01Definitions and interpretation
1.1 Definitions
In these Terms and Conditions (“Agreement”), the following terms shall have the meanings set out below:
- “Agreement” means these Terms and Conditions, together with any Order Form, the Privacy Policy, and the Data Processing Policy, which collectively govern the Customer’s use of the Platform.
- “Authorized User” means an individual who is authorized by the Customer to access and use the Platform on the Customer’s behalf, and who has been assigned a user account by a Customer administrator.
- “Customer” means the legal entity that enters into this Agreement with Ombris by completing the registration process or executing an Order Form.
- “Customer Data” means all data, including Personal Data, uploaded to, generated by, or processed through the Platform by or on behalf of the Customer. Customer Data includes Scan Data, Simulation Data, Risk Data, and Compliance Data.
- “Data Controller” means the Customer, as the entity that determines the purposes and means of processing Personal Data of its employees and users through the Platform.
- “Data Processor” means Ombris, as the entity that processes Personal Data on behalf of the Customer in accordance with the Customer’s instructions.
- “Effective Date” means the date on which the Customer completes registration or the date specified in the applicable Order Form, whichever is earlier.
- “Fees” means the amounts payable by the Customer to Ombris for use of the Platform.
- “Microsoft Entra ID” (formerly Azure Active Directory) means Microsoft’s cloud-based identity and access management service.
- “OMBRIS” or “we” means OMBRIS Cyber Security LLC, a limited liability company incorporated in the United Arab Emirates, with its registered office in Dubai, UAE.
- “Order Form” means a written or electronic document executed by both parties that specifies the Services, Subscription Term, Fees, and any additional terms.
- “Personal Data” has the meaning ascribed to it under the UAE Federal Data Protection Law, GDPR, and the Turkish Personal Data Protection Law, as applicable.
- “Platform” means the Ombris cybersecurity platform, including all modules, features, APIs, documentation, and updates.
- “Services” means the cybersecurity assessment, phishing simulation, risk scoring, compliance evaluation, and related services provided by Ombris through the Platform.
- “Subscription Term” means the period during which the Customer is entitled to access and use the Platform, as specified in the applicable Order Form.
1.2 Interpretation
References to “including” or “includes” shall mean “including without limitation.” Headings are for convenience only and shall not affect interpretation. References to any legislation shall include any amendment, re-enactment, or successor legislation. In the event of a conflict between the terms of this Agreement and an Order Form, the Order Form shall prevail to the extent of the conflict.
02Account registration and eligibility
2.1 Organizational use only
The Platform is designed exclusively for organizational use by corporate entities, government agencies, educational institutions, and other legal entities. The Platform is not intended for personal or individual consumer use.
2.2 Authority to bind
The individual completing the registration process on behalf of the Customer represents and warrants that they have the authority to bind the Customer to this Agreement. If such individual does not have the requisite authority, the Customer shall not use the Platform.
2.3 Account accuracy
The Customer shall provide accurate, current, and complete information during registration and shall maintain and update such information. Ombris reserves the right to suspend or terminate the Customer’s account if any information is found to be inaccurate, outdated, or incomplete.
2.4 Account security
The Customer is responsible for maintaining the confidentiality of its account credentials and for all activities that occur under its account. The Customer shall immediately notify Ombris of any unauthorized use of its account or any other breach of security.
2.5 Minimum age
All Authorized Users must be at least eighteen (18) years of age.
2.6 Administrator roles
The Customer shall designate at least one Authorized User as an administrator (“Admin”). The Admin shall be responsible for managing the Customer’s account, including adding and removing Authorized Users, configuring Platform settings, and initiating scans and campaigns.
03Service description
3.1 EntraScan — Microsoft Entra ID security assessment
The EntraScan module connects to the Customer’s Microsoft Entra ID tenant via OAuth 2.0 authorization and performs a comprehensive security configuration assessment against forty-five or more security indicators. EntraScan evaluates multi-factor authentication policies, conditional access configurations, privileged identity management, guest access policies, application registration security, authentication methods, identity governance settings, and risk-based policies. EntraScan generates findings categorized by severity and provides actionable remediation guidance.
