High-Tech Bridge SA (hereinafter "HTB") is a Limited Company (Ltd.) registered in the Commercial Register of canton of Geneva under Swiss Federal Identification Number CH-660.3.042.007-9 with VAT Number CHE-113.980.579, domiciled at:
World Trade Center II
29, Route de Pre-Bois
The present Terms of Service agreement governs your and/or your company (hereinafter "the Customer") usage of ImmuniWeb® Application Security Testing Platform provided by HTB via ImmuniWeb® Portal (hereinafter "the Portal"), designed to assess security and reliability of websites, web and mobile applications (hereinafter "the Infrastructure") and to provide the findings along with remediations via Interactive Dashboard.
By ticking the «I HAVE READ AND AGREED» check-box during registration on the Portal, you are fully accepting and agreeing with the present Terms of Service agreement. The electronic acceptance of the present Terms of Service agreement by the above-mentioned procedure implies that the Customer has read, understood and fully accepted the present agreement. Otherwise, the Customer is kindly requested to leave the Portal.
The present Terms of Service agreement does not govern the relationship between the Customer and Swiss bank "PostFinance AG" that is in charge of online payment processing on behalf of HTB.
2. ImmuniWeb® Web Security Testing Platform
2.1 Description of ImmuniWeb®
ImmuniWeb® is a globally registered trademark (Trademark Number: 629207; Application Number: 54506/2012) owned by HTB. ImmuniWeb® is entirely developed and supported by HTB, who is its sole owner.
ImmuniWeb® is an application security testing platform designed to provide website, web service, and web and mobile application security assessment services. The purpose of the service is to discover vulnerabilities, weaknesses and misconfigurations of the Infrastructure operated and/or owned by the Customer, and to offer general solutions and remediations for the discovered problems.
This service is provided to the users who created an account on the Portal via the registration procedure, obtained account approval via a confirmation email, confirmed their legitimacy and authorization to perform security testing of the Infrastructure, and paid for the service according to the procedures outlined below in the agreement. HTB retains the right to deny Security Assessment in case of any doubts regarding the Customer's legitimacy/authorization to perform such assessment.
To assess the security of the Infrastructure, the Customer shall login to the Portal under his, or her, account and create an ImmuniWeb® Security Assessment project.
ImmuniWeb® Continuous Security Assessment projects consist of 4 steps:
- Assessment Configuration
- Ownership Confirmation
- Customization and Online Payment
- Continuous Security Monitoring
ImmuniWeb® On-Demand Security Assessment project consists of 6 consecutive steps:
- Configure Assessment
- Confirm Ownership
- Select Package & Pay
- Select Date
- Monitor Assessment
- View Assessment Results
ImmuniWeb® Mobile Security Assessment project consists of 6 consecutive steps:
- Upload Mobile Application and Configure Assessment
- Confirm Ownership
- Select Package & Pay
- Select Date
- Monitor Assessment
- View Assessment Results
2.2 ImmuniWeb® On-Demand and Mobile Security Assessment Report
Upon completion of an ImmuniWeb On-Demand or Mobile Security Assessment, the assessment report can be viewed and downloaded by the Customer directly from the Portal. The report becomes available within 1 (one) business day after the Security Assessment completion.
The Customer will be able to view and download the report (in HTML format) directly from the Portal. The report will stay available on the Portal during the next 90 (ninety) calendar days following the Security Assessment completion, and then will be securely deleted.
The Customer has a possibility to securely delete the report from the Portal any time before the above-mentioned deadline.
After being deleted, the report cannot be recovered. The Customer is entirely responsible for viewing and downloading the report within the aforementioned 90 (ninety) calendar days deadline, as well as for saving the report on a secure local storage.
2.3 ImmuniWeb® Continuous Interactive Dashboard
Within 2 (two) business days after receiving payment for an ImmuniWeb Continuous subscription, the Customer will be provided with access to the interactive vulnerability management dashboard designed to manage and monitor the assessment and its results via the Portal.
The data provided to the Customer via the dashboard, including but not limited to assessment results and statuses of detected vulnerabilities, is accessible via the Portal during the validity of Customer’s subscription and 6 (six) months after subscription expiration.
