
Cybersecurity Awareness Training Terms of Service

Terms of Service

Version 1. Last Updated June 12, 2026.

These terms and conditions (“Terms of Service”) govern your purchase, access to and use of the Cybersecurity Awareness Training service and the cloud-based behaviour-change platform through which it is delivered (together, the “Services”), as ordered from the Canadian Internet Registration Authority (“CIRA,” “we,” “us” or “our”) through a CIRA authorized reseller. They apply to the customer ordering the Services (“Customer,” “you” or “your”).

BY SUBSCRIBING TO, ACCESSING OR USING THE SERVICES, AND BY CLICKING TO ACCEPT THESE TERMS OF SERVICE THROUGH THE PLATFORM, YOU AGREE THAT YOU HAVE READ AND AGREE, WITHOUT RESERVATIONS, TO BE BOUND BY THE LATEST VERSION OF THESE TERMS OF SERVICE. The individual accepting these Terms of Service represents that they are an administrative user authorized to bind the Customer.

The Services are provided using a platform and related technology supplied to CIRA by a third-party supplier and licensor (“Supplier”). You acknowledge that certain functions of the Services, including hosting and Tier Three support, are performed by Supplier, and that the protections, disclaimers, exclusions and limitations of liability in these Terms of Service are also made for the benefit of, and may be relied upon and enforced by Supplier as set out below.

General

These Terms of Service may be modified from time to time, for any reason, by having the revised terms and conditions posted within the platform. Please review these Terms of Service from time to time so that you are apprised of any changes. If you continue to access or use the Services after the revised terms and conditions have been posted, you will be deemed to have agreed to them.

Privacy

As a provider of an online service, Supplier requires users to provide certain information in order to provide the Services. All information you provide is collected, used, maintained, shared and destroyed in accordance with the Privacy Policy set out in Appendix A, which is incorporated into these Terms of Service by reference.

Helpful Definitions

“Authorized Reseller” means a CIRA authorized reseller or sub-partner from which you may have purchased the Services, where applicable;

“Confidential Information” means any and all information disclosed, either directly or indirectly, by a disclosing party (“Disclosing Party”) to a receiving party (“Receiving Party”) in connection with these Terms of Service, whether provided before, during the Term, including, without limitation, any inventions or discoveries (whether or not patentable), trade secrets, ideas, concepts, prototypes, designs, financial information, technical data or know-how, marketing and product information, pricing, business plans, contracts, policies and procedures, customer lists (including customer information), technologies (including computer programs, computer code, modules, scripts, algorithms, routines, systems, databases, equipment, features, processes, methodologies, schematics, testing procedures, software design and architecture, design and function specifications, analysis and performance information, and user documentation), internal documentation and materials, and any personal information pertaining to an individual, such as employees or customers, together with all notes, memoranda, analyses, records or other documents prepared by the Receiving Party or its representatives containing or based upon, in whole or in part, information acquired from the Disclosing Party in connection with these Terms of Service, in verbal, written or machine-readable form, and regardless of whether it is specifically identified or marked as “confidential” or “proprietary”;

“Customer Data” means any data, information or material that you or your Users disclose or submit to us, to Supplier or to the Services in the course of using the Services;

“Documentation” means the user and technical manuals, in paper or electronic format, for the Services that Supplier generally makes available to its customers, as updated, amended and replaced from time to time;

“Maintenance” means Updates and Upgrades to the Services;

“Order Form” means the order form, quote or other ordering document agreed between you and an Authorized Reseller for the Services;

“Services” means the Cybersecurity Awareness Training service and access to the cloud-based behaviour-change platform through which it is delivered;

“Supplier” means a third-party supplier or licensor that provides to CIRA all or part of the platform, technology or services underlying the Services;

“Update(s)” means changes made to the Services to correct errors or defects, or to make the Services conform to their specifications;

“Upgrade(s)” means improvements, enhancements, additions or changes to the Services which: (a) provide new or enhanced capability; (b) replace any portion of the platform; or (c) enable the Services to operate with third-party technology; and

“User(s)” means your employees, representatives, consultants, contractors or agents who are authorized to use the Services and have been supplied access by you (or by CIRA or an Authorized Reseller at your request).

