HOW WE WORK TOGETHER

Terms and Conditions
___

Commercial

  1. The Client hereby represents and warrants that they possess full and unencumbered ownership of all Internet Protocol (IP) and Domain Name Service (DNS) addresses submitted to Block8 for the purpose of testing. Furthermore, the Client warrants that they have obtained all necessary authorisations, consents, and permissions to approve the conduct of such testing on the aforementioned IP and DNS addresses including from Internet Service Providers (ISP).

  2. Commercial agreements are defined as Letter of Engagement (LoE).

  3. All engagements are provided on a Fixed Price basis, based on a fixed scope as defined in the LoE.

  4. LoEs are valid for 30 days from the date of issue.

  5. Payment is required prior to delivery of the engagement.

  6. Engagements are defined as Scheduling, Testing and Reporting.

  7. All Penetration Testing, including Vulnerability Assessment, activities will be performed remotely.

  8. Deliverables documents are defined as Reports.

  9. Deliverable documents will be deemed accepted if no response is received within 5 days of the date of delivery.

  10. Block8 offers a free re-test of Critical or High-level vulnerabilities within 45 days of the original test. This gives you time to remediate the vulnerabilities identified, following the recommendations provided by Block8, and provides a clean re-test result with a certificate for the Client.

  11. All documentation will be provided using Block8 standard templates.

  12. The Client is responsible for ensuring that, on the dates and times requested for testing, no business critical activities are being undertaken involving the technologies scheduled for testing.

  13. To the fullest extent permitted by law, Block8 are not liable for indirect, incidental, or consequential damages, including loss of profits, data, or business opportunities, arising from the Client's use of the Services. The total liability is limited to the amount paid for the Services during the 12 months preceding the event giving rise to the claim.

  14. Block8 may suspend or terminate the Client's account or access to the Services for any violation of these Terms or at the discretion of Block8, without notice or liability. Upon termination, the Client's right to use the Services ceases immediately, and Block8 may delete the Client's data unless required by law to retain it.

  15. Block8 reserve the right to modify, suspend, or discontinue any part of the Services at any time without prior notice. Block8 are not liable for any interruptions or delays in the Services due to technical issues, maintenance, or other unforeseen circumstances. Block8 do not guarantee the availability, functionality, or accuracy of the Services at all times.

  16. Block8 strive to ensure that the information on the Block8 website and within the Services is accurate, complete, and up-to-date. However, Block8 do not warrant that all content is free from errors or omissions. Block8 reserve the right to correct any inaccuracies, errors, or omissions and to update information without prior notice, including pricing, descriptions, availability and various other information.

  17. In commissioning this engagement, the Client confirms that they have taken steps to prevent any potential issues or damage caused by testing. It is the responsibility and liability of the Client to ensure that consideration has been given to the organisation's operational needs, and the Client accepts that, whilst unlikely, penetration testing has the potential to cause issues or outages.

  18. On termination of the Engagement:

    1. The accrued rights and remedies of each Party remain unaffected.

    2. Each party shall at the other party’s option, either destroy or return to the other party any of its Confidential Information, including any copies thereof in its possession or control.

    3. In respect of a termination effected by Block8, parties are to discuss ownership of the IP in any work product arising out of the performance of the services, and licensing for that work product.

  19. Block8 has no liability if:

    1. the allegation of infringement is a result of a modification of the engagement not performed or approved by Block8;

    2. the allegation of infringement is a result of use with any non-Block8 supplied third party product;

  20. Each party shall retain all rights to the Confidential Information of that party owned prior to entry into this Agreement. If any Confidential Information of a party is used by the non-owning party under or in connection with this Agreement, such utilisation shall not transfer, or imply the transfer, of ownership of said Confidential Information to the non-owning party. Parties must discuss and agree in writing the ownership of the IP in any work product arising out of the performance of the Services, and licensing arrangements for that Work Product.

  21. The Confidential Information of each party is valuable to it. Each party must keep the Confidential Information of the other party as confidential. A recipient of Confidential Information may only use the Confidential Information of the discloser for the purposes of performing its obligations under the commercial agreement. A recipient must:

    1. not disclose Confidential Information of the discloser to any person except if permitted by the commercial agreement; and

    2. not permit or assist any person to make any unauthorised use of the discloser’s Confidential Information. A recipient may disclose Confidential Information of the discloser to:

      • (where the recipient is Block8) employees, officers and directors of Block8, but only strictly on a "need-to-know" basis;

      • (where the recipient is the Client) employees, officers and directors of the Client; or

      • any other person with the discloser's prior written consent (such consent to be given or withheld in the disclosing party's absolute discretion). Before doing so, the recipient must ensure that those persons are aware of the confidential nature of the Confidential Information and are bound by confidentiality obligations consistent with the commercial Agreement.

  22. Client Data remains the property of Client at all times. Except as required by law, Block8 must:

    1. not use Client Data for any purpose other than directly for the performance of its obligations under the commercial agreement;

    2. not, and must ensure that Block8 personnel do not, sell, commercially exploit, mine, analyse, let for hire, assign rights in or otherwise dispose of any Client Data;

    3. not make any Client Data available to a third party other than an approved subcontractor and then only as is necessary for the approved subcontractor to perform; and

    4. not remove or transfer Client Data to any non-Client premises or systems without obtaining the prior approval of the Client.

  23. A recipient’s obligations in respect of all Confidential Information received under or in connection with the commercial agreement commences on the date of the commercial agreement and continues until the date which is two (2) years after the date the commercial agreement expires or is terminated, except to the extent that the discloser specifically releases the recipient by written notice.

  24. The rights and obligations of a recipient continue beyond the two (2) year period under clause 17 where the discloser is bound by a contract with a third party to keep the Confidential Information confidential for a longer or indefinite period of time.

  25. Termination of the commercial agreement shall not affect any accrued rights or remedies to which a discloser is entitled.

  26. To the fullest extent permitted by law, except for IP infringement claims, breach of confidentiality, personal injury or death or the loss of or damage to property of the Client, fraud and wilful misconduct caused by negligence or wilful default of Block8, Block8's liability to the Client for any damage, loss or liability for any cause whatsoever, regardless of the form of action, will be limited to the total amount of fees paid by the Client (as set out below) under or in any way connected with the commercial Agreement.

  27. Each party represents, warrants and agrees that it has not made nor will make, directly or indirectly:

    1. any unlawful offer, payment, promise to give or authorisation of the giving of anything of value, directly or indirectly, to or for the use or benefit of any Public Official for the purpose of influencing any discretionary act or decision by such Public Official or of gaining an undue advantage in connection with the matters which are the subject of this Agreement, or for any other purpose, in connection with the matters which are the subject of the Head Agreement, which would breach an Anti-Corruption Law;

    2. any such unlawful offer, payment, gift, promise or authorisation to or for the use or benefit of any other person if the party or its affiliates knows, has a firm belief, or is aware that there is a high probability, that the other person would use such offer, payment, gift, promise or authorisation for any of the purposes described in paragraph (1)(i) and which would breach an Anti-Corruption Law; and

    3. each must respond promptly, and in reasonable detail, to any request for information from the other party or its auditors pertaining to the warranties and agreements stated in paragraph (1)(i) and (1)(ii) and must furnish documentary support for such response upon being reasonably requested to do so by such other party.

General Conditions

  1. Any waiver by a party of any term, condition or obligation in the commercial Agreement, express or implied, shall not operate as a waiver of a continuing or recurring breach of the same or any other term, condition or obligation.

  2. The commercial Agreement embodies the entire agreement and understanding between the parties with respect to all matters referred to in it.

  3. No variation of the commercial agreement shall be valid unless it is in writing and signed by or on behalf of each of the parties.

  4. The commercial Agreement is governed by the laws in force in the country of operation.

  5. The provisions of the commercial agreement are and shall be construed to be divisible and severable to the effect that if any provision hereof shall at any time be found or declared invalid, void, voidable or unenforceable the remaining provisions shall remain valid and enforceable.

  6. The commercial Agreement does not create a partnership, agency, fiduciary or any other relationship, except the relationship of contracting parties, between the parties.

  7. No party is liable for an act or omission of another party, except to the extent set out in the commercial agreement.

  8. The commercial agreement is properly executed if each party executes the commercial agreement or an identical document. In the former case, the commercial agreement takes effect when the last party executes the commercial agreement. In the latter case, the commercial agreement takes effect when the last of the identical documents is executed.

  9. Evidence of execution of the commercial agreement by a party may be shown by email or a PDF copy of the executed Head Agreement.

  10. The provisions of the commercial agreement do not merge with any action performed or document executed by any party for the performance of the commercial agreement.

  11. Except as expressly permitted by the commercial agreement a party must not assign any of its rights and obligations under the commercial agreement without the prior written consent of the other parties. That consent may be given or withheld at a party’s absolute discretion.

  12. A person who is not a party to the commercial agreement does not have any rights under or in connection with it.

  13. To the full extent permitted by law, any legislation that adversely affects a right, remedy or obligation of a party, under or relating to the commercial agreement is excluded.

  14. Except as otherwise agreed by the parties in writing, each party must pay its own costs in relation to preparing, negotiating and executing the commercial agreement and any document related to the commercial agreement.

  15. Subject to the conditions applied to Intellectual Property, Confidentiality and Client Data, the obligations in the commercial agreement survive the termination or purported termination of the commercial agreement.

Legislation and Regulations

The following laws and regulations apply to engagements carried out in the stated jurisdictions or concerning the specified subject matter:

  • The Privacy Act 1998 (Australia) and subsequent amendments

  • Information Privacy Act 2014 (Australian Capital Territory)

  • Information Act 2002 (Northern Territory)

  • Privacy and Personal Information Protection Act 1998 (New South Wales)

  • Information Privacy Act 2009 (Queensland)

  • Personal Information Protection Act 2004 (Tasmania)

  • Privacy and Data Protection Act 2014 (Victoria)

  • The Freedom of Information Act 1992 (Western Australia)

  • EU General Data Protection Regulation (EU Citizen Data)

  • Cybercrime Act 2001 (Australia)

  • Copyright Act 1968 (Australia)

  • Corporations Act 2001 (Australia)

Glossary of Terms

Adaptive Process

An adaptive process is a dynamic approach that adjusts its behaviour or parameters in response to changing conditions or feedback. It involves continuous monitoring, evaluation, and modification to achieve optimal performance or outcomes.

AI

Artificial Intelligence. The simulation of human intelligence by software, enabling machines to perform tasks that typically require human cognition.

Block8

Block8.ai is the next evolution in cybersecurity. Our cutting-edge platform harnesses Artificial Intelligence (AI) to conduct comprehensive Penetration Testing with unprecedented speed and precision. Block8.ai leverages Artificial Intelligence to transform traditional Penetration Testing into a continuous, adaptive process, identifying and exploiting vulnerabilities from multiple angles with speed and efficiency beyond human limitations. Furthermore, Block8.ai ensures every finding is validated by cybersecurity experts to ensure accuracy, quality, and relevance, providing a thorough assessment of the Client's defences.

Cloud

Cloud Computing. The use of a network of remote servers hosted on the internet to store, manage, and process data, rather than using a local server or a personal computer. The most common cloud computing services are provided by Amazon, Microsoft and Google.

Cloud Based Scalability

Use of cloud technology to provide an infinitely scalable solution allowing the organisation to grow in the confidence that the cloud solution has the capability to match that growth.

Confidential Information

Information that is considered by either party to be data which is private to that organisation that should not be shared or made publicly available. This term may incorporate privacy information.

Cyber

The term ‘Cyber’ is now commonly used in place of ‘information security’ to define the industry of protecting the Confidentiality, Integrity and Availability of the information that is owned by or entrusted to an organisation.

Exploit

The act of taking advantage of a weakness or flaw in a system, software, or hardware to gain unauthorised access, execute malicious code, or cause harm.

Human Validation

Whilst the AI revolution is often viewed as a means to replace human activity in a process, Block8 understands the limitations of current AI technologies. Through the Block8 defined processes, human penetration testing Subject Matter Experts (SMEs) are employed to validate all AI processes. This significantly reduces the potential for error, providing our clients with the best of both worlds.

