GENERAL TERMS OF SERVICE
Vyreon Platform
These General Terms of Service (hereinafter, the “Terms”) govern access to and use of the platform and services offered by helmon s.r.l., with registered office at Via dell’Arte 25, Rome, VAT No. 17723211003 (hereinafter, the “Company”). Use of the platform implies acceptance of these Terms. In the event of any specific agreements with the Client, such agreements must be made in writing and shall constitute an addendum to these Terms.
- 1. Subject matter
- 1.1 This document defines the terms and conditions governing the use of the Vyreon platform (hereinafter, the “Platform”), developed by helmon s.r.l. (the “Company”), which enables the Client to monitor, assess and manage the level of cyber risk arising from cyber incidents affecting the supply chain, extended to the Client’s entire supplier network. The Platform provides the Client with a concise and aggregated representation of the cyber risk arising from any cyber incidents affecting suppliers, expressed in terms of potential cost and likelihood of occurrence. Such assessment does not require technical analysis of individual events or of suppliers’ internal vulnerabilities.
Through the Platform interface, the Client may also directly recommend to suppliers the adoption of specific insurance policies or cybersecurity services aimed at improving their cyber resilience and, consequently, enhancing the overall level of security across the supply chain.
- 1.2 In particular, the Client may make use of the following features:
- a. Invitation: through the interface, the Client may invite each supplier to register free of charge on the Cybron platform, a tool dedicated to the continuous monitoring and improvement of the company’s cyber posture, integrated into the cyber susceptibility assessment process and into the Platform.
- b. External security posture assessment: to obtain a preliminary assessment of the security of the IT infrastructure of suppliers invited by the Client.
- c. Assignment of corrective actions: through the interface, the Client may indicate specific actions to the supplier aimed at reducing the risk, expressed in economic terms, which translate into the adoption of cybersecurity services and/or insurance policies, with the objective of improving the supplier’s cyber posture and strengthening supply chain security.
- d. Audit of improvement activities: the Client may review in real time the technical documentation provided by the supplier in support of the activated services and/or policies, in order to verify their actual implementation.
- e. Optional continuous monitoring service: automated and continuous monitoring of the supplier’s exposed digital information, aimed at identifying vulnerabilities and security issues on the digital perimeter.
- f. Optional continuous monitoring & training service: automated and continuous monitoring of the exposed digital information of the selected supplier and cyber training including phishing attack simulations for ten (10) of its users/employees.
- g. Optional supplier auditing support service: verification of compliance with the Information Security Management System and assessment of the effectiveness of the security measures implemented to reduce risks and protect information.
- 1.3 The Services provided by Cybron are governed by the CYBRON Terms available on the website www.helmon.com and by the individual service sheets, which describe their contents, delivery methods and service levels (SLAs), presented to the Supplier at the time of purchase.
- 1.4 For each service or policy purchased by the supplier, a “Service Folder” shall be made available on the Client’s Platform, containing summary documentation describing the services and/or policies activated in response to the improvement requests made by the Client.
- 1.5 The Client undertakes to use the Platform exclusively for lawful purposes, without infringing any third-party rights, and assumes all related responsibility.
- 2. Platform setup
- 2.1 Activation of the Platform requires the collection of preliminary information regarding the Client’s business context, necessary to properly calibrate the risk monitoring and assessment tools.
- 2.2 Once the required information has been obtained, the Platform is configured in a customized manner, according to the Client’s operational and organizational characteristics.
- 2.3 The Client is responsible for safeguarding and maintaining the confidentiality of its access credentials, as well as for all activities carried out through its account.
- 2.4 The Company reserves the right to suspend or deactivate the Client’s account in the event of a breach of these Terms.
- 3. Platform delivery methods
- 3.1 Vyreon is accessible online through the main web browsers. The Company undertakes to ensure the continuous availability of the Platform, subject to maintenance activities and technical conditions.
- 4. Maintenance and support
- 4.1 The Company undertakes to keep the System operational and available for access by the Client, with a target availability of at least 99.5% on a monthly basis, excluding scheduled maintenance windows and force majeure events. Any preventive, corrective or evolutionary maintenance activities shall be communicated in advance, where possible.
- 4.2 For the duration of the Agreement, the Company shall provide technical support relating to the Platform, available by email or telephone during normal business hours. Requests shall be handled within reasonable timeframes. Any specific agreements on response times shall be formalized in writing and attached as an appendix to the Agreement or to these Terms and Conditions.