After the above-mentioned 6 (six) months deadline, or upon the Customer’s written demand, the data will be securely deleted. After being deleted the data cannot be recovered.
2.4 ImmuniWeb® Security Seal
Some of ImmuniWeb® packages provide the Customer with ImmuniWeb® Security Seal designed to confirm the fact and the timing of the performed security assessment.
Despite our best efforts to identify as many vulnerabilities as possible within the assessment scope and timeframe, the Seal does not guarantee that the Infrastructure is 100% secure, unbreakable, or totally vulnerability-free.
2.5 ImmuniWeb® Continuous Notifications
For the Customers of ImmuniWeb Continuous, instant notification functionality is available to receive alerts about newly-detected vulnerabilities via email or SMS, depending on the ImmuniWeb subscription package.
Despite our best efforts to send the above-mentioned notifications in strict accordance with the Customer’s preferences selected on the Portal, we do not guarantee that they will arrive on time. HTB declines any responsibility for any delays or omissions.
The SMS notification service is entirely operated and maintained by "Twilio, Inc." (CA), USA. HTB shall never be liable for any problems related to the SMS notification service.
2.6 ImmuniWeb® Scope of Assessment
The scope of the assessment is always defined by the Customer on the first step of the assessment project creation.
The Customer can provide any specific requirements to the scope of testing on the first step of the project. HTB will carefully follow and stay within the scope defined by the Customer.
2.7 ImmuniWeb® Methodology of Testing
HTB’s web application security testing methodology is developed and based on its proprietary technology described on the ImmuniWeb web page.
Except if otherwise requested by the Customer, or required by the circumstances of the assessment, the methodology of testing is compliant and compatible with the latest versions of globally recognized standards, such as OWASP Testing Guide, NIST800-115 (Technical Guide to Information Security Testing and Assessment) and the PCI DSS Penetration Testing Guide.
HTB makes best efforts to avoid using any security testing or exploitation techniques that may harm, corrupt or destroy Customer’s data or Infrastructure. If an unexpected and dangerous event occurs during the assessment, HTB will contact the Customer within the next 15 (fifteen) minutes of event detection to coordinate further activities.
2.8 ImmuniWeb® Quality Assurance
For the most important and critical processes and activities of, or related to, the assessment, HTB relies on the four-eyes principle, which involves at least two people controlling each other.
2.9 ImmuniWeb® Customer Support
HTB provides 24/7 online and email based support for the Customer.
HTB makes best possible efforts to respond to normal support tickets within 4 (four) business hours and within 15 (fifteen) minutes to urgent support tickets. Nevertheless, HTB cannot guarantee that a problem will be resolved within the above-mentioned deadline, and shall never be liable for any delays.
Urgent support ticket functionality is available only to the Customers who have already paid for at least one assessment project. Abusive or non-appropriate usage of urgent support tickets by the Customer may lead to temporary or permanent disablement of urgent ticket functionality on the Portal.
3. ImmuniWeb® Portal
3.1 Registration Procedure
To use ImmuniWeb, the Customer must be registered and authenticated on the Portal. To obtain an account on the Portal, the Customer shall follow the registration procedure. During the registration, the Customer undertakes to provide HTB only with correct, truthful and up-to-date information required by the procedure.
HTB retains the right to verify at any time the authenticity and veracity of the information provided by the Customer during the registration. Any accounts with doubtful information may be blocked, while any accounts with deliberately false or fake information will be deleted immediately. Any claims for reimbursement for the projects created under these accounts will be refused.
HTB can, at its own discretion, deny the registration to any user at any time without any justification of its decision.
3.2 Identification of the Customer
The Customer should identify himself, or herself, on the Portal with his, or her, email address (login) and password (hereinafter "the Credentials").
HTB draws particular attention of the Customer to the fact that the Credentials are strictly personal and non-transferable.
The Customer undertakes to keep his, or her, Credentials strictly confidential. Otherwise, HTB retains the right to block the Customer's account and claim any damage occurred. Any claims for reimbursement for the projects created under these accounts will be refused.
3.3 Modification of Customer Account Information
The Customer undertakes to keep his, or her, account information up-to-date. To do so, he, or she, can modify the information directly on the Portal via profile update function.
