Terms and Conditions of Use and Sale
1. Company Identification
Bastion Technologies (the “Company” or “Bastion Technologies”) is a simplified joint-stock company (SAS), registered with the Nanterre Trade and Companies Register under No. 921 179 925, with its registered office at 65 rue de la Croix, 92000 Nanterre, France.
Contact: contact@bastion.tech
2. Services Provided
Bastion Technologies publishes a solution (the “Platform”) for business customers (the “Clients”) aimed at protecting against cybersecurity risks (the “Services”).
3. Contract Documents
The contractual relationship is governed, in descending order of precedence, by:
- The Quote (the “Quote”):
  - Prepared based on the Client’s needs.
  - Must be accepted in writing (including by email) within 30 days of issuance. Such acceptance constitutes acceptance of these Terms and Conditions in force on the Quote date.
  - In case of conflict, the Quote prevails over these Terms and Conditions.
  - In case of conflict between Quotes, the most recent prevails.
- These Terms and Conditions: define the terms of use of the Services and the parties’ respective obligations. Accessible via a footer link on the Platform.
4. Conditions of Access to the Services
- (i) The Client is a legal entity acting through a duly authorized individual.
- (ii) The Client qualifies as a professional within the meaning of applicable law.
5. Access and Subscription
To subscribe, the Client completes the Platform form and provides all required information. Registration creates an account (the “Account”) to access the Services using a login and password. The Client may create user access (the “Users”) within the limits set in the Quote and remains responsible for such access and their use.
6. Description of the Services
6.1 Services
The Client acknowledges the Services require an internet connection, the quality of which is outside Bastion Technologies’ responsibility. The subscribed Services are described in the Quote. By way of example, Bastion may provide:
- Certification support (SOC 2, ISO, GDPR, etc.) (the “Certification Audit”)
- External attack surface assessment and remediation plan
- Data leak detection and dark-web monitoring
- Cybersecurity training (chatbot, maturity tests, reports, phishing simulations, etc.)
- Real-time email protection (AI-based)
- Secure web browsing (proactive threat prevention, continuous watch on risky sites)
- Cloud application protection (continuous detection and remediation)
Bastion may offer other services. Any change to the subscribed scope will be subject to an additional Quote.
6.2 Additional Services
6.2.1 Maintenance
During the Services term, the Client benefits from corrective and evolutive maintenance. Access to the Platform may be limited or suspended accordingly. Bastion will use reasonable efforts to fix malfunctions and deploy updates (improvements/new features). The Client agrees to install or allow deployment of necessary updates to ensure proper operation of the Services.
6.2.2 Hosting
Bastion ensures, under an obligation of means, hosting of the Platform and related data via a professional hosting provider on servers located within the European Union.
6.2.3 Technical Support
Support via Platform chat or support@bastion.tech, Monday to Friday (excluding public holidays), 9:00–18:00 (CET). An indicative response time is communicated depending on the request.
7. Subscription Term
The Subscription starts on the subscription date for the initial period indicated in the Quote and is tacitly renewed for successive periods of the same duration (together, the “Periods”), unless terminated in accordance with “End of Services”.
8. Financial Terms
8.1 Prices
Prices are stated in the Quote. Any Period started is due in full. Prices may be revised pursuant to “Amendments to the Terms and Conditions”.
8.2 Invoicing and Payment
An invoice is issued for each Period. Payment is by direct debit at subscription and upon each renewal (annual) or monthly (monthly subscription), unless otherwise provided in the Quote. The Client warrants it is authorized to use the selected payment method.
8.3 Late or Non-Payment
- Immediate suspension of the Services until full payment
- Late interest: 3× the legal interest rate + fixed €40 recovery fee (and additional indemnity if recovery costs exceed this amount)
- Acceleration of all amounts due
9. Intellectual Property
9.1 Platform
The Platform and all components (software, databases, content, trademarks, etc.) are owned by Bastion and protected by applicable IP and database-producer rights. No ownership rights are transferred. The Client and Users are granted a non-exclusive, non-transferable SaaS license for the Subscription term.
