Terms & Conditions
CURRENT VERSION: March 29, 2023
This schedule and all referenced agreements set out herein, together with our Welcome Email to your contact email address, shall form the entire agreement between BOXX and you. In the event of any inconsistency between the Terms and the Welcome Email (such as specific or unique modifications to these Terms), the Welcome Email shall govern how we service you under Cyberboxx AssistSM.
Coverage begins when you receive your Welcome Email and continues for the term specified in your Welcome Email. The “Welcome Email” is an email notification from BOXX confirming the details of the Cyberboxx AssistSM Service purchased.
If you are a member of Cyberboxx AssistSM Programs Edition, your Welcome email will be sent after you or your program manager has agreed to the Terms set out in the proposal and your details have been registered with us. Please refer to section 1 below if your registration has not completed.
1. Registration of Your Cyberboxx AssistSM
1.1 By registering and using Cyberboxx AssistSM, you unconditionally accept and agree to be bound by these Terms. BOXX may change these Terms from time to time. If you do not agree to these Terms, you shall immediately stop using Cyberboxx AssistSM and notify us at firstname.lastname@example.org.
1.2 These Terms only govern the relationship between us, you and any third-party providers which we have contracted to provide service in relation to Cyberboxx AssistSM. The dealings between you and any other third party are not governed by these Terms.
1.3 If you are registering for Cyberboxx AssistSM on behalf of a corporate entity or another individual (the “Principal”), you represent and warrant that you have been validly authorized to (a) register for Cyberboxx AssistSM on behalf of the Principal, and (b) agree to and bind the Principal to these Terms. You shall ensure that the Principal complies with all the terms and conditions in these Terms. Any breach of these Terms by a Principal shall be deemed to be a breach by you of these Terms. Any reference to “you” or “your” as used in these Terms shall include any and all Principals.
1.4 To complete the registration process for Cyberboxx AssistSM we will require the following information for each service or membership purchased:
a) Details of you and/or your business, to help us understand your risk and advise accordingly.
b) Your business email address to notify you about risks you face (if your plan includes this service) and to provide the BOXX Hackbusters™ Incident Response Services. It is important that you provide us with the email address you use for business purposes, where applicable as we will use this to determine your main web domain name (e.g.@boxxinsurance.com);
c) At your option, any additional web domains, subdomain, ancillary web domain names, or public facing IP addresses which your business uses;
d) At your option, the email addresses of any employee´s that you consent to us conducting training, awareness, or protection services on your behalf and according to your plan;
e) At your option, your phone number should we need to contact you.
1.5 You and all parties you sign up for Cyberboxx AssistSM will receive a Welcome Email after purchase. If you have not received your Welcome Email, please contact us at email@example.com
2. General Coverage of Cyberboxx AssistSM
During the Cyberboxx AssistSM Term:
2.1 BOXX shall provide you with services in accordance with the Cyberboxx AssistSM service plan purchased which may include incident response services, educational content, awareness solutions, and protection services, as shown in your Welcome Email
2.2 The BOXX Hackbusters™ Incident Response Services are provided due to a “Qualifying Cyber Security Incident”. All use of these services is subject to the use of your “Activation Credit” in accordance with the plan purchased.
A “Qualifying Cyber Security Incident” is a cyber security incident that must meet the following criteria:
- It has resulted in:
a) unauthorized access or use of your Computer System; or
b) the unauthorized acquisition, access, use or disclosure of, or the loss or theft of the personal data or corporate information you hold in your systems; or
c) the use of deception to manipulate you into divulging confidential or personal information that may be used for fraudulent purposes against you; or
d) any blocked access to your computer system, Endpoint, personal data or corporate information until a sum of money is paid. An Endpoint is any physical or virtual computing device or computing environment that communicates with a network to which it is connected.
- A Cyber Security Incident, unless we agree otherwise, is considered unqualified when:
a) we have previously advised or support you with or about the same incident; or
b) the incident has used your Activation Credit; or
c) caused by terrorism or cyber terrorism as declared by the government, including any cyber intelligence agency, or any international organization; or
d) the same incident affects more than 15% of the members of your Cyberboxx AssistSM program, or the incident is caused by a distributed denial-of-service attacks (DDOS); or
e) the incident affects your personal devices, if different to your business devices; or
f) the Endpoint is located in jurisdictions affected by any sanction, prohibition, or restriction under United Nations resolutions or the trade or economic sanctions, laws or regulations of the European Union, United Kingdom, Switzerland, Canada or the United States of America.