3.4 Customer Account Information Storage and Deletion
The information about and related to the Customer’s account is stored on the Portal until the Customer requests to delete the account.
The Customer can request HTB to delete his, or her, account on the Portal by submitting the request in writing or via Portal Support. The account, and all the related information, will be securely deleted within 15 (fifteen) business days since the receipt of the request.
Deleted information is not recoverable. Any claims for reimbursement for the projects created under deleted accounts will be refused.
3.5 Portal Availability
Notwithstanding external interruptions beyond HTB's control, the Portal is available 7 days a week, 24 hours a day. In case of necessity, HTB retains the right to temporary interrupt access to the Portal, at any time, for any period of time and at its own discretion.
3.6 Portal Security
Special attention is given to security of the Portal. Nevertheless, the Customer recognizes that despite the best efforts undertaken by HTB, including continuous risk assessment, threat and vulnerability monitoring, usage of up-to-date software, system hardening, data encryption and compliance with the latest safety regulations and standards, including ISO 27001, HTB cannot guarantee the absolute security of the Portal.
3.7 Portal Time Zone
The Portal is operating in the Central European Time (CET/CEST) time zone.
HTB takes all appropriate measures not to disturb the availability of the Customer’s Infrastructure, related systems or network equipment during an ImmuniWeb assessment. Nevertheless, exceptional side effects may occur beyond HTB’s control, and HTB may not be held responsible for any interruptions of Customer's operations that may occur during the assessment. The Customer is advised to create a backup of the tested system before starting the assessment.
HTB makes best efforts to identify all the vulnerabilities and weaknesses within the scope and during the timeframe of the assessment, however cannot guarantee that all the vulnerabilities will be detected, and declines any responsibility for missed or omitted vulnerabilities.
An ImmuniWeb assessment itself is not intended to prevent, eliminate or fix any vulnerabilities or security weaknesses. The assessment only identifies vulnerabilities and weaknesses within the Infrastructure, and proposes general solutions and remediations for them. The Customer bears the sole responsibility for implementing any necessary corrections for the discovered vulnerabilities and weaknesses. The Customer understands that vulnerability remediations, proposed in the report or via the interactive dashboard, consist of general guidelines only, provided without any warranty of any kind.
ImmuniWeb® assessment results reflect the state of security of the Customer's Infrastructure only at the time of the assessment’s execution, and therefore cannot be considered as permanently up-to-date.
5. Obligations of the Customer
5.1 Strictly Prohibited Usage
The Customer is not allowed to use ImmuniWeb to assess the security of Infrastructure that does not belong to him, or her, or for which he, or she, does not have an explicit written authorization from the legitimate Infrastructure owner to perform such testing.
The Customer is not allowed to use ImmuniWeb in countries where the legislation does not allow such usage.
In case of violation of the above-mentioned conditions by the Customer, HTB reserves the right to immediately block the Customer's account and refuse any claims for reimbursement for the projects created under this account.
5.2 Confirmation of the Infrastructure Ownership
The Customer unconditionally agrees to use ImmuniWeb to assess the security only of the Infrastructure that belongs to him, or to her, or for which he, or she, has an explicit written authorization from the legitimate Infrastructure owner to do so.
In case of website security testing, the Customer agrees that an email notification about the assessment may be sent to emails obtained from the website domain WHOIS record, or to the official emails provided directly on the website that the Customer wants to assess.
HTB also reserves the right to contact the Customer and/or his, or her, company by telephone and by any other available means, in order to verify the Customer's identity and legitimacy to perform assessment of the Infrastructure.
5.3 Correctness and Completeness of Technical Information
During creation of ImmuniWeb On-Demand, Mobile or Continuous security assessment projects on the Portal, the Customer is entirely responsible for submitting correct, complete and up-to-date technical information about the Infrastructure (e.g. URL, authentication and other technical information).
In case of erroneous technical information submitted to the Portal, the Customer will bear the sole responsibility for the error. In this case HTB does not guarantee accuracy and completeness of the assessment and its results. Any claims for reimbursement in such cases will be refused.
5.4 Non-Resistance to Security Assessment
HTB’s IP addresses, from which the assessment will take place, will be communicated to the Customer by email 1 (one) day before the assessment and just before the start of the assessment for all ImmuniWeb On-Demand and Mobile projects. For ImmuniWeb Continuous projects, the IP addresses are constantly visible on the Portal.
