Terms and Conditions of Service

PLEASE READ THESE TERMS AND CONDITIONS OF SERVICE ("AGREEMENT") CAREFULLY BEFORE USING THE SERVICES PROVIDED BY BRIGHT DEFENSE, LLC, A CALIFORNIA LIMITED LIABILITY COMPANY ("BRIGHT DEFENSE," "COMPANY," "WE," OR "US"). IT CONTAINS VERY IMPORTANT INFORMATION REGARDING YOUR RIGHTS AND OBLIGATIONS, INCLUDING LIMITATIONS AND EXCLUSIONS THAT MIGHT APPLY TO YOU. BY EXECUTING AN ORDER FORM, STATEMENT OF WORK, OR BY ACCESSING OR USING ANY SERVICES, THE CLIENT ("YOU" OR "CLIENT") AGREES TO BE LEGALLY BOUND BY THESE TERMS. IF YOU DO NOT AGREE, DO NOT ACCESS OR USE THE SERVICES.

  1. DEFINITIONS

As used in this Agreement, the following terms have the meanings set forth below:

  • “Agreement” means these Terms and Conditions, together with any Order Form, Statement of Work, or Schedule incorporated herein by reference.
  • “Authorized User” means any employee, contractor, or agent of Client who is authorized by Client to access and use the Services on Client’s behalf.
  • “Client Data” means all data, information, and materials submitted by Client or its Authorized Users to Bright Defense in connection with the Services.
  • “Compliance Framework” means any regulatory or industry standard addressed by the Services, including without limitation SOC 2, ISO 27001, HIPAA, and CMMC.
  • “Confidential Information” has the meaning set forth in Section 9.
  • “Documentation” means user manuals, technical specifications, and other materials provided by Bright Defense describing the features and functionality of the Services.
  • “Fees” means all amounts payable by Client to Bright Defense under this Agreement.
  • “Order Form” means a written or electronic order document executed by both parties that describes the specific Services purchased, applicable Fees, and Subscription Plan (if any).
  • “Services” means the cybersecurity compliance services, subscription plans, vCISO advisory services, security awareness training, penetration testing, and compliance automation services provided by Bright Defense, as further described in Section 3.
  • “Subscription Plan” means a tiered plan subscribed to by Client pursuant to an Order Form.
  • “Term” has the meaning set forth in Section 12.
  2. ACCEPTANCE OF TERMS
    • Binding Agreement. By (a) executing an Order Form or Statement of Work, (b) accessing or using any Service, or (c) clicking "I Agree" or similar button, Client agrees to be bound by this Agreement. If Client is entering into this Agreement on behalf of a company or other legal entity, Client represents that it has the authority to bind such entity to this Agreement.
    • Cancellation. Your receipt of an electronic or other form of order confirmation does not signify our acceptance of your order, nor does it constitute confirmation of our offer to sell. We reserve the right at any time after receipt of your order to accept, decline, or limit your order for any reason, whether or not your credit card has been charged. If your credit card has been charged and your order is canceled, you will receive a prompt refund credit to your account.
    • Updates to Terms. Bright Defense reserves the right to modify this Agreement at any time. Bright Defense will provide at least thirty (30) days’ prior written notice of material changes via email or through the applicable platform. Continued use of the Services after the effective date of any modification constitutes acceptance of the modified Terms.
  3. DESCRIPTION OF SERVICES

Bright Defense agrees to provide the Services described in Client’s Order Form or Statement of Work (collectively “Order Form”), subject to the scope set forth in the applicable Order Form.

