General Terms of Service version 1.1

Last updated: 12 February 2025

1. Definitions

Service Provider: Either (a) Phishbite OÜ when it is contracting directly with the Customer, or (b) a Managed Service Provider (as defined below) authorized by Phishbite OÜ if designated as such by the Customer Agreement.
Customer: The legal entity to whom the Service Provider will provide services under this agreement.
Customer Agreement: The document that sets out the contractual details between the Customer and the Service Provider, including Customer-specific terms, pricing, and any special conditions agreed upon by the Parties. The Customer Agreement incorporates these General Terms of Service by reference.
Service: The service described in section 3 of the General Terms of Service that the Service Provider provides to the Customer.
Parties: Service Provider and the Customer.
Employee: Customer’s employee whose information has been provided to the Service Provider by the Customer and to whom the Service Provider provides the Service.
Third Party: A legal or physical person who is not a party to this agreement or an employee of a party to the agreement.
Managed Service Provider: A third party authorized by Phishbite OÜ to market, sell, or deliver the Service to a Customer under these Terms.
General Terms of Service: This document, which sets forth the terms of service use.

2. General 

2.1. The Service Provider and the Customer enter into this Customer Agreement for the use of the Service.
2.2. The Service Provider shall commence providing the Service within seven (7) business days after the Customer has completed all necessary preparatory activities as specified in Section 5.
2.3. The Service Provider will test and educate the Customer’s Employees and provide the Customer with an overview of the Employees’ cybersecurity awareness level.

3. Service description

3.1. The Service consists of phishing simulations and general cybersecurity awareness training.
3.2. Phishing simulations are delivered to the Customer’s Employees to test their security awareness. The simulations will vary in complexity and may include different phishing tactics. The Employees’ interactions with the phishing simulations, including link clicks and lesson progress, will be recorded and analyzed. The results of the phishing simulations will be presented to the Customer.
3.3. General cybersecurity awareness training lessons are delivered to the Customer’s Employees on a monthly basis if not agreed otherwise by the Parties. The training lessons are designed to enhance Employees’ ability to recognize and mitigate cybersecurity threats in their daily work environment. The content of the training lessons may be adjusted periodically to reflect emerging threats and industry best practices.
3.4. An overview of the results of the Service is provided through regular reports and the customer portal.
3.5. The Service Provider may use publicly available data about the Customer for providing the Service. 

4. Obligations of the Service Provider

4.1. Main Obligations
4.1.1. The Service Provider shall provide the Customer the Service described in Section 3.
4.1.2. The Service Provider shall send regular phishing simulation emails to the Customer’s Employees, using a variety of tactics to test and improve security awareness.
4.1.3. Phishing simulations are delivered 1-2 times per month per employee if not agreed otherwise by the Parties.
4.1.4. The Service Provider shall deliver cybersecurity awareness training lessons once a month to the Customer’s Employees if not agreed otherwise by the Parties.
4.1.5. The Service Provider periodically updates the training content to address new threats and best practices.
4.1.6. The Service Provider shall provide regular reports to the Customer, detailing the results of phishing simulations, including clicks on phishing links and similar interactions by Employees through the Customer portal or by other means agreed upon by both Parties.

4.2. Commencement of Service
4.2.1. The Service Provider shall commence providing the Service within seven (7) business days after the Customer completes the preparatory activities described in Section 5.

4.3. Confidentiality
4.3.1. The Service Provider shall maintain the confidentiality of all information received from the Customer in connection with this Agreement, and shall not disclose such information to Third Parties without the Customer’s written consent, except as permitted under Section 11.

4.4. Data Protection
4.4.1. The Service Provider shall process the Employee personal data specified in Section 13 only for the purpose of delivering the Service.
4.4.2. In its role as a data processor (as set forth in Section 13.3), the Service Provider shall implement appropriate technical and organizational measures to safeguard Employee personal data in accordance with applicable data protection laws.
4.4.3. The Service Provider may engage sub-processors only in compliance with Section 13.6 and shall ensure that each sub-processor agrees to equivalent data protection obligations.

