General Terms of Sale
Service Description
UserAware Suite is an all‑in‑one, human‑centred cyber‑security package for startups and SMBs. It combines four complementary protections:
- Phishing‑Resistant Authentication: Locks down every account with MFA (illustrated PDF guide + e‑mail support).
- Bullet‑Proof Cloud Mail: Stops spam, impersonation & malicious files (step‑by‑step hardening guide and ready‑made presets).
- Awareness & Phishing Simulation: Monthly 3‑minute video, surprise phishing tests, and a monthly executive dashboard.
Access to this package is provided under a single subscription billed per user, per month.
Pricing & Payment Terms
The UserAware Suite is billed at a fixed price of $19.99 per month, plus $5.00 per additional user. All payments are securely processed via Stripe. Your bank may apply additional card fees.
Subscriptions renew automatically every month on the purchase anniversary date unless cancelled (see § 5).
Service Delivery
- Instant digital delivery: MFA & Mail‑hardening PDFs are e‑mailed immediately after payment.
- The first awareness video is sent right away, along with a phishing test email.
All materials are supplied electronically (PDF, MP4, HTML dashboard), with no physical shipments.
Billing
An invoice is automatically e‑mailed to the address you provide once Stripe confirms payment. Each invoice lists the subscription plan, number of seats, and next renewal date.
Cancellation & Minimum Commitment
Subscriptions are commitment‑free. You may cancel at any time via your customer portal or by contacting support. Access remains active until the end of the paid‑up period; no extra fees apply.
Price Validity
Published prices are firm. While SecuBreakers may update rates for new customers in the future, the price you subscribe at is locked in for the life of your active subscription; it will never increase unless you cancel and re-subscribe.
Refunds & Dissatisfaction
SecuBreakers offers a 100 % refund if the service materially fails to meet the following commitments:
- Activation links or PDFs not delivered within 24 hours of payment.
- No phishing‑simulation e‑mails sent during the first billing week.
For refund requests, e‑mail a detailed explanation to yoann.amicel@secubreakers.com.
Liability
- No absolute security - UserAware Suite is designed to reduce, not eliminate, human-driven cyber-risk. We cannot guarantee 100 % protection against every phishing attempt or malware campaign.
- Customer responsibilities - The service’s effectiveness relies on: your timely application of the MFA and e-mail-security settings provided in our guides, and your users’ participation in the awareness videos and phishing simulations. SecuBreakers is not liable for incidents that result from partial, delayed or non-implementation, or from user non-participation.
- Changes outside our control - Subsequent configuration changes, third-party software updates or new integrations may introduce vulnerabilities beyond our control.
- Exclusion of consequential damages - SecuBreakers will under no circumstances be liable for indirect, special, incidental or consequential losses (including lost profits or revenue).
Data Protection & Privacy
For the purpose of providing the UserAware Suite (including awareness and phishing simulations), SecuBreakers and the Client acknowledge that personal data may be processed. Unless otherwise agreed in writing, the Client acts as Data Controller and SecuBreakers acts as Processor within the meaning of applicable data protection laws (e.g., GDPR).
- Purpose & legal basis — Security awareness and phishing simulations, reporting and continuous improvement of email security (performance of the contract and/or legitimate interests of the Client in securing its organization).
- Data categories — Business contact data, email metadata and contents strictly required for simulations, campaign results and training records.
- Confidentiality & security — SecuBreakers implements appropriate technical and organizational measures (access control, least privilege, logging, encryption at rest/in transit where applicable) and ensures staff confidentiality.
- Sub-processing — SecuBreakers may engage vetted sub-processors (including GottaPhish, see §10). SecuBreakers remains responsible for its sub-processors and will maintain a list available upon request.
- Data location & transfers — Where processing involves transfers outside the EEA/UK, appropriate safeguards (e.g., Standard Contractual Clauses) will be implemented.
- Incident response — In case of a personal data breach affecting the Service, SecuBreakers will notify the Client without undue delay and cooperate in good faith.
- Data subject rights — SecuBreakers reasonably assists the Client in responding to requests (access, rectification, erasure, restriction, objection) to the extent applicable to the Service.
- Retention — Campaign logs and related personal data are retained only as long as necessary for the agreed purposes or legal obligations, then deleted or anonymized.
- Audit & records — Upon reasonable prior notice and no more than once per 12 months (unless legally required), the Client may audit compliance through questionnaires or review of relevant summaries/certifications.
A detailed Data Processing Agreement (DPA) can be provided upon request and, if executed, prevails over this summary in the event of conflict.
Use of Third-Party Service Providers (GottaPhish)
For the technical execution of phishing simulations, SecuBreakers collaborates with a specialized provider, GottaPhish. The Client acknowledges that certain operations are delegated to GottaPhish and may require extensive permissions in the Client’s email environment (via identity providers such as Microsoft 365 or Google Workspace).
10.1 Delegated operations
- Conception, configuration and sending of phishing emails;
- Read/write/send access to user and shared mailboxes, including campaign management;
- Directory and domain data retrieval for campaign scoping and deliverability;
- Whitelisting and mail-security rule adjustments required for proper simulation delivery;
- Any other related operation strictly necessary to perform phishing simulations.
10.2 Client acknowledgement
- The Client reviews and approves all permissions requested by GottaPhish within its admin console (Microsoft Entra ID/Azure AD, Google Admin, or equivalent) and may revoke them at any time.
- These permissions are necessary for the Service to function as intended; refusal/revocation may degrade or prevent delivery of simulations and reporting.
- The Client is responsible for ensuring that granting such access complies with its internal policies, employee information duties and applicable laws.
10.3 Independence & terms of GottaPhish
GottaPhish acts as an independent service provider. Its infrastructure, software and data handling are governed by its own terms and privacy documentation. SecuBreakers does not control GottaPhish’s systems and does not provide any warranty regarding their availability, security, or fitness for a particular purpose.
10.4 Liability & indemnification
- To the maximum extent permitted by law, SecuBreakers shall not be liable for damages, incidents, service interruptions, unauthorized access or data breaches attributable to GottaPhish or to the permissions granted by the Client to GottaPhish.
- The Client agrees to indemnify and hold harmless SecuBreakers against claims, losses and liabilities arising from the use of GottaPhish within the Client’s environment, except in cases of SecuBreakers’ wilful misconduct or gross negligence.
10.5 Security & oversight
- SecuBreakers selects and reviews its providers with due care and maintains reasonable oversight;
- SecuBreakers will inform the Client of any material change to core third-party providers used for phishing simulations and will cooperate in good faith to mitigate impacts.
Note: Depending on your identity provider (Microsoft or Google), a banner may indicate that the app is “unverified”. This is expected, as the GottaPhish application is not yet formally certified by the provider. This does not affect the correct functioning of the Service.
Use of Stripe & Payment Disputes
All payments are securely processed via Stripe. For chargebacks or suspected fraud, please contact Stripe directly; their Terms & Conditions apply.
Contact
Questions about these General Terms of Sale?
- E-mail: yoann.amicel@secubreakers.com
- Phone: +33 6 98 08 28 60