Offensity END USER SERVICE AGREEMENT (EUSA) applicable between A1 Digital International GmbH (A1 DIGITAL) and CUSTOMER for Offensity Services purchased from Authorized Reseller.
By accessing the DASHBOARD or by utilizing the SERVICE, CUSTOMER agrees to comply with the terms and conditions of this EUSA as stipulated below. The acceptance of terms and conditions of this EUSA by CUSTOMER is prerequisite for use of the SERVICE by CUSTOMER. The SERVICE is not available to persons who are not legally eligible to be bound by this EUSA.
Applicable starting 1 January 2021
“A1 DIGITAL” means A1 Digital International GmbH, Lassallestraße 9, 1020 Vienna, Austria
“Authorized Reseller or RESELLER” means an entity entitled to resell the SERVICE to “CUSTOMER”.
“CUSTOMER” means the end-customer to whom the RESELLER resells the SERVICE; a company within the meaning of Article 1 (2) of Austrian Consumer Protection Act (Konsumentenschutzgesetz – KSchG).
“DASHBOARD” means an online tool to manage OFFENSITY SAAS.
“EUSA” means End User Service Agreement, the terms and conditions each USER has to accept in order to get access to OFFENSITY SAAS.
“SERVICE” or “OFFENSITY SAAS” means the services provided in scope of the Offensity Software Solution as described in Chapter 4 of this EUSA or in the Offensity Service Description published on the A1 Digital Website.
“INITIAL CUSTOMER USER” means an employee of the CUSTOMER, nominated by the RESELLER, who has full access to the DASHBOARD to manage the product according to the EUSA. Full access means the ability to create, change or delete other USERS, to grant or change the PTA, and to receive a written report in English of the ongoing scans.
“PTA” or “Permission to attack” means the permission given by the CUSTOMER to the performance of the “intrusive security scans” as described in the EUSA.
“USER” means a person who is authorized to use the OFFENSITY SAAS. This might be the INITIAL CUSTOMER USER, or any USER added and thereby authorized by the INITIAL CUSTOMER USER or by any other USER (e.g. the RESELLER). A USER does not necessarily have to be an employee of the CUSTOMER. For the avoidance of doubt, full access to the DASHBOARD requires the USER to add the RESELLER as a USER to its Customer Account.
CUSTOMER can choose and maintain a RESELLER authorized within its region. If A1 DIGITAL or RESELLER chooses to discontinue doing business with each other, CUSTOMER can choose a replacement RESELLER or purchase the SERVICE directly from A1 DIGITAL, which may require CUSTOMER to accept different terms.
If CUSTOMER purchases the SERVICE from the Authorized Reseller, this EUSA shall apply. In addition (e.g. for ordering, payment…), the Terms and Conditions of the Authorized Reseller shall apply.
3 Usage prerequisites
3.1 Domain ownership
In order to be able to use the SERVICE, the CUSTOMER must either be the domain owner or obtain approval from the domain owner. Without prior and legally binding approval, CUSTOMER shall not authorize the security scans on behalf of the domain owner.
Confirmation that this approval has been obtained can be given by the USER.
3.2 USER authorisations
CUSTOMER shall provide the RESELLER with the following data of the INITIAL CUSTOMER USER:
- first and last name,
- email address.
Please note: CUSTOMER is fully liable for the acts and omissions of the INITIAL CUSTOMER USER.
3.3 Permission to Attack
Before the intrusive security scans as described below are executed, the CUSTOMER shall provide (through the USER) a binding declaration of consent (PTA), stating that the subdomains to be activated under every domain (including the underlying IP addresses) can be scanned for vulnerabilities by Offensity.
The USER can delete already activated domains and subdomains or add additional ones through the DASHBOARD.
For all newly activated domains and subdomains, permission to attack given with respect to previously activated domains and subdomains will apply.
3.4 Technical prerequisites
The CUSTOMER must fulfil the following technical requirements, which are not components of the product:
- a stable Internet connection,
- an Internet browser (Microsoft Edge, Firefox, Chrome).