9.2 Deliverables
Bastion assigns to the Client, as and when delivered, economic copyrights it may hold in deliverables provided under the Services (files, reports, etc.) (the “Deliverables”), excluding Bastion’s tools, methods, trademarks, and logos. Assignment is worldwide, for the legal protection term, for all modes of exploitation, subject to moral rights.
- Rights to reproduce/fix the Deliverables on any medium by any means
- Right to use/publish the Deliverables
- Rights to adapt, translate, modify, arrange, and correct the Deliverables
The Client has no obligation to exploit the Deliverables.
10. Marketing References
Each party may reference the other (name, logo, platform) as a commercial reference during the contractual relationship and for 3 years thereafter.
11. Client Obligations and Liability
11.1 Information
The Client provides the information necessary for subscription and use of the Services and respects the timelines communicated by Bastion, notably for the Certification Audit. Any delay by the Client may postpone the schedule or prevent completion of the Certification Audit, without refund of amounts due/paid.
Services are performed based on Client-provided information; Bastion is not responsible for consequences of false or inaccurate information. The Certification Audit does not guarantee any certification.
11.2 Account
- The Client warrants accuracy and updates of information provided.
- Credentials bind the Client; the Client ensures their confidentiality.
- In case of unauthorized use, the Client promptly notifies Bastion; Bastion may take appropriate measures.
- The Client remains responsible for User access it creates.
11.3 Use of the Services
The Client is responsible for its use and Users’ use. The Client shall not misuse the Services (unlawful activities, harm to third parties/public order/systems, unauthorized promotion, etc.) nor infringe Bastion’s rights/interests (copying/diverting components, interference, resale/transfer of access).
The Client is responsible for any content it publishes (“Content”) and must not post illegal, infringing, misleading, harmful, or inappropriate content. The Client shall defend, hold harmless, and indemnify Bastion from related claims.
12. Bastion’s Obligations and Liability
Bastion performs the Services diligently under an obligation of means.
12.1 Service Quality
Bastion conducts regular checks and may carry out maintenance. Bastion is not responsible for unavailability due to factors outside its network (third-party equipment, providers/ISPs, Client misconfiguration, force majeure, etc.). The Services, under continuous improvement, may contain residual errors and are not tailored to the Client’s specific needs.
12.2 Availability
Without a service-level guarantee, Bastion uses reasonable efforts to maintain 24/7 access, excluding planned maintenance and force majeure.
12.3 Backups
Bastion implements reasonable backups. Except for Bastion’s proven fault, it is not liable for data loss during maintenance.
12.4 Storage & Security
Bastion provides sufficient storage capacity and implements reasonable technical and organizational measures (infrastructure/Platform protection, threat detection/prevention, recovery).
12.5 Subcontracting & Assignment
Bastion may use subcontractors bound by equivalent obligations and remains responsible to the Client. Bastion may assign its contract and will notify the Client in writing.
13. Limitation of Liability
Bastion’s liability is limited to proven direct damages only. Except for personal injury, death, or gross negligence, and subject to a claim notified by registered letter within one month of the event, Bastion’s total liability is capped at the amount received by Bastion for the Services at issue.
The Certification Audit is an assistance service and does not guarantee certification. Bastion is not liable for decisions of certification bodies or for Client decisions based on Bastion’s recommendations.
14. Evidence
Evidence may be brought by any means. Messages exchanged via the Platform and data collected on the Platform and Bastion’s systems constitute admissible evidence, in particular to demonstrate Services performed and price calculation.
15. Personal Data
15.1 General Provisions
Each party complies with applicable data-protection regulations (French Data Protection Act and GDPR). Processing activities carried out by Bastion as controller are described in Bastion’s Privacy Policy.
15.2 Processing Performed by Bastion as Processor
Bastion processes, on behalf of the Client (controller), personal data necessary to provide the Services:
- Purposes: Performance of the Services in accordance with these Terms.
- Operations: collection, recording, organization, storage, consultation, use, transmission, anonymization, deletion/destruction.