- 4.3 Should the Client request additional maintenance services, extended support or specific service level commitments (including guaranteed response times), such conditions shall be defined separately in a Service Level Agreement (SLA) or in another written document attached to the Agreement or to these Terms and Conditions.
- 5. Continuous external monitoring
- 5.1 Upon the Client’s request, the Platform provides a subscription-based service for continuous monitoring of the Suppliers’ external IT perimeter. This service is based on a methodology of automated and continuous external monitoring of networks and IT systems in order to detect potential security issues.
- 5.2 The monitoring is for indicative and informational purposes only and does not constitute an exhaustive or certified assessment of the Supplier’s security posture. The results obtained must be interpreted with caution and within the broader context of cyber risk management activities. The Company does not guarantee that the continuous monitoring will be able to detect all vulnerabilities present in the Client’s supply chain, nor that the results provided will be complete, up to date or error-free. In any case, the Company declines all liability for any direct, indirect, consequential or incidental damages arising from the use of the service, from any misinterpretation of the results, or from any decision made by the Client on the basis thereof.
- 6. Access to Client Data for technical purposes
- 6.1 Limited and necessary access: The Company may access the data, information and content uploaded, transmitted or generated by the Client through the Platform (“Client Data”) exclusively to the extent strictly necessary to provide the Services, including maintenance, technical support, operational monitoring and troubleshooting activities.
- 6.2 Exclusively technical use: The Company shall not use Client Data for purposes other than the provision of the Services, nor for autonomous analysis activities, commercial evaluations, statistics, profiling, or improvements unrelated to the resolution of technical issues, unless otherwise agreed in writing.
- 6.3 Authorized personnel and confidentiality: Access to Client Data is permitted only to the Company’s personnel and duly authorized subcontractors, bound by confidentiality obligations and limited to the access strictly necessary for the provision of the Services, in compliance with the applicable technical and organizational measures.
- 6.4 Regulatory compliance: Where Client Data contains personal data, the Company shall process it in compliance with the GDPR and applicable law, according to the roles and purposes defined in these Terms and in any appointment agreement as Data Processor.
- 6.5 Security and audit: The Company shall adopt appropriate technical and organizational measures to ensure the security of Client Data and may keep logs of access carried out for control, security and compliance purposes, retaining them only for the time necessary.
- 7. Continuous external monitoring & Training
- 7.1 Upon the Client’s request, the Platform provides a subscription-based service for continuous monitoring of the Suppliers’ external IT perimeter together with a cyber risk training plan and phishing attack simulations for each Supplier’s employees.
- 7.2 The service is designed to increase the awareness and skills of the Supplier’s personnel in managing cyber threats.
- 7.3 The training is reserved for ten (10) employees of the Supplier selected by the Client and shall be delivered asynchronously, combining educational sessions and operational simulations, thereby strengthening the level of organizational security, minimizing risks arising from human error, and improving the overall defensive posture.
- 8. Support for Supplier Auditing activities
- 8.1 In addition to using the Platform on a subscription basis, the Client may choose to purchase the Auditing Service for one or more Suppliers identified by the Client.
- 8.2 This service is aimed at supporting the assessment and verification of performance, as well as the compliance and reliability of the Supplier itself.
- 8.3 Upon completion of the assessments carried out, a reporting file containing the data and results collected for each designated Supplier shall be prepared and delivered to the Client.
- 9. Platform license and use
- 9.1 The Company grants the Client the right to use the Platform and the optional continuous monitoring and/or training services on the basis of these Terms and Conditions. The Platform shall be deemed activated upon the Company’s initial communication launching the onboarding process. The right of use is limited to the Client’s Users, meaning persons operating under the Client’s direction, under an employment agreement as employees, or as independent contractors, freelancers, or under similar contractual arrangements, for whose actions the Client is responsible.
- 9.2 The Company shall not be responsible for any issues, losses or damages arising from the Client’s use of the Platform as is or from any adaptation thereof. The Client assumes full responsibility for any modifications, customizations or adaptations made to the Platform’s configuration.
- 9.3 The Company shall, to the best of its abilities, assist the Client in meeting its specific needs from time to time, taking into account the specifications, design and functionalities of the Services. The Client acknowledges that it is its responsibility to ensure that the Platform is fit for the intended use.
