Posted: June 19, 2024

Effective Date: June 19, 2024

Welcome, and thank you for using Breach Plan Connect® (hereafter, “BPC”). The following Terms of Service ("Terms") cover your use and access to our Software-as-a-Service (SaaS) hosted incident response services, software, and Web sites (collectively, “Services”). If you reside anywhere throughout the world, your agreement is with Network Standard Corporation (incorporated in the Commonwealth of Pennsylvania), doing business as NetDiligence. Our Privacy Policy explains how we collect and use your information while our Acceptable Use Policy outlines your responsibilities when using our Services. By using our Services, you're agreeing to be bound by these Terms, and by extension, our corporate Privacy Policy and Acceptable Use Policy. If you're using our Services for an organization, you're agreeing to these Terms on behalf of that organization.

Your BPC Record Data & BPC Platform Management Data

When you use BPC, you may be providing and storing important information (“BPC Record Data”) that reflects your organization’s incident response plan (“IRP”) procedures, employee roles, vendor contacts, and significant details relating to information security incidents or privacy data breach events that have impacted your organization. BPC Record Data that you create belongs to your organization as a corporate (not personal) information asset. These Terms don't give us any rights to your BPC Record Data except for the limited rights described below that enable us to offer the Services. We certainly do not have the right to openly publish your BPC Record Data or sell it to a third party.

We recognize that certain data you disclose to us, including BPC Record Data, may be confidential or proprietary (meaning information that is marked as “confidential”, “proprietary” or by similar marking, or information which, given the nature of the information and circumstances of its disclosure, would reasonably be understood to be confidential). We agree that we will protect your confidential information using the same standard of care and diligence that we use to protect our own confidential information.

Some of the Services facilitate contact with vendors that you have chosen to populate (either from among those that we publish or that you provide) in your BPC Record Data as a necessary function of the BPC environment. In such cases where the intended operation of BPC features incorporates contact with such vendors, you grant us permission to initiate such contact on your behalf.

Beyond that, you also grant us permission to host and store your BPC Record Data in appropriate venues and ways that reflect contemporary information security protection standards. As of the “Effective Date” listed at the top of this Terms document, all BPC Record Data is hosted at 11:11 Systems (please see: https://1111systems.com/), for which we seek and confirm evidence of current SSAE 18 / SOC 2 compliance on an ongoing basis as a condition of continued use of their hosting services.

You grant us permission to actively manage the BPC environment – including your BPC Record Data – to facilitate 24x7x365 access, data integrity, protection against accidental/malicious disclosure, and compliance with any legal or regulatory requirements that may be imposed upon NetDiligence as a condition of providing continued Services. Your permission in these cases extends to our affiliates and trusted third parties who assist us in providing the Services.

Finally, you grant us permission to utilize your BPC Record Data – along with that of all BPC clients – to generate aggregated user data statistics, patterns and trends that can help us improve the effectiveness of the Services, as well as for external research purposes within the cyber insurance industry. We guarantee that all such use will rely upon de-identification of such BCP Data so that it cannot be traced back to you, your account, your organization, or any element of your specific activities within the BPC platform.

Apart from your BPC Record Data, NetDiligence requires the creation, use and storage of critical operational information that facilitates the functioning of the BPC platform. We designate such information as BPC Platform Management Data. BPC Platform Management Data may include – among other examples - tokens and IDs that uniquely identify client devices that are utilized in furtherance of the mobile application elements of the BPC service. In addition to being necessary for the proper operation of the mobile application for functions such as push notifications and other valued features, such data will be recorded and maintained within system/application logging data/files within the NetDiligence environment. BPC Platform Management Data will be subject to contemporary record retention policies. Sharing of BPC Platform Management Data outside of NetDiligence and its technology support partners is prohibited unless: (a) compelled under request by legal authorities, and/or (b) as a required element of any cyber security breach investigation that implicates the BPC service.

