TERMS OF SERVICE FOR
SECURITY ASSESSMENT SERVICE
PROVIDED BY HIGH-TECH BRIDGE SA
High-Tech Bridge SA (hereinafter "HTB") is a Limited Company (Ltd.) registered in the Commercial Register of canton of Geneva under Swiss Federal Identification Number CH-660.3.042.007-9 with VAT number CHE-113.980.579, domiciled at:
The present Terms of Service agreement governs your and/or your company (hereinafter "the Customer") usage of ImmuniWeb® Application Security Testing Platform provided by HTB via ImmuniWeb® Portal (hereinafter "the Portal"), designed to assess application security and to provide the findings with suggested remediations.
By ticking the «I HAVE READ AND AGREED» check-box during registration on the Portal, you are fully accepting and agreeing with the present Terms of Service agreement. The electronic acceptance of the present Terms of Service agreement by the above-mentioned procedure implies that the Customer has read, understood and fully accepted the present agreement. Otherwise, the Customer is kindly requested to leave the Portal.
The present Terms of Service agreement does not govern the relationship between the Customer and Swiss bank "PostFinance AG" that is in charge of credit card and PayPal payments processing on behalf of HTB.
2. ImmuniWeb® Web Security Testing Platform
2.1 Description of ImmuniWeb®
ImmuniWeb® is a globally registered trademark (Trademark Number: 629207; Application Number: 54506/2012) owned by HTB. ImmuniWeb® is entirely developed and supported by HTB, who is its sole owner.
ImmuniWeb® is an application security testing platform designed to provide security assessment service for websites, web services, and web and mobile applications (hereinafter "the Infrastructure"). The purpose of the service is to discover vulnerabilities, weaknesses and misconfigurations of the Infrastructure operated and/or owned by the Customer, and to offer general remediation recommendations for the discovered problems.
This service is provided to the users who created an account on the Portal via the registration procedure, obtained account approval via a confirmation email, confirmed their legitimacy and authorization to perform security testing of the Infrastructure, and paid for the service according to the procedures outlined below in the agreement. HTB retains the right to deny Security Assessment in case of any reasonable doubts regarding the Customer's legitimacy or authorization to perform such assessment.
To assess the security of the Infrastructure, the Customer shall login to the Portal under his, or her, account and create an ImmuniWeb® Security Assessment project.
ImmuniWeb® Continuous Security Assessment projects consist of 4 consecutive steps:
ImmuniWeb® On-Demand Security Assessment project consists of 6 consecutive steps:
ImmuniWeb® Mobile Security Assessment project consists of 6 consecutive steps:
ImmuniWeb® Discovery project consists of 2 consecutive steps:
2.2 ImmuniWeb® On-Demand and Mobile Security Assessment Report
Upon completion of an ImmuniWeb On-Demand or Mobile Security Assessment, the assessment report can be viewed and downloaded by the Customer directly from the Portal. The report becomes available within 1 (one) business day after the Security Assessment completion.
The Customer will be able to view and download the report (in HTML or PDF format) directly from the Portal. The report will stay available on the Portal during the next 90 (ninety) calendar days following the Security Assessment completion, and then will be securely deleted.
The Customer has a possibility to securely delete the report from the Portal any time before the above-mentioned deadline.
After being deleted, the report cannot be recovered. The Customer is entirely responsible for downloading the report within the aforementioned 90 (ninety) calendar days deadline, as well as for saving the report on a secure local storage.
2.3 ImmuniWeb® Continuous Interactive Dashboard
Within 2 (two) business days after receiving a payment for ImmuniWeb Continuous subscription, the Customer will be provided with an access to the interactive vulnerability management dashboard designed to manage and monitor the assessment and its results via the Portal.
The data provided to the Customer via the dashboard, including but not limited to assessment results and statuses of detected vulnerabilities, is accessible via the Portal during the validity of Customer’s subscription and 6 (six) months after the subscription expiration.
After the above-mentioned 6 (six) months deadline, or upon the Customer’s written demand, the data will be securely deleted. After being deleted the data cannot be recovered.
2.4 ImmuniWeb® Security Seal
Some of ImmuniWeb® packages provide the Customer with ImmuniWeb® Security Seal designed to confirm the fact and the time of the performed security assessment.
