Bright Security Commercial Proposal

Table of Contents:

1. Introduction
2. Unique Differentiators
3. Pricing Proposal
4. Investment
5. Support Services (Choose One Tier)
6. Pricing Summary
7. Subscription & Support Term
8. Terms and Conditions
9. Proposal Confirmation
10. Appendix 1: SUPPORT & SLAs
11. Appendix 2: Services Packages
12. Appendix 3: BX Company Specific DPA

Introduction

Bright Security was established in 2018 with the goal of leading and dramatically advancing application security. Bright helps organizations improve application security at lower cost by providing developer-centric application and API security testing built for modern development environments. The platform integrates into DevOps environments and lets you run AppSec scans as part of your CI/CD pipelines to identify thousands of security vulnerabilities. It scans multiple protocols across web, mobile (server side) and API targets, and is built for developers to identify vulnerabilities throughout the SDLC, providing remediation guidelines for every vulnerability identified.

In addition, the platform provides real-time reports and findings to developers (for quick remediation) and to the CISO organization and AppSec professionals, so that they have full visibility of the vulnerabilities found and how to address them.

This proposal and its terms and conditions are specific to BX companies, with preferential, pre-negotiated terms that enable BX companies to adopt, deploy and take advantage of a unique offering.

Unique Differentiators

  1. Minimal false positives – Automated verification and presentation of findings, including proof of exploitation, and prioritization based on the risk severity to the business.
  2. Broad coverage – Across web, mobile server side, and multiple API protocols.
  3. Speed – High-quality, deep tests and scans performed quickly.
  4. Advanced testing and support of single-page applications and their data formats (e.g. XML, JSON).
  5. Advanced API scanning (REST, GraphQL, etc.).
  6. Integration with SAST (Snyk) to correlate SAST and DAST scan results.
  7. Extensive set of payloads – Regularly updated set of payloads backed by our global team of security professionals, currently containing tens of thousands of attack combinations, including CVEs.
  8. The only DAST product to also include business logic vulnerability attacks.

Bright is honored to submit a proposal for the Bright AppSec Enterprise SaaS licensing to _____

Pricing Proposal

Subscription type: Enterprise SaaS License

Bright’s AppSec solution covering Web-apps and APIs

Notes

  1. Unlimited use of Bright’s AppSec scanning services for the entire period of use, based on the number of concurrent scan engines offered.
  2. Unlimited number of applications / APIs / targets / URLs scanned by the organization.
  3. Unlimited number of users in the system on the customer’s side.
  4. To clarify, the proposal includes scans on servers and Internet addresses used by __ only.
  5. Each scan generates a detailed and dedicated findings report. The report details the findings identified by Bright’s App

Investment

Bright Security Pricing Table
Bright Security Proposal Terms – Valid through       , 2025
Annual Pricing for a 3-year subscription

License / Module | List Price per License (Scan Engine) per Year (USD) | Number of Concurrent Licenses | Annual Fee (USD) | Customer / Partner Discount % | Net Annual Fee (USD)
Bright DAST SaaS subscription* | $35,000 | | | 20% |
Bright STAR module** | $14,000 | | | 20% |
Total license price per year | | | | |

* 20% discount automatically applied to BX companies. Volume discounts will be applied on top.
** Bright STAR is provided free of charge to BX companies in the first year of their agreement, where applicable.

Support Services (Choose One Tier)***

Tier Pricing Table

Tier | Fee Basis | Net Annual Fee (USD) | Selected
Platinum | +22% of Annual Fees | $12,320 |
Gold | +20% of Annual Fees | Included |
Silver | +10% of Annual Fees | $5,600 |

*** BX companies receive an automatic upgrade to the Gold Success package at no additional cost. See Appendix 2 for details of the services packages.

Pricing Summary

Subscription Summary Table

Subscription | Net Annual Fee (USD) | Support Fees (USD) | Total Price per Year (USD)
 | | Included |