4.5. Maintenance of the Service
4.5.1. The Service Provider shall use commercially reasonable efforts to maintain the availability and functionality of the phishing simulation and training systems.
4.5.2. The Service Provider shall promptly notify the Customer of any significant disruptions or issues affecting the Service and take reasonable steps to resolve such issues without undue delay.

5. Obligations of the Customer

5.1. Main obligations
5.1.1. The Customer is aware that the Service Provider sends phishing-imitating emails to the Employees’ email addresses in order to test their security awareness.
5.1.2. The Customer confirms that it will use the Service only in relation to Employees and will not use the Service for any individual over whom the Customer does not have the legal right or consent to carry out such simulations.
5.1.3. The Customer shall pay the fees for the Service in accordance with Section 6 (Payment) and any applicable invoices issued by the Service Provider.

5.2. Provision of Employee Data
5.2.1. The Customer shall provide accurate and up-to-date Employee data in the format or via the form prescribed by the Service Provider.
5.2.2. The Customer shall promptly make updates to Employees’ email addresses or status (e.g., employees leaving, joining, or changing roles) in the customer portal or, if that is not possible, promptly inform the Service Provider of such changes.
5.2.3. The Customer ensures that it has a lawful basis (employment contract, consent) for using the Service on the Employees as required by applicable data protection laws before submitting the data to the Service Provider.

5.3. Technical Preparations
5.3.1. The Customer shall implement, in accordance with the Service Provider’s instructions, any exceptions or configurations in its email server or IT systems necessary to allow the Service Provider to conduct phishing simulation attacks without being blocked by the Customer’s security filters.
5.3.2. The Customer shall cooperate with the Service Provider to resolve technical issues that may hinder or prevent the proper delivery of phishing simulations or cybersecurity training content.

6. Payment  

6.1. Fee
6.1.1. The Customer shall pay a fee for the Service as agreed by the Parties. The Price covers the phishing simulations and cybersecurity awareness training described in Section according to the Price agreed by the Parties. 

6.2. Subscription term
6.2.1. The Service is provided on an annual subscription basis if not agreed otherwise by the Parties.
6.2.2. The subscription renews automatically each year in accordance with Section 10 (Validity and Termination), unless terminated by the Customer or the Service Provider under the terms of this Agreement.
6.2.3. The Customer acknowledges that the entire annual subscription fee is payable in advance for each subscription period, unless otherwise agreed in writing by the Parties.

6.3. Invoicing
6.3.1. The Service Provider sends invoices to the Customer’s designated billing address or the email address provided for billing purposes.
6.3.2. The Service Provider sends the invoice within 14 days after agreeing to the Customer Agreement or after renewing subscription to an annual period.
6.3.4. The Customer pays the invoice within 7 days after receiving it.

6.4. Refunds
6.4.1. Except where otherwise provided in this Agreement (e.g., a material breach by the Service Provider as outlined in Section 10.5), the Customer acknowledges that paid fees are non-refundable if the Agreement is terminated early.
6.4.2. If the Customer lawfully terminates the Agreement before the next subscription period starts, no further payment obligations apply, and no new invoice will be issued.

6.5. Late Payment and Suspension
6.5.1. If the Customer fails to pay the invoice by the due date, the Service Provider may:
  a. Suspend the provision of the Service until full payment is received;
  b. Charge a late payment interest of 0.05% of the overdue amount per day for each day the payment is delayed;
  c. Require the Customer to pay reasonable collection costs incurred in recovering the overdue amounts.
6.5.2. The Service Provider shall notify the Customer in writing before suspending the Service. If the Customer still fails to pay after receiving such notice, the Service Provider may terminate the Agreement in accordance with Section 10.

7. Customer Support 

7.1. Availability
7.1.1. Customer support is available on working days from 09:00 to 17:00 (EET).

7.2. Contact Methods
7.2.1. The customer support phone number is +372 5384 8276, if not set otherwise by the Customer Agreement. Customer support is available during the hours specified in Section 7.1.
7.2.2. The customer support email address is help@phishbite.com if not set otherwise by the Customer Agreement.