3.2 Human Awareness — phishing simulation and awareness testing
The Human Awareness module enables the Customer to conduct phishing simulation campaigns targeting the Customer’s own employees. The module sends simulated phishing emails using customizable templates of varying difficulty levels and tracks recipient interactions, including email opens and link clicks. Campaign results are aggregated into reports showing organizational susceptibility, departmental trends, and repeat offender identification.
3.3 Risk Management — unified risk scoring
The Risk Management module aggregates data from EntraScan (technical risk, weighted at 60%) and Human Awareness (human risk, weighted at 40%) to produce a unified organizational risk score. The module provides user-level risk profiles, department-level risk distributions, and trend analysis over time. Risk scores represent a relative risk assessment and shall not be construed as an absolute measurement of security posture. The Customer retains sole responsibility for security decisions made based on risk scores.
3.4 Compliance — framework assessment
The Compliance module evaluates the Customer’s security posture against recognized compliance frameworks, including CIS Benchmarks, NIST Cybersecurity Framework, ISO 27001, GDPR, and HIPAA. The module maps security indicator results to framework controls and provides a compliance readiness score. Compliance assessments are advisory in nature and do not constitute legal advice or certification.
04Microsoft Entra ID integration
4.1 OAuth 2.0 authorization
To use the EntraScan and Human Awareness modules, the Customer must grant Ombris access to the Customer’s Microsoft Entra ID tenant through the Microsoft OAuth 2.0 consent flow. The Customer’s designated Admin shall initiate the consent process, which requires Global Administrator or equivalent permissions.
4.2 Scope of access
Ombris accesses the Customer’s Microsoft Entra ID tenant with the minimum permissions necessary to perform the Services, including user directory information, authentication configuration, application registrations, sign-in and audit logs (as permitted by the Customer’s Entra ID license tier), and role assignments.
4.3 Data NOT accessed
Ombris does not access and has no technical capability to access:
- User passwords or password hashes.
- Email message content, mailbox contents, or calendar data.
- Files stored in OneDrive, SharePoint, or other Microsoft 365 storage services.
- Microsoft Teams messages, chat content, or meeting recordings.
- Any data outside the scope of the Graph API permissions consented to by the Customer.
4.4 Token management
Microsoft Graph API access tokens and refresh tokens are encrypted at rest using AES-256-CBC encryption. Tokens are stored exclusively in Ombris’s secure infrastructure and are never transmitted to third parties. Tokens are used solely to perform authorized scans and campaigns.
4.5 Consent revocation
The Customer may revoke Ombris’s access to its Microsoft Entra ID tenant at any time by using the consent revocation feature within the Ombris Platform or by removing the Ombris enterprise application from the Customer’s Microsoft Entra ID tenant directly through the Microsoft Azure portal. Upon revocation, Ombris shall immediately cease accessing the Customer’s tenant.
4.6 Microsoft terms compliance
The Customer acknowledges that Ombris’s use of the Microsoft Graph API is subject to Microsoft’s API Terms of Use and Microsoft Cloud Agreement. Ombris shall use the Microsoft Graph API in compliance with Microsoft’s applicable terms and policies.
05Phishing simulation specific terms
5.1 Authorized use only
The Customer shall use the Human Awareness phishing simulation module exclusively to conduct security awareness testing within its own organization, targeting only its own employees, contractors, and personnel for whom the Customer has the legal authority and necessary consents to conduct such testing.
5.2 Prohibition on third-party targeting
The Customer shall NOT use the Platform to:
- Send phishing simulations to any individual who is not an employee, contractor, or authorized personnel of the Customer’s organization.
- Conduct phishing simulations against third-party organizations, competitors, partners, or any external parties.
- Use simulation templates or techniques for actual malicious phishing, social engineering, or fraud.