Your Responsibilities

You are responsible for your conduct within the BPC platform. Your BPC Record Data and all activities undertaken by you within the BPC platform must comply with our Acceptable Use Policy. While you are licensed to broadly utilize the Services in managing your organization’s incident response plan (IRP) requirements and capabilities, much of the content we provide may be protected by others' intellectual property rights. Except for those tasks explicitly related to your IRP roles and functions, please don't copy or download such content for the purpose of reselling it or otherwise distributing it to unlicensed individuals or organizations. We value our intellectual property and that belonging to our partners, and will work diligently to ensure that it is not stolen, abused, or dissipated without recourse against those who would undertake such actions.

If we have reasonable reason to do so, we may review your conduct and content (including BPC Records) for compliance with these Terms and our Acceptable Use Policy. With that said, we have no obligation to do so. We aren't responsible for the veracity or legality of the content you provide. If we are requested by governmental authorities or opposing counsel in a legal action to remove BPC Records or supply them to an appropriate governmental body under penalty of a lawfully obtained warrant or subpoena, we will review our options and take legally appropriate/required action – which, unless prohibited by law, will include notice to your organization in a manner and time consistent with the conditions present - and regulatory requirements - associated with in any such event.

Help us keep you informed and your BPC Record Data protected. Safeguard your password to the Services, and keep your account information current. Don't share your account credentials or give others access to your account. Our BPC platform authorizes you (or your organizational administrator) to create and distribute BPC accounts to all appropriate stakeholders within your IRP program.

You may use our Services only as permitted by applicable law, including export control laws and regulations. Finally, our Services are not intended for and may not be used by people under the age of 13. By using our Services, you are representing to us that you're over 13.

Software and Mobile Apps

Some of our Services allow you to download client software ("Software") which may update automatically. So long as you comply with these Terms, we give you a limited, nonexclusive, nontransferable, revocable license to use the Software, solely to access the Services. To the extent any component of the Software may be offered under an open source license, we'll make that license available to you and the provisions of that license may expressly override some of these Terms. Unless the following restrictions are prohibited by law, you agree not to reverse engineer or decompile the Services, attempt to do so, or assist anyone in doing so.

If you are utilizing our Services via mobile-based applications (“Apps”) provided through either the Apple or Android Stores, respectively, you are legally bound to do so in a manner that is fully compliant with their rules for such use on their respective device platforms. Such rules operate in addition to – and not in place of – the rules for use of the Software set by NetDiligence.

Beta Services

We sometimes release products and features that we are still testing and evaluating (“Beta Services”). Those Beta Services have been marked beta, preview, early access, or evaluation (or with words or phrases with similar meanings) and may not be as reliable as existing BPC Services, so please keep that in mind. If you have any doubts whatsoever, do not attempt to utilize beta versions of our Services. We totally understand that running beta versions are not for everyone – and we hope that you do too. Without your explicit request/approval, we will never port your account and BPC Record Data for live production use within a Beta Services version of BPC.

Reiterating The Importance Of Our Intellectual Property Rights And Those Of Our Partners

The Services are protected by copyright, trademark, and other US and foreign laws. These intellectual property rights belong to NetDiligence, as well as to many of our partners. These Terms don't grant you any right, title or interest in the Services, our partners’ content in the Services, NetDiligence trademarks, logos and other brand features. We welcome feedback, but note that we may use comments or suggestions without any obligation to you.