Subscription & Support Term

Term Start: ____ Term End: ___

Terms and Conditions

  1. Payment terms: net 60* days from the date of invoice.
  2. Bright Security will invoice reseller/customer for the subscription fees and any professional services upon execution of this Proposal, and in case of a multi-year subscription term – Bright Security will invoice reseller/ customer before each anniversary of the subscription term.
  3. Prices are in USD, and do not include VAT (where relevant) or other applicable sales tax. Reseller/Customer is responsible for paying all taxes associated with this Proposal except for taxes on Bright Security’s net income.
  4. By executing this Proposal, customer agrees to purchase the subscription/s selected above and Customer shall be liable for payment of all applicable payments until the end of the chosen subscription term. This Proposal (once executed) and all payment obligations under it are non-cancelable, non-contingent, and any payment made are non-refundable.
  5. Service Level Commitment (SLA), in accordance with Appendix 1 attached.
  6. Bright Security will set up the environment (a one-day process), and user credentials will be delivered to you within 7 business days of the signed agreement.
  7. Unless otherwise mutually agreed between the Parties in writing, the services set forth in this Proposal, and the agreement between you and the Bright entity referenced below, are governed by the Bright Terms of Service found at https://stagingbrightsec.brightsec.com/terms-of-use/ (including any referenced URL Terms). In addition, the Data Protection Addendum attached hereto as Appendix 3 shall also apply. In the event that this proposal is made to a reseller/distributor, the applicable terms and conditions will be as specified in the reseller/distributor agreement between Bright and you. Bright Terms of Service or such a reseller/distributor agreement (if applicable) prevail over any terms and conditions that may be attached to a Customer purchase order or are otherwise provided by Customer.

* Special benefit to BX companies; the standard payment term is net 30 days.

Proposal confirmation

IN WITNESS WHEREOF the parties set forth in the signature blocks below have accepted the terms and conditions of this Proposal as of the last date set forth in the signature blocks:

Signature Section
Customer:
Address:

Name & Title:
Date:

Signature:
Bright Security, Inc.
Address: 60 Crestview Drive, San Rafael, CA 94903

Name & Title:
Date:

Signature:

Appendix 1: SUPPORT & SLAs

This appendix outlines the service levels provided by Bright Security, including system uptime and issue response time.

  1. System Uptime: The system will be up 99.5% of the time, measured on a monthly basis. System uptime excludes scheduled maintenance hours, which are planned for off hours and will not exceed 8 hours per month. Further, any downtime resulting from outages of third-party connections or utilities, or other reasons beyond Bright’s control, will also be excluded from any such uptime calculation. Customer’s sole and exclusive remedy, and Bright’s entire liability, in connection with Service availability shall be that for each period of downtime lasting longer than one hour, Bright will credit Customer 5% of Service fees for each period of 30 or more consecutive minutes of downtime; provided that no more than one such credit will accrue per day. Downtime shall begin to accrue as soon as Customer (with notice to Bright) recognizes that downtime is taking place, and continues until the availability of the Services is restored. In order to receive downtime credit, Customer must notify Bright in writing within 24 hours from the time of downtime, and failure to provide such notice will forfeit the right to receive downtime credit. Such credits may not be redeemed for cash and shall not be cumulative beyond a total of credits for one (1) week of Service fees in any one (1) calendar month in any event. Bright will only apply a credit to future invoices for Services. Bright’s blocking of data communications or other Service in accordance with its policies shall not be deemed to be a failure of Bright to provide adequate service levels under this Agreement.
  2. Issue response times:

Issue Severity & Response Time

Issue Severity | Response Time | Severity Level Description
Severity 0 | <6 hours | System Down: the system is inaccessible via web or API and appears to be down.
Severity 1 | <12 hours | Critical: critical parts of the system are inaccessible via web or API, for example scan control (stop, start).
Severity 2 | <24 hours | High: semi-critical parts of the system are inaccessible via web or API, for example user management or integrations.
Severity 3 | <48 hours | Medium: auxiliary parts of the system or non-critical functionality are inaccessible via web or API, for example report generation, scan analysis, agents, or other features.
Severity 4 | <72 hours | Low: slowness in the system, administrative issues (user locked out, or other low-level functionality).
Informational | | General inquiry about the system, support documents, etc.

* Response times are worst-case figures; we aim to answer any query as soon as possible.
** The initial response may be an automated response from the ticketing system.

Appendix 2: Services Packages

This appendix outlines the services packages (Silver, Gold and Platinum) offered by Bright Security and the support, onboarding and customer success services included in each.

Services Package Table

Service | Silver | Gold | Platinum
Offering cost | 10% of license cost | 20% of license cost | 22% of license cost
24/7/365 human technical support (faster response SLAs offered with Gold / Platinum) | X | X | X
Documentation | X | X | X
Environment setup | X | X | X
Integration with CI/CD | X | X | X
Initial user training (train the trainer) | X | X | X
Best practices / onboarding | 1 session | Bi-weekly | Weekly / as needed
Ongoing training | | Bi-weekly | Weekly / as needed
Software updates | X | X | X
Application / API scan onboarding / setup | 2 | Up to 5 per engine subscription | Up to 10 per engine subscription
Ongoing scan configuration, scheduling and review | | Up to 4 times a year | Up to 25 quarterly
Security assessment (review scan results and provide guidance) | | Quarterly | Monthly
Compliance consult with Bright CISO (e.g. GDPR, HIPAA, PCI) | | Twice per year | Quarterly
Threat cost modeling based on vulnerabilities found | | Once per year | Quarterly
Scan and process performance tuning | Annual | Quarterly | Monthly
Usage and findings reporting and analysis | | Quarterly | Monthly
Continuous monitoring | X | X | X
Executive business review | Annual | Twice per year | Quarterly
CSM assignment | Pooled CSM | Dedicated | Dedicated
CSE assignment | Pooled CSE | Dedicated | Dedicated
Technical meeting cadence | Monthly | Bi-weekly | Weekly + as needed
Custom development (depends on size / scope of feature request) | | | 1 per quarter
Onboarding and re-training for new staff, AppSec and developers after initial onboarding | Annual | Bi-annual | Quarterly

