Terms of Use

This document is a translation of the original French version. In case of any discrepancy or conflict between this English version and the French version, the French version shall prevail.

1. Company Identification

Bastion Technologies (the "Company" or "Bastion Technologies") is a simplified joint-stock company (SAS), registered with the Nanterre Trade and Companies Register under number 921 179 925, with its registered office located at 65 rue de la Croix, 92000 Nanterre, France.

Contact: contact@bastion.tech

2. Services Offered

Bastion Technologies publishes a solution (the "Platform") intended for its business clients (the "Clients") aimed at protecting against cybersecurity risks (the "Services").

3. Contractual Documents

The contractual relationship between the Client and Bastion Technologies is governed, in descending order of priority, by the following documents:

The Quote:

• It is established based on the Client's needs.
• The Client must accept it in writing (including by email) within 30 days of its issuance. This acceptance constitutes acceptance of the Terms of Use in their version in effect on the date of the Quote.
• In case of conflict, the Quote shall prevail over the Terms of Use.
• In case of conflict, the most recent Quote shall prevail over older one(s).

The Terms of Use: They define the terms of use of the Services and the respective obligations of the parties. They are accessible via a direct link at the bottom of the Platform page.

4. Conditions of Access to Services

• (i) The Client is a legal entity acting through a natural person with the power or authorization required to contract on behalf of the Client and for its account.
• (ii) The Client has professional status, understood as any natural or legal person acting for purposes related to their commercial, industrial, artisanal, liberal or agricultural activity, including when acting on behalf of another professional.

5. Terms of Access and Subscription to Services

Registration automatically creates an account in the Client's name (the "Account") which allows access to the Services using their login credentials and password.

Once the Client's Account is created, they may freely create access for users (the "Users") within the limit of the number provided for in the subscribed Services.

The Client is solely responsible for creating access for Users and for their personal use of the Platform.

6. Description of Services

6.1 The Services

The Client acknowledges that the implementation of the Services requires an internet connection and that the quality of the Services depends on this connection, for which Bastion Technologies is not responsible.

The Services to which the Client has subscribed are described in the Quote. Bastion Technologies offers in particular:

• Support for SOC 2, ISO, GDPR certifications, etc.;
• An audit of the Client's external surface to identify vulnerabilities and configuration issues resulting in an actionable remediation plan;
• Immediate detection of data leaks and dark web monitoring;
• Cybersecurity training for the Client's employees (interactive chatbot, cyber maturity tests, automated reports, phishing scenario implementation, etc.);
• Web browsing security (proactive threat prevention, continuous monitoring of risky sites, etc.);
• Cloud application protection including continuous attack detection and instant remediation.

The Company reserves the right to offer any other Service. Any request to modify the subscribed Services must be subject to an additional Quote.

6.2 Additional Services

Maintenance

The Client benefits during the duration of the Services from maintenance, including corrective and evolutionary maintenance. In this context, access to the Platform may be limited or suspended. Bastion Technologies makes its best efforts to provide the Client with corrective maintenance to fix any malfunction or bug found on the Platform.

The Client benefits during the duration of the Services from evolutionary maintenance, which Bastion Technologies may carry out automatically and without prior notice, and which includes improvements to Platform functionalities, the addition of new functionalities and/or technical installations used within the Platform (aiming to introduce minor or major extensions).

Updates are performed throughout the duration hereof. Access to the Platform may also be limited or suspended for scheduled maintenance reasons, which may include the corrective and evolutionary maintenance operations mentioned above.

Hosting

Bastion Technologies provides, under a best-efforts obligation, hosting of the Platform, as well as data produced and/or entered on/through the Platform, through a professional hosting provider, and on servers located within the European Union.

Technical Support

In case of difficulty encountered when using the Services, the Client may contact Bastion Technologies via chat on the Platform or at the following address: support@bastion.tech.

The technical support service is available Monday to Friday, excluding public holidays, from 9 AM to 6 PM. Depending on the need identified, Bastion Technologies will estimate the response time and keep the Client informed.

7. Subscription Duration

The Subscription begins on the day of subscription for an initial period indicated in the Quote. The Subscription is automatically renewed for successive periods of the same duration as the initial period (together with the initial period, the "Periods"), from date to date, unless the Subscription is terminated under the conditions of the "Termination of Services" article.

8. Financial Terms

Service Prices

The prices of the Services to which the Client has subscribed are indicated in the Quote. Any Period started is due in full. Bastion Technologies' prices may be revised at any time under the conditions of the "Modification of Terms of Use" article.