- This Cyber Security Incident is discovered by you during your Cyberboxx AssistSM Term and is informed to BOXX during that period.
Your “Activation Credit” is a single-use credit provided to you to use in the event you require BOXX to respond to a Qualifying Cyber Security Incident. It cannot be used for a Cyber Security Incident which does not meet the qualifying criteria above. The Activation Credit is deemed used when you submit a valid notification to us. We will not refund any Activation Credit(s) used for a Cyber Security Incident which is not a Qualifying Cyber Security Incident.
2.3 As a Cyberboxx AssistSM member, you shall also be provided with our preferential rates for any of our cyber security technical and consultancy services secured through third parties.
3. BOXX Hackbusters™, Our Incident Response Services
If during the Cyberboxx AssistSM Term you contact BOXX to tell us that you have experienced a Qualifying Cyber Security Incident, we shall provide to you with the following Incident Response Services to predict, prevent, respond and recover depending on the Cyber Security Incident. These services are SUBJECT ALWAYS to our (a) reasonable availability at the time of your report; and (b) our professional opinion and expertise on a proportionate response of the Cyber Security Incident.
a) Cyber Security Incident Triage Services: A BOXX Hackbusters™ specialist shall provide you with a general plan of action and recommendations for handling the Qualifying Cyber Security Incident based on our professional assessment and industry best practices.
b) Cyber Security Containment Services: In certain occasions, the Cyber Security Incident may still be active. This means that there is continued unauthorized access of at least one of your Computer Systems. Our ability to identify and assist with an active incident will depend on your cooperation and our ability to access your information systems and networks in a timely manner. We will use our reasonable efforts to respond and contain an Active Cyber Security Incident. Due to the nature of Active Cyber Security Incidents, we are unable to warrant that we are able to respond to or contain the Active Cyber Security Incident completely or even at all as not all Active Cyber Security Incidents are the same.
c) Basic Remediation Advisory Services: We will also provide you with recommendations and basic advice which you can take on board to improve the vulnerability which gave rise to the Cyber Security Incident. However, depending on the vulnerability which caused the Cyber Security Incident – not all proposed steps are remediable without additional cost and expense (whether for further professional services and analysis or as a result of additional requirements you may not have). Where possible, we will highlight these costs and expenses and use our reasonable efforts to advise you. We will not incur any costs and expenses without your express consent to do so. It is important for you to consider and understand Section 4(a) below.
4. What is Not Covered Under Your Cyberboxx AssistSM
It is important for you to note that in the event you utilize your Activation Credit under the Cyberboxx AssistSM, BOXX DOES NOT provide:
a) Remediation Services: Under the Cyberboxx AssistSM, we only offer basic advice. We do not offer action plans nor take any steps or implement any changes on your behalf on your systems and Endpoints.
b) Recovery Services: Cyber Security recovery addresses the steps you will take to reconstitute or recover assets which may have been damaged, compromised or lost after a Cyber Security Incident. We do not provide the development of restoration plans for your implementation, either.
The reason we do not provide the above is because Cyberboxx AssistSM is packaged and developed as an entry-level cyber security solution for small-to-medium businesses and enterprises. We believe all businesses should have the benefit of cyber security experts. Our Cyberboxx AssistSM Incident Response Services are to provide a baseline solution for your business. We may advise that further investigation and services are required for the Cyber Security Incident which are not provided under Cyberboxx AssistSM. In such scenarios, you are entitled to our preferential rates for these services.
BOXX specifically DOES NOT warrant that the Cyberboxx AssistSM is sufficient for any legal, regulatory and/or compliance obligations applicable to you under the relevant laws that arise in the event of a Cyber Security Incident. Among other reasons, this is because there are many types of Cyber Security Incidents, and all our members businesses differ. We advise all our members in the event of a Cyber Security Incident to obtain legal advice as to its legal and/or compliance obligations under the applicable laws.
5. Qualifying Cyber Security Incident
In the event of a Qualifying Cyber Security Incident, you may obtain our BOXX Hackbusters™ Incident Response Services (details set out in Section 3 above) by emailing us at Hackbusters@BOXXInsurance.com or calling 1-888-349-6660.