Copyright, Trademark, and Intellectual Property Protection

We respect the intellectual property of others and ask that you do too. We respond to notices of alleged copyright, trademark, and intellectual property infringement if they comply with the law, and such notices should be reported using our Copyright Policy. We reserve the right to delete or disable content alleged to be infringing and terminate accounts of repeat infringers. Our designated agent for notice of alleged copyright infringement on the Services is:

Copyright Agent
Network Standard Corporation, d/b/a NetDiligence®
P.O. Box 204
Gladwyne, PA 19035
[email protected]

Subscription Payments For Breach Plan Connect (BPC)

Breach Plan Connect (BPC) is provided to you on a subscription-only basis, and your continued use of BPC and all included Services is conditioned upon continued payment of annual subscription fees. If you are an individual retail subscriber to BPC, you will be notified in advance of subscription renewal terms and then current pricing at least 30 days prior to the scheduled end-date of your current subscription. If renewal payments are not made and cleared by the scheduled end-date, NetDiligence may elect in its discretion to suspend or delete your account and its contents – but not before giving you 30-day advance written notice of cancellation, in order to provide you with a full opportunity to retrieve a copy of your BPC Record Data. If an “auto-renew” payment option is available, we will automatically renew your subscription against the payment card information you have kept on file, subject to your prior cancellation of your subscription. You are responsible for all applicable taxes, and we'll charge tax when required to do so. Some countries have mandatory local laws regarding your cancellation rights, and this paragraph doesn't override these laws. For purposes of tax obligations within different global geographies and jurisdictions, BPC is a service that originates exclusively within the United States of America.

If your BPC account has been provided to you by a third party – such as a cyber insurance policy carrier – on your behalf, your continued access to the Services is subject to the terms imposed upon you by said third party in conformance with an established license relationship that they maintain with NetDiligence.

Annual subscription fees for BPC are generally not refundable, and are provided only in cases where required by law. In our discretion, we may elect to offer refunds for unusual or hardship circumstances.

We may change the fees in effect at the time of your next annual renewal, but will give you advance notice at least 30 days ahead of these changes via a message to the email address associated with your account.

Termination

You're free to stop using our Services at any time. We reserve the right to suspend or terminate your access to the Services with notice to you if:

  • (a) you're in breach of these Terms,
  • (b) you're using the Services in a manner that violates applicable law, and would cause a real risk of harm or loss to us or other users, or
  • (c) you have not paid your annual subscription renewal and your current subscription end-date has been reached.

We'll provide you with reasonable advance notice (which in no case will be less than 30 days) via the email address associated with your account to remedy the activity that prompted us to contact you and give you the opportunity to export your BPC Record Data from our Services. If after such notice you fail to take the steps we ask of you, we reserve the right to terminate or suspend your access to the Services.

We won't provide notice before termination where:

  • (a) you're in material breach of these Terms, and where such breach may risk a technical compromise risk of the BPC platform or subject us to potential legal liability for failure to take prudent remediation steps, or (b) we're otherwise prohibited from doing so by law.

You may terminate the Services if we are in breach of these Terms and fail to cure such breach within 30 days of your notifying us of such breach. In such a case, we will give a full opportunity to export your BPC Record Data from our platform, and provide you with a pro-rata refund of fees associated with the remaining time on your annual subscription.

Discontinuation of Services

We may decide to discontinue the Services in response to unforeseen circumstances beyond NetDiligence’s control or to comply with a legal requirement. If we do so, we'll give you reasonable prior notice so that you can export your BPC Record Data from our systems. If we discontinue Services in this way before the end of any fixed or minimum term you have paid us for, we'll refund the portion of the fees you have pre-paid but haven't received Services for.

Services "AS IS"

We strive to provide great Services, but there are certain things that we can't guarantee. TO THE FULLEST EXTENT PERMITTED BY LAW, AND EXCEPT AS SET FORTH IN THIS AGREEMENT, NETDILIGENCE AND ITS AFFILIATES, SUPPLIERS AND DISTRIBUTORS MAKE NO WARRANTIES, EITHER EXPRESS OR IMPLIED, ABOUT THE SERVICES. THE SERVICES ARE PROVIDED "AS IS." WE ALSO DISCLAIM ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. Some places don't allow the disclaimers in this paragraph, so they may not apply to you.