- Conduct simulations that violate any applicable law, regulation, or the rights of any individual.
5.3 Customer responsibility for internal authorization
The Customer is solely responsible for obtaining all necessary internal authorizations, approvals, and consents; complying with applicable labor laws, employment agreements, works council requirements, and data protection regulations; determining whether to inform its employees about the existence of phishing simulation programs; ensuring that simulation campaigns do not create a hostile work environment; and ensuring that the use of phishing simulations complies with the UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021), in particular Article 11 (fraud via IT means) and Article 44 (impersonation).
5.4 Nature of simulations
Phishing simulations conducted through the Platform are security awareness testing exercises and do not constitute actual cyberattacks. The Customer acknowledges that simulation results are for internal security improvement purposes only and shall not be used as the sole basis for disciplinary action against employees.
5.5 Email deliverability
Ombris shall use commercially reasonable efforts to deliver simulation emails to recipients’ inboxes. However, Ombris does not guarantee email deliverability, as delivery is subject to factors outside Ombris’s control, including the Customer’s email security configurations, SPF, DKIM, and DMARC configurations, Microsoft 365 or other email provider filtering rules, and network conditions. The Customer is responsible for configuring appropriate email security exceptions (allowlisting) to enable the delivery of simulation emails.
5.6 Ombris liability for simulation impact
Ombris shall not be liable for any damages, losses, or claims arising from:
- An employee’s emotional distress, panic, or overreaction to a simulation email.
- An employee reporting a simulation email to law enforcement or external parties.
- Business disruption caused by employees responding to simulation emails as though they were real threats.
- The Customer’s failure to properly configure email security exceptions.
- Any third-party claims arising from the Customer’s misuse of the simulation module in violation of Section 5.2.
06Subscription and fees
6.1 Subscription plans
Access to the Platform is provided on a subscription basis. The specific modules, features, usage limits, and Fees applicable to the Customer’s subscription are set out in the applicable Order Form or as displayed on the Platform’s pricing page at the time of purchase.
6.2 Payment terms
All Fees are quoted and payable in United States Dollars (USD) unless otherwise specified. Fees shall be invoiced in advance on an annual or monthly basis, as specified in the Order Form. Payment is due within thirty (30) days of the invoice date, unless otherwise specified. All Fees are exclusive of applicable taxes, duties, and levies.
6.3 Late payment
If the Customer fails to make any payment when due, Ombris may charge interest on the overdue amount at a rate of 1.5% per month (or the maximum rate permitted by applicable law, whichever is lower), suspend the Customer’s access to the Platform upon fourteen (14) days’ written notice, and terminate this Agreement if payment remains outstanding for more than sixty (60) days.
6.4 Price changes
Ombris may adjust Fees upon renewal of the Subscription Term by providing the Customer with at least thirty (30) days’ written notice prior to the commencement of the renewal term. If the Customer does not agree to the adjusted Fees, the Customer may terminate this Agreement effective at the end of the then-current Subscription Term.
6.5 Free trial and early access
Ombris may offer free trial periods or early access programs at its sole discretion. During such periods, the Platform is provided “as is” without any service level commitments, and Ombris may modify or discontinue the trial at any time without notice.
6.6 No refunds
All Fees are non-refundable once paid, except as expressly provided in this Agreement or as required by applicable law.
07Customer obligations
7.1 Lawful use
The Customer shall use the Platform in compliance with all applicable laws, regulations, and industry standards, including but not limited to data protection laws, employment laws, and cybersecurity regulations.
7.2 Consent and authorization
The Customer shall obtain all necessary consents, authorizations, and permissions required under applicable law before granting Ombris access to its Microsoft Entra ID tenant, initiating phishing simulation campaigns, processing Personal Data of its employees through the Platform, or sharing assessment results or risk reports with third parties.