- 10. Term and termination
- 10.1 The subscription term shall be twelve (12) or thirty-six (36) months (hereinafter, the “Term”), calculated from the date of the Client’s acceptance of these Terms and Conditions. The Term shall automatically renew, as shall the optional services, for successive periods of 12 months, unless the Client or the Company gives written notice of termination of the subscription.
- 10.2 Termination without cause: The Client may withdraw from the subscription and from the right to use the System by giving 30 days’ notice prior to the expiry of a Term. Notice of termination must be given in writing by certified mail. The Company may terminate the Client’s right to use the Services by giving at least 3 months’ notice prior to the expiry of the Term. In such case, the Company shall refund the Client the prepaid fees corresponding to the unused portion of the Term on a pro rata basis and shall carry out any agreed exit plan.
- 10.3 The Company shall also have the right to interrupt the Client’s right to use the System if the Client materially breaches its obligations under these Terms and Conditions, unless such material breach is remedied within 15 days from receipt of notice of the breach.
- 11. Intellectual Property and Software License
- 11.1 The Company grants the Client a non-exclusive, non-transferable and revocable license to access and use the Platform and the software exclusively for the provision of the purchased Services.
- 11.2 The Client is prohibited from copying, modifying, distributing, decompiling or carrying out reverse engineering activities on the software or on any component of the Platform.
- 11.3 The Client declares and warrants that it is the owner of the information system in relation to which the Service will be provided, or that it is authorized to appoint the Company to perform the purchased Service.
- 11.4 In the case of licenses provided by third-party suppliers through the Company, the Client acknowledges that it has accepted the terms of such licenses and undertakes to use the software in compliance with such terms and exclusively for its own personal use.
- 12. Limitations of liability
- 12.1 The Company does not guarantee absolute immunity from cyberattacks for the Client or its Supplier chain, but undertakes to provide Services in line with industry standards.
- 12.2 The Company shall not be liable for any direct damages or losses arising from the inactivity of the Platform or the inability to access the Services in the following cases: scheduled interruptions for ordinary or extraordinary maintenance activities, communicated to the Client in advance where possible; force majeure events, including, by way of example, natural disasters, cyberattacks, failures of technological infrastructure, or other circumstances not attributable to the Company; malfunctions or interruptions of the Client’s internet connection; issues, errors or incompatibilities of the Client’s information system, hardware or software; actions or omissions of the Client or third parties affecting the proper provision of the Services.
- 12.3 In the above cases, the Company undertakes to restore the operation of the Platform or the provision of the Services as quickly as possible, without this giving rise to any compensation or indemnification obligation towards the Client.
- 12.4 It is understood that the Company’s overall liability for any defaults or direct damages attributable to it shall in any event be limited to the amount actually paid by the Client for the purchased or renewed Service affected by the damaging event. Any other indemnity or compensation to the Client for any damage is excluded.
- 12.5 In any event, the Company shall not be liable for:
- a. indirect, incidental or consequential damages;
- b. loss of data or loss of profit;
- c. improper use of the Platform or the Services by the Client;
- d. damages resulting from the Client’s communication of incorrect data;
- e. any damage to persons or property arising from an act, fact or omission of the Client or its employees or collaborators;
- f. any damage, interruption, malfunction, defect, violation, or unauthorized intrusion into the information system of the Client or third parties directly or indirectly caused by the execution of the Service purchased by the Client, except in cases of wilful misconduct or gross negligence on the part of the Company.
- 12.6 The Company does not perform any specific backup of the data, information or content processed on behalf of the Client through the Platform, except for backups periodically carried out by the Company as a precaution for the possible restoration of the Platform.
- 12.7 The Company shall in no way be liable for damages suffered by the Client or third parties, directly or indirectly, as a consequence of the use of the Platform.
- 12.8 The Company assumes an obligation of means and not of result; it does not guarantee that the purchased Services are suitable for the Client’s purposes or needs, nor that the devices, programs or applications used by the Client are compatible with the Service, such verification being the sole responsibility of the Client.
