
Addendum to Customer’s Master Services Agreement
This Visory SecureCompliance Schedule is an addendum to the Customer’s Master Services Agreement with Visory. In the event of any conflict between the terms of this Schedule and the terms of the Customer’s Master Services Agreement, the terms of this Schedule shall prevail but only to the extent of the conflict.
1. Service Description
Visory’s SecureCompliance solutions offer a range of services designed to help you manage your cybersecurity risks. The SecureCompliance Platform is used to continuously assess your cybersecurity and compliance posture, build strategic remediation plans, and execute them to reduce risk.
Key capabilities:
- Automated security assessments: Continuous assessment of your security posture and risk level based on customized questionnaires, industry standards, validation of security controls, and scans combined with cybersecurity expert knowledge and know-how.
- Vulnerability and exploit gap analysis: Based on express external scans and internal scans that uncover critical vulnerabilities and help prioritize remediation steps.
- Continuous compliance readiness: Comprehensive compliance assessments and plans mapped to dozens of frameworks demonstrate compliance status and support task prioritization.
- Tailored security policies: Easy-to-follow, actionable security policies, based on your cyber profile, relevant regulatory requirements and industry benchmarks.
- Prioritized remediation plan and tasks: A customized, prioritized remediation task list split into various plans, including impact and criticality rate per task.
- Ongoing task management and process tracking: Ongoing remediation task management, collaboration and progress tracking tools.
- Real-time dashboard and customer-facing reports: The SecureCompliance dashboard allows ongoing monitoring of your cybersecurity and compliance posture. Exportable easy-to-consume customer-facing security and compliance status and progress reports can be easily shared with customer shareholders.
2. Service Offers
Visory SecureAudit
The Visory SecureAudit is a one-time engagement performed as a standalone cybersecurity assessment or as part of the implementation of the Visory SecureCompliance service. Through a series of questionnaires and scans that we perform on your environment, we create a full assessment of your current risk level and cybersecurity posture compared to industry benchmarks, which also includes a gap analysis of vulnerabilities and exploits. As part of the engagement, we identify which regulatory standards your organization needs to meet and benchmark your results against those standards. Those results are then reviewed with you and a strategic plan is put in place to remediate the vulnerabilities identified as a part of the audit.
The fees for the service are based on the number of employees you have, as Visory has found that the larger the organization, the more work is needed.
Visory SecureCompliance
A monthly recurring service, Visory SecureCompliance affords you an ongoing review, scoring, and assessment of the client’s security posture as compared to the goals or framework set during the SecureAudit. You choose which program level is right for you, with a key differentiator being whether and how much monthly support is included.
Visory SecureCompliance – Essentials manages the ongoing execution of any remediation plans from the Visory SecureAudit while also providing ongoing monitoring, scanning and future changes or tweaks where necessary to maintain your desired security profile. This leaves you to focus on your core business, knowing that your digital security is in good hands. We deliver in-depth status and progress reports, showing your current security posture, improvement trends, compliance gaps and comparison with industry benchmarks, to reflect your current security posture, progress and remaining gaps. This service includes monthly reporting and an annual meeting and review, as well as our assistance in completing your annual insurance renewal forms. All security work is billed to the client at Visory hourly billable rates.
Visory SecureCompliance – Professional includes all the elements of Essentials with the addition of a pool of 8 hours of professional services monthly for use in addressing cybersecurity-related needs such as updates, remediations, and other issues. This service also includes an expanded monthly report set.
Visory SecureCompliance – Comprehensive includes all the elements of Professional with a pool of 16 hours of professional services monthly for use in addressing cybersecurity-related needs such as updates, remediations, and other issues. This service also includes quarterly meetings and real-time access to the SecureCompliance
3. Rates and Fees
If not specified in Customer’s Service Order, the below standard rates for the Services shall apply.
| SecureAudit | Questionnaires | Scans | Policies | Roadmap | One Time Fee |
| --- | --- | --- | --- | --- | --- |
| Up to 25 Employees | Name them | Name them | Name them | Name them | $5,000 |
| 25 to 100 Employees | Name them | Name them | Name them | Name them | $8,000 |
| Over 100 Employees | Name them | Name them | Name them | Name them | $15,000 |
| SecureCompliance | Monthly Monitoring and Reporting | Reports | Meetings | ProServe Hours | Platform Access | Monthly Fee |
| --- | --- | --- | --- | --- | --- | --- |
| Comprehensive | X | Complete | Quarterly | 16 hours/month | X | $4,495 |
| Professional | X | Complete | Annual | 8 hours/month | | $2,995 |
| Essentials | X | Basic | Annual | | | $1,995 |
The Monthly Fee is billed in advance and Customer agrees to pay at the beginning of each calendar month for Service that month. One Time Fees are billed upon completion.
If a ransomware attack or security incident occurs that requires review, remediation, and recovery work which is significant in Visory’s sole discretion, a separate Statement of Work for the review, restoration, and remediation will be created for the Customer as an additional chargeable engagement.
Billable services rates:
| Service | Hourly Rate |
| --- | --- |
| Technology Engineer work | $180 |
| Security Engineer work | $200 |
| vCISO | $225 |
4. Additional Terms – Cynomi
These additional terms (“Flow Down Terms”) form part of the Agreement between Visory, Inc. (“Channel Partner”) and Customer and govern the use of the AI Virtual CISO software (“Software”) provided by Cynomi Ltd. (“Cynomi”).