Invoicing and Payment Terms

Bastion Technologies sends the Client an invoice per Period by any appropriate means. Payment is made by direct debit upon Subscription, then at each renewal in the case of an annual subscription. Other invoicing and payment terms of the Company may be specified in the Quote.

The Client guarantees Bastion Technologies that they have the necessary authorizations to use this payment method.

Consequences of Late or Non-Payment

In case of non-payment or late payment, Bastion Technologies reserves the right, from the day after the due date shown on the invoice, to:

• Immediately suspend the ongoing Services until full payment of all amounts due.
• Charge late payment interest equal to 3 times the legal interest rate, based on the amount of sums not paid by the due date, and a fixed indemnity of 40 euros for recovery costs, without prejudice to additional compensation if the recovery costs actually incurred exceed this amount.
• Where applicable, declare all amounts owed by the Client immediately due and payable.

9. Intellectual Property Rights

Intellectual Property Rights on the Platform

The Platform is the property of Bastion Technologies, as are the software, infrastructures, databases and content of any kind (texts, images, visuals, music, logos, trademarks, etc.) that it operates. They are protected by all intellectual property rights or database producer rights in force.

The license granted by Bastion Technologies to the Client does not entail any transfer of ownership. The Client and Users benefit from a non-exclusive and non-transferable SaaS license to use the Platform for the duration provided in the "Subscription Duration" article.

Intellectual Property Rights on Deliverables

Hereby, Bastion Technologies assigns to the Client the proprietary copyright that it may hold on any deliverables provided as part of the Services, including files, reports and other documents related to the Certification Audit (the "Deliverables"). However, this assignment does not cover the tools and methods it has developed and uses, or more broadly any element that enabled the provision of the Services, as well as logos and trademarks affixed to the Deliverables.

This assignment shall be made automatically, as the Deliverables are provided. This assignment is granted to the Client without restriction or reserve, in full ownership, exclusively and definitively, Bastion Technologies being prohibited from exploiting the Deliverables itself or granting any rights thereon to third parties. It is granted for the entire legal duration of copyright protection, worldwide and for all forms of exploitation known or unknown to date, foreseeable or unforeseeable.

The rights thus assigned include:

• The right to reproduce and fix the Deliverables, in whole or in part, in any format, on any medium including paper or digital, and by any material or immaterial process, whether such media or processes are existing or future, foreseeable or unforeseeable;
• The right to manufacture, use or publish the Deliverables, in whole or in part;
• The right to adapt, translate, modify, arrange, transform and correct the Deliverables, in particular, without this list being exhaustive, through retouching, change of format or colors of the Deliverables, subject to respect for the author's moral rights, where applicable.

It is recalled that these Terms do not impose on the Client any obligation to exploit the Deliverables, the Client remaining completely free to exploit them or not.

10. Commercial References

The parties may use their respective names, trademarks and logos and refer to their respective platforms as commercial references during the duration of their contractual relationship and for 3 years thereafter.

11. Client Obligations and Liability

Regarding the Provision of Information

The Client undertakes to provide Bastion Technologies with all information necessary for the subscription and use of the Services.

The Client acknowledges that it is crucial to respect the deadlines communicated by Bastion Technologies in the context of the Services, particularly in the context of the Certification Audit which requires adherence to a certain schedule. It undertakes to respect any deadlines imposed by the Service Provider.

Any delay attributable to the Client in communicating these elements may:

• Delay the possible schedule for the provision of Services agreed between the Parties;
• Make it impossible for the Service Provider to complete the Certification Audit, in which case the Client remains liable for the amounts provided in the Quote and may not claim a refund of any advance payment or amounts already paid for the Certification Audit.

Finally, the Client acknowledges that Bastion Technologies provides the Services based on information they have entered on the Platform. Consequently, Bastion Technologies will not be held responsible in particular if the Client submits false or incorrect information or documents. More generally, the Client acknowledges that the Certification Audit does not guarantee the issuance of the related certification, as this largely depends on the Client and the measures taken by them in connection with the certification. Bastion Technologies cannot be held responsible for any failure of the Certification Audit, as Bastion Technologies does not guarantee its success in any way.

Regarding the Client's Account

The Client:

• Guarantees that the information provided in the form is accurate and undertakes to keep it updated.
• Acknowledges that this information constitutes proof of their identity and binds them upon validation.
• Is responsible for maintaining the confidentiality and security of their login credentials and password; any access to the Platform using these credentials is deemed to have been made by them.

The Client must immediately contact Bastion Technologies at the coordinates mentioned in the "Company Identification" section if they discover that their Account has been used without their knowledge. They acknowledge that Bastion Technologies will have the right to take all appropriate measures in such cases.

