SurfaceLoop Subscription Agreement

This Surfaceloop Subscription Agreement (the Agreement) is entered into between:

AMVIA Ltd of 1 North Bank, Sheffield S3 8JY (AMVIA); and

the business customer identified during the sales demonstration, onboarding flow, order form, Teams call, call transcript or other ordering record (Customer).

2.1 This Agreement is made strictly on a business-to-business basis.

2.2 The Customer confirms that it is entering into this Agreement wholly or mainly for purposes relating to its trade, business, craft or profession and not as a consumer.

2.3 The Customer warrants that the individual accepting this Agreement has authority to bind the Customer.

3.1 The Agreement is formed when an authorised representative of the Customer agrees during a Microsoft Teams or similar remote demonstration or sales call to commence the Surfaceloop trial and subscription on these terms, provided that:

• the call is recorded;
• the call is transcribed;
• these terms are made available to the Customer before or during that process; and
• the Customer is given a reasonable opportunity to review them before acceptance.

3.2 The parties agree that the call recording, transcript, any order summary, any click-through acceptance, follow-up email confirmation and these terms may together evidence the Customer's acceptance and form a binding contract.

3.3 The Customer acknowledges that the minimum term, auto-renewal mechanism, fees, fair usage restrictions, liability limitations and suspension/termination rights are material terms specifically drawn to its attention before contract formation.

4.1 AMVIA will provide access to Surfaceloop, a cybersecurity software service that may include external attack surface management, asset discovery, continuous monitoring, monitoring of domains, IP addresses, email authentication records and configurations, phishing-related alerts, dark web asset monitoring, dashboards, reports, notifications and related functionality made available by AMVIA from time to time.

4.2 AMVIA may update, improve, modify, replace or discontinue features, interfaces, data sources and components provided that the overall substance of the service is not materially degraded during a paid subscription term.

4.3 Unless expressly stated otherwise in an order summary or service schedule, the service is not a managed SOC, incident response retainer, legal compliance service, regulatory certification service, guaranteed detection service or guarantee against breach, compromise or phishing loss.

5.1 The Customer may begin with a free 14-day trial starting on the activation date notified by AMVIA.

5.2 During the trial, the Customer may access the service subject to this Agreement.

5.3 Unless the parties expressly agree otherwise in writing, if the Customer proceeds directly from the trial into a paid subscription, the discounted subscription price in clause 6.2(a) applies.

5.4 AMVIA may suspend or terminate the trial at any time where it reasonably suspects abuse, security risk, breach of this Agreement, excessive or unfair usage, non-business use or any activity that may harm the service, other customers or third parties.

6.1 Following expiry of the free 14-day trial, the Customer enters into an initial committed subscription term of 12 months unless AMVIA notifies the Customer that the subscription will not proceed.

6.2 Fees

(a) £149 per month where the Customer signs up to the paid subscription directly from the 14-day trial; or

(b) £199 per month where the Customer does not convert directly from the trial and later subscribes, rejoins or otherwise purchases outside that trial conversion pathway.

6.3 Fees are payable monthly in advance by direct debit, card or any other payment method approved by AMVIA.

6.4 All fees are exclusive of VAT and any other applicable taxes, which the Customer must pay in addition.

6.5 Except where this Agreement states otherwise, fees are non-cancellable and non-refundable.

6.6 AMVIA may suspend access for late payment on giving at least 7 days' written notice, without prejudice to any other rights or remedies.

7.1 The Agreement will automatically renew for successive 12-month renewal terms unless either party gives written notice of non-renewal at least 90 days before the end of the then-current term.

7.2 The parties acknowledge that the automatic renewal provision is a material term of this Agreement and has been specifically drawn to the Customer's attention before contract formation.