Notwithstanding the above, we represent and warrant that the Services will be: (a) provided in a good and workmanlike manner, (b) in accordance with all applicable laws, and (c) through the implementation of commercially reasonable technical, administrative and physical security measures to ensure the availability, confidentiality, and integrity of the Services.

Limitation of Liability

IN NO EVENT SHALL NETDILIGENCE (OR ANY AFFILIATE PARTY) BE LIABLE FOR ANY ACT, ERROR OR OMISSION BY ANY VENDOR, LOSS OF PROFITS, LOSS OF USE, LOSS OF DATA, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES OR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH OR ARISING OUT OF THIS AGREEMENT, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE), AND WHETHER OR NOT THE POSSIBILITY OF SUCH DAMAGES HAS BEEN DISCLOSED TO THE PARTIES IN ADVANCE OR COULD HAVE BEEN REASONABLY FORESEEN BY SUCH PARTIES. NETDILIGENCE’S (AND/OR ANY OF THEIR AFFILIATE’S) TOTAL LIABILITY ON ANY CLAIM, LOSS OR LIABILITY ARISING OUT OF OR CONNECTED WITH THESE TERMS - WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY - SHALL NOT EXCEED THE FEES PAID BY YOU DURING THE CURRENT SUBSCRIPTION PERIOD.

WE DON'T EXCLUDE OR LIMIT OUR LIABILITY TO YOU WHERE IT WOULD BE ILLEGAL TO DO SO—THIS INCLUDES ANY LIABILITY FOR NETDILIGENCE’S OR ITS AFFILIATES' FRAUD OR FRAUDULENT MISREPRESENTATION IN PROVIDING THE SERVICES. IN COUNTRIES WHERE THE FOLLOWING TYPES OF EXCLUSIONS AREN'T ALLOWED, WE'RE RESPONSIBLE TO YOU ONLY FOR LOSSES AND DAMAGES THAT ARE A REASONABLY FORESEEABLE RESULT OF OUR FAILURE TO USE REASONABLE CARE AND SKILL OR OUR BREACH OF OUR CONTRACT WITH YOU. THIS PARAGRAPH DOESN'T AFFECT CONSUMER RIGHTS THAT CAN'T BE WAIVED OR LIMITED BY ANY CONTRACT OR AGREEMENT.

Resolving Disputes

We want to address your concerns without needing a formal legal case. Before filing a claim against NetDiligence, you agree to try to resolve the dispute informally by contacting [email protected]. We'll try to resolve the dispute informally by contacting you via email. If a dispute is not resolved within 30 days of submission, you or NetDiligence may bring a formal proceeding. You and NetDiligence agree that any judicial proceeding to resolve claims relating to these Terms or the Services will be brought in the federal or state courts of Philadelphia, Commonwealth of Pennsylvania. Both you and NetDiligence consent to venue and personal jurisdiction in such courts. If you reside in a country (for example, European Union member states) with laws that give consumers the right to bring disputes in their local courts, this paragraph doesn't affect those requirements.

Controlling Law

These Terms will be governed by Pennsylvania law, unless local laws mandate an alternative choice.

Entire Agreement

These Terms constitute the entire agreement between you and NetDiligence with respect to the subject matter of these Terms, and supersede and replace any other prior or contemporaneous agreements, or terms and conditions applicable to the subject matter of these Terms. These Terms create no third party beneficiary rights.

Waiver, Severability & Assignment

NetDiligence's failure to enforce a provision is not a waiver of its right to do so later. If a provision is found unenforceable, the remaining provisions of the Terms will remain in full effect and an enforceable term will be substituted reflecting our intent as closely as possible. You may not assign any of your rights under these Terms, except to a successor in interest via the legal acquisition of your organization, who in turn agrees to be bound by the Terms without further modification. NetDiligence may assign its rights to any of its affiliates or subsidiaries, or to any successor in interest of any business associated with the Services.