7.3 Account security
The Customer shall implement appropriate access controls for its Authorized Users, including strong passwords and multi-factor authentication; not share account credentials among multiple individuals; promptly deactivate accounts of Authorized Users who no longer require access; and report any suspected unauthorized access to Ombris within twenty-four (24) hours.
7.4 Prohibited conduct
The Customer shall not:
- Sublicense, resell, rent, or lease the Platform to any third party without Ombris’s prior written consent.
- Use the Platform for any purpose other than the Customer’s internal cybersecurity assessment and awareness programs.
- Attempt to gain unauthorized access to any part of the Platform, other customers’ data, or Ombris’s infrastructure.
- Interfere with or disrupt the integrity or performance of the Platform.
- Use the Platform to store or transmit malicious code, viruses, or harmful content.
- Use automated scripts, bots, or crawlers to access the Platform except through Ombris-provided APIs and within documented rate limits.
08Intellectual property
8.1 Ombris intellectual property
Ombris retains all right, title, and interest in and to the Platform, including all software, algorithms, security indicator definitions, remediation guidance, templates, user interfaces, documentation, trademarks, and other intellectual property. The Customer is granted a limited, non-exclusive, non-transferable, revocable license to access and use the Platform during the Subscription Term solely for the purposes set out in this Agreement.
8.2 Customer data ownership
The Customer retains all right, title, and interest in and to Customer Data. Ombris shall not acquire any ownership rights in Customer Data by reason of this Agreement.
8.3 Scan results and reports
Reports, findings, risk scores, and compliance assessments generated by the Platform based on Customer Data are provided to the Customer for its internal use. The underlying algorithms, scoring methodologies, indicator logic, and assessment frameworks remain the exclusive intellectual property of Ombris.
8.4 Feedback
If the Customer provides Ombris with suggestions, enhancement requests, or recommendations regarding the Platform, Ombris shall have an unrestricted, perpetual, irrevocable, royalty-free license to use such Feedback for any purpose, including to improve the Platform.
8.5 Restrictions
The Customer shall not:
- Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Platform.
- Modify, adapt, translate, or create derivative works based on the Platform.
- Copy, reproduce, or duplicate any part of the Platform except as expressly permitted.
- Remove, alter, or obscure any proprietary notices, labels, or markings on the Platform.
- Use Ombris’s name, logo, or trademarks without prior written consent, except to identify Ombris as a service provider in the ordinary course of business.
8.6 Aggregated and anonymized data
Ombris may create aggregated and anonymized statistical data derived from the Customer’s use of the Platform, provided that such data does not identify the Customer, any Authorized User, or any individual. Ombris may use Aggregated Data for benchmarking, product improvement, research, and industry reporting purposes.
09Data protection and security
9.1 Data Processing Policy
The processing of Personal Data through the Platform is governed by the Ombris Data Processing Policy, which is incorporated by reference into this Agreement. In the event of a conflict between this Agreement and the Data Processing Policy regarding data protection matters, the Data Processing Policy shall prevail.
9.2 Roles
The Customer acts as the Data Controller, and Ombris acts as the Data Processor with respect to Personal Data processed through the Platform. The respective obligations of each party are set out in the Data Processing Policy.
9.3 Security measures
Ombris implements and maintains appropriate technical and organizational measures to protect Customer Data, including TLS 1.2+ encryption in transit, AES-256 encryption at rest (AES-256-CBC for Microsoft Graph API tokens), role-based access control, AWS VPC isolation with Web Application Firewall and DDoS protection, and immutable append-only audit logs for all administrative actions.
9.4 Data breach notification
In the event of a confirmed data breach affecting Customer Data, Ombris shall notify the Customer without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach, provide sufficient information to enable the Customer to fulfill its own breach notification obligations, take all reasonable steps to contain and remediate the breach, and provide a detailed post-incident report within thirty (30) days.
10Service level and availability
10.1 Uptime target
Ombris shall use commercially reasonable efforts to maintain Platform availability of ninety-nine point nine percent (99.9%) uptime during each calendar month.