The Client is solely responsible for creating access for Users.

Regarding the Use of Services

The Client is responsible for their use of the Services and any information they share in this context. They are also responsible for the use of the Services and all information shared by Users. They undertake to ensure that the Services are used exclusively by themselves and/or the Users, who are subject to the same obligations as them in their use of the Services.

The Client is prohibited from using the Services for purposes other than those for which they were designed, including:

• Engaging in illegal or fraudulent activity.
• Violating public order and good morals.
• Infringing on third parties or their rights in any way.
• Violating any contractual, legislative or regulatory provision.
• Engaging in any activity that interferes with a third party's computer system, in particular to violate its integrity or security.
• Engaging in maneuvers aimed at promoting their services and/or sites or those of a third party.
• Helping or inciting a third party to commit one or more of the acts or activities listed above.

The Client is also prohibited from:

• Copying, modifying or misappropriating any element belonging to Bastion Technologies or any concept it exploits in the context of the Services.
• Adopting any behavior that interferes with or diverts the computer systems of Bastion Technologies or interferes with its computer security measures.
• Infringing on the financial, commercial or moral rights and interests of Bastion Technologies.
• Marketing, transferring or providing access in any way to the Services, information hosted on the Platform, or any element belonging to Bastion Technologies.

The Client is responsible for Content (the "Content") of any kind they disseminate in the context of the Services.

The Client accepts that Content disseminated through the Solution may be seen by the Users of the Services.

The Client is prohibited from disseminating any Content (this list is not exhaustive):

• Violating public order and good morals (pornographic, obscene, indecent, shocking or unsuitable for family audiences, defamatory, abusive, violent, racist, xenophobic or revisionist).
• Infringing on third parties' rights (counterfeit content, infringement of personality rights, etc.) and more generally violating any contractual, legislative or regulatory provision.
• Harmful to third parties in any way.
• False, misleading or proposing or promoting unlawful, fraudulent or deceptive activities.
• Harmful to third parties' computer systems.

The Client indemnifies Bastion Technologies against any claim and/or action that may be brought against it following the violation of any of the Client's obligations. The Client will indemnify Bastion Technologies for any harm suffered and will reimburse it for all amounts it may have to pay as a result.

12. Bastion Technologies Obligations and Liability

Bastion Technologies undertakes to provide the Services with diligence, it being specified that it is bound by a best-efforts obligation. As such, Bastion Technologies guarantees that it holds all intellectual property rights on the Platform and Services. Any delay attributable to the Client delays the agreed delivery deadlines accordingly.

Regarding Quality of Services

Bastion Technologies makes its best efforts to provide the Client with quality Services. To this end, it regularly performs checks to verify the operation and accessibility of its Services and may carry out maintenance as specified in the "Maintenance" article. However, Bastion Technologies is not responsible for temporary difficulties or impossibilities in accessing its Services due to:

• Circumstances external to its network.
• Failure of equipment, cabling, services or networks not included in its Services or not under its responsibility.
• Interruption of Services by telecom operators or internet access providers.
• Client intervention, particularly through misconfiguration applied to the Services.
• Force majeure.

Bastion Technologies is responsible for the operation of its servers, whose outer limits are constituted by connection points. Furthermore, it does not guarantee that the Services:

• Subject to constant research to improve in particular performance and progress, will be completely free of errors, defects or faults.
• Being standard and in no way offered according to the Client's personal constraints, will specifically meet their needs and expectations.

Regarding Service Level Guarantee

Bastion Technologies does not offer any service level guarantee for the Platform. However, Bastion Technologies makes its best efforts to maintain access to the Platform 24/7 except in case of scheduled maintenance as defined in the "Maintenance" article or force majeure.

Regarding Data Backup on the Platform

Bastion Technologies makes its best efforts to back up all data produced and/or entered on/through the Platform. Except in cases of proven fault on the part of Bastion Technologies, it is not responsible for any data loss during maintenance operations.

Regarding Data Storage and Security

Bastion Technologies makes its best efforts to ensure data security by implementing infrastructure and Platform protection measures, detection and prevention of malicious acts, and data recovery.

Regarding Subcontracting and Assignment

Bastion Technologies may use subcontractors in the execution of the Services, who are subject to the same obligations as it within the scope of their involvement. It nevertheless remains solely responsible for the proper execution of the Services to the Client.

Bastion Technologies may substitute any person who will be subrogated in all its rights and obligations under its contractual relationship with the Client. If so, it will inform the Client of this substitution by any written means.