  4. FEES AND PAYMENT
    • Fees. Client agrees to pay all Fees specified in the applicable Order Form. Unless otherwise stated in the Order Form, Fees are billed monthly in advance.
    • Invoicing and Payment. Bright Defense will invoice Client in accordance with the Order Form. Client shall pay all invoices within thirty (30) days of the invoice date. All payments shall be made in U.S. dollars. We accept Visa, Mastercard, American Express, PayPal, and ACH. The use of a credit card for payment will incur a 3% credit card processing fee. You represent and warrant that: (i) the credit card information you supply to us is true, correct and complete; (ii) charges incurred by you will be honored by your credit card company; and (iii) you will pay charges incurred by you at the posted prices, including all applicable taxes, if any.
    • Late Payments. Amounts not paid when due shall accrue interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law, from the due date until paid in full. Bright Defense reserves the right to suspend Services for accounts that are more than thirty (30) days past due, upon written notice to Client.
    • Taxes. Fees are exclusive of all sales, use, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, or local governmental entity. Client is responsible for paying all such taxes, excluding taxes on Bright Defense’s net income. If Bright Defense is required to collect or pay any taxes for which Client is responsible, Bright Defense will invoice Client for such amounts.
    • No Refunds. Except as expressly required by applicable law or as set forth in this Agreement, all Fees are non-refundable.
  5. CLIENT OBLIGATIONS
    • Accurate Information. Client shall provide Bright Defense with accurate, complete, and timely information, materials, and access necessary for Bright Defense to perform the Services. Client acknowledges that the quality of the Services is dependent on the accuracy and completeness of information provided by Client.
    • Authorized Users. Client is responsible for (a) all acts and omissions of its Authorized Users, (b) ensuring that Authorized Users comply with this Agreement, and (c) maintaining the security of Authorized User credentials.
    • Compliance Responsibility. Client retains responsibility for its compliance with all applicable laws, regulations, and Compliance Frameworks. Bright Defense’s Services are advisory and supportive in nature and do not constitute legal or regulatory opinions. Achieving or maintaining certification or compliance under any Compliance Framework is the responsibility of Client.
    • Cooperation. Client shall reasonably cooperate with Bright Defense in connection with the performance of the Services, including promptly responding to requests for information, approvals, or decisions.
    • Prohibited Conduct. Client shall not, and shall ensure its Authorized Users do not: (a) use the Services for any unlawful purpose; (b) interfere with or disrupt the integrity or performance of the Services or related systems; (c) attempt to gain unauthorized access to the Services or related systems; (d) reverse engineer, decompile, or disassemble any software provided by Bright Defense; or (e) use the Services to develop a competing product or service.
  6. INTELLECTUAL PROPERTY
    • Bright Defense IP. Bright Defense retains all right, title, and interest in and to the Services, Documentation, methodologies, tools, templates, software, and all deliverables created by Bright Defense (collectively, “Bright Defense IP”), including all intellectual property rights therein. No rights in Bright Defense IP are granted to Client except as expressly set forth in this Agreement.
    • License to Client. Subject to Client’s payment of all applicable Fees and compliance with this Agreement, Bright Defense grants Client a limited, non-exclusive, non-transferable, non-sublicensable license during the Term to use the Services and Documentation solely for Client’s internal business purposes.
    • Client Data. Client retains all right, title, and interest in and to Client Data. Client grants Bright Defense a non-exclusive, worldwide, royalty-free license to use, process, and store Client Data solely to the extent necessary to provide the Services and as otherwise permitted under this Agreement.
    • Feedback. If Client provides Bright Defense with feedback, suggestions, or ideas regarding the Services (“Feedback”), Client grants Bright Defense a perpetual, irrevocable, royalty-free, worldwide license to use, incorporate, and exploit such Feedback without restriction or compensation to Client.
    • Aggregate Data. Bright Defense may collect and use anonymized, aggregated data derived from Client’s use of the Services for Bright Defense’s internal business purposes, including product improvement, benchmarking, and industry reporting, provided that such data does not identify Client or any individual.
  7. DATA PRIVACY AND SECURITY
    • Data Processing. Each party shall comply with all applicable data protection and privacy laws in connection with the Services and the processing of Client Data, including without limitation the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and the Health Insurance Portability and Accountability Act (HIPAA), to the extent applicable.
    • Business Associate Agreement. To the extent Client is a HIPAA Covered Entity or Business Associate and Client Data includes Protected Health Information (PHI) as defined under HIPAA, the parties shall execute a mutually agreed Business Associate Agreement (BAA) prior to Bright Defense’s access to or processing of any PHI. Absent a signed BAA, Client shall not provide PHI to Bright Defense.
    • Security Measures. Bright Defense shall implement and maintain reasonable administrative, physical, and technical safeguards designed to protect Client Data against unauthorized access, use, disclosure, or destruction. Bright Defense’s information security program is ISO 27001:2022 certified, and Bright Defense shall maintain such certification or a materially equivalent security standard during the Term.
