-corruption

Each Party undertakes, in the performance of its obligations under this Contract (and, where applicable, will cause its Subsidiaries) to: (A) comply with (i) all applicable laws and regulations relating to anti-corruption and bribery, including the Law of December 9, 2016 on transparency, the fight against corruption, and the modernization of the economy known as "Sapin 2," the Foreign Corrupt Practices Act of December 19, 1977, and the UK Bribery Act of April 8, 2010, and (ii) other similar anti-corruption laws in other jurisdictions to the extent applicable and mandatory for the Parties, and (B) maintain policies and procedures designed to promote and achieve, in their reasonable judgment, compliance with these laws. Each Party undertakes not to take any action that would cause the other Party to violate any of the anti-corruption provisions set forth above.

Each Party hereby undertakes that, during the negotiations and as of the effective date of the Contract, it, its directors, officers, or employees have not offered, promised, given, authorized, solicited, or accepted any pecuniary or other undue advantage of any kind (or implied that they will or may do so at any time in the future) in any way related to the Contract and that reasonable measures have been taken to prevent subcontractors, agents, or any other third parties under its control from doing so.

The Parties undertake and warrant:

  • to refrain, directly or indirectly, from engaging in corruption, extortion, or solicitation of bribes, influence peddling, and money laundering,
  • to comply, to the extent applicable, with all international anti-corruption laws, such as the Sapin 2 law, and the ethical and professional principles that their activity imposes in the performance of the Contract and in all relations and interactions with third parties,
  • not to have taken or be subject to unfavorable information, allegations, proceedings, or convictions for corruption.

The Service Provider undertakes and warrants that it evaluates its own subcontractors, and requires them to comply with the anti-corruption legislation in force in France, as well as the Foreign Corrupt Practices Act and the UK Bribery Act.

During the term of this contract, but no more than once a year, the client may, at any time and at its own expense, after providing written notice of fourteen (14) business days sent to the Service Provider by registered letter with acknowledgment of receipt, conduct an audit during business hours to verify compliance with this article by the Service Provider.

In addition, each Party shall immediately inform the other Party if it has information or suspects that there may be a violation of any anti-corruption law in connection with the performance of activities under this Contract.

In the event of a breach of the provisions of this article, the client may terminate the Contract, without prejudice to any damages that may be claimed from the defaulting party, block payment of amounts due under the Contract, or demand reimbursement of amounts already paid and initiate legal proceedings.

41. List of Appendices

The appendices are as follows:

  • Appendix 1: Description of SaaS Services;
  • Appendix 2: Financial Conditions;
  • Appendix 3: Service Level Commitments;
  • Appendix 4: Personal Data.

Appendix 1: Description of SaaS Services

The SaaS services are as follows:

  • Design and configuration of awareness campaigns for phishing and cybersecurity issues for the company;
  • Launching awareness campaigns based on the file of professional email addresses of the recipients of the relevant test campaigns according to the parameters defined by the client;
  • Provision of an up-to-date catalog of customizable phishing awareness campaign scenarios, following trends in phishing attacks;
  • Creation and editing of scenarios to customize awareness campaigns for recipients;
  • Implementation of "just-in-time" micro-learning programs distributed in the event of compromising actions by the recipients of the test campaigns;
  • Establishment of a dashboard for monitoring the resilience of recipients over time with a result ("score") to assess the level of security achieved at the end of each awareness campaign and on average at the end of the test period;

Annex 2: Financial Conditions

1. Price

It is defined by the application at the time of purchase of a paid plan, based on the number of email addresses of recipients loaded into the application.

The price is payable in advance at the time of activation of the paid usage plan.

2. Invoicing

2.1 Billing Address

The billing address is defined by the client in their member area and will be used on the invoices issued at the time of payment.

2.2 Payment Timeframe

Payment is instantaneous.

Annex 3: Service Level Commitments

1. Hosting

The volume subscribed by the client is specified in the Offer.

2. Availability

  • Minimum monthly service availability rate: 95% (excluding maintenance).
  • Availability time range: 24/7 (excluding maintenance).

3. Technical Support

  • Company's technical support email address: [email protected]
  • Opening hours: Monday to Friday (excluding holidays), from 9 a.m. to 5 p.m.
  • Response time for requests: 4 hours from the receipt of the request at the email address specified above.

4. Corrective Maintenance

Response time: 4 hours from receipt

Definition of severity level:

  • Severity 1 or critical issue: an issue that, individually or cumulatively, makes the operation of the services impossible or results in significant data loss, or prevents the normal operation of the SaaS Services;
  • Severity 2 or major issue: an issue that, individually or cumulatively, has negative repercussions on the quality of the SaaS Services, causing significant inconvenience or limitations or restrictions in the use of one or more SaaS Services features, including degradation of its or their performance, but still allowing at least partial operation of the SaaS Services;
  • Severity 3 or minor issue: any other issue detected in the services that has no impact on the use or operation of the SaaS Services features, not classified as critical or major.

Correction time from the receipt of the request:

Severity Time to Permanent Solution Time to Workaround Solution
Severity 1 48 business hours 4 business hours
Severity 2 4 business days 8 business hours
Severity 3 7 business days 8 business hours

Annex 4: Personal Data

This annex is an integral part of the contract and, along with the "Personal Data" article, serves as a written data processing agreement between the Company, a personal data processor, and the client, the data controller.

The Company is authorized to process personal data on behalf of the client in the execution of the subscribed SaaS Services by the client.

Purpose & objectives. The processing of personal data carried out by the Company has the exclusive purpose and objective of implementing the SaaS Services in accordance with these terms.

Nature. The operations carried out on this data are as follows:

  • the use of data uploaded to the SaaS portal by the client for the purpose of:
  • launching test campaigns through sending emails to professional email addresses of recipients;
  • creating reports to assess the level of security against phishing risks;
  • data storage on outsourced servers; data destruction;
  • data structuring to deduce the security level against phishing risks;
  • data extraction to generate reports usable by the client;

Duration. In principle, and unless otherwise instructed by the client, the duration of the processing carried out by the Company is limited to the period of use of the SaaS Services and, in any case, may not exceed three (3) months from:

  • the last use of the SaaS service;
  • the termination of contractual relations concerning the storage and destruction of data.
Responses identified in the "password" field are not collected.

Type of data. The personal data processed by the Company pertains to the following categories of data:

  • data related to the identity of recipients: name, first name
  • data related to the professional life of recipients: professional email address
  • responses to questions from any forms based on the selected or customized phishing scenario by the client

Categories of individuals concerned. The personal data subject to processing concerns the following categories of individuals:

  • client's employees

List of authorized sub-processors. Sub-processors authorized by the client to carry out all or part of the personal data processing are as follows:

Authorized Sub-processors Sub-processed Data Processing Activities Location of Processing Appropriate Safeguards Implemented for Data Transfer Outside EU
Google Cloud Platform Hosting Europe N/A
Mailgun Email Delivery Service Europe N/A