The Customer is required to properly authorize or whitelist HTB’s IP addresses on his, or her, IPS (Intrusion Prevention System), WAF (Web Application Firewall), and any other hardware or software solutions that may partially or entirely block or slow down the assessment, and thus, influence its completeness and accuracy. Otherwise, the accuracy and completeness of the assessment and its results are not guaranteed by HTB. Any claims for reimbursement in such case will be refused.
The Customer is advised to delete HTB’s IP addresses from any whitelists and revoke any temporary permissions or accounts created for the assessment after the assessment is finished.
5.5 Availability of the Infrastructure
The Customer is entirely responsible for availability of his, or her, Infrastructure during the assessment.
If for any reason the Infrastructure will not be accessible from HTB’s IP addresses during the assessment, the Customer will bear the sole responsibility for incompleteness or non-delivery of the assessment. Any claims for reimbursement in such case will be refused.
5.6 Obligation to Inform Concerned Third Parties
The Customer must inform and obtain explicit authorization to perform the assessment from all the third parties (if any) that are directly or indirectly concerned by the assessment.
This obligation particularly applies if the Customer is not the sole owner of the web or database servers where the Infrastructure and its data are located. HTB does not bear any responsibility for delay caused by coordination between the Customer and the concerned third parties.
5.7 Obligation to Respect Account Integrity and Confidentiality
The Customer undertakes to take all possible measures to protect his, or her, account Credentials from unauthorized third-parties. If the Customer is aware of any illegal, unauthorized, or improper usage of his, or her, Portal account, he, or she, shall immediately inform HTB.
The Customer undertakes henceforth, and without any counterpart, to be held liable and responsible for any damage suffered by HTB in case of breach of this clause.
5.8 Availability for Emergencies
The Customer undertakes to provide a valid email and direct phone number in his, or her, profile on the Portal, by which he, or she, can be reached in case of emergency (e.g. unexpected event or breach detection).
6. Measures Against Abuse
In case of any illegal, unethical, improper, or contrary to the present agreement or good will, usage of ImmuniWeb, the Customer agrees henceforth, and without any counterpart, to be held liable and responsible for any damage suffered by HTB, as well as for any liabilities that HTB could owe to any third party.
In case of abuse HTB retains the right to:
- Take any technical measures it deems appropriate under such circumstances;
- Inform competent law enforcement agencies;
- Inform all the third parties concerned by the abuse;
- Initiate criminal and civil complaints against the Customer;
- Request indemnification for all suffered damage with applicable interest.
7. Limited Liability of HTB
7.1 Access to the Portal
HTB makes best efforts to provide the Customer with uninterrupted access to the Portal. However, HTB does not guarantee permanent access to and uninterrupted operation of the Portal. HTB cannot be held liable for any interruptions of the Portal’s availability.
7.2 Security Assessment Interruption
HTB retains the right to interrupt the assessment at any time in case of any risk related to the security or stability of the Infrastructure or related system(s), without any obligation to justify such action.
HTB is not liable for any direct or indirect damage caused by this kind of interruption. HTB's liability is also excluded in the case of interruption of the assessment by HTB due to a Force Majeure.
7.3 Inappropriate Usage by the Customer
HTB shall not bear any responsibility for any damage resulting from any inappropriate, unethical, illegal or abusive usage of ImmuniWeb by the Customer, particularly for the damage caused due to the non-observance by the Customer of the present agreement or instructions indicated on the Portal.
7.4 Damage Caused to Third Parties
HTB shall in no case bear responsibility for any direct or indirect damage caused to any third parties during the execution of the assessment.
In the improbable case, if HTB bears responsibility for damage caused to a third party, the Customer undertakes to entirely indemnify HTB for the amount that HTB may be obliged to pay in relation thereto, as well as to reimburse HTB all the expenses incurred while defending its interests in court including any legal expenses and lawyers’ fees.
7.5 Damage Caused to the Customer
Except for the case of serious and deliberate misconduct, HTB shall not bear any responsibility for any direct or indirect damage (including but not limited to loss of integrity, availability or accessibility of any data or information, destruction of any information, files, databases or archives, or damage caused to any software or network equipment) incurred by the Customer in relation to an ImmuniWeb assessment.