You must, upon request, present your Welcome Email. This is required, among other reasons, to verify the identity of your representatives.
6. Your Consent to Scans and Monitoring Services
PLEASE READ THIS SECTION CAREFULLY AND THOROUGHLY
6.1 Our Scans: As part of the Cyberboxx AssistSM service, BOXX may from time-to-time conduct security and vulnerability scans or such continuous monitoring of your Endpoints and attack surfaces (hereafter “Scan”). Any Scan may include, among other things, information gathering, crawling, fingerprinting, fuzz testing, deploying of test scripts and introducing other non-intrusive activities similar to what is known as a penetration test. The purpose of these scans is to identify and assess potential vulnerabilities, weaknesses, or exposures in your digital assets and networks, and to provide recommendations for addressing any issues discovered. In other words, we will knock the door, but we will never get in. We will perform the security vulnerability Scans with due care and diligence.
An attack surface is your web domains and subdomains, including other domains and IP-addresses such domains point to, and all associated information, such as but not limited to DNS records, open ports and applications and services run on them. These attack surfaces are where an attacker can try to enter, cause an effect on, or extract data from your systems.
We may also from time to time provide monitoring services of the email addresses you provide, and any other references of your business, based on public information or the one provided from you or any member of you (i.e. association). Please check your Welcome Email to verify the services included in your plan.
6.3 Your Consent: You acknowledge that by registering to Cyberboxx AssistSM, the purpose of such Scans is to, as applicable, monitor and strengthen the security of your Internet-facing assets and/or strengthen the security of your Attack Surface. Accordingly, we may, when performing a Scan, among other things, perform crawling, fuzz testing, authenticated testing, deploy test script, and introduce other non-intrusive penetration tests for the limited purpose of revealing security vulnerabilities in your Endpoints (“Purpose”). You agree and acknowledge that the provision of the Scans in accordance with these Terms may lead to detrimental impact on your Endpoints. By registering your Cyberboxx AssistSM, you are responsible for the initiation of all Scans and the outcome of the Scan and for any inconveniences, interruptions, or other negative consequences thereof.
7. Your Responsibilities
PLEASE READ THIS SECTION CAREFULLY AND THOROUGHLY
7.1 Your Cooperation: To receive service or support under the Plan, you agree to (i) provide your registered email address to Cyberboxx AssistSM, (ii) provide information about the symptoms and causes of the issues with the Cyber Security Incident and the affected Endpoints (iii) respond to requests for information needed to diagnose or service the Endpoint, and (iv) to adhere to any reasonable requests and instructions we may provide to you in our professional discretion and expertise. You agree that you shall or procure any third parties to provide all reasonable access requested by BOXX to the relevant Endpoints in order to perform the Incident Response Services. You further agree that our ability to provide our Incident Response Services in an effective and/or timely manner shall depend on your adherence to this Section 7.1.
7.2 General Warranties: (a) You agree that your registration of Cyberboxx AssistSM, your agreement to these Terms, and your performance of your obligations under these Terms will not and are not likely to (i) result in a breach of, or give any third party a right to terminate or modify or result in the creation of any encumbrance under any agreement, license or other legal instrument or (ii) result in a breach of any applicable laws, order, judgment or decree of any court, government agency or regulatory body to which you are a party or your assets are bound. (b) You agree that except as expressly provided under these Terms or the other terms and conditions referenced herein, there are no conditions, warranties or other terms binding on you and us with respect to the services contemplated under these Terms. Any condition, warranty or other term in this regard that might otherwise be implied or incorporated under these Terms whether by the applicable laws or otherwise is, to the maximum extent permitted by applicable laws, excluded from these Terms.