Despite our best efforts to identify as many vulnerabilities as possible within the assessment scope and timeframe, the Seal does not guarantee that the Infrastructure is 100% secure, unbreakable, or totally vulnerability-free.
2.5 ImmuniWeb® Continuous Notifications
For the Customers of ImmuniWeb Continuous, instant notification functionality is available to receive alerts about newly-detected vulnerabilities via email or SMS, depending on the ImmuniWeb subscription package.
Despite our best efforts to send the above-mentioned notifications in strict accordance with the Customer’s preferences selected on the Portal, we do not guarantee that they will arrive without delay. HTB declines any responsibility for any delays or omissions.
The SMS notification service is entirely operated and maintained by "Twilio, Inc." (CA), USA. HTB shall never be liable for any problems or damage related to the SMS notification service.
2.6 ImmuniWeb® Scope of Assessment
The scope of the assessment is always defined by the Customer on the first step of the assessment project creation.
Within reasonable, the Customer can provide specific requirements to the scope of testing on the first step of the project. HTB will carefully follow the instructions and scope defined by the Customer.
2.7 ImmuniWeb® Methodology of Testing
HTB’s web application security testing methodology is developed and based on its proprietary technology described on the ImmuniWeb web page.
Except if otherwise requested by the Customer, or required by the circumstances of the assessment, the methodology of testing is compliant and compatible with the latest versions of globally recognized standards, such as OWASP Testing Guide, NIST800-115 (Technical Guide to Information Security Testing and Assessment) and the PCI DSS Penetration Testing Guide.
HTB makes best efforts to avoid using any security testing or exploitation techniques that may harm, corrupt or destroy Customer’s data or Infrastructure. If an unexpected and dangerous event occurs during the assessment, HTB will contact the Customer within the next 15 (fifteen) minutes of the event detection to coordinate further activities.
2.8 ImmuniWeb® Quality Assurance
For the most important and critical processes and activities of the assessment, HTB relies on the four-eyes principle, which involves at least two people controlling each other.
2.9 ImmuniWeb® Customer Support
HTB provides 24/7 online and email support for the Customer.
HTB makes best possible efforts to respond to normal support tickets within 4 (four) business hours and within 15 (fifteen) minutes to urgent support tickets. Nevertheless, HTB cannot guarantee that a problem will be resolved within the above-mentioned deadline and shall never be liable for any delays and the damage caused by such delays.
Urgent support ticket functionality is available only to the Customers who have already paid for at least one assessment project. Abusive or non-appropriate usage of urgent support tickets by the Customer may lead to temporary or permanent disablement of urgent ticket functionality on the Portal.
3. ImmuniWeb® Portal
3.1 Registration Procedure
To use ImmuniWeb, the Customer must be registered and authenticated on the Portal. To obtain an account on the Portal, the Customer shall follow the registration procedure. During the registration, the Customer undertakes to provide HTB with correct, truthful and up-to-date information required by the procedure.
HTB may verify at any time the authenticity and veracity of the information provided by the Customer during the registration. Any accounts with doubtful information may be suspended, accounts with deliberately false or fake information may be deleted immediately. Any claims for reimbursement for the projects created under accounts with false of fake information will be refused.
HTB can, at its own discretion, deny the registration to any user at any time without any justification of its decision.
3.2 Identification of the Customer
The Customer should identify himself, or herself, on the Portal with his, or her, email address (login) and password (hereinafter "the Credentials").
HTB draws particular attention of the Customer that the Credentials are strictly personal and non-transferable.
The Customer undertakes to keep his, or her, Credentials strictly confidential. Otherwise, HTB retains the right to block the Customer's account and claim any damage occurred. Any claims for reimbursement for the projects created under accounts shared with third parties will be refused.
3.3 Modification of Customer Account Information
The Customer undertakes to keep his, or her, account information up-to-date. To do so, he, or she, can modify the information directly on the Portal via profile update function. Accounts with outdated information may be suspended.
3.4 Customer Data Collection, Processing, Retention and Deletion
During the aforementioned registration procedure initiated by the Customer, HTB collects information that is consciously and voluntarily submitted by the Customer (e.g. name, email address, business phone, etc.).
The information may contain Personally Identifiable Information (PII) that will be used solely for the purpose of registration and due provision of HTB’s services to the Customer subject to the present agreement.