10.2 Downtime exclusions
“Downtime” does not include:
- Scheduled maintenance windows, for which Ombris shall provide at least forty-eight (48) hours’ advance notice.
- Emergency maintenance required to address security vulnerabilities or critical system issues.
- Unavailability caused by factors outside Ombris’s reasonable control, including Microsoft Graph API outages, AWS service disruptions, internet connectivity issues, force majeure events, or actions by the Customer.
- Unavailability resulting from the Customer’s equipment, software, or network connections.
10.3 Service credits
| Monthly uptime percentage | Service credit |
|---|---|
| 99.0% – 99.89% | 10% of monthly Fees |
| 95.0% – 98.99% | 25% of monthly Fees |
| Below 95.0% | 50% of monthly Fees |
Service credits shall be the Customer’s sole and exclusive remedy for Ombris’s failure to meet the uptime target and shall not exceed fifty percent (50%) of the monthly Fees for the affected month. To receive a service credit, the Customer must submit a written request within thirty (30) days of the end of the affected month.
10.4 Support
Ombris shall provide technical support to the Customer via email during business hours (Sunday through Thursday, 9:00 AM to 6:00 PM GST), with a target initial response time of eight (8) business hours for standard inquiries and four (4) business hours for critical issues. Additional support tiers may be offered for an additional fee as specified in the Order Form.
11Limitation of liability
11.1 Cap on direct damages
11.2 Exclusion of indirect damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY SHALL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOSS OF REVENUE, PROFIT, BUSINESS, ANTICIPATED SAVINGS, DATA OR DATA CORRUPTION (EXCEPT WHERE CAUSED BY OMBRIS’S BREACH OF ITS DATA PROTECTION OBLIGATIONS), GOODWILL OR REPUTATION, COST OF PROCUREMENT OF SUBSTITUTE SERVICES, OR ANY DAMAGES ARISING FROM BUSINESS INTERRUPTION, REGARDLESS OF WHETHER SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
11.3 Exceptions to limitation
The limitations in Sections 11.1 and 11.2 shall not apply to:
- Either party’s indemnification obligations under Section 12.
- The Customer’s obligation to pay Fees.
- Damages arising from a party’s gross negligence or willful misconduct.
- Damages arising from a party’s breach of its confidentiality obligations.
- Ombris’s liability for a data breach caused by Ombris’s failure to implement the security measures described in this Agreement and the Data Processing Policy.
11.4 Assessment results disclaimer
The Customer acknowledges that EntraScan results, risk scores, compliance assessments, and phishing simulation results are provided for informational and advisory purposes only. Ombris does not warrant that its assessments will identify all security vulnerabilities, misconfigurations, or threats. The Customer is solely responsible for evaluating assessment results and making security decisions based on its own judgment and risk tolerance.
11.5 Force majeure
Neither party shall be liable for any failure or delay in performing its obligations under this Agreement to the extent that such failure or delay is caused by circumstances beyond its reasonable control, including natural disasters, acts of war or terrorism, pandemics, government actions, power outages, internet service provider failures, or third-party service disruptions. If the force majeure event continues for more than sixty (60) consecutive days, either party may terminate this Agreement upon written notice.
12Indemnification
12.1 Ombris indemnification
Ombris shall defend, indemnify, and hold harmless the Customer from and against any third-party claims arising from Ombris’s infringement of any third party’s intellectual property rights through the Platform, Ombris’s material breach of its data protection obligations, or Ombris’s gross negligence or willful misconduct in the performance of the Services.
12.2 Customer indemnification
The Customer shall defend, indemnify, and hold harmless Ombris from and against any third-party claims arising from the Customer’s use of the Platform in violation of this Agreement, the Customer’s failure to obtain required consents or authorizations for phishing simulations or Microsoft Entra ID access, the Customer’s violation of applicable laws or regulations, any third-party claims arising from phishing simulation campaigns conducted by the Customer, or Customer Data that infringes any third party’s rights.