13. Limitation of Bastion Technologies Liability

Bastion Technologies' liability is limited solely to proven direct damages suffered by the Client as a result of using the Services. With the exception of bodily harm, death and gross negligence, and subject to having issued a claim by registered letter with acknowledgment of receipt within one month of the occurrence of the damage, Bastion Technologies' liability may not be engaged for an amount exceeding the amounts it has received for the provision of its Services.

Bastion Technologies is only bound by a best-efforts obligation in the context of providing the Services, excluding any obligation of result. In the context of the Certification Audit, the Client acknowledges and accepts that the Services constitute assistance in their certification requests and that the use of the Services in no way guarantees obtaining these certifications.

The Client acknowledges and accepts that Bastion Technologies cannot be held responsible (i) for decisions made by the bodies issuing the certifications and (ii) for any damage resulting from decisions the Client makes based on the recommendations and advice given by Bastion Technologies in the context of the Services. More generally, Bastion Technologies does not guarantee that the Services and Deliverables resulting from them will satisfy the Client's expectations.

14. Admissible Evidence

Evidence may be established by any means. The Client is informed that messages exchanged through the Platform as well as data collected on the Platform and Bastion Technologies' computer equipment constitute one of the admissible forms of evidence, particularly to demonstrate the reality of the Services provided and the calculation of their price.

15. Personal Data

General Provisions

The parties undertake, each for their part, to comply with all legal and regulatory obligations incumbent upon them regarding the protection of personal data, including Law 78-17 of January 6, 1978 in its latest amended version known as the Data Protection Act and EU Regulation 2016/679 of the European Parliament and Council of April 27, 2016 (together the "Applicable Regulations").

For more information about the processing carried out by Bastion Technologies, the Client is invited to review the Privacy Policy.

Terms of Data Processing by Bastion Technologies as Processor

The purpose of this clause is to define the conditions under which Bastion Technologies undertakes, on behalf of the Client, the processing of personal data described below.

Bastion Technologies and the Client mutually undertake, each for their respective part, to comply with the regulations applicable to personal data and in particular the General Data Protection Regulation (EU Regulation 2016/679 of the European Parliament and Council of April 27, 2016) and the Personal Data Protection Act of January 6, 1978 in its current version (hereinafter collectively referred to as the "Applicable Regulations").

Description of Sub-Processed Treatment

In the context of the Services, Bastion Technologies processes personal data as a processor within the meaning of the Applicable Regulations on behalf of the Client. The Client acts as data controller within the meaning of the Applicable Regulations. The characteristics of the treatments are described below:

Purposes of Data Processing: Provision of Services in accordance with these Terms of Use.

Nature of Processing Operations: Any operation required to achieve the above purposes, including collection, recording, organization, storage, consultation, use, communication by transmission, anonymization, deletion or destruction.

Types of Personal Data Processed:

• Identification data (surname, first name, photograph)
• Contact details (email addresses, phone number)
• Professional data (company, position)
• Data related to training and awareness of cybersecurity risks (history of training completed, history of chatbot conversations, responses to phishing campaigns (email ignored, email opened, email reported, compromised credentials, etc.), password strength, assessment of cybersecurity risk awareness level)
• Connection and browsing data (date and time of connection, IP address, location, device, browser, operating system)

Categories of Data Subjects: Employees, collaborators of the Client.

Processing Duration: Duration of the commercial relationship between Bastion Technologies and the Client.

Authorized Sub-processors:

Changes to Sub-Processors: In the event of changes in the list of authorized Sub-Processors, Bastion Technologies will inform the Client in advance and in writing. This information must clearly indicate the sub-processing activities, the identity and contact details of the Sub-Processor. The Client has a period of 15 (fifteen) days from the date of receipt of this information to present legitimate and substantiated objections. Failing notification of objections after this period, the Client will be deemed to have accepted the use of the Sub-Processor.

The Sub-Processor is required to comply with the obligations of these Terms for your account and according to the Client's instructions. It is Bastion Technologies' responsibility to ensure that the Sub-Processor presents adequate guarantees regarding the implementation of appropriate technical and organizational measures so that processing meets the requirements of the Applicable Regulations. If the Sub-Processor fails to meet its data protection obligations, Bastion Technologies remains responsible to the Client for the Sub-Processor's performance of its obligations.

International Data Transfers: Bastion Technologies is authorized to transfer personal data processed under these Terms to countries located outside the European Union, provided that appropriate safeguards are in place as defined in Chapter V of the aforementioned regulation.

Assistance and Provision of Information: Bastion Technologies undertakes to assist the Client and respond promptly to any information request addressed to it, whether in the context of a request to exercise rights by data subjects, an impact analysis or a request presented by data protection authorities or the Client's data protection officer.