The information is securely stored in a dedicated data center located in Canada (recognized by the European Commission as a country providing adequate level of data protection alongside with Switzerland) until the Customer requests to delete the account. The data center is owned by Internap Corporation (NASDAQ: INAP) that does not have any access to HTB’s data. The integrity of HTB’s servers are operated by authorized HTB employees only.
The information is stored as long as reasonably required to pursue the initial purpose of the information submission by the Customer.
The Customer can request HTB to delete his, or her, account on the Portal by submitting the request via Portal Support. The account, and all the related information available, will be securely deleted within 15 (fifteen) business days since the receipt of the request.
Deleted information is not recoverable. Any claims for reimbursement for the projects created under deleted accounts will be refused.
3.5 Portal Availability
Notwithstanding external interruptions beyond HTB's control, the Portal is available 7 days a week, 24 hours a day. In case of reasonable necessity, HTB retains the right to temporary interrupt access to the Portal, at any time, for any period of time and at its own discretion.
3.6 Portal Security
Special attention is given to the security of the Portal. Nevertheless, the Customer recognizes that despite the best efforts undertaken by HTB, including continuous risk assessment, threat and vulnerability monitoring, usage of up-to-date software, system hardening, data encryption and compliance with the latest safety regulations and standards, including ISO 27001, HTB cannot guarantee the absolute security of the Portal.
3.7 Portal Time Zone
The Portal is operating in the Central European Time (CET/CEST) time zone.
HTB takes all appropriate measures not to disturb the availability of the Customer’s Infrastructure, related systems or network equipment during an ImmuniWeb assessment. Nevertheless, exceptional side effects may occur beyond HTB’s control, and HTB shall not be held responsible for any interruptions of Customer's operations that may occur during the assessment. The Customer is advised to create a backup of the tested system before starting the assessment.
HTB makes best efforts to identify all the vulnerabilities and weaknesses within the scope and during the timeframe of the assessment, however cannot guarantee that all the vulnerabilities will be detected, and declines any responsibility for missed or omitted vulnerabilities.
An ImmuniWeb assessment itself is not intended to prevent, eliminate or fix any vulnerabilities or security weaknesses. The assessment purports to identify vulnerabilities and weaknesses within the Infrastructure, and to propose general remediation solutions for them. The Customer bears the sole responsibility for implementing any necessary corrections for the discovered vulnerabilities and weaknesses. The Customer understands that vulnerability remediations, proposed in the report or via the interactive dashboard, consist of general guidelines only, provided without any warranty of any kind.
ImmuniWeb® assessment results reflect the state of security of the Customer's Infrastructure only at the time of the assessment’s execution, and therefore cannot be considered as permanently up-to-date.
5. Obligations of the Customer
5.1 Strictly Prohibited Usage
The Customer is strictly prohibited to use ImmuniWeb to assess the security of any Infrastructure that does not belong to him, or her, or for which he, or she, does not have an explicit written authorization from the legitimate Infrastructure owner to perform the assessment.
The Customer is not allowed to use ImmuniWeb in countries where the legislation does not allow or prohibits such usage.
In case of violation of the above-mentioned conditions by the Customer, HTB reserves the right to immediately suspend the Customer's account and refuse any claims for reimbursement for the projects created under this account.
5.2 Confirmation of the Infrastructure Ownership
The Customer unconditionally agrees to use ImmuniWeb only to assess security of the Infrastructure that belongs to him, or to her, or for which he, or she, has an explicit written authorization from the legitimate Infrastructure owner to do so.
In case of website security testing, the Customer agrees that an email notification about the assessment may be sent to emails obtained from the website domain WHOIS record, or to the official emails provided directly on the website that the Customer wants to assess.
HTB also reserves the right to contact the Customer and/or his, or her, company by telephone and by any other available means in order to verify the Customer's identity and legitimacy to perform assessment of the Infrastructure.
5.3 Correctness and Completeness of Technical Information
During creation of ImmuniWeb On-Demand, Mobile or Continuous security assessment projects on the Portal, the Customer is entirely responsible for submitting correct, complete and up-to-date technical information about the Infrastructure (e.g. URL, authentication and other technical information).
In case of erroneous technical information submitted to the Portal, the Customer will bear the sole responsibility for the error. In this case HTB does not guarantee accuracy and completeness of the assessment and its results. Any claims for reimbursement in such cases will be refused.