12.3 Procedure
The indemnifying party’s obligations are conditioned upon the indemnified party providing prompt written notice of the claim, granting the indemnifying party sole control of the defense and settlement of the claim, and providing reasonable cooperation and assistance in the defense of the claim at the indemnifying party’s expense.
12.4 Indemnification cap
Each party’s total aggregate indemnification obligations under this Section 12 shall not exceed two times (2x) the Liability Cap defined in Section 11.1, except in cases of gross negligence or willful misconduct.
13Termination
13.1 Subscription term and renewal
The initial Subscription Term is specified in the applicable Order Form. Unless otherwise specified, the Subscription Term shall automatically renew for successive periods equal to the initial Subscription Term, unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.
13.2 Termination for convenience
Either party may terminate this Agreement for convenience by providing the other party with thirty (30) days’ written notice. If the Customer terminates for convenience during a Subscription Term, the Customer shall not be entitled to a refund of any prepaid Fees for the remainder of the term.
13.3 Termination for cause
Either party may terminate this Agreement immediately upon written notice if the other party commits a material breach and fails to cure within thirty (30) days of receiving notice, becomes insolvent or files for bankruptcy, or is subject to a change of control that the non-defaulting party reasonably determines would adversely affect the performance of this Agreement.
Ombris may terminate this Agreement or suspend the Customer’s access immediately without notice if the Customer uses the Platform in violation of Section 5.2 or Section 14, if continued provision of the Services would violate applicable law, or if the Customer’s use of the Platform poses a security risk to Ombris or other customers.
13.4 Effect of termination
Upon termination or expiration of this Agreement, the Customer’s right to access and use the Platform shall immediately cease. Ombris shall make Customer Data available for export by the Customer for a period of thirty (30) days following the effective date of termination. After the export period, Ombris shall delete all Customer Data within an additional thirty (30) days, except where retention is required by applicable law. All outstanding Fees for Services rendered prior to termination shall remain due and payable. Microsoft Graph API tokens associated with the Customer’s tenant shall be securely destroyed.
13.5 Surviving provisions
Sections 1 (Definitions), 8 (Intellectual Property), 9.4 (Data Breach Notification), 11 (Limitation of Liability), 12 (Indemnification), 13.4 (Effect of Termination), 13.5 (Surviving Provisions), 15 (Confidentiality), 16 (Governing Law), and 17 (General Provisions) shall survive termination or expiration of this Agreement.
14Acceptable use policy
14.1 Permitted use
The Platform shall be used solely for the Customer’s internal cybersecurity assessment, security awareness testing, risk management, and compliance evaluation purposes.
14.2 Prohibited activities
The Customer shall not, and shall not permit any Authorized User to:
- Use phishing simulation capabilities to target individuals outside the Customer’s organization.
- Use the Platform to conduct actual cyberattacks, social engineering attacks, or fraud against any party.
- Use the Platform for competitive intelligence gathering against Ombris or any other entity.
- Use assessment results to publicly disparage or harm the reputation of any third party.
- Exceed documented API rate limits or use automated tools to scrape Platform data beyond approved integrations.
- Upload malicious content, viruses, or code designed to disrupt or damage the Platform.
- Attempt to access other customers’ data or Ombris’s internal systems.
- Use the Platform in any manner that violates applicable laws or regulations.
14.3 Enforcement
Ombris reserves the right to investigate suspected violations of this Acceptable Use Policy and to take appropriate action, including issuing warnings, suspending access, or terminating this Agreement.
15Confidentiality
15.1 Definition
“Confidential Information” means any non-public information disclosed by one party to the other that is designated as confidential or that a reasonable person would understand to be confidential. Confidential Information includes Customer Data, Platform source code, security assessment methodologies, business plans, pricing, and technical specifications.
15.2 Obligations
The recipient shall use Confidential Information solely for the purposes contemplated by this Agreement; protect Confidential Information with at least the same degree of care it uses to protect its own confidential information, and in no event less than reasonable care; and limit disclosure of Confidential Information to its employees, contractors, and advisors who have a need to know and are bound by confidentiality obligations.