By accepting the present agreement, the Customer unconditionally undertakes not to initiate any legal actions, lawsuits or procedures against HTB in relation to an ImmuniWeb assessment.
7.6 Liability Limit
HTB's total liability arising in connection with an ImmuniWeb assessment is limited to the price paid by the Customer for the security assessment. By accepting the present agreement, the Customer unconditionally accepts HTB's liability limit.
8. Payment Conditions
8.1 Price, Currencies and VAT
The price of ImmuniWeb assessment is fixed in USD (US Dollars) and varies depending on the selected package. The price of a package is always displayed on the Portal on the Payment Step of project creation.
The price of any ImmuniWeb package may be changed at any time at HTB’s own discretion. All projects that were prepaid prior to the price change will not be affected by this change.
Payment can be made in US Dollars (USD), Euros (EUR) and Swiss Francs (CHF). When paying in EUR or CHF a currency conversion commission may be applied by your bank and/or by your card processing center. HTB has absolutely no relation or influence over these fees and shall never be responsible to reimburse or compensate them in any manner.
The price is indicated without VAT (Value Added Tax). Swiss VAT of 8% (eight percent) will be charged if the Customer resides in Switzerland and is not exempted from VAT; or in the exceptional case when the Customer resides abroad but is obliged to pay VAT in Switzerland.
8.2 Online Payment
The entire online payment procedure via credit cards or PayPal is managed and operated by Swiss bank "PostFinance AG" in accordance to their Terms and Conditions. HTB declines any responsibility for any delay or damage incurred by the Customer in relation to the online payment procedure.
8.3 Terms of Payment for ImmuniWeb On-Demand and Mobile
Any ImmuniWeb On-Demand or Mobile assessment is started only after receiving a full prepayment for the selected package by the Customer.
The Customer can either pay online on the Portal, or just generate an invoice on the Portal and make the payment via wire bank transfer. If paid via bank transfer, within the next 5 (five) business days after the receipt of the funds on HTB’s bank account, the Customer will receive a 100% Discount Code that he, or she, shall enter on the Payment step of the project and skip the online payment procedure.
The invoice in PDF format becomes available for download on the Portal immediately after successful payment for the assessment. The invoice will be available on the Portal for the next 12 (twelve) months after the payment. After the above-mentioned deadline, the invoice will be automatically deleted without any notification to the Customer.
The Customer is solely responsible for printing and keeping the invoice for administrative and accounting needs and requirements. HTB does not provide any backup or copies of the invoices.
8.4 Terms of Payment for ImmuniWeb Continuous
ImmuniWeb Continuous assessments start in 2 (two) business days upon receipt of a full prepayment for the service, or of a first invoice if the Customer selects a monthly, quarterly or annual billing cycle.
Thirty (30) days before the end of current billing cycle period, an invoice for the next period becomes available on the Portal and shall be entirely paid within the next twenty-nine (29) days. Any overdue payments may lead to monetary penalties duly foreseen by Swiss law.
The Customer can select the duration of an ImmuniWeb Continuous subscription on the Portal of six (6) months, one (1) year, two (2) years, or three (3) years, and obtain a corresponding loyalty discount that will be displayed alongside the price. Once selected, the subscription is deemed to be purchased for the selected period of time, and if cancelled before for any reason, the entire amount of the upcoming payments must be paid to HTB without any deduction.
The invoice in PDF format is stored on the Portal during the subscription validity and six (6) months after subscription expiration. After the above-mentioned deadline, the invoice will be automatically deleted without any notification to the Customer.
The Customer is solely responsible for printing and keeping the invoice for administrative and accounting needs and requirements. HTB does not provide any backup or copies of the invoices.
8.5 False-Positives Reimbursement
HTB makes best efforts to assure zero false-positives for every security assessment. In the improbable case if the Customer will find a false-positive among the assessment results, he, or she may claim a reimbursement.
If the false-positive is confirmed and recognized by HTB, the Customer shall receive the amount paid for ImmuniWeb On-Demand or Mobile package, or the amount paid for one week of assessment in pro-rata for ImmuniWeb Continuous package.