CUSTOMER acknowledges and agrees that meeting these system requirements, which may be changed from time to time, is CUSTOMER’s responsibility.
4 Scope of performance
In scope of the SERVICE, A1 DIGITAL will provide the following features and deliverables:
- security monitoring including Domain-based asset discovery,
- vulnerability scans,
- risk assessment,
- “deep web” monitoring and
- access to solution-oriented reports on the DASHBOARD.
This service does not include any technical support services.
In case of questions regarding the SERVICE or invoices the CUSTOMER shall contact the RESELLER.
In case of questions regarding the service availability and data protection, CUSTOMER can send an email to firstname.lastname@example.org.
4.1 Domain-based asset discovery
Based on the customer’s domain name (e.g. “example.com”), the corresponding, externally accessible IT systems are surveyed. This includes, for instance, Domain Name System (DNS) and email servers as well as subdomains.
4.1.1 Domain control validation
When the domain is activated, CUSTOMER can choose between the following three “state-of-the-art” technical methods by which Offensity verifies their domain ownership:
- Email-based domain control validation: When the order is placed, an email address is selected from a shortlist of acceptable options. An email containing a unique validation code is sent to that address; it should be received by someone in control of the domain. The acceptable email addresses for any given domain are, for instance, admin@, administrator@, hostmaster@, postmaster@, or any administrator, registrant, tech or zone contact email address that appears on the domain’s WHOIS record and is visible to us.
- DNS-based domain control validation: The CUSTOMER has to publish a predefined text code as a DNS TXT record in its DNS management console.
- HTTP-based domain control validation: The registrant has to upload an authentication file to the root folder of its website.
4.2 Vulnerability scans and risk assessment
The systems are examined on the network side, from the Internet, with the help of security scanners and automated analyses to obtain information that an attacker can use to prepare and execute virtual break-ins. The tools used currently check known vulnerabilities in network components, operating systems, applications and protocols if they can be verified from the Internet. They are evaluated in the framework of an automated risk analysis.
The CUSTOMER shall ensure that the systems used for vulnerability scans are excluded from dynamic security restrictions (e.g. web application firewalls, fail2ban, etc.). An exception from static security measures (such as a packet filtering firewall) is possible, but A1 Digital does not recommend it.
The source systems and their IP address ranges used for vulnerability scans by OFFENSITY SAAS shall be reported to the CUSTOMER upon request via email to email@example.com. Offensity scans a maximum of one underlying IP address per subdomain.
4.2.1 Vulnerability scans
The vulnerability scans (“security scans”) can be “intrusive” and “non-intrusive”.
- Intrusive security scans are scans that can circumvent the technical or organisational security measures. These scans require legally binding consent from the CUSTOMER or via the USER stating that the activated subdomains under each domain (including the underlying IP addresses) can be scanned for vulnerabilities by Offensity (see Chapter 3.3 “Permission To Attack”). Without such a declaration of consent, these scans may be illegal.
- Non-intrusive security scans are scans that do not circumvent any technical or organisational security measures to determine the presence of vulnerabilities. This includes, for instance, determining software versions. Generally, this does not require consent from the system owner.
4.2.2 Risk assessments
The risk status is documented and can be compared with past results at any time. When new vulnerabilities are found, the customer infrastructure will be checked for susceptibility depending on the technical options, feasibility, risk potential and relevance.
4.3 “Deep web” monitoring
Involuntarily published data sets from third-party platforms can result in security problems, because email addresses and login credentials of users of these platforms can fall into the hands of outside parties. Offensity monitors the “deep web” (also called the “hidden web”) to detect published data. Discovered data sets are selected and verified based on the customer domain in order to promptly inform customers of published data sets.
Offensity compares the customer’s domains and IP addresses against public and partially public blocklists and blacklists in order to detect a limitation of the customer’s services as early as possible. Entries in these lists can also indicate misuse or compromise of customer systems.
4.4 Solution-oriented reports
The results of the ongoing scans are made available in the form of a written report via the DASHBOARD. The potentially detected vulnerabilities are categorised, the vulnerability is described and, if applicable, additional information and instructions will be provided to rectify the vulnerability. The report is drafted in English.
