CIS Penetration Testing Services Terms and Conditions

The following terms and conditions (“TCS”) apply to the penetration testing services (the “Services”) provided by Center for Internet Security, Inc. (“CIS”) to Customer, as specified in the accompanying Statement of Work issued by CIS to Customer (the “SOW”).

  1. CIS Obligations. CIS will provide the Services specified in the SOW. All other cybersecurity monitoring or assessment or additional consulting services will be subject to a separate agreement.
  2. Customer Obligations. Customer is responsible for selecting the penetration testing service, or combination of services, that best meets its needs. Customer also agrees to provide specific external Internet Protocol (IP) addresses and domains as requested by CIS.

    Customer agrees to have a person available at all times during the penetration testing engagement to restore, as soon as possible, any service or server that becomes unavailable.

    In the event that any or all of the Services require CIS to be present on-site at Customer’s location, Customer agrees that it will provide CIS’s Penetration Testing Team (PTT) all necessary access to Customer’s site and network in order to provide the Services, and will provide CIS in writing, in advance, any applicable restrictions for PTT presence on Customer’s site.

  3. Payment Terms. The payment terms are as specified in the SOW. Pricing for the Services is based on the assumptions as set forth in the SOW. If, during the course of providing the Services, CIS determines that the assumptions are substantially different from those set forth in the SOW, it reserves the right to adjust the pricing prior to completion of the Services to reflect additional work required as a result of the change in assumptions.
  4. Confidentiality Obligations. In connection with performing the Services, certain confidential or proprietary information may either be provided by Customer to CIS or generated in the performance of the Services including, without limitation: information regarding the infrastructure and security of Customer’s information systems; the results of the penetration testing of Customer’s information systems insofar as those results may reveal specific vulnerabilities; any systems assessments and plans that relate specifically and uniquely to the vulnerability of Customer’s information system; or any other document or data otherwise marked by Customer as “Confidential” (“Confidential Information”). CIS agrees to keep Customer’s Confidential Information in confidence to the same extent and in the same manner as CIS protects its own confidential information, but in no event will less than reasonable care be provided, and Customer’s Confidential Information will not be released in any identifiable form without the express written permission of Customer, or as required pursuant to a lawfully authorized subpoena or similar compulsory directive, or where it is required to be disclosed by law, provided that CIS shall be required to make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. CIS shall, however, be permitted to disclose relevant aspects of such Confidential Information to its employees and CIS’s third-party Cyber Security Services partners, including federal partners, provided that they agree to protect the Confidential Information to the same extent as required under this Agreement. CIS further agrees to use reasonable steps to ensure that Confidential Information received under this Agreement is not disclosed in violation of this Section. These confidentiality obligations shall survive the termination of this Agreement.

    Customer specifically acknowledges that, as part of the Services, it will require the PTT to view machine configuration data. CIS agrees that its PTT will avoid intentional viewing or transfer of any customer and user data. Customer further acknowledges that if sniffers are used as part of the Services, it is possible that customer and/or user data will be captured. CIS agrees that should any personal data be captured, it will destroy any personal data captured and will not review it.

  5. Additional Terms for On-Site Penetration Testing. In the event that the Services require that the PTT be on-site at Customer’s facility, Customer hereby acknowledges and consents to PTT presence on site. CIS agrees that it will comply with any reasonable restrictions for PTT access to Customer’s site, provided that such restrictions do not unreasonably inhibit CIS’s ability to provide the Services.
  6. Limitation of Liability. It is understood and agreed by Customer that there is an element of risk associated with penetration testing activities, especially to the systems tested in a live environment. This risk includes the potential that some services on Customer’s system may be rendered unavailable during the test process. Although this risk is mitigated by the use of experienced professional penetration testers and the use of tools obtained from trusted resources, it can never be fully eliminated. It is further understood and agreed by Customer that there is no guarantee that every vulnerability in its systems will be identified during the test.

    If for any reason CIS fails to perform Services required under the SOW, the liability of CIS shall be limited SOLELY to the return of all, or an appropriate portion, of any consideration paid for the Services not performed.

  7. Termination. Either party may terminate the Services in the event that the other party is in breach of these TCS and such breach is not corrected within 30 days of receipt of written notice of such breach. Customer shall be responsible for payment of that portion of the Services completed prior to the date of termination.
  8. Force Majeure. Neither party shall be liable for performance delays or for non-performance due to causes beyond its reasonable control.
  9. Relationship of the Parties. Neither the SOW nor these TCS create an employment relationship, agency, joint venture or partnership between the parties. Neither party is authorized to make any representation or commitment on behalf of the other party without its prior written consent. Each party shall be responsible for its own employees, contractors and agents.
  10. Governing Law. Unless otherwise specifically prohibited by the laws of Customer’s jurisdiction, any disputes arising in connection with the Services or these TCS shall be governed and interpreted by the laws of the State of New York without regard to its conflict of law provisions. In the event that the laws of Customer’s jurisdiction require that the laws of that jurisdiction apply to all contracts entered into by Customer, then the laws of that jurisdiction shall apply.
  11. Entire Agreement. The SOW and these TCS constitute the entire agreement between CIS and Customer with respect to the Services, superseding any prior representations, discussions, negotiations or other agreement, whether written or oral, between the parties. Except as otherwise expressly stated, in the event that there is a conflict between the terms of Customer’s SOW and these TCS, the provisions of these TCS shall prevail.
  12. Waiver and Severability of Terms. The failure of either party to exercise or enforce any right or provision of these TCS shall not constitute a waiver of such right or provision. If any provision of the TCS is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavor to give effect to the parties’ intentions as reflected in the provision, and the other provisions of the TCS remain in full force and effect.

Rev. 05/13/2020