7.3 AMVIA may increase fees for any renewal term by giving written notice before that renewal term begins.

8.1 The Customer must:

• use the service only for lawful internal business purposes;
• provide accurate information about its domains, IPs, assets and environments;
• maintain the confidentiality of login credentials;
• ensure its systems and configurations are suitable for use with the service;
• obtain all rights, permissions and consents required for AMVIA to process Customer data and monitor relevant assets;
• ensure that all assets submitted to the service are assets owned, controlled or lawfully authorised by the Customer; and
• not use the service in a way that is unlawful, misleading, abusive, harmful, excessive, competitive, disruptive or likely to create security, infrastructure or reputational risk for AMVIA or others.

8.2 The Customer remains solely responsible for deciding whether and how to remediate any risks, alerts, exposures or recommendations identified through the service.

9.1 The service is subject to fair usage limits. Unless AMVIA agrees otherwise in writing, fair usage means and is limited to:

• up to 50 monitored assets;
• up to 100 API calls per calendar month;
• up to 100 scans per calendar month; and
• use in relation to the Customer's own assets only, and not any third-party assets.

9.2 The Customer must not use the service to monitor, profile, scan, assess or investigate assets that it does not own or control or for which it does not have clear written authority.

9.3 Enforcement

If AMVIA reasonably believes the Customer is exceeding fair usage or abusing the service, AMVIA may, with immediate effect where necessary:

• issue a warning;
• require the Customer to reduce usage;
• throttle, restrict or suspend access;
• require the Customer to move to a different commercial arrangement; or
• terminate the Agreement immediately on written notice in serious cases or where the issue is not remedied promptly.

9.4 Abuse

Abuse includes attempted reverse engineering, unauthorised security testing against third parties, scraping or extraction of data beyond intended use, interference with the service, circumvention of access controls, reselling without permission, benchmarking or competitive analysis without consent, or use contrary to law or regulation.

10.1 AMVIA and its licensors retain all intellectual property rights in and to the service, software, methodologies, reports, templates, documentation, designs, know-how and related materials, except for Customer data.

10.2 Subject to payment of fees and compliance with this Agreement, AMVIA grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the term to access and use the service for its internal business operations.

10.3 The Customer grants AMVIA a non-exclusive right to use Customer data as necessary to provide, secure, maintain and improve the service and to comply with law.

11.1 The parties acknowledge that use of the service, including dark web monitoring for business email addresses and related exposure indicators, may involve processing of personal data relating to individual business email account holders and other business contacts, even though this Agreement is business-to-business.

11.2 Each party will comply with applicable data protection law in connection with the processing of personal data under this Agreement.

11.3 The Customer is responsible for ensuring that it has an appropriate lawful basis and any required notices, permissions or internal authorisations for instructing AMVIA to monitor the Customer's domains, email-related indicators and associated business credentials.

11.4 AMVIA may process personal data only as necessary to provide the service, secure the platform, prevent misuse, generate alerts and reports, comply with legal obligations and exercise its rights under this Agreement.

11.5 If required by applicable data protection law, the parties will enter into a separate data processing agreement covering the nature and scope of any processor activities.

12.1 AMVIA will implement measures it considers appropriate to protect the service and Customer data, but no online service can be guaranteed to be secure, uninterrupted or error-free at all times.

12.2 The Customer acknowledges that cybersecurity monitoring and discovery services depend on third-party sources, internet infrastructure, DNS records, email configurations, cloud services, public and private datasets, and external systems beyond AMVIA's control.

12.3 AMVIA does not warrant that the service will identify every asset, vulnerability, threat, impersonation, phishing campaign, leaked credential, misconfiguration or security issue, or that use of the service will prevent any breach, incident, attack, loss or regulatory consequence.

12.4 The Customer is solely responsible for its own security programme, remediation decisions, backups, business continuity, insurance, legal compliance and incident response.

12.5 The service is provided on an as is and as available basis, with no service level agreement, uptime commitment, response-time commitment or guaranteed reporting cadence unless expressly agreed in writing.

13.1 To the fullest extent permitted by law, AMVIA disclaims all implied warranties, conditions and terms, including implied terms of satisfactory quality, fitness for a particular purpose, non-infringement, uninterrupted availability, compatibility, accuracy and results.

13.2 No statement, report, alert, recommendation, demo, estimate, roadmap, marketing material or oral comment forms a warranty or guarantee unless expressly set out in this Agreement.