7.3 Specific Warranties relating to Anti-Money Laundering and Economic Sanctions. (a) You confirm that you and your respective officers, employees and agents (where applicable) have conducted your business in accordance with all applicable laws and regulations including (anti-bribery laws, anti-money laundering laws and economic sanctions) and there is no law, statute, order, decree or judgment of any court, government agency or regulatory body outstanding against you and/or your respective officers, employees and/or agents. You further confirm that there are no investigations, actions, suits or proceedings against you in relation to anti-bribery laws, anti-money laundering laws and economic sanctions. (b) You confirm that you, your respective officers, employees and/or agents are not sanctioned persons. (c) If BOXX in its reasonable discretion is of the view that you are in breach of Sections 7.3
7.4 Your Use: You shall, and shall procure that your Affiliates shall, (a) obtain all necessary authorizations, approvals and permissions for use of Cyberboxx AssistSM in relation to the relevant Endpoints; (b) use Cyberboxx AssistSM in full compliance with these Terms; (c) use Cyberboxx AssistSM in accordance with all applicable laws and government regulations (including any local laws to which you are subject); (d) not make Cyberboxx AssistSM available to any unauthorized third party, and promptly inform BOXX in the event of any suspected unauthorized access to or use of Cyberboxx AssistSM ; (e) not create or attempt to create any substitute service or service similar to Cyberboxx AssistSM , by use of, reference to or access to, Cyberboxx AssistSM or any of BOXX’s Intellectual Property Rights; (f) not sell, lend out, lease, transfer, assign, sublicense, distribute or permit access or use of Cyberboxx AssistSM, or any part thereof, to any third party without our prior written approval; (g) not interfere with, or disrupt the integrity or performance of Cyberboxx AssistSM or any third party data contained therein; (h) not attempt to gain unauthorized access to Cyberboxx AssistSM or its related systems or networks; and (i) not decompile, disassemble, or reverse-engineer the software included in the Cyberboxx AssistSM, subject to what follows from applicable law.
7.5 Your Indemnity. (a) You expressly agree and acknowledge that in the course of our BOXX Hackbusters™ Incident Response Services or any other service provided, BOXX is reliant on your obligations, representations and warranties set out in this Section 7 to ensure that among others, we are not perpetuating wrongful acts. (b) You agree to promptly indemnify, defend and hold harmless BOXX and its officers, employees and agents (“BOXX Personnel”) from any and all losses incurred by BOXX or BOXX Personnel arising directly or indirectly from or in connection with or relating to breach of (i) Sections 6 to 7.5, (ii) fraud, (iii) willful misconduct or (iv) willful negligence by you.
8. Limitation of Liability
To the maximum extent permitted by applicable laws, BOXX and BOXX Personnel or those working on our behalf , will under no circumstances be liable to you for any indirect or consequential damages, including, but not limited to, the costs of recovering, reprogramming, or reproducing any program or data or the failure to maintain the confidentiality of data, any loss of business, profits, revenue or anticipated savings, resulting our obligations under the Cyberboxx AssistSM and/or these Terms.
To the maximum extent permitted by applicable laws, the limit of BOXX and any BOXX Personnel (including those working on our behalf)’s liability to you and any subsequent owner arising under this Cyberboxx AssistSM and/or these Terms shall not exceed the original price paid for Cyberboxx AssistSM (whether by you or a third party).
BOXX specifically DOES NOT warrant that (i) it will be able to repair or replace the Endpoints without risk to or loss of programs or data, (ii) it will maintain the confidentiality of data, or (iii) the operation of the Endpoint will be uninterrupted or error-free.
We will not be held liable for any direct, indirect, or incidental damages resulting from the scans, provided that they are conducted in accordance with the terms of this agreement.
Unless the applicable laws provide otherwise, there are no cancellations or refunds and both you and us agree to abide by these Terms for the Cyberboxx AssistSM Term.
Cyberboxx AssistSM (all versions) will renew automatically, unless:
- You notify us at least 90 days before expiring your intent to not renew the contract or program; or
- You notify us at least 90 days before expiring your intent to re-negotiate the costs and / or scope of the services you purchased; or
- We notify you, at least 90 days before expiring, our intent to not renew the contract or program, or modify the services or prices of Cyberboxx AssistSM.
BOXX is not obligated to renew Cyberboxx AssistSM. If BOXX does offer to renew your Cyberboxx AssistSM, BOXX reserves the right to determine the price and terms of such renewal.
11. Intellectual Property Rights
11.1 “Intellectual Property Rights” means Intellectual Property Rights means all copyrights and related rights, design rights, registered designs, patents, trademarks and service marks (registered and unregistered), trade secrets, database rights, know-how, rights in confidential information and all other intellectual property rights throughout the world for the full term of the rights concerned, including any derivative works incorporating any of the foregoing that may be created or developed in connection with these Terms.