- 13. Indemnity
- 13.1 The Client undertakes to indemnify and hold harmless the Company, as well as its directors, employees, collaborators, suppliers and subcontractors, from any liability, loss, damage, burden, cost or expense (including, by way of example, reasonable legal fees) arising from or connected with:
- a) the improper or non-compliant use of the Platform or the Services by the Client or by third parties authorized by the Client, including, by way of example, partners, employees or suppliers;
- b) any breach by the Client of these General Terms, laws, regulations or applicable rules, at either national or European level, including – where applicable – the provisions of Directive (EU) 2022/2555 (“NIS2”) and any implementing national legislation concerning the security of network and information systems;
- c) any infringement of third-party rights, including intellectual property rights, industrial property rights, confidentiality rights or personal data protection rights;
- d) any claims, demands or disputes raised by third parties who have relied on the information, analyses or suggestions contained in the results of the Services provided by the Platform, including the information contained in the Service Folder;
- e) claims or actions brought by third parties in relation to operational or strategic decisions taken by the Client or its suppliers on the basis of the results of the Services, including preliminary scanning services or recommendations suggested through the Platform.
- 13.2 The Company reserves the right to directly manage its own legal defense in relation to any claim or proceeding in respect of which this indemnity has been invoked. In such case, the Client undertakes to cooperate actively by promptly providing any information, document or support useful for the defense, upon the Company’s request.
- 14. Processing of Personal Data
- 14.1 The Company shall process the Client’s personal data and, where applicable, the personal data of its suppliers or technical contacts, in compliance with Regulation (EU) 2016/679 (“GDPR”), applicable national legislation and its own Privacy Policy, available on the Company’s website.
- 14.2 (Roles in processing) With reference to the personal data communicated by the Client during registration, account activation, user environment configuration and use of the Platform, the Company acts as Data Controller pursuant to Article 4(7) of the GDPR.
With reference, however, to any personal data contained in the systems, infrastructures or digital environments of the Client (or its suppliers), which the Company may access in the context of the provision of the Services, the latter shall act as Data Processor pursuant to Article 28 of the GDPR, on the basis of a specific appointment agreement (Data Processing Agreement – DPA), to be entered into separately where required.
- 14.3 (Purposes and methods of processing) The data shall be processed for purposes strictly connected with the provision, management and improvement of the Services offered through the Platform, the administrative management of contractual relationships, and compliance with applicable legal obligations (including those relating to cybersecurity and risk management).
Processing shall take place by manual and/or automated means, using IT and telematic tools, adopting technical and organizational measures appropriate to ensure a level of security compliant with Article 32 of the GDPR.
- 14.4 (Sub-processors and data transfers) The Company may rely, for the provision of specific services, on external suppliers (sub-processors) duly appointed pursuant to Article 28 GDPR, who shall act in accordance with documented and binding instructions. The updated list of the main sub-processors is available upon the Client’s request. Should the data be transferred outside the European Economic Area (EEA), such transfer shall take place in compliance with the safeguards set out in Chapter V of the GDPR, including the standard contractual clauses adopted by the European Commission.
- 14.5 Data retention and account management: The Client’s account shall remain active until a request for deactivation is made by the Client, either through the functionalities available on the Platform or by writing to the email address: privacy@helmon.com. The Company reserves the right to deactivate accounts that have been inactive for more than 12 months, subject to prior notice. Data shall be retained for the time strictly necessary to pursue the purposes for which they were collected and, in any case, in compliance with the time limits provided for by applicable law concerning retention, contractual liability and cybersecurity.
- 14.6 In the event of account closure:
- a. the account shall no longer be accessible to the Client;
- b. after the account is closed, the data and all documents contained in the Service Folder shall no longer be available to the Client;
- c. the data associated with the account shall be retained by the Company for a maximum period of 12 months after closure, exclusively for the purposes indicated in the privacy notice, including compliance obligations, management of any disputes, or other legitimate interests.
- 14.7 Once the 12-month period has elapsed, the data shall be deleted, unless further retention is required by law or is necessary to protect the Company’s rights.
- 14.8 For further details on the processing of personal data, please refer to the privacy notice available on the website www.helmon.com.
- 15. Appointment as Data Processor
- 15.1 (Appointment) The Client hereby appoints the Company as Data Processor (or sub-processor for the processing of third-party data where the Client acts as Data Processor in relation to such data) with respect to the personal data processing activities carried out by the Company in the execution of the Service.
- 15.2 (Duration) The appointment as Data Processor (or sub-processor) and the commitments set out herein shall last for the duration of the Service. The appointment and this deed shall automatically cease to have effect in the event of termination, withdrawal or loss of effectiveness of the contract. In the event of tacit renewal of the Service, this appointment shall be deemed automatically renewed for a term equal to the contractual term.
- 15.3 (Processed data) The Services provided by the Company, consistently with the technical specifications of the Service, allow the Client to process data in the ways and for the purposes established by the Client. The scope of the appointment of the Company is limited solely to the processing of personal data to which the Company has access in the context of the execution of the Service.