This clause is only valid for the false-positives among security vulnerabilities with assigned CVSSv3 score and CWE-ID. Under no circumstances is this clause valid for ImmuniWeb® Discovery or supplementary services or appendixes, such as Server Software Security Monitor, SSL Server Security, Web Server Security, Trademark Abuse Radar.
8.6 Reimbursement Claims and Limitations
Any reimbursement claims (via Support) must be made by the Customer within the next 10 (ten) business days after an incident that triggered the claim has occurred. Any reimbursement claims received after the aforementioned 10 (ten) business days deadline will not be accepted and are not liable for reimbursement.
In case of reimbursement claim approval by HTB, the reimbursement amount corresponding to the gravity of the incident shall be paid to the Customer within the next 30 (thirty) business days following the approval. The amount of the reimbursement can never exceed the total amount paid by the Customer for the assessment during which the incident occurred.
9. Confidentiality and Privacy
9.1 Observance of Professional, Commercial and Business Secrets
HTB and its employees undertake to handle all the information related to, or received from, the Customer by email or phone, via the Portal or by any other means, in a strictly confidential manner and in compliance with HTB’s ISO 27001:2013 certification, related security policies and procedures.
All customer-related data is accessible only to the authorized HTB’s employees, required to have access to this data to perform their professional duties.
All HTB’s employees are internally vetted and required to sign a Non-Disclosure Agreement (NDA) before obtaining access to any customer-related data. HTB’s employees in charge of the assessment and related technical activities, are required to act in strict conformity with CREST Code of Conduct for Individuals, assuring confidentially, ethics, honesty and integrity. Regular internal vetting in accordance to CREST guidelines is performed on all HTB employees.
HTB undertakes not to disclose, share or transfer any customer-related data (i.e. personal, financial, technical and vulnerability data) to any unauthorized third-parties for any purposes, with the only exception when such action is demanded by a court order.
9.2 Customer Data Retention and Deletion
HTB collects, stores and processes Customer data only if that is required or necessary for the execution of ImmuniWeb assessments and related activities, such as proper functioning of the Portal.
HTB stores and deletes this data according to the procedures outlined by the articles 2.2 (for ImmuniWeb On-Demand and Mobile) and 2.3 (for ImmuniWeb Continuous) of the present agreement.
9.3 Personal Data Retention and Deletion
HTB may process Personal Data (also known as Personally Identifiable Information) provided by the Customer during the registration or later via the Portal, and handle it with the highest precaution and store it in accordance with the applicable Swiss law.
The Customer can request HTB to delete his, or her, personal data at any time. All personal data of the Customer will be securely deleted together with his, or her, account on the Portal within 15 (fifteen) business days since the receipt of a written notification from the Customer.
By initiating such a request, the Customer unconditionally agrees that all ImmuniWeb assessment projects created by him, or her, on the Portal will be also unrecoverably deleted and will not be reimbursed.
9.4 Data Protection
HTB undertakes to protect Customer's data and Personal Data in accordance with the applicable Swiss law and regulations.
The Customer is responsible for using ImmuniWeb in accordance with any concerned third party's right to data protection.
10. Intellectual Property
HTB remains the sole owner of names, trademarks, logos, labels and any other distinctive signs that belong to it, as well as of the software, source codes, programming algorithms, design concepts, databases, assessment reports, dashboard interface and all tangible and intangible goods related to ImmuniWeb service.
HTB undertakes not to make modifications of the present Terms of Service agreement that will jeopardize confidentiality or privacy of the Customer except if such modification is explicitly required by applicable law or court order. In other cases, the present agreement can be modified without any prior notification at any time by HTB at its own discretion.
The new version of the agreement shall be immediately published on the Portal. For any substantial changes, or changes involving Customer’s confidentiality or privacy, the Customer shall receive an instant notification about such change via email, special message or support ticket on the Portal.
The modified agreement shall apply thereafter to all newly created ImmuniWeb assessments.
The present version of Terms of Service was last modified on the 28th of September 2017.
12. Applicable Law
The present Terms of Service agreement applies worldwide, and is governed by and construed in accordance with Swiss law. Application of any international treaty or convention is excluded.
The exclusive place of jurisdiction for any dispute resolution is Geneva, Switzerland.