15.3 Exclusions
Confidential Information does not include information that:
- Is or becomes publicly available through no fault of the recipient.
- Was known to the recipient prior to disclosure by the discloser.
- Is independently developed by the recipient without use of the discloser’s Confidential Information.
- Is rightfully received from a third party without restriction on disclosure.
15.4 Compelled disclosure
The recipient may disclose Confidential Information to the extent required by law, regulation, or court order, provided that the recipient (to the extent legally permitted) provides the discloser with prompt written notice and reasonable assistance to contest or limit such disclosure.
16Governing law and dispute resolution
16.1 Governing law
This Agreement shall be governed by and construed in accordance with the laws of the United Arab Emirates, without regard to its conflict of laws principles. For Customers operating within the Dubai International Financial Centre (DIFC), DIFC Law No. 5 of 2020 (as amended) shall apply to data protection matters.
16.2 Amicable resolution
The parties shall attempt to resolve any dispute arising out of or in connection with this Agreement through good faith negotiation for a period of thirty (30) days following written notice of the dispute.
16.3 Arbitration
If the dispute is not resolved through negotiation, either party may submit the dispute to binding arbitration administered by the Dubai International Arbitration Centre (DIAC) in accordance with its rules. The arbitration shall be conducted in English, in Dubai, UAE, before a single arbitrator. The award of the arbitrator shall be final and binding.
16.4 Injunctive relief
Notwithstanding the foregoing, either party may seek injunctive or other equitable relief from the DIFC Courts or the Dubai Courts to prevent or restrain any breach or threatened breach of this Agreement involving intellectual property rights, confidentiality obligations, or data protection obligations, without the requirement to post a bond.
16.5 Applicable data protection law
Where the processing of Personal Data is subject to the GDPR or the Turkish Personal Data Protection Law, the provisions of such laws shall apply to the extent they impose additional or more protective obligations than UAE law, and disputes relating to such processing may be brought before the competent supervisory authority or courts under those laws.
17General provisions
17.1 Entire agreement
This Agreement, together with the Privacy Policy, the Data Processing Policy, and any applicable Order Forms, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior or contemporaneous agreements, proposals, negotiations, representations, or communications.
17.2 Amendments
Ombris may update these Terms and Conditions from time to time. Ombris shall provide the Customer with at least thirty (30) days’ prior notice of material changes via email and through a notification within the Platform. Continued use of the Platform after the effective date of the updated Terms constitutes acceptance.
17.3 Waiver
The failure of either party to enforce any provision of this Agreement shall not constitute a waiver of such provision or the right to enforce it at a later time. Any waiver must be in writing and signed by the waiving party.
17.4 Severability
If any provision of this Agreement is held to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, and the remaining provisions shall continue in full force and effect.
17.5 Assignment
The Customer shall not assign or transfer this Agreement without the prior written consent of Ombris. Ombris may assign this Agreement in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets.
17.6 Notices
All notices under this Agreement shall be in writing and shall be deemed delivered when sent by email to the email address registered in the Customer’s account (for notices to the Customer) or to legal@ombris.com (for notices to Ombris).
17.7 Independent contractors
The relationship between the parties is that of independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, employment, or agency relationship between the parties.
17.8 Export compliance and anti-corruption
The Customer shall comply with all applicable export control laws and regulations, including restrictions on the export, re-export, or transfer of technology or data to sanctioned countries, entities, or individuals. Each party represents and warrants that it has not and shall not offer, pay, promise to pay, or authorize the payment of any bribe, kickback, or other improper payment in violation of applicable anti-corruption laws, including the UAE Federal Anti-Corruption Law.
18Contact information
OMBRIS Cyber Security LLC — Dubai, United Arab Emirates
By using the Ombris Platform, the Customer acknowledges that it has read, understood, and agrees to be bound by these Terms and Conditions.