An empty cell means the item is not listed for that tier.

Appendix 3: BX Company Specific DPA

DATA PROTECTION ADDENDUM

This Data Protection Addendum (“Addendum”) is entered into by and between Customer (together with its related subsidiary or affiliated entities) and Bright Security, Inc. (together with its related subsidiary or affiliated entities, “Vendor”). Customer and Vendor shall be referred together as the “Parties” and each, a “Party.” This Addendum forms part of one or more written agreements, including the Terms of Service to which this Addendum is attached (“Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect to the extent they are not inconsistent with this Addendum. The terms of the Addendum shall otherwise supersede any such inconsistent terms under the Agreement. In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement.

  1. Definitions. In this Addendum, the following terms shall have the meanings set out below and similar terms shall be construed accordingly: (A) “Applicable Data Protection Laws” means all applicable data privacy and security laws, legislation, regulations and regulatory guidance, each as updated or replaced from time to time. (B) “Affiliates” means any entity which directly or indirectly controls, is controlled by, or is under common control with either party. For the purposes of the preceding sentence, “control” means direct or indirect ownership or control of more than 50% of the voting securities of the subject entity or that the applicable entity otherwise has direct or indirect authority to control the management of the subject entity, whether by contract or otherwise. (C) “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise processed, and also includes like terms as defined under Applicable Data Protection Laws. (D) “Data Subject” means a natural person or consumer whose Personal Information is processed and who receives rights and protections under Applicable Data Protection Laws. (E) “Personal Information” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an individual, along with other like terms, such as “personal data” and “personally identifiable information.” All other terms used in this Addendum and not defined herein have the respective meanings ascribed to such terms and related terms under Applicable Data Protection Laws.
  2. Instructions and Details of Processing. With regard to the processing of Customer’s Personal Information by Vendor, Customer shall be the business, organization or controller and Vendor shall be the service provider, contractor, or processor of the Personal Information acting on behalf of the business, organization or controller, as those terms and like terms are defined under Applicable Data Protection Laws. Vendor shall process Customer’s Personal Information only at Customer’s instruction and for the limited and specified purposes set forth in the Agreement, which may include the following (including where such processing occurs inadvertently) (the “Services”):

☐ Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.


☒ Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.


☒ Debugging to identify and repair errors that impair existing intended functionality.


☐ Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.


☒ Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.


☐ Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.


☐ Undertaking internal research for technological development and demonstration.


☒ Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
The types of Data Subjects whose Personal Information is processed under the Agreement are tenants, residents, employees, and other Data Subjects related thereto; the types of Personal Information processed are:


☒ Contact information

☐ Financial information

☐ Government identification

☐ Commercial information

☐ Internet or other electronic activity

☐ Audio/visual data

☐ Professional or employment-related information

☐ Other personal information described to the Data Subject upon collection


and the duration of the processing is until the conclusion of the Agreement.