- Data types: identification (first/last name, photo), contact (email, phone), professional data (company, role), training/awareness data (training history, chatbot conversations, phishing campaign reactions, password robustness, cybersecurity awareness level), connection/browsing data (date/time, IP, location, device, browser, OS).
- Data subjects: Client, employees, collaborators.
- Duration: duration of the commercial relationship between Client and Bastion.
Bastion’s Obligations towards the Client
- Processing on instructions: Bastion acts only on the Client’s documented instructions, including for any transfer outside the EU; prior notice in case an instruction appears unlawful or where law requires otherwise (unless prohibited by law).
- Security & confidentiality: appropriate technical/organizational measures; personnel bound by confidentiality.
- Sub-processors: prior notice of changes; 15-day objection period. Bastion ensures equivalent safeguards and remains responsible to the Client.
- Transfers outside the EU: permitted subject to GDPR Chapter V safeguards (including Standard Contractual Clauses).
- Assistance & information: reasonable assistance (data-subject rights, DPIAs, authority/DPO requests).
- Data breaches: notification to the Client without undue delay and provision of useful information.
- End of processing: at the end of the Services, deletion or return (at the Client’s choice), unless retention is required by law.
- Documentation & audits: information necessary to demonstrate compliance; one audit per year at the Client’s expense, with 2-week notice, without impacting Bastion’s security/confidentiality or operations; audit report is confidential.
Authorized Sub-processors
Provider | Processing Activities | Processing Location | Safeguards for non-EU transfers |
---|---|---|---|
Amazon Web Services | Hosting of personal data | Europe | Standard Contractual Clauses (if applicable) |
Microsoft | Hosting of personal data | United States | Standard Contractual Clauses |
Stripe | Payment services | Europe | Standard Contractual Clauses (if applicable) |
Yousign | Electronic signatures | Europe | Standard Contractual Clauses (if applicable) |
Pipedrive | Customer relationship management | Europe | Standard Contractual Clauses (if applicable) |
OpenAI | Artificial intelligence services | United States | Standard Contractual Clauses |
Slack | Communication tools | United States | Standard Contractual Clauses |
Client Obligations
- Provide only relevant and necessary data; avoid special categories of data (GDPR) unless justified and subject to appropriate measures (notice, consent, security).
- Collect data lawfully, ensure a valid legal basis, and inform data subjects.
- Maintain a processing register and comply with GDPR principles.
- Continuously verify compliance with applicable obligations.
16. Force Majeure
Neither party is liable for failure due to force majeure as defined by French Civil Code Article 1218. Obligations affected are suspended during the impediment and resume within a reasonable time after it ends.
17. End of Services
- Notice: at least 30 days before the end of the current Period (annual) or 14 days (monthly).
- Form: by the Client to support@bastion.tech; by Bastion via email.
- Period due: any Period started is due in full.
- Unused credits: refunded by bank transfer within 30 days.
- Export: the Client must download documents before the end date; Bastion is not responsible for deletion thereafter.
- Account: deleted at the end of the Services.
18. Sanctions for Breach
Essential obligations include:
- Payment of the price
- Providing timely information required for the Certification Audit
- Providing accurate and complete information
- Respectful, courteous communications
- No use of the Services for unauthorized third parties
- No illegal/fraudulent activities or activities infringing third-party rights/safety
In case of breach of an essential obligation, Bastion may suspend/terminate access, publish an information notice, alert/cooperate with authorities, and bring legal action, without prejudice to damages.
For any other breach, Bastion will request remediation within 15 calendar days; failing remediation, the Services end and the Account is deleted.
19. Amendments to the Terms and Conditions
Bastion may amend these Terms and Conditions by notifying the Client in writing (including email) at least 30 days before they take effect. Amended Terms apply upon renewal of the Subscription. If the Client does not accept the amendments, it must terminate per “End of Services”. Continued use after the effective date constitutes acceptance.
20. Language
In the event of inconsistency, the French version prevails.
21. Governing Law and Jurisdiction
These Terms and Conditions are governed by French law. Failing amicable resolution within 2 months of first notice, disputes shall be submitted to the exclusive jurisdiction of the courts of Paris (France), unless mandatory provisions provide otherwise.