5.4 Non-Resistance to Security Assessment
HTB’s IP addresses from which the assessment will take place will be communicated to the Customer by email 1 (one) day before the assessment and just before the start of the assessment for all ImmuniWeb On-Demand and Mobile projects. For ImmuniWeb Continuous projects, the IP addresses are constantly visible on the Portal.
The Customer is required to properly authorize or whitelist HTB’s IP addresses on his, or her, IPS (Intrusion Prevention System), WAF (Web Application Firewall), and any other hardware or software solutions that may partially or entirely block or slow down the assessment, and thus, influence its completeness and accuracy. Otherwise, accuracy and completeness of the assessment and its results are not guaranteed by HTB. Any claims for reimbursement in such case will be refused.
The Customer is strongly advised to delete HTB’s IP addresses from any whitelists and revoke any temporary permissions or demo accounts created for the purpose of the assessment once the assessment is finished.
5.5 Availability of the Infrastructure
The Customer is entirely responsible for availability of his, or her, Infrastructure during the assessment.
If for any reason the Infrastructure will not be fully accessible from HTB’s IP addresses during the assessment, the Customer will bear the sole responsibility for incompleteness, inaccuracy or non-delivery of the assessment. Any claims for reimbursement in such case will be refused.
5.6 Obligation to Inform Concerned Third Parties
The Customer must inform and obtain an explicit authorization to perform the assessment from all the third parties (if any) that are directly or indirectly concerned by the assessment.
This obligation particularly applies if the Customer is not the sole owner of the web, database or any other servers or equipment where Customer’s Infrastructure or its data are located. HTB does not bear any responsibility for delays caused by coordination between the Customer and the concerned third parties.
5.7 Obligation to Respect Account Integrity and Confidentiality
The Customer undertakes to take all reasonable measures to protect his, or her, account Credentials from unauthorized third-parties. If the Customer becomes aware of any illegal, unauthorized, unethical or improper usage of the Portal account, he, or she, shall immediately inform HTB by writing or another reliable and prompt mean.
The Customer undertakes to be solely liable and responsible for any damage suffered by HTB in case of breach of this clause.
5.8 Availability for Emergencies
The Customer undertakes to provide a valid email and direct phone number in his, or her, profile on the Portal, to be contacted in case of emergency (e.g. unexpected event or breach detection).
6. Measures Against Abuse
In case of any illegal, unethical, improper, unauthorized by the present agreement or performed in a bad faith usage of ImmuniWeb, the Customer unconditionally agrees to be solely liable and responsible for any damage suffered by HTB, as well as for any liabilities that HTB could owe to any third parties in result of such usage by the Customer.
In case of abuse HTB retains the right to:
7. Limited Liability of HTB
7.1 Access to the Portal
HTB makes best efforts to provide the Customer with an uninterrupted access to the Portal. However, HTB does not guarantee a permanent access to and uninterrupted operation of the Portal. HTB cannot be held liable for any interruptions of the Portal’s availability.
7.2 Security Assessment Interruption
HTB retains the right to interrupt the assessment at any time in case of any risk related to the security or stability of the Infrastructure or related system(s), without any obligation to justify such action.
HTB is not liable for any direct or indirect damage caused by this kind of interruption. HTB's liability is also excluded in case of interruption of the assessment by HTB due to a Force Majeure.
7.3 Inappropriate Usage by the Customer
HTB shall not bear any responsibility for any damage resulting from any inappropriate, unethical, illegal or abusive usage of ImmuniWeb by the Customer, particularly for the damage caused by Customer’s breach of the present agreement or instructions indicated on the Portal.
7.4 Damage Caused to Third Parties
HTB shall in no case bear responsibility for any direct or indirect damage caused to any third parties during the execution of the assessment.
In the improbable case, if HTB will be held liable for any damage caused to a third party, the Customer undertakes to entirely indemnify HTB for the amount that HTB may be obliged to pay in relation thereto, as well as to reimburse HTB all the expenses incurred while defending its interests in courts including but not limited to legal expenses and lawyers’ fees.
7.5 Damage Caused to the Customer
Except for the case of deliberate misconduct, HTB shall not bear any responsibility for any direct or indirect damages (including but not limited to loss of integrity, availability or accessibility of any data or information, destruction of any information, files, databases or archives, or damage caused to any software or network equipment) incurred by the Customer in relation to an ImmuniWeb assessment.