14.1 Either party may terminate this Agreement immediately by written notice if the other party:

• commits a material breach which is incapable of remedy;
• commits a material breach capable of remedy and fails to remedy it within 14 days after notice; or
• becomes insolvent or ceases to trade.

14.2 AMVIA may suspend or terminate immediately where necessary to protect the security, integrity or availability of the service, comply with law, address abuse or fair usage issues, prevent harm to third parties, or manage material payment default.

14.3 Termination does not relieve the Customer of liability for fees accrued before termination and, where termination results from Customer breach, AMVIA may accelerate and recover fees due for the remainder of the committed term, subject to applicable law.

15.1 Nothing in this Agreement excludes or limits liability for:

• death or personal injury caused by negligence;
• fraud or fraudulent misrepresentation; or
• any liability that cannot lawfully be excluded or limited.

15.2 Subject to clause 15.1, AMVIA's total aggregate liability arising out of or in connection with this Agreement, whether in contract, tort (including negligence), misrepresentation, restitution or otherwise, will not exceed the total fees paid or payable by the Customer under this Agreement in the 12 months preceding the event giving rise to the claim.

15.3 Excluded Losses

Subject to clause 15.1, AMVIA will not be liable for any:

• indirect or consequential loss;
• loss of profit;
• loss of revenue;
• loss of business;
• loss of contracts;
• loss of goodwill;
• loss of anticipated savings;
• loss, corruption or inaccuracy of data;
• security incident costs, remediation costs, regulatory fines or third-party claims arising from the Customer's own systems, acts, omissions or remediation decisions; or
• failure to detect, identify or notify any particular security issue, asset or threat in every case.

15.4 The parties agree that the fees reflect the allocation of risk in this Agreement and that the limitations and exclusions in this clause are intended to be reasonable in the context of a B2B cybersecurity software subscription, although enforceability remains subject to applicable law and reasonableness tests.

16.1 The Customer will indemnify and keep indemnified AMVIA against losses, liabilities, damages, costs and expenses arising from:

• the Customer's unlawful or abusive use of the service;
• the Customer's breach of this Agreement;
• the Customer's lack of authority or rights to request monitoring of any assets, systems or data;
• claims arising from Customer data or Customer instructions; and
• the Customer's infringement of third-party rights.

16.2 AMVIA gives no indemnity except as expressly stated in this Agreement.

Each party must keep the other party's confidential information confidential and use it only for the purposes of this Agreement, except where disclosure is required by law, regulation or court order.

18.1 The Customer consents to the recording and transcription of the sales, demo, onboarding and contracting call for quality assurance, contract formation, evidential, operational and dispute resolution purposes.

18.2 AMVIA may retain recordings and transcripts for as long as reasonably necessary for those purposes and in accordance with its retention policies and applicable law.

18.3 The Customer is responsible for ensuring that its attendees are informed of the recording where required by its own internal policies or applicable law.

Unless the Customer opts out in writing, AMVIA may identify the Customer's name and logo in customer lists and marketing materials. No confidential information will be disclosed.

20.1 AMVIA may amend this Agreement on renewal by giving prior written notice.

20.2 During a current committed term, AMVIA may make operational, technical, security or compliance changes to the service and acceptable use requirements that do not materially reduce the core paid-for functionality.

Notices under this Agreement must be in writing and may be sent by email to the business email addresses used by the parties during contracting, onboarding or account administration.

22.1 This Agreement constitutes the entire agreement between the parties and supersedes prior discussions, proposals and statements relating to its subject matter.

22.2 The Customer may not assign, transfer or subcontract any rights or obligations under this Agreement without AMVIA's prior written consent. AMVIA may assign this Agreement to an affiliate or successor in connection with a reorganisation, sale or transfer of its business.

22.3 A failure or delay to exercise any right does not waive that right.

22.4 If any provision is held invalid or unenforceable, the remaining provisions will continue in full force.

22.5 This Agreement is governed by the laws of England and Wales, and the courts of England and Wales will have exclusive jurisdiction.