11.2 All Intellectual Property Rights subsisting in and relating to or arising out of Cyberboxx AssistSM and BOXX Hackbusters™ Incident Response Services, including all software, technology and content, are owned by and vest in BOXX and/or its licensors, including all developments and enhancements made to the aforementioned. You acknowledge and agree that no rights, title, or interest in or to Cyberboxx AssistSM or the Incident Response Services or any related BOXX Intellectual Property Rights are assigned or transferred to you under these Terms.
11.3 The Test results generated under the Agreement are your data and shall be owned by you, however excluding any BOXX or open-sourced Intellectual Property Rights included therein (including but not limited to software, copyrighted works, know-how and trade secrets, such as attack vectors and payloads). You may only use such Intellectual Property Rights for the purpose of handling any identified security gaps in your Endpoints.
11.4 You grant to BOXX a non-exclusive, sub-licensable, royalty-free, worldwide, perpetual and irrevocable license to freely use any data generated as a result of your use of Cyberboxx AssistSM and the BOXX Hackbusters™ Incident Response Services, in anonymized and aggregated form only, for commercial purposes including sharing with any third parties, provided that your confidentiality is maintained, and such material is disclosed in a form which is not capable of being reverse engineered.
11.5 If you submit feedback about Cyberboxx AssistSM or BOXX Hackbusters™ Incident Response Services to BOXX, including comments and ideas on how to improve the foregoing, all such feedback will constitute confidential information of BOXX and will be the sole and exclusive property of BOXX. You hereby irrevocably assign and transfer to BOXX all your rights, title and interest in and to all feedback including all Intellectual Property Rights therein.
12. General Terms
12.1 BOXX may subcontract or assign performance of its obligations to third parties but shall not be relieved of its obligations to you in doing so.
12.2 BOXX is not responsible or liable for any failures or delays in performing our obligations under these Terms or the Cyberboxx AssistSM that are due to events outside of our reasonable control. Such events specifically include (but are not limited to) acts of war and terrorism and any cyber operations carried out in the course of war or terrorism. These would include cyber operations that have been attributable to a state or terrorist group (or those acting on their behalf) by reputable sources or where there is reasonable evidence to imply such attribution. Reputable sources include but are not limited to the defending or victim state or industry leading open-source intelligence sources such as the US National Institute of Standards and Technology (NIST).
12.4 We have security measures, which should protect your data against unauthorized access or disclosure as well as unlawful destruction. You will be responsible for the instructions you give to us regarding the processing of data in the event of a Cyber Security Incident, and BOXX will seek to comply with those instructions as reasonably necessary for the performance of our services and obligations under these Terms and Cyberboxx AssistSM.
12.5 These Terms and the other terms and conditions referred to herein, and the Welcome Email, shall prevail over any conflicting, additional, or other terms of any purchase order or other document, and constitute yours and our entire understanding with respect to Cyberboxx AssistSM.
12.6 We reserve the right to change, modify, or amend these Terms at any time to reflect changes in our practices and service offerings. If we modify our Terms, such changes will be effective upon posting. It is your obligation to check our current Terms for any changes. These Terms may only be modified in writing. Any ambiguities in the interpretation will not be construed against the drafter.
12.7 Our Services, including our website, are intended only for users over the age of eighteen (18). We do not target our Services to minors, who are under thirteen (13) (or a higher age threshold where applicable). You agree that you are not under thirteen (13) years of age. We do not intend to collect or process any information from anyone under the age of thirteen (13). If we become aware that a user is under thirteen (13) (or a higher age threshold where applicable) and has provided us with information, we will take steps to comply with any applicable legal requirement to remove such information. Contact us if you believe that we have mistakenly or unintentionally collected information from a person under the age of thirteen (13).
12.8 Jurisdiction. We control and operate Services from our headquarters in Canada and the Content and features may not be appropriate or available for use in other locations. As such you agree that all matters relating to the access to, or use of, this Service shall be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without reference to its conflict of laws principles, and that you will comply with all such applicable laws. Any dispute between us and you or any other person arising from, in connection with or relating to this Service, these Terms, any transaction through this Service or any related matters must be resolved before the Courts of the Province of Ontario, Canada, and you hereby irrevocably submit and attorn to the exclusive jurisdiction of those Courts in respect of any such dispute.