By accepting the present agreement, the Customer unconditionally undertakes not to take any legal actions, lawsuits or procedures against HTB in relation to an ImmuniWeb assessment.
7.6 Liability Limit
HTB's total liability in relation with an ImmuniWeb assessment is limited to the price paid by the Customer for the security assessment in question. By accepting the present agreement, the Customer unconditionally accepts the aforementioned HTB's liability limit.
8. Payment Conditions
8.1 Price, Currencies and VAT
The price of ImmuniWeb assessment is fixed in USD (US Dollars) and varies depending on the selected package. The price of a package is always displayed on the Portal on the Payment Step of project creation.
The price of any ImmuniWeb package may be changed at any time at HTB’s own discretion. All projects that were fully prepaid prior to the price change will not be affected by the change.
Payment can be made in US Dollars (USD), Euros (EUR) and Swiss Francs (CHF). When paying in EUR or CHF a currency conversion commission may be applied by your bank and/or by your card processing center.
Online payment processing may increase the price by a commission or a transaction fee charged by the processing company, bank or their subsidiaries. HTB has absolutely no relation or influence over these fees and shall never be responsible to reimburse or compensate them.
The price is indicated without VAT (Value Added Tax). Swiss VAT of 7.7% will be charged if the Customer resides in Switzerland and is not exempted from VAT; or in the exceptional case when the Customer resides abroad but is obliged to pay VAT in Switzerland.
8.2 Online Payment
The entire online payment procedure via credit cards or PayPal is managed and operated by Swiss bank "PostFinance AG" in accordance to their Terms and Conditions.
The entire online payment procedure via crypto currencies is managed and operated by Lithuanian processing center UAB "Virtualios valiutos" under the brand of “CoinGate” in accordance to their Terms and Conditions.
HTB declines any liability for any delay, loss or damage incurred by the Customer in relation to the online payment procedure.
8.3 Terms of Payment for ImmuniWeb On-Demand and Mobile
Any ImmuniWeb On-Demand or Mobile assessment is started only after receiving a full prepayment for the selected package by the Customer.
The Customer can either pay online on the Portal, or just generate an invoice on the Portal and make the payment via wire bank transfer. If paid via bank transfer, within the next 5 (five) business days after the receipt of the funds on HTB’s bank account, the Customer will receive a 100% Discount Code that he, or she, shall enter on the Payment step of the project and skip the online payment procedure.
The invoice in PDF format becomes available for download on the Portal immediately after successful payment for the assessment. The invoice will be available on the Portal for the next 12 (twelve) months after the payment. After the above-mentioned deadline, the invoice will be automatically deleted without any notification to the Customer.
The Customer is solely responsible for printing and keeping the invoice for administrative and accounting needs and requirements. HTB does not provide any backup or copies of the invoices.
8.4 Terms of Payment for ImmuniWeb Continuous
ImmuniWeb Continuous assessment starts in 2 (two) business days upon receipt of a full payment for the entire duration of the service or of the first invoice if the Customer selects a monthly, quarterly or annual billing cycle.
Thirty (30) days before the end of current billing cycle period, an invoice for the next period becomes available on the Portal and shall be entirely paid within the next twenty-nine (29) days. Any overdue payments may lead to monetary penalties and overdue interests in accordance with the Swiss law.
The Customer can select the duration of an ImmuniWeb Continuous subscription on the Portal of one (1) month, six (6) months, one (1) year, two (2) years, or three (3) years, and obtain a corresponding loyalty discount that will be displayed alongside the price. Once selected, the subscription is deemed to be purchased for the selected period of time, and if cancelled before for any reason, the entire amount of the upcoming payments must be paid to HTB without any deduction.
The invoice in PDF format is stored on the Portal during the subscription validity and six (6) months after subscription expiration. After the above-mentioned deadline, the invoice will be automatically deleted without any notification to the Customer.
The Customer is solely responsible for printing and keeping the invoice for administrative and accounting needs and requirements. HTB does not provide any backup or copies of the invoices.
8.5 False-Positives Reimbursement
HTB makes best efforts to assure zero false-positives for every security assessment. In the improbable case if the Customer will find a false-positive (i.e. a reported vulnerability that does not exist and did not exist at the time of the assessment) among the assessment report, he, or she may claim a reimbursement.