7.3. Response Times
7.3.1. The Service Provider shall provide an initial response to customer support inquiries within forty-eight (48) working hours of receiving them by email.
7.3.2. The Service Provider aims to resolve or escalate inquiries within seven (7) working days of the initial response.
7.3.3. In cases involving complex issues or third-party components, the Service Provider may extend the resolution time up to fourteen (14) working days. The Customer will be notified if an extension is required.

7.4. Employee Data Management
7.4.1. The Customer can change Employee data or add Employees by submitting a request to the customer support email address.
7.4.2. Only contacts designated by the Customer can request modifications to Employee data or the addition of new Employees.

8. Limitation of Liability 

8.1. Liability Cap
8.1.1. The total aggregate liability of the Service Provider for all claims arising out of or in connection with this Agreement shall not exceed the total fees actually paid by the Customer to the Service Provider during the three (3) months immediately preceding the event giving rise to such claim.

8.2. Exclusion of Certain Damages
8.2.1. The Service Provider shall not be liable for any indirect, incidental, consequential, special, or punitive damages, including but not limited to loss of profits, loss of revenue, loss of data, or business interruption, arising from or related to the use of the Service.

8.3. Application of Limitations
8.3.1. The limitations of liability set forth in this Section 8 shall apply to the maximum extent permitted by applicable law and regardless of the form or theory of claim.
8.3.2. These limitations do not apply to any liability that cannot be excluded or limited under applicable law (for example, liability arising from the Service Provider’s willful misconduct or gross negligence, if so prescribed by law).

9. Amendment of the Agreement

9.1. Proposed Amendments
9.1.1. The Service Provider may propose amendments to the terms of this Agreement at any time; however, no changes shall affect the agreed Price during the ongoing subscription period.

9.2. Effective Date of Amendments
9.2.1. Any proposed amendments shall take effect only upon the start of the next renewal period of the Agreement and shall not alter the terms of an ongoing, fixed-term subscription.

9.3. Customer’s Right to Decline Amendments
9.3.1. If the Customer does not agree to the proposed amendments, the Customer may choose not to renew the Agreement by notifying the Service Provider in accordance with Section 10 (Validity and Termination).
9.3.2. Failure to provide such notice before the renewal date shall be deemed acceptance of the amended terms for the subsequent renewal period.

10. Validity and Termination of the Customer Agreement 

10.1. Effective Date
10.1.1. This Customer Agreement becomes effective on the date the Customer accepts it, whether by signing, clicking an acceptance button (for online agreements), or otherwise indicating consent in writing.

10.2. Initial Term
10.2.1. The Agreement remains in effect for an initial term of twelve (12) months, unless the Parties agree otherwise in writing.

10.3. Automatic Renewal
10.3.1. Unless the Customer notifies the Service Provider in writing at least fourteen (14) days before the end of the initial 12-month term (or any subsequent renewal term) of its intent to terminate, the Agreement automatically renews for another twelve (12) months on the same terms.

10.4. Termination Upon Renewal Invoice
10.4.1. Within fourteen (14) days of receiving the invoice for a new renewal period, the Customer may terminate the Agreement by providing written notice to the Service Provider.
10.4.2. If the Customer does not exercise this right within the 14-day window, the renewal is deemed accepted.

10.5. Early Termination and Refunds
10.5.1. In the event of early termination during an ongoing term, the fee already paid by the Customer is non-refundable, except where the termination is due to the Service Provider’s material and repeated breach of this Agreement.
10.5.2. Before terminating for breach, the Customer shall provide the Service Provider with written notice of the breach and a reasonable opportunity to remedy it. If the Service Provider fails to rectify the breach, and a second material breach occurs thereafter, the Customer may terminate the Agreement and the Service Provider shall refund the pro-rated portion of any prepaid fees for the remainder of the term.

11. Confidentiality 

11.1. Confidential Information
11.1.1. Each Party (“Receiving Party”) shall treat as confidential all information obtained from the other Party (“Disclosing Party”) in connection with the signing, performance, modification, or termination of this Agreement. This includes, but is not limited to, information about the Disclosing Party’s customers, business partners, employees, financial status, transactions, or any other sensitive or proprietary data.
11.1.2. The Receiving Party shall not disclose such confidential information to any third party without the Disclosing Party’s prior written consent, and shall use it solely for the purposes of performing this Agreement.
11.1.3. The confidentiality obligations set out in this Section 11 remain in effect indefinitely, even after the Agreement is terminated or otherwise ends.