Notification of Personal Data Breaches: Bastion Technologies undertakes to notify the Client of any personal data breach affecting the processing covered by this contract and to provide any useful information and documentation to enable it, if necessary, to notify this breach to the competent supervisory authority, as soon as possible after becoming aware of it.

Fate of Data: Bastion Technologies undertakes, at its option, to delete personal data at the end of the use of the Services or to return it to the Client and not to retain a copy, unless the Applicable Regulations require retention.

Documentation: Bastion Technologies makes available to the Client, upon request, all information and documents necessary to demonstrate compliance with its obligations.

Client Obligations to Bastion Technologies:

The Client undertakes to:

• Provide Bastion Technologies with the personal data referred to in the "Description of Sub-Processed Treatment" article excluding any irrelevant, disproportionate or unnecessary personal data, and excluding any "special category" data within the meaning of the Applicable Regulations, unless the processing justifies it, with the Client responsible for establishing these justifications and taking all measures, in particular prior information, consent collection and security measures, appropriate for such special data;
• Collect under their responsibility, lawfully, fairly and transparently, the personal data they provide to Bastion Technologies, for the execution of the Services, and in particular, ensure the legal basis for this collection and the information owed to data subjects;
• Maintain a record of processing activities and more generally, comply with the principles of the Applicable Regulations;
• Ensure beforehand and throughout the duration of processing, compliance with obligations provided by the Applicable Regulations.

16. Force Majeure

Bastion Technologies cannot be held responsible for failures or delays in the performance of its contractual obligations due to force majeure occurring during its relationship with the Client, as defined in Article 1218 of the French Civil Code.

If Bastion Technologies is prevented from performing its obligations due to force majeure, it must inform the Client by registered letter with acknowledgment of receipt. Obligations are suspended upon receipt of the letter and must be resumed within a reasonable time after the cessation of the force majeure event.

Bastion Technologies remains bound, however, by the performance of obligations that are not affected by a force majeure event.

17. Termination of Services

The Subscription must be terminated no later than 30 days before the end of the current Period, by:

• The Client, by sending Bastion Technologies a request to the following email address: support@bastion.tech;
• Bastion Technologies, by sending an email to the Client.

Any Period started is due in full.

It is the Client's responsibility to download all documents accessible on the Platform before the end date of the Services. Bastion Technologies cannot be held responsible for the deletion of these documents from that date.

The Client no longer has access to their Account from the end of the Services.

18. Sanctions for Breach

The following constitute essential obligations with respect to the Client (the "Essential Obligations"):

• Payment of the price.
• Provision of information necessary for the Certification Audit in accordance with the schedule set by Bastion Technologies.
• Not providing erroneous, incomplete information to Bastion Technologies.
• Respecting usual rules of politeness and courtesy in exchanges with Bastion Technologies.
• Not using the Services for a third party.
• Not engaging in illegal, fraudulent activities or activities that infringe on the rights or security of third parties.
• Violation of public order or violation of laws and regulations in force.

In case of breach of any of these Essential Obligations, Bastion Technologies may:

• Suspend or terminate the Client's access to the Services.
• Publish on the Platform any information message that Bastion Technologies deems useful.
• Notify any competent authority, cooperate with it and provide all useful information to search for and suppress illegal or unlawful activities.
• Take any legal action.

These sanctions are without prejudice to any damages and interest that Bastion Technologies may claim from the Client.

In case of breach of any obligation other than an Essential Obligation, Bastion Technologies will request by any useful written means that the Client remedy the breach within a maximum period of 15 calendar days. The Services will end at the end of this period if the breach is not remedied.

The end of the Services results in the deletion of the Client's Account.

19. Modification of Terms of Use

Bastion Technologies may modify its Terms of Use at any time and will inform the Client by any written means (including by email) at least 30 calendar days before they come into effect.

The modified Terms of Use are applicable upon renewal of the Client's Subscription. If the Client does not accept these modifications, they must terminate their Subscription according to the terms provided in the "Termination of Services" article. If the Client uses the Services after the entry into force of the modified Terms of Use, Bastion Technologies considers that the Client has accepted them.

20. Language

The French language shall prevail in case of any contradiction or dispute regarding the meaning of a term or provision.

21. Applicable Law and Jurisdiction

These Terms of Use are governed by French law. In case of dispute between the Client and Bastion Technologies, and failing amicable agreement within 2 months of the first notification, the dispute shall be submitted to the exclusive jurisdiction of the courts of Paris (France), except for mandatory provisions to the contrary.