    • Data Breach Notification. Bright Defense shall notify Client without undue delay, and in any event within seventy-two (72) hours of discovery (or such shorter period as required by applicable law), of any confirmed unauthorized access to or disclosure of Client Data (a “Security Incident”). Such notice shall include, to the extent then known, the nature of the Security Incident, the categories of data affected, and the remedial steps Bright Defense has taken or intends to take.
    • Data Retention and Return. Upon termination or expiration of this Agreement, or upon Client’s written request, Bright Defense shall return or securely destroy Client Data in its possession within thirty (30) days, except to the extent Bright Defense is required by law to retain such data.
  8. THIRD-PARTY SERVICES AND TOOLS
    • Third-Party Platforms. The Services may integrate with or rely upon third-party platforms, tools, or services (“Third-Party Services”), including Drata and other compliance automation platforms. Bright Defense makes no representations or warranties regarding Third-Party Services and shall not be liable for any failure, interruption, or change in Third-Party Services.
    • Third-Party Terms. Client’s use of Third-Party Services may be subject to additional terms and conditions imposed by the applicable third-party provider. Client is responsible for reviewing and complying with such terms.
  9. CONFIDENTIALITY
    • Definition. “Confidential Information” means any non-public information disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally, in writing, or electronically, that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure, including without limitation business plans, pricing, technical information, security reports, Client Data, and audit findings.
    • Obligations. The Receiving Party shall: (a) hold all Confidential Information in strict confidence; (b) use Confidential Information only for the purposes of this Agreement; and (c) disclose Confidential Information only to its employees, contractors, and advisors who have a need to know and who are bound by confidentiality obligations no less protective than those set forth herein.
    • Exclusions. Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was already known to the Receiving Party at the time of disclosure; (c) is rightfully received from a third party without restriction; or (d) is independently developed by the Receiving Party without use of Confidential Information.
    • Required Disclosure. If the Receiving Party is required by law or court order to disclose Confidential Information, it shall promptly notify the Disclosing Party (to the extent permitted by law) and cooperate with the Disclosing Party’s efforts to seek a protective order or other appropriate relief.
    • Survival. Confidentiality obligations under this Section 9 shall survive termination or expiration of this Agreement for a period of three (3) years.
  10. DISCLAIMER OF WARRANTIES
    • THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BRIGHT DEFENSE DISCLAIMS ALL WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
    • THE SERVICES ARE ADVISORY AND SUPPORTIVE IN NATURE AND DO NOT CONSTITUTE LEGAL, REGULATORY, OR ACCOUNTING ADVICE OR OPINIONS. CLIENT SHOULD CONSULT QUALIFIED LEGAL COUNSEL AND CERTIFIED AUDITORS FOR SPECIFIC COMPLIANCE AND REGULATORY MATTERS.
  11. LIMITATION OF LIABILITY
    • Exclusion of Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS, LOST REVENUE, LOSS OF DATA, BUSINESS INTERRUPTION, OR LOSS OF GOODWILL), HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY (INCLUDING CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE), EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    • Cap on Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BRIGHT DEFENSE’S TOTAL AGGREGATE LIABILITY TO CLIENT FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS AGREEMENT OR THE SERVICES, REGARDLESS OF THE FORM OF ACTION, SHALL NOT EXCEED THE TOTAL FEES ACTUALLY PAID BY CLIENT TO BRIGHT DEFENSE IN THE SIX (6) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM.
    • Essential Basis. The parties acknowledge that the limitations set forth in this Section 11 reflect a reasonable allocation of risk and form an essential basis of the bargain between the parties. These limitations shall apply notwithstanding any failure of essential purpose of any limited remedy.
    • Exceptions. Nothing in this Agreement shall limit or exclude either party’s liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) gross negligence or willful misconduct; or (d) any liability that cannot be excluded or limited under applicable law.
  12. INDEMNIFICATION
    • By Client. Client shall defend, indemnify, and hold harmless Bright Defense and its members, officers, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Client’s breach of this Agreement; (b) Client’s negligence or willful misconduct; (c) Client’s violation of any applicable law or regulation; or (d) any third-party claim arising from Client Data or Client’s use of the Services in violation of this Agreement.
    • By Bright Defense. Bright Defense shall defend, indemnify, and hold harmless Client and its officers, directors, employees, and agents from and against any third-party claims alleging that the Services, as provided by Bright Defense and used in accordance with this Agreement, infringe any U.S. patent, copyright, trademark, or trade secret. The foregoing obligation does not apply to the extent the claim arises from: (a) Client’s modification of the Services; (b) Client’s combination of the Services with third-party products or services not provided by Bright Defense; (c) Client Data; or (d) Client’s use of the Services in violation of this Agreement.
    • Indemnification Procedure. The indemnified party shall: (a) promptly notify the indemnifying party in writing of the claim; (b) grant the indemnifying party sole control of the defense and settlement of the claim; and (c) reasonably cooperate with the indemnifying party, at the indemnifying party’s expense. The indemnifying party shall not settle any claim in a manner that imposes obligations or restrictions on the indemnified party without prior written consent.
  13. TERM AND TERMINATION
    • Term. This Agreement commences on the effective date and continues for the initial term specified in the Order Form. Unless otherwise specified, Subscription Plans automatically renew for successive twelve (12) month periods unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current term.