11.2. Public Reference
11.2.1. Notwithstanding Section 11.1, each Party may publicly refer to the fact of its contractual relationship with the other Party (e.g., listing the other Party’s name and logo on client lists or marketing materials), provided that no further confidential details are disclosed without the other Party’s explicit written consent.

12. Intellectual property 

12.1. Ownership of Intellectual Property
12.1.1. Phishbite OÜ retains all rights, title, and interest in and to the intellectual property that it creates or uses in the course of providing the Service, including but not limited to software, methodologies, training materials, and phishing simulation content, unless otherwise agreed in writing.

12.2. Right to Use
12.2.1. The Customer receives a non-exclusive, non-transferable right to access and use the Service Provider’s materials and content strictly for the duration and purposes of this Agreement. The Customer shall not reproduce, distribute, or make derivative works of such materials without the Service Provider’s prior written consent.

12.3. Legal Basis for Simulation Content
12.3.1. Phishbite OÜ shall ensure that any intellectual property (including third-party images, text, or code) incorporated into the phishing simulation emails or cybersecurity training materials is used lawfully under an applicable legal exception (e.g., fair use) or pursuant to a valid license, in accordance with all relevant laws and regulations.

13. Processing of Personal Data 

13.1. Categories of Personal Data
13.1.1. Under this Agreement, the Service Provider processes the following personal data of the Customer’s Employees:
  a. Name
  b. Email address
  c. Job title
  d. Department
  e. Results of security awareness tests

13.2. Roles of the Parties
13.2.1. The Customer is the data controller for the personal data outlined in Section 13.1.
13.2.2. The Service Provider is the data processor for the personal data outlined in Section 13.1 and processes such data solely on the Customer’s documented instructions.

13.3. Purpose of Processing
13.3.1. The Service Provider processes the Employee personal data for the purpose of conducting phishing simulations, delivering cybersecurity awareness training, evaluating cybersecurity readiness, and providing related feedback or reports to the Customer.

13.4. Retention Period
13.4.1. The Service Provider shall retain the Employee data outlined in Section 13.1 for up to three (3) years after the end of the provision of the Service or until the term specified by the Customer, whichever occurs first, unless otherwise required by applicable law.

13.5. Data Processing Agreement
13.5.1. The detailed terms and conditions regarding the processing of personal data, including the Service Provider’s obligations related to data security measures, international transfers, handling of data subject requests, and breach notifications, are set forth in the separate Data Processing Agreement (DPA) entered into by the Parties.
13.5.2. The DPA is available here: Data Processing Agreement. The DPA is hereby incorporated into this Agreement by reference.
13.5.3. In the event of any conflict between this Agreement and the DPA regarding personal data processing, the terms of the DPA shall prevail.

13.6. Sub-Processors
13.6.1. The Service Provider may engage sub-processors for the provision of the Service, subject to the terms in the DPA. The Service Provider shall ensure each sub-processor is bound by obligations equivalent to those set out in this Agreement and the DPA.

13.7. Compliance with Data Protection Laws
13.7.1. Both Parties shall comply with all applicable data protection laws and regulations, including the GDPR (if and to the extent it applies), in connection with the processing of personal data under this Agreement.
13.7.2. The Service Provider shall store and process the Employee data within the European Union, except where explicitly permitted by the Customer or required by applicable law to process data elsewhere, in accordance with the safeguards outlined in the DPA.

14. Applicable Law and Jurisdiction 

14.1. Governing Law
14.1.1. This Agreement, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of the Republic of Estonia, without regard to its conflict-of-law rules.

14.2. Dispute Resolution
14.2.1. The Parties shall first attempt in good faith to resolve any disputes or claims arising out of or in connection with this Agreement through negotiations.
14.2.2. If the Parties are unable to reach an amicable resolution within a reasonable time, any dispute or claim shall be settled exclusively in Harju County Court, Estonia.