Modifications

We may revise these Terms from time to time to better reflect:

  • (a) changes to the law,
  • (b) new regulatory requirements, or
  • (c) improvements or enhancements made to our Services.

If an update affects your use of the Services or your legal rights as a user of our Services, we'll notify you prior to the update's effective date by sending an email to the email address associated with your account or via an in-product notification. These updated terms will be effective no less than 30 days from when we notify you.

If you don't agree to the updates we make, please cancel your account before they become effective. Where applicable, we'll offer you a prorated refund based on the amounts you have prepaid for Services and your account cancellation date. By continuing to use or access the Services after the updates come into effect, you agree to be bound by the revised Terms.

Posted: May 1, 2017

Effective: May 1, 2017

NetDiligence services, such as eRiskHub®, Breach Plan Connect®, and QuietAudit®, are used by a variety of clients in many different types of settings, and we are grateful for your support. As a condition of benefitting from these offerings, we trust you to use our services responsibly.

You agree not to misuse NetDiligence services ("Services") or help anyone else to do so. For example, you must not even try to do any of the following in connection with the Services:

  • probe, scan, or test the vulnerability of any system or network;
  • breach or otherwise circumvent any security or authentication measures;
  • access, tamper with, or use non-public areas or parts of the Services, or shared areas of the Services you haven't been invited to;
  • interfere with or disrupt any user, host, or network, for example by sending a virus, overloading, flooding, spamming, or mail-bombing any part of the Services;
  • access, search, or create accounts for the Services by any means other than our publicly supported interfaces (for example, "scraping" or creating accounts in bulk);
  • send unsolicited communications, promotions or advertisements, or spam;
  • send altered, deceptive or false source-identifying information, including "spoofing" or "phishing";
  • promote or advertise products or services other than your own without appropriate authorization;
  • abuse referrals or promotions to get more storage space than deserved;
  • circumvent storage space limits;
  • sell or publicly redistribute the Services unless specifically authorized to do so;
  • publish or share materials that are unlawfully pornographic or indecent, or that contain extreme acts of violence;
  • advocate bigotry or hatred against any person or group of people based on their race, religion, ethnicity, sex, gender identity, sexual preference, disability, or impairment;
  • violate the law in any way, including storing, publishing or sharing material that's fraudulent, defamatory, or misleading; or
  • violate the privacy or infringe the rights of others.

Posted: May 1, 2017

Effective: May 1, 2017

NetDiligence respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998, the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf. NetDiligence will respond expeditiously to claims of copyright infringement committed using the NetDiligence services ("Services") if such claims are reported to NetDiligence's Designated Copyright Agent identified in the sample notice below.

If you are a copyright owner, authorized to act on behalf of one, or authorized to act under any exclusive right under copyright, please report alleged copyright infringements taking place on or through the Site by completing the following DMCA Notice of Alleged Infringement and delivering it to NetDiligence's Designated Copyright Agent. Upon receipt of Notice as described below, NetDiligence will take whatever action, in its sole discretion, it deems appropriate, including removal of the challenged content from the Site.

DMCA Notice of Alleged Infringement ("Notice")

  1. Identify the copyrighted work that you claim has been infringed, or - if multiple copyrighted works are covered by this Notice - you may provide a representative list of the copyrighted works that you claim have been infringed.
  2. Identify the material or link you claim is infringing (or the subject of infringing activity) and to which access is to be disabled, including at a minimum, if applicable, the URL of the link shown on the Site or the exact location where such material may be found.
  3. Provide your company affiliation (if applicable), mailing address, telephone number, and, if available, email address.
  4. Include both of the following statements in the body of the Notice:
    • "I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use)."
    • "I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of, the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed."
  5. Provide your full legal name and your electronic or physical signature.