5 Service availability
A1 Digital shall comply with service availability provisions as follows:
- Usage time (i.e. period during which the SERVICE is available for the CUSTOMER to use): Monday to Friday, 09:00 am - 5:00 pm.
- Observation period: one calendar year
- Availability: 96%
Note: The availability, expressed as a percentage, is the ratio between the time during which an agreed upon service was usable in accordance with the contract and the observation period. Only critical errors are relevant to availability.
Availability [%] = ((Observation period − unavailable time) / Observation period) × 100
- Maintenance window: Wednesday from 2:00 pm to 6:00 pm
Note: Regular maintenance of the SERVICE may require a scheduled interruption of the SERVICE. Interruptions required to perform maintenance on the SERVICE will therefore be planned by A1 DIGITAL for the period of time defined as the maintenance window. In addition, special maintenance work required for operation may be performed by A1 DIGITAL outside the maintenance window. External delays can result in an extension of the maintenance work, for which A1 DIGITAL is not responsible.
Service availability provisions shall not apply in case of Force Majeure Events and/or in case of breach of this EUSA by CUSTOMER, including but not limited to its payment obligations against the RESELLER.
6 Exclusion of liability
Please note that the execution of security scans may limit the availability and integrity of the target systems. It is possible that proper operation may only be able to be restored by manually accessing the target system. That means, for instance, that websites on the target system may no longer be reachable or that registrations, logins or orders may be executed with incorrect data. A1 DIGITAL is not liable in this respect.
Every identified subdomain must be explicitly released by the customer so it can be scanned. By activating the subdomain, the customer bindingly declares it is authorised to have the underlying IP addresses attacked. When changing the DNS entries to additional or other IP addresses, the customer is obligated to deactivate the subdomain. If it is not deactivated, Offensity is allowed to assume that the customer is authorised to attack the updated IP addresses.
It is the sole responsibility of the CUSTOMER to clarify and resolve all questions pertaining to rights to the domains (e.g. registration, ownership, blocks, purchasing, rental, leasing, sharing, copyrights, name rights, trademarks, etc.) and other potentially resulting conflicts before issuing a PTA.
A1 DIGITAL is only liable in the event of intent or gross negligence. Liability for lost profit, missed savings, loss of interest, direct and consequential damages, immaterial damages, damages from claims of third parties as well as claims for lost or modified data is excluded. A1 DIGITAL’s liability for each damaging event is limited to the yearly fee paid by the CUSTOMER to the RESELLER for the SERVICE, but in any case to a maximum of EUR 7,000.
Under no circumstances will A1 Digital be liable in any way for any existing vulnerabilities not detected by the SERVICE. All technical tests and assessments do not guarantee absolute security for systems, data or processes as depending on the selected configuration, some vulnerabilities cannot be recognized.
The CUSTOMER shall fully indemnify A1 DIGITAL against all claims for damages asserted and suits filed by third parties based on a breach of provisions in this EUSA by the CUSTOMER.
8 Suspension by A1 Digital
A1 DIGITAL shall have the right to immediately suspend the SERVICE and/or the access to the DASHBOARD in the event that:
- CUSTOMER has breached this EUSA; or
- A1 DIGITAL receives a justified request from the RESELLER to do so.
9 Data protection
During the performance of the services specified in this EUSA and for 5 (five) years after termination thereof, CUSTOMER and A1 DIGITAL shall treat confidential information, such as vulnerabilities and data sets detected by the SERVICE, confidentially and shall disclose it only to those persons or authorized third parties who have a need to know with regard to such confidential information.
10 Licence rights
The customer is entitled to the non-exclusive and non-transferable right to use the SERVICE according to this EUSA for the duration of the contractual relationship with RESELLER. The CUSTOMER shall not acquire any rights to software used in the course of the provision of the services specified in this EUSA.
11 Governing Law and Jurisdiction
This EUSA shall be exclusively subject to Austrian law excluding its conflict of laws principles. Moreover, the court of jurisdiction shall be the competent Court in the First District of Vienna.