  3. Compliance with Applicable Data Protection Laws. Vendor shall comply with all Applicable Data Protection Laws under the Agreement and this Addendum. Vendor shall notify Customer no later than five (5) business days after it makes a determination that it can no longer meet its obligations under Applicable Data Protection Laws and this Addendum. Customer may take reasonable and appropriate steps to ensure Vendor uses Customer’s Personal Information in a manner consistent with Customer’s obligations under Applicable Data Protection Laws. Customer may take reasonable and appropriate steps to stop and remediate Vendor’s unauthorized use of Customer’s Personal Information.
  4. Duty of Confidentiality. Vendor shall ensure that persons authorized to process Customer’s Personal Information are subject to an appropriate duty of confidentiality.
  5. Security of Processing and Notification of Data Breach. Vendor shall use, implement, and maintain all reasonable safeguards to protect Customer’s Personal Information. Vendor shall promptly and thoroughly investigate (with Customer’s participation if so desired by Customer) all potential Data Breaches involving Customer’s Personal Information and provide, within 24 hours, a detailed description of the event to Customer in writing, together with a list of all corrective or protective measures that have been taken or that will be taken by Vendor. Vendor shall promptly provide Customer with updated and additional information as it continues its investigation or as such information otherwise becomes available. Customer shall have the right at any time after learning of a Data Breach impacting Customer’s Personal Information to engage and involve external forensic firms in the investigation of the incident (which will include a right to investigate Vendor’s systems), and Vendor shall comply with all reasonable requests of such external forensic firm. Vendor shall also help and assist Customer to meet its obligations under Applicable Data Protection Laws in relation to the Data Breach or security incident. Unless required by Applicable Data Protection Laws, Vendor shall not inform any third party of any security incident without first obtaining Customer’s prior written consent. Unless otherwise required by Applicable Data Protection Laws, Customer shall have the sole right to determine (A) whether and how notice of a Data Breach is to be provided to any Data Subjects, supervisory authorities, law enforcement agencies, consumer reporting agencies, or others as may be required by Applicable Data Protection Laws or in Customer’s discretion, and (B) the contents of such notice. To the extent any Data Breach involving Customer’s Personal Information arises out of or is connected to a breach by Vendor of its obligations under the Agreement, Vendor shall bear, in addition to any other damages for which Vendor may be liable under the Agreement, the costs incurred by Customer in responding to such breach, to the extent such measures are required under Applicable Data Protection Laws. Vendor’s liability for such costs shall be limited to the greater of (a) the limitations of liability set forth in the Agreement, or (b) $500,000.
  6. Monitoring Compliance. Vendor shall make available to Customer all information necessary to demonstrate compliance with the Addendum and Applicable Data Protection Laws. Vendor shall permit Customer to monitor Vendor’s compliance with the Addendum and Applicable Data Protection Laws through measures including, but not limited to, ongoing manual reviews, audits, or other testing, once every 12 months. Vendor shall allow for, and contribute to, such reasonable audits, assessments, and inspections by Customer or another auditor designated and mandated by Customer. The audit, assessment, or inspection shall be conducted using appropriate and accepted control standards or frameworks and audit processes, at Customer’s expense, and Vendor shall provide a report for Customer’s audit, assessment, or inspection upon request.
  7. Vendor Assistance to Customer. Vendor shall promptly, but no later than within five (5) business days of Customer’s request, provide assistance requested by Customer to enable Customer to comply with its obligations under Applicable Data Protection Laws, including in relation to Data Subject requests, data protection impact assessments, prior consultations, and responding to any regulator or state attorney general request, investigation, or legal action. Customer shall inform Vendor of any Data Subject requests made pursuant to Applicable Data Protection Laws that Vendor must comply with, and provide the information necessary for Vendor to comply with the Data Subject requests, where required by Applicable Data Protection Laws. Vendor’s assistance shall not be unreasonably withheld.
  8. Indemnification. Vendor will indemnify, keep indemnified and hold harmless Customer and its clients, officers, directors, employees, agents, representatives, successors, assigns, and associates from and against all third-party losses, harm, costs, expenses, government fines, penalties, sanctions, damages, and liability they may suffer or incur, including reasonable legal fees and expenses, arising from or in connection with Vendor’s non-compliance with the requirements of this Addendum or Applicable Data Protection Laws. Vendor’s indemnification for such costs shall be subject to the limitations of liability set forth in the Agreement.
  9. Use of Subcontractors. Vendor has Customer’s general authorization for the engagement of subcontractors for this Agreement; however, Vendor shall not subcontract with any third party for services that include direct or indirect access to, storage or processing of, or other contact with Personal Information without the prior consent of Customer, except for the existing infrastructure providers Amazon Web Services (AWS) and Google Workspace services (Gmail, Google Meet, Google Docs). Vendor shall inform Customer in writing of any replacement of subcontractors in advance, thereby giving Customer sufficient time to object to such changes prior to the engagement of the subcontractor(s). If Customer objects to a subcontractor, and Vendor is unable to resolve Customer’s objections, Customer may terminate the Services that use the objected-to subcontractor. Vendor shall ensure that each of its subcontractors is bound by contractual obligations with respect to Personal Information that are the same as, or no less protective than, those contained in this Addendum. Vendor shall provide, on request, a copy of such subcontractor data protection agreement (and any subsequent amendments) to Customer. Vendor is responsible for the performance of the subcontractor’s obligations in compliance with the terms of this Addendum and Applicable Data Protection Laws.
  10. Restrictions on Processing of Personal Information. Vendor is subject to all restrictions on processing of Personal Information applicable to processors under Applicable Data Protection Laws. Vendor is prohibited from selling or sharing Personal Information. Vendor is prohibited from retaining, using, or