- License and Use of Software: The Customer is granted a non-exclusive, non-transferable, non-sublicensable, limited license to access and use the Software as part of the SecureCompliance – Comprehensive Services provided by the Channel Partner. This license is subject to the terms and conditions of this Agreement and the Flow Down Terms herein. In the event that a provision in the Agreement conflicts with any of these Flow Down Terms, these Flow Down Terms shall prevail, but only to the extent of the conflict.
- Ownership Rights: The Software is licensed, not sold. Other than the limited license to use the Software, as expressly granted in these Flow Down Terms, all right, title, and interest, including any intellectual property rights evidenced by or embodied in, attached, connected, and/or related to the Software (and any and all improvements, modifications and derivative works thereof) and any other products, deliverables or services provided by Cynomi, are and shall remain owned solely by Cynomi or its licensors. Any anonymous information, which is derived from the use of the Software (i.e., metadata, aggregated and/or analytics information and/or intelligence relating to the operation, support, and/or Customer’s use, of the Software) which is not personally identifiable information and which does not identify Customer (“Analytics Information”) may be used for providing the Software, for development, and/or for statistical purposes. Such Analytics Information is Cynomi’s exclusive property.
- Customer Responsibilities: The Customer is responsible for all activities that occur under its user account(s). The Customer shall: (a) have sole responsibility for the accuracy, quality, integrity, legality, reliability, and appropriateness of all data submitted to the Software; (b) prevent unauthorized access to, or use of, the Software; and (c) comply with all applicable local, state, national, and foreign laws in using the Software.
- Prohibited Uses: Customer must not, and shall not allow any person or third party to, directly or indirectly: (i) copy, modify, create derivative works of, make available or distribute, publicly perform, or display any part of the Software (including by incorporation into its products), or use the Software to develop any service or product that is the same as (or substantially similar to) it; (ii) sell, license, lease, assign, transfer, pledge, rent, sublicense, or share the Software with any third party (including but not limited to offering the Software as part of a time-sharing, outsourcing or service bureau environment); (iii) use any “open source” or “copyleft software” in a manner that would require Cynomi to disclose the source code of the Software to any third party; (iv) disclose the results of any testing or benchmarking of the Software to any third party; (v) disassemble, decompile, decrypt, reverse engineer, extract, or otherwise attempt to discover the Software’s source code or non-literal aspects (such as the underlying structure, sequence, organization, file formats, non-public APIs, ideas, or algorithms); (vi) remove or alter any trademarks or other proprietary right notices displayed on or in the Software; (vii) circumvent, disable or otherwise interfere with security-related features of the Software or features that enforce use limitations; (viii) export, make available or use the Software in any manner prohibited by applicable laws; and/or (ix) store or transmit any malicious code (e.g., software viruses, Trojan horses, worms, robots, malware, spyware or other computer instructions, devices, or techniques that erase data or programming, infect, disrupt, damage, disable, or shut down a computer system or any component of such computer system) or other unlawful material in connection with the Software.
- Confidentiality: The Customer shall maintain the confidentiality of any proprietary, confidential, and/or non-public information received through the use of the Software and shall not disclose such information without the prior written consent of Cynomi. Without derogating from the foregoing, the Software shall be deemed Cynomi’s Confidential Information and shall be subject to the confidentiality obligations set forth in the Agreement.
- Data Security and Privacy: The Customer agrees to adhere to all applicable data protection laws and regulations. The Customer is responsible for maintaining the confidentiality and security of its data.
- No Representations or Warranties by Cynomi: THE CUSTOMER ACKNOWLEDGES THAT CYNOMI MAKES NO REPRESENTATIONS, WARRANTIES, PROMISES, OR GUARANTEES OF ANY KIND WITH RESPECT TO THE SOFTWARE, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
- Limitation of Liability: Cynomi shall bear no liability whatsoever to the Customer arising out of or in relation to its use of and access to the Software, including, without limitation, any direct, indirect, incidental, consequential, special, or exemplary damages, loss of profits or revenue, loss of or damage to good will or reputation, or loss of data, or loss of use, regardless of whether Cynomi was advised of the possibility of such damages. Channel Partner assumes sole responsibility and liability for any claims, damages, losses, or liabilities that may arise, whether directly or indirectly, in connection with the Customer’s use of and access to the Software.
- Indemnification: The Customer agrees to indemnify and hold Cynomi, its affiliates, and their respective officers, directors, employees, and agents harmless from any claim, demand or proceeding made or initiated by any third party, and any associated liabilities, costs and expenses, including reasonable attorneys’ fees, arising out of or relating to the Customer’s use of or access to the Software, the violation of these Flow Down Terms by the Customer, or the infringement by the Customer, or other users of the Software using the Customer’s account, of any intellectual property or other rights of any person or entity.
- Third Party Beneficiary: Cynomi is an intended third-party beneficiary with the right to enforce these Flow Down Terms against the Customer.
- Termination: These Flow Down Terms are subject to termination in accordance with the terms and conditions of this Agreement. Notwithstanding the foregoing, the license granted to the Customer shall automatically terminate in the event of any breach of these Flow Down Terms by Customer. Upon termination, the Customer must cease all use of and access to the Software and destroy all copies of any Software documentation.