Deliver this Notice, with all items completed, to NetDiligence's Designated Copyright Agent:

Copyright Agent
NetDiligence
P.O. Box 204
Gladwyne, PA 19035

Posted: May 1, 2017

Effective: May 1, 2017

Thanks for using NetDiligence services, such as eRiskHub®, Breach Plan Connect®, and QuietAudit®! Here we describe how we collect, use and handle your information when you use our Websites, software and services ("Services").

What & Why

We collect and use the following information to provide, improve and protect our Services:

We collect, and associate with your account, information like your name, email address, phone number, payment info, physical address, and account activity. Some of our services let you access your accounts and your information with other service providers.

Our Services are designed to make it simple for you to manage/improve your organization's overall cyber risk profile, including via participation in applications (such as Breach Plan Connect® that allow you to provide and store data (such as Breach Plan Connect® records) and access same across multiple devices. To make that possible, we store, process, and transmit your data, as well as information related to it. This related information can be things like your organizational contact data that makes it easier to collaborate with other members of your organization and vendors who work with us to support our Services and your utilization of them. Our Services, where appropriate, can provide you with different options for sharing your data.

We collect information related to how you use the Services, including actions you take in your account. This helps us provide you with improved features over time. In addition, we use de-identified data from our users for cyber risk-related research purposes in aggregated formats so that individual data elements cannot be traced back to their original owners.

We also collect information from and about the devices you use to access the Services. This includes things like IP addresses, the type of browser and device you use, the web page you visited before coming to our sites, and identifiers associated with your devices. Your devices (depending on their settings) may also transmit location information to the Services.

We may use technologies like cookies and pixel tags to provide, improve, protect and promote our Services. For example, cookies help us with things like remembering your username for your next visit, understanding how you are interacting with our Services, and improving them based on that information. You can set your browser to not accept cookies, but this may limit your ability to use the Services.

With Whom

We may share information as discussed below, but we won't sell it to advertisers or other third parties.

NetDiligence uses certain trusted third parties (for example, providers of customer support and IT services) to help us provide, improve, protect, and promote our Services. These third parties will access your information only to perform tasks on our behalf in compliance with this Privacy Policy, and we'll remain responsible for their handling of your information per our instructions.

Our Services display information like your name, profile picture, and email address to other users in places like your Breach Plan Connect (BPC) user profile and incident response plan documentation. When you further rely upon nomination of vendors within Breach Plan Connect or other Services as elements within your overall BPC Data Record, we may notify the selected vendors – including specifically in cases where your BPC Data Record implicates contact with them to help you address/resolve incident investigation, remediation, and prevention requirements.

If you are the designated account administrator for an organization, such as with our Breach Plan Connect service, you are deemed responsible for the creation and management of additional user accounts within your organizational subscription. This means that you are jointly responsible – along with NetDiligence – for guarding against the unauthorized exposure and distribution of user account credentials within the context of your organization's ongoing subscription activities.

We may disclose your information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of any NetDiligence Service or our users; or (d) protect NetDiligence's intellectual property rights (and/or those of our supporting partners).

How

We have a team dedicated to keeping your information secure and testing for vulnerabilities. We also continue to work on features to keep your information safe, and may bring these added features to your attention whenever they have been integrated into the platforms of Breach Plan Connect® or any of our other Services.

We'll retain information you store on our Services for as long as we need it to provide you the Services. If you delete your account, we'll also delete this information. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information if necessary to comply with our legal obligations, resolve disputes, or enforce our agreements. You can access your profile information by logging on to your account, and we provide mechanisms for updating same within Breach Plan Connect® and all of our Services.

Where

To provide you with the Services, we may store, process and transmit information in the United States and locations around the world - including those outside your country. Information may also be stored locally on the devices you use to access the Services.

Changes

If we are involved in a reorganization, merger, acquisition or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your account) of any such deal and outline your choices in that event.

We may revise this Privacy Policy from time to time, and will post the most current version on our website. If a revision meaningfully reduces your rights, we will notify you.

Contact

Have questions or concerns about NetDiligence, our Services and privacy? Contact us at [email protected]