If the false-positive is confirmed and recognized by HTB, the Customer shall receive the amount paid for ImmuniWeb On-Demand or Mobile package purchased by the Customer, or the amount paid for one week of assessment in pro-rata for ImmuniWeb Continuous package.
This clause is valid only for the false-positives among security vulnerabilities with assigned CVSSv3 score and CWE-ID. Under no circumstances this clause is valid for ImmuniWeb® Discovery or supplementary services or appendixes, such as Server Software Security Monitor, SSLScan, WebScan, or Trademark Monitor.
8.6 Reimbursement Claims and Limitations
Any reimbursement claims must be made by the Customer via Support within 10 (ten) business days after an incident that triggered the claim has occurred. Any reimbursement claims received after the aforementioned deadline will not be reimbursed.
In case of reimbursement claim approval by HTB, the reimbursement amount corresponding to the gravity of the incident shall be paid to the Customer within the next 30 (thirty) business days following the approval. The amount of the reimbursement can never exceed the total amount paid by the Customer for the assessment during which the incident occurred.
9. Confidentiality and Privacy
9.1 Customer Data Protection, Commercial and Business Secrets
When providing its services under to the present agreement, HTB and its employees undertake its best reasonable effort to handle the information related to, or received from, the Customer in a strictly confidential manner and in compliance with HTB’s ISO 27001 certification, related security policies and procedures.
All customer-related data is accessible only to the authorized HTB’s employees, required to have access to this data to perform their direct professional duties. HTB’s employees are internally vetted and required to sign a Non-Disclosure Agreement (NDA) before obtaining an access to any customer-related data. HTB’s technical personnel is required to act in conformity with CREST Code of Conduct for Individuals, assuring confidentially, ethics, honesty and integrity. Regular internal vetting in accordance to CREST guidelines is performed on HTB employees.
HTB undertakes not to disclose, share or transfer any customer-related data (e.g. technical or vulnerability data) to any unauthorized third parties for any purposes, with the only exception when such action is demanded by a valid order of a Swiss court.
Retention of technical data (e.g. vulnerability data) is described in the articles 2.2 and 2.3 of the present agreement. Customer account removal described in the article 3.4 of the present agreement implies secure deletion of all the projects created by the Customer and the related data.
The Customer is responsible for using ImmuniWeb in accordance with any concerned third party's right to data protection.
9.2 Customer PII Data Protection
HTB and its employees undertake its best reasonable effort to protect Customer's PII data in accordance with corporate ISO 27001 certification, related security policies and procedures.
PII data collection, processing, retention and removal are performed according to the procedures outlined by the article 3.4 of the present agreement.
HTB’s Data Protection Officer is regularly conducting privacy audits as imposed by application regulation.
10. Intellectual Property
HTB remains the sole owner of names, trademarks, logos, labels and any other distinctive signs that belong to it, as well as of the software, source codes, programming algorithms, design concepts, databases, assessment reports, dashboard interface and all tangible and intangible goods related to ImmuniWeb service.
11. Entire Agreement
The present agreement constitutes the entire agreement between the Customer and HTB with respect to the subject matter thereof and supersedes all and any prior oral and written understandings, promises, arrangements or agreements relating to such subject matter. The Customer hereby agrees that there are no other representations or warranties relating to the subject matter of the present agreement.
HTB undertakes not to make modifications of the present Terms of Service agreement that will jeopardize confidentiality or privacy of the Customer except if such modification is explicitly required by applicable law or court order. In other cases, when the modifications are performed for a good reason and in good faith, the present agreement can be modified without any prior notification at any time by HTB at its own discretion.
The new version of the agreement shall be immediately published on the Portal. For any substantial changes, or changes involving Customer’s confidentiality or privacy, the Customer shall receive a prompt notification about such change via email, special message or support ticket on the Portal.
The modified agreement shall be effective only for the projects created after the modification.
The present version of Terms of Service was last modified on the 24th of May 2018.
13. Applicable Law
The present Terms of Service agreement applies worldwide and is governed by and construed in accordance with the Swiss law. Application of any international treaties or conventions is excluded.
The exclusive place of jurisdiction for any dispute resolution is Geneva, Switzerland.