Term and Termination

The term of these Terms of Service will be for the duration of your subscription as set out in your Order Form with the Authorized Reseller.

We may terminate these Terms of Service and your receipt of the Services if you breach these Terms of Service. Upon termination or expiry of these Terms of Service, you will cease all use of the Services, and any access to Maintenance and Support Services will cease.

Service Model

You may use the Services for your own internal use to:

  1. measure, monitor and manage cyber risk as assessed by the system using user surveys, self-assessments, education and quizzes, as well as external threat information gathered by the Services;
  2. deliver online-based educational materials via included course modules, licensed third-party content or your unique modules using the course builder tool;
  3. conduct simulated social engineering attacks via email against only your own organization or a subsidiary, using the built-in simulated phishing emails or custom emails;
  4. deliver email newsletters for security awareness with content provided by us, developed by you or through licensed third-party content; and
  5. use any other features for the purposes for which they were designed, in accordance with the Documentation that we may make available to you during the Term.

You may not:

  1. use, copy, modify, rent, sell, distribute or transfer any part of the Services except as provided in these Terms of Service, and shall not authorize or instruct any third party to engage in any of the uses of the Services restricted under these Terms of Service;
  2. connect to third-party systems through any unlicensed application programming interface;
  3. reverse engineer, decode, decompile or disassemble the Services;
  4. add, remove, obscure or modify any label or other indication of trademark, copyright or other intellectual property rights on the Services, the Documentation or other written material supplied to you;
  5. duplicate or reproduce any part of the Services, the Documentation or other written material supplied to you;
  6. sublicense the Services to a third-party organization; or
  7. use the Services to send simulated phishing exercises that use government agency logos. Specifically, due to direction from certain government agencies, notably the Internal Revenue Service in the United States, you are not allowed to send phishing simulations using the IRS logo or name,

in each case without our explicit prior written consent.

You acquire only the right to use the Services in accordance with these Terms of Service, and you do not acquire any intellectual property rights in the Services, the Documentation or our Confidential Information. As between the parties, we and/or Supplier and licensor own, and retain all right, title and interest in and to, the Services, the platform, the Documentation and all related intellectual property. You retain all intellectual property rights in your content and data.

Obligations

Security and compliance are a shared responsibility. The requirements for infrastructure are provided and you must provide your own control implementation within the Services. You are responsible for all activity occurring under your User accounts. You agree that you will:

  1. comply with the Documentation, and agree that new procedures may be established for your use of the Services as deemed necessary for the optimal performance of the Services;
  2. abide by all applicable provincial, state, national and foreign laws, treaties and regulations in connection with your and your Users’ use of the Services;
  3. regularly review and approve user access and privileges within your instance of the Services;
  4. keep your security credentials to access your instance of the Services secure;
  5. provide notification as soon as practical of any unauthorized access to the Services;
  6. provide notification as soon as practical of any copying or distribution of the Services that is known or suspected by you or your Users, and use reasonable efforts to stop the same; and
  7. regularly review and update your configuration of, and integrations with, the Services.

Neither we nor Supplier shall be liable for the unauthorized disclosure, alteration or destruction of data as a result of any failure by you to regularly review and approve appropriate access to, permissions within, and configuration of, your instance of the Services. Neither we nor Supplier shall be liable for any damages arising out of your failure to use the security tools provided for use in the Services—such as, but not limited to, multi-factor authentication and domain validation—and any damages that occur to you or to third parties through the abuse of the Services using your tenant (including, but not limited to, unauthorized phishing) are solely at your risk and liability.

Support Services

We divide support requests into the following categories with the associated responsibilities:

(a) Tier One addresses basic user authentication issues, basic user interface questions, user questions about score and reporting suspected phishes, and typos and errors in custom content developed by you. You are responsible for all Tier One requests.