- 15.4 (Obligations and rights) By virtue of this appointment, the Company is authorized exclusively to process personal data to the extent and within the limits necessary for the performance of the activities entrusted to it. The Company shall carry out processing activities in compliance with the GDPR and, in particular, undertakes to:
- a) process personal data exclusively for the purpose of providing the Service purchased by the Client;
- b) ensure that the persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that they have been instructed regarding the processing activities assigned to them;
- c) adopt, pursuant to Article 32 of Regulation (EU) 2016/679, the technical measures indicated in the service sheets and the organizational security measures appropriate to the processing; make available to the Client all information necessary to demonstrate compliance with the obligations set out herein, allowing review and verification activities arranged by the Client, at its own expense, subject to prior agreement on the timing and methods of such verification;
- d) upon the Client’s request, delete or return to the Client any copies of the personal data once the provision of the Service has ended.
- 15.5 (Sub-processors) By conferring the assignment, the Client authorizes the Company to make use of its own sub-processors, including third-party suppliers, for the provision of the Services (support, maintenance, provision of additional services, network providers and electronic communication services), who in the context of such activities may have access to the personal data for which the Client is the controller or processor. The Company warrants that it has appointed the sub-processor in writing and that such deed provides that: a) the sub-processor shall have access to the Client’s data only to the extent required to fulfil the obligations delegated to it for the provision of the Service; b) the sub-processor shall assume the obligations set out in Article 28 of Regulation (EU) 2016/679; c) the Company remains responsible towards the Client for all obligations undertaken. The Company undertakes to keep an updated list of such third parties and the documentation evidencing the obligations undertaken by such third parties with regard to the personal data processing obligations set out herein, where they process data in the context of the selected Service.
- 15.6 (Breaches) Should events occur involving a breach of the data processed by the Company in the provision of the Services, the latter shall notify the Client in writing within 48 hours, providing all information in its possession at the time of the notification.
- 16. Confidentiality
- 16.1 The Company undertakes to keep confidential all commercial and technical information acquired in the course of carrying out its activities, except where disclosure is required by law or by competent authorities.
- 16.2 The Client undertakes not to disclose to third parties any data, materials, documents, software, technical specifications, know-how, source codes, methods, procedures, test results, reports, analyses, and any other information provided or made available by the Company to the Client, or acquired by the Client during the use of the Services. The Client must adopt all measures necessary to ensure that such information is not disclosed to third parties.
- 17. Duration and termination
- 17.1 These Terms shall remain valid and effective for the duration of the Service, unless the contractual relationship is terminated in the cases of withdrawal or termination provided for in these Terms.
- 17.2 The Client may cease using the Services at any time, it being understood that the Client shall have no right to refunds or credits in relation to paid Services that have not been used.
- 17.3 The Company reserves the right to suspend the provision of the Services or the Client’s account in the event of breaches of these Terms and, in the event of breach of the provisions set out in Articles 2 (Registration on the Platform) and 8 (Intellectual Property and Software License), to terminate the contract pursuant to Article 1456 of the Italian Civil Code by written notice, without prejudice in any case to the right to seek recourse and compensation for damages suffered.
- 17.4 The Company reserves the right to withdraw from the contract at any time by giving written notice to the Client, effective from the moment the Client receives such notice.
- 18. Assignment of the contract
- 18.1 The Client may not assign, in whole or in part, the contract to third parties, nor subcontract or make the purchased Services available to third parties on any basis whatsoever, without the prior consent of the Company.
- 18.2 The Client hereby gives its consent in advance to the Company assigning the contract, or its rights or obligations, in whole or in part, to third parties.
- 19. Applicable law and jurisdiction
- 19.1 These Terms shall be governed by Italian law.
- 19.2 Any dispute relating to the interpretation or execution of these Terms shall fall under the exclusive jurisdiction of the Court of Rome.
- 20. Specific approval pursuant to Articles 1341 and 1342 of the Italian Civil Code
- 20.1 Pursuant to and for the purposes of Articles 1341 and 1342 of the Italian Civil Code, the Client specifically approves the following provisions: Article 10.1 (Term and termination); Article 11 (Limitations of liability); Article 12 (Indemnity); Article 16 (Duration and termination); Article 18 (Assignment of the contract); Article 19 (Applicable law and jurisdiction).