    • Termination for Cause. Either party may terminate this Agreement immediately upon written notice if: (a) the other party materially breaches this Agreement and fails to cure such breach within thirty (30) days of written notice describing the breach; or (b) the other party becomes insolvent, makes an assignment for the benefit of creditors, or becomes subject to bankruptcy, receivership, or similar proceedings.
    • Effect of Termination. Upon termination or expiration of this Agreement: (a) all licenses granted to Client shall immediately terminate; (b) Client shall pay all outstanding Fees accrued through the termination date; (c) each party shall promptly return or destroy the other party's Confidential Information; and (d) Sections 1, 4, 6, 9, 10, 11, 12, 14, and 15 shall survive termination or expiration.
    • No Refunds Upon Termination. Except where Bright Defense terminates for cause attributable to Bright Defense, Client shall not be entitled to any refund of prepaid, unused Fees.
  14. GOVERNING LAW; DISPUTE RESOLUTION
    • Governing Law. This Agreement shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of laws principles.
    • Informal Resolution. Before initiating any formal dispute resolution proceeding, the parties shall attempt in good faith to resolve any dispute arising out of or relating to this Agreement through informal negotiation. Either party may initiate informal negotiation by providing written notice to the other party describing the dispute. The parties shall have thirty (30) days from the date of such notice to resolve the dispute informally.
    • Binding Arbitration. If the parties cannot resolve a dispute through informal negotiation, the dispute shall be finally resolved by binding arbitration administered by JAMS pursuant to the JAMS Comprehensive Arbitration Rules and Procedures in effect at the time of the dispute, except as modified herein. The arbitration shall be conducted by a single arbitrator. The arbitration shall take place in Los Angeles County, California, unless the parties mutually agree to a different location or to conduct the arbitration remotely. The arbitrator’s award shall be final and binding, and judgment may be entered on the award in any court of competent jurisdiction.
    • Exceptions to Arbitration. Either party may seek: (a) preliminary injunctive or other equitable relief to prevent actual or threatened infringement of intellectual property rights or unauthorized disclosure of Confidential Information, in any court of competent jurisdiction; or (b) relief in small claims court for disputes within the jurisdictional limits of such court.
    • Costs. Each party shall bear its own costs and attorneys’ fees in any arbitration, unless the arbitrator determines that a party’s claim or defense was frivolous, in which case the arbitrator may award reasonable costs and attorneys’ fees to the prevailing party.
  15. GENERAL PROVISIONS
    • Entire Agreement. This Agreement, together with all Order Forms, Statements of Work, and any incorporated schedules or exhibits, constitutes the entire agreement between the parties with respect to its subject matter and supersedes all prior and contemporaneous agreements, representations, and understandings, whether written or oral, relating to such subject matter.
    • Order of Precedence. In the event of any conflict or inconsistency between this Agreement and an Order Form or Statement of Work, the Order Form or Statement of Work shall control solely with respect to the specific Services described therein, unless the Order Form or Statement of Work expressly states otherwise.
    • Amendment. No amendment to this Agreement shall be valid unless made in writing and signed by authorized representatives of both parties.
    • Waiver. No failure or delay by either party in exercising any right or remedy under this Agreement shall constitute a waiver of such right or remedy. No single or partial exercise of any right or remedy shall preclude any other or further exercise thereof.
    • Severability. If any provision of this Agreement is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith a valid, enforceable replacement provision that most nearly reflects the original intent of the invalid provision.
    • Assignment. Neither party may assign this Agreement or any rights hereunder without the prior written consent of the other party, except that Bright Defense may assign this Agreement without Client’s consent to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of Bright Defense’s assets. Any attempted assignment in violation of this Section shall be void. This Agreement shall bind and inure to the benefit of the parties’ successors and permitted assigns.
    • Force Majeure. Neither party shall be liable for any delay or failure in performance under this Agreement to the extent caused by circumstances beyond such party’s reasonable control, including without limitation natural disasters, acts of God, acts of government, war, terrorism, labor disputes, power failures, epidemics, or internet outages (each, a “Force Majeure Event”), provided that the affected party promptly notifies the other and uses commercially reasonable efforts to resume performance.
    • Notices. All notices under this Agreement shall be in writing and delivered by: (a) personal delivery; (b) overnight courier with tracking; or (c) email with confirmation of receipt. Notices to Bright Defense shall be sent to the address set forth in the applicable Order Form. Notices to Client shall be sent to the billing or primary contact address on file.
    • Independent Contractors. The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, employment, or agency relationship between the parties. Neither party has authority to bind the other or incur obligations on the other’s behalf.
    • No Third-Party Beneficiaries. This Agreement does not create any third-party beneficiary rights in any person or entity.
    • Counterparts; Electronic Signatures. Order Forms may be executed in counterparts, each of which shall be deemed an original. Electronic signatures shall be deemed valid and binding to the same extent as original signatures.
    • Headings. Section headings are for convenience only and shall not affect the interpretation of this Agreement.

Reviewed and Updated on 03/24/2026