JIT

Just in Time. JIT is the common term given to the practice of applying security controls in a blanket format, with access to systems, information or services only being provided when required for a justified task.

Legislation

The term legislation refers to the implementation of law through the production and approval of Acts such as the Privacy Act.

LLM

Large Language Model. An LLM is a language model trained by machine learning processes and used in AI. An LLM is built from vast amounts of textual content.

LoE

Letter of Engagement. An LoE defines in detail the service to be provided. This may include such detail as:

  • the IP addresses or the URL to be tested

  • the originating IP address for the test

  • conditions for testing (exemptions etc.)

  • contact details including escalation points in the event of an issue

The LoE is normally required to have been signed by the Client before a test can commence.

Next Generation Penetration Testing

Penetration testing has been a staple of every organisation's security controls for more than 25 years. Block8 provides the next level of evolution, utilising the power of AI technologies and the vast experience gained by human penetration test experts.

OAIC

The Office of the Australian Information Commissioner. The OAIC is the government regulatory body that regulates the Privacy Act and its subsequent amendments.

PCI

Payment Card Industry. PCI is the industry regulation for the secure handling of credit card information. Any organisation that wishes to store, process or transmit credit card information is required to comply with the PCI Data Security Standard (DSS).

Penetration Test

A controlled attack on a computer system, network or application to identify security vulnerabilities that threat actors might exploit.

Privacy

Privacy is a fundamental human right that underpins freedom of association, thought and expression, as well as freedom from discrimination. Privacy is defined in law through privacy legislation specific to each country. In Australia privacy is defined through the Privacy Act 1988 and subsequent amendments.

Regulatory Compliance

The regulators of many industries impose compliance requirements upon organisations working within that industry.

Report

Report refers to the document used to provide information regarding the conduct of the test. Typically a report includes as a minimum:

  • An Executive Summary which provides a non-technical description of the findings that can be distributed to management and executive levels of an organisation.

  • Details of key findings of the test.

  • Detailed remediation advice empowering the report recipient to secure their systems and networks.

Re-Test

When an organisation undertakes a penetration test it is common for the test to identify vulnerabilities within an organisation and to define the remediation activities necessary to increase security. A re-test gives the organisation the ability to generate a fresh report that takes into account the good work performed by the organisation to increase their security posture.

Self Service Reporting

Block8 provides the ability for clients to define their own reporting requirements. This ensures that an organisation receives the level of reporting specifically necessary to that organisation.

SoW

Statement of Work. The SoW is the agreed definition of the service to be provided. The SoW includes details of the service to be provided and of the scope or extent of the work to be undertaken. An SoW is used by a service provider to define the service being proposed.

T&Cs

Terms and Conditions. The terms and conditions for engaging with Block8 have been documented and are published on the website and as part of the Statement of Work.

Test

Whilst the common term Penetration Test is used, the activity would be better described as an assessment by which an organisation can gain a detailed understanding of the secure status of their networks.

Threat Actor

Threat actor is the term given to any individual, group, or entity that intentionally causes harm or disruption to computer systems, networks, or data, often by exploiting vulnerabilities. They are considered to be a security risk and can encompass a wide range of actors, such as cybercriminals, nation-state actors, hacktivists, and even insiders.

Threat Intelligence

Threat intelligence is the process of gathering, analysing, and interpreting information about existing and potential cyber threats to help organisations proactively defend against them. It transforms raw data into actionable insights, enabling security teams to make informed decisions and enhance their security posture. Essentially, threat intelligence provides a deeper understanding of the threat landscape, allowing organisations to identify, assess, and mitigate risks more effectively.

Vulnerability

A technical vulnerability is a weakness in a computer system, network, device or software that can be exploited by a threat actor to gain unauthorised access, cause damage, or disrupt operations. These weaknesses can stem from flaws in the system's design, incorrect configuration, incorrect implementation, or from human error.

Vulnerability Assessment (VA)

The identification of vulnerabilities within a target environment. VA is the first phase in a penetration test.

Web Application

A software program (application) which is Internet facing and can be accessed by authorised persons from locations external to the organisation hosting the application. Web based applications need extensive security due to their published location.