(b) Tier Two addresses administrative user questions related to managing your tenant that are not covered by our standard Documentation. You are responsible for reaching out to your Authorized Reseller for all Tier Two requests.

(c) Tier Three addresses: (1) broken functionality in the Services; and (2) service availability or speed issues.

Support Services will be provided by the Authorized Reseller from which you ordered the Services, except for Tier Three support.

Confidential Information

At all times during the term of these Terms of Service and after their termination or expiration, each of us shall:

  1. protect the confidentiality of the other party’s Confidential Information with the same degree of care as it uses for its own similar information, but no less than a commercially reasonable degree of care;
  2. not divulge or disclose the other party’s Confidential Information to any third parties; and
  3. not use any Confidential Information for any purposes other than the performance of the obligations under these Terms of Service.

Confidential Information may only be used by those employees or agents who have a need to know such information for purposes related to these Terms of Service. Our respective confidentiality obligations do not apply to any information that is:

  1. already known by the recipient prior to disclosure by the other party;
  2. independently developed prior to, or independent of, the disclosure;
  3. publicly available;
  4. rightfully received from a third party with no duty of confidentiality;
  5. disclosed with prior written approval;
  6. disclosed under, or required by, law; or
  7. aggregate data gathered, created or interpreted by the Services, which will not contain any personally identifiable information.

Events Beyond Our Control

If either of us is affected by any act of God, act of war or other cause beyond our control and without fault or negligence, we shall promptly notify each other of the nature and extent of the situation. Neither of us shall be deemed to be in breach of these Terms of Service, or otherwise be liable to the other, by reason of any delay in performance or non-performance of any of its obligations hereunder to the extent that such delay or non-performance is due to any delaying cause of which the other has been notified. As well, the time for performance of that obligation shall be extended accordingly, provided that we all use commercially reasonable efforts to perform.

Warranties and Liability

You represent, warrant and agree that you own, or have sufficient rights to, all intellectual property rights in the Customer Data. If a complaint is received that your Customer Data is an unauthorized use of third-party intellectual property rights, you will be required to remove or modify the Customer Data in question so that it is no longer infringing, or Supplier may remove it. We and Supplier will not be liable for any interruption of service or reconfiguration of the Services required by such removal or modification.

We will not indemnify your organization for issues related to the use of government logos. Failure to cooperate with us, or with a government agency or other third party that contacts us, regarding an infringing phishing template or campaign could result in the termination of the Services without refund.

We represent and warrant to you that we and/or our Supplier own, or have sufficient rights to, all intellectual property rights in the Services and any third-party products used in the Services.

The Services are provided “as is” and we do not warrant that use of the Services will be uninterrupted or error free.

WE MAKE NO WARRANTIES, REPRESENTATIONS OR CONDITIONS WITH RESPECT TO THE SERVICES, MAINTENANCE OR SUPPORT SERVICES EXCEPT AS SET OUT IN THESE TERMS OF SERVICE, AND ALL OTHER WARRANTIES, REPRESENTATIONS OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY EXCLUDED. WE DO NOT WARRANT ANY SOFTWARE OR OTHER PRODUCTS MANUFACTURED BY THIRD PARTIES AND SUPPLIED IN CONNECTION WITH THE SERVICES, MAINTENANCE AND SUPPORT SERVICES.

IN NO EVENT SHALL WE OR SUPPLIER BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, OR LOST DATA OR OPPORTUNITIES, OF ANY KIND RELATING TO THESE TERMS OF SERVICE, REGARDLESS OF THE BASIS OF THE CLAIM. SUBJECT TO AND IN ADDITION TO THE FOREGOING EXCLUSION, THE CUMULATIVE LIABILITY OF CIRA AND SUPPLIER TO YOU FOR ANY LOSS OR DAMAGES ARISING OUT OF OR RELATING TO THESE TERMS OF SERVICE OR THE USE OF THE SERVICES SHALL NOT EXCEED THE AMOUNT OF FEES PAID BY YOU TO AN AUTHORIZED RESELLER. IN NO EVENT SHALL CIRA OR SUPPLIER BE LIABLE FOR ANY LOSS, CLAIM OR ACTION BASED ON A CLAIM THAT CUSTOMER DATA INFRINGES ANY INTELLECTUAL PROPERTY RIGHT OF ANY THIRD PARTY. THESE LIMITATIONS AND EXCLUSIONS FROM LIABILITY SHALL APPLY REGARDLESS OF THE BASIS OF THE CLAIM, INCLUDING, WITHOUT LIMITATION, ANY CLAIM OF BREACH OF CONTRACT, AND SHALL APPLY FOR THE BENEFIT OF CIRA AND ITS SUPPLIERS, LICENSORS AND SERVICE PROVIDERS, AND THEIR RESPECTIVE OFFICERS, EMPLOYEES, AGENTS AND SUBCONTRACTORS.

NO ACTION, REGARDLESS OF FORM, ARISING OUT OF THESE TERMS OF SERVICE MAY BE BROUGHT BY EITHER PARTY MORE THAN ONE YEAR AFTER THE CAUSE OF ACTION HAS ARISEN, EXCEPT FOR PAYMENT OF AN OUTSTANDING ACCOUNT.

Supplier is an intended third-party beneficiary of the disclaimers, exclusions and limitations of liability set out in these Terms of Service and may rely upon and enforce them directly as if it were a party to these Terms of Service.

Things to Avoid

You may not issue press releases or otherwise publish any information with respect to the Services, Maintenance or Support Services without our prior written consent.

Assignment

These Terms of Service may not be assigned by either party without the prior express consent of the other. Any attempt to assign these Terms of Service shall be a breach of these Terms of Service and shall be null and void.

General

These Terms of Service shall be governed by and construed in accordance with the laws of the Province of Ontario and the laws of Canada applicable therein. Under no circumstances will either of us be a partner, employee or agent of the other.

The provisions of these Terms of Service shall be deemed severable. If any provision is held invalid or unenforceable by any court of competent jurisdiction, it shall be construed, limited or, if necessary, severed to the extent necessary to eliminate such invalidity or unenforceability, and the remaining provisions shall remain in full force and effect.

The headings contained in these Terms of Service are for convenience of reference only and in no way define, limit or affect the scope or substance of any portion of these Terms of Service.

These Terms of Service constitute the entire agreement between you and CIRA with respect to the subject matter hereof and replace all prior promises or understandings, oral or written. These Terms of Service may be modified by CIRA as set out in the section titled “General” above.

Appendix A – Privacy Policy

This Privacy Policy describes how Supplier (collectively “We” for the purposes of this Privacy Policy) collects, uses, discloses, stores and otherwise processes information when you use the Services. This policy may periodically be reviewed and updated. Please review this Privacy Policy from time to time so that you are apprised of any changes. Your continued use of the Services after changes have been posted will constitute your acceptance of such changes.

Information Collected

This Privacy Policy applies to Personal Data and other information We collect from or about users of the Services. “Personal Data” refers to information that identifies, or is capable of identifying, an individual, and may include name, address and contact data (such as email address, telephone number, job title and employer name). We collect only the minimum Personal Data required to offer the Services.

We also collect de-personalized, anonymized data that does not identify you or our clients (“aggregate data”) and use such data to improve the Services. We collect technical information provided by your web browser when you interact with the Services (“Technical Information”), which does not by itself identify a specific individual but could be used to indirectly identify you, including your Internet Protocol (IP) address, browser type and version, language, and the date and time of your request.

How We Collect Information

Email communications – Services. The phishing simulation services use pixel tags, cookies and URL tracking when conducting exercises. These tools allow us and our clients to measure when simulated phishing emails are opened, when links are clicked or if attachments are accessed, to help clients improve their cybersecurity awareness efforts.

Log files. We use log files to understand how the Services are being used, to monitor for unauthorized account activity, and to monitor the performance and availability of the Services.

Cookies. We collect information about your use of the Services through cookies—small text files stored on your device that can be used to track interests, settings and preferences, or to personalize your experience. We use analytics, performance cookies and tracking codes provided by third-party analytics and marketing providers.

How We Use Information

We may use your information to: provide personalized content; process and respond to inquiries; provide marketing information about services; improve the Services; and deliver the Services. We will use your information in accordance with these Terms of Service or any applicable fully executed agreement between the parties. You have the right to know what Personal Data we hold about you and may submit a request to us using the contact details below. We will supply Personal Data we hold about you within a reasonable timeframe and reserve the right to charge a reasonable fee for repeated requests.

Information Sharing

We will not sell or rent your information to a third party. We may disclose your Personal Data to contracted third-party vendors and service providers who are contractually bound by confidentiality obligations, only to help us provide the Services to you.

Acquisition or sale. If we sell any or all of our operations, we may transfer Personal Data in connection with such a sale. Where possible, we will contact those whose data will be disclosed.

Lawful access. We reserve the right to disclose information, by law, litigation or as a matter of national security, to comply with valid legal processes including subpoenas, court orders or search warrants. We may also disclose Personal Data in the event of an emergency that threatens an individual’s life, health or security. When permitted by law or order, we will inform you of any lawful access requests.

Individual Rights

Access. A User may access the data we hold about them at any time by contacting us directly or viewing their personal profile in the Services.

Move. Subject to our retention period, a User may receive an extract of all their personal data in CSV format for personal use or use in another platform. Any requests by business clients will be subject to a fee.

Erase and forget. If the data we have about a User is not correct or is no longer relevant, they can request that we erase their data.

Security

We use reasonable administrative, technical and physical safeguards to protect Personal Data from unauthorized access, modification or disclosure. Only necessary people and third-party service providers have access to Personal Data. We require our third-party service providers and partners to agree to keep all confidential information shared with them secure and to use such information only to perform their obligations to us. Any information you provide directly to a third party independently is subject to that third party’s privacy policy. Where the Services are offered by or combined with the professional services of a partner, the partner is responsible for ensuring that only necessary personnel have access to personal information and that reasonable administrative, technical and physical safeguards are in place to protect information in their custody.

Liability. Any and all liabilities related to any security incidents will be as outlined in these Terms of Service or any other fully executed agreement between you and us. Unless stated in those agreements, we will not be responsible for any damages or liabilities related to the loss, damage, abuse, alteration or disclosure of Personal Data, to the fullest extent permitted by law.

Notification. Upon confirmation of any security incident involving your Personal Data, we will comply with the notification requirements under the appropriate jurisdiction. If a security incident involving data hosted in the Services requires notification and the Services were contracted through a partner, the partner is responsible for contacting the respective client administrative contact, who will then be responsible for coordinating any communications to you.

Data Storage and Retention

Storage. The Services are hosted, processed and stored in Canada and Europe by a third party acting on our behalf.

Retention. We retain information for business purposes for as long as an account is active and/or as long as is reasonably required to provide you with the Services, and as long as reasonably necessary to comply with legal obligations, resolve disputes or enforce agreements. You agree and acknowledge that we are not obligated to retain Customer Data for longer than thirty (30) days after termination of these Terms of Service, and that we may delete Customer Data if you have materially breached these Terms of Service and the breach has not been cured within ten (10) days of notice. Upon termination for cause resulting from an uncured breach, your right to access or use Customer Data immediately ceases. Data requested to be deleted may be retained in backup systems for up to ninety (90) days. Clients can customize the retention of Personal Data within their respective instance of the Services, and retention periods will be subject to those settings.

Optional Advanced Email Analysis and Threat Categorization Service

This section applies only if you have the optional advanced email analysis and threat categorization service (the “Analyst”) turned on in your instance of the Services. The Analyst is an optional add-on component that analyzes emails submitted through the Outlook or Google “Report a Phish” button, the email forwarding system or the Application Programming Interface (API). The Analyst only analyzes emails that Users submit on an individual basis.

Submitted emails remain in each customer’s live database instance for a period of 45 days to allow customer administrators and support to review the results. Customer administrators can remove specific emails at any time from the live database, and the encrypted data will be deleted from backups per the applicable backup retention schedule. By default, emails that have not been deleted from the live database within 45 days are moved to an encrypted data warehouse, where they may be used to train the Analyst to improve performance; such emails will be fully anonymized or automatically deleted from the data warehouse within 18 months of being moved there. Customer administrators can delete specific emails from the data warehouse at any point by deleting the email record within the Analyst; such emails will be deleted from the data warehouse within 24 hours and from backups per the applicable backup retention schedule. Customer administrators can opt out of having any submitted emails moved to the data warehouse, but Analyst functionality may be limited as described in the Documentation and the Services.

Links to Other Websites or Services

The Services may link to third-party websites. We are not responsible for any Personal Data collected by those third-party sites or services. Information collected by third-party websites is subject to their privacy policies.

Appendix B – AI Feature Controls, Data Use, and Customer Responsibilities

  1. Definitions. Capitalized terms in this Appendix B have the meanings set out in the Terms of Service. For purposes of this Appendix B: “Inputs” means any data, text, prompts, files, selections, configurations or other materials submitted, uploaded, entered or otherwise provided by the Customer or its Users into any AI-enabled feature of the Services; and “Outputs” means any content, recommendations, summaries, analyses, predictions or other results generated by an AI-enabled feature of the Services in response to Inputs.
  2. Applicability. This Appendix B applies only to a Customer that has enabled the use of an AI-powered feature within the Services.
  3. Enabling and Disabling AI Features. The Services allow the Customer to enable or disable each AI-powered feature individually. AI features are disabled by default unless otherwise specified. When the Customer enables an AI feature, the Services will describe the categories of data that will be processed by that feature, and the Customer must affirmatively acknowledge this disclosure in order to activate the feature. The Customer may disable any AI feature at any time through the administrative settings of the Services.
  4. Data Processed When AI Features Are Enabled. When an AI feature is enabled, the Services may process Inputs for the following purposes: (a) training, refining and improving AI models used by the Services; (b) conducting data analysis to enhance system performance, accuracy and reliability; (c) informing the development of new features, reports and product capabilities; and (d) aggregating and de-identifying data for research and insights related to cybersecurity awareness, behaviour and culture. Processing is limited to the scope necessary to provide and improve the AI-powered functionality. Aggregated or de-identified data will not be used in a manner that reasonably permits re-identification of the Customer or its authorized Users.
  5. Customer Responsibilities Regarding Inputs. The Customer is solely responsible for the nature, accuracy and legality of all Inputs. The Customer agrees not to provide any erroneous, proprietary, confidential or personally identifiable information as Inputs. We do not monitor, filter or manage Inputs and are not responsible for any disclosure, misuse or consequences arising from the Customer’s decision to input personal data, proprietary information or inaccurate information into the Services.
  6. Customer Representations. The Customer represents and warrants that it has all necessary rights and permissions to provide Inputs and that doing so does not violate any law, contract or third-party right.
  7. Ownership and Use of Outputs. All Outputs are generated automatically and may be inaccurate, incomplete or unsuitable for certain uses. The Customer acknowledges that Outputs are provided on an “as-is” basis without warranties, and that the Customer is responsible for reviewing and validating Outputs before relying on them.
  8. Ownership of Outputs and Models. The Customer and its Users do not obtain any ownership rights in Outputs, and we and/or Supplier retain all rights, title and interest in and to Outputs and the underlying AI models.
  9. Similarity of Outputs. Outputs may be similar or identical to outputs generated for other customers due to the nature of AI systems.
  10. Permitted Use of Outputs. The Customer may use Outputs solely for its internal business purposes and only in accordance with these Terms of Service.
  11. Limitations and Acceptable Use. The Customer agrees not to use AI features for unlawful, harmful or high-risk purposes, including decisions that may have legal, financial, medical or safety consequences without appropriate human oversight. We may suspend or restrict access to AI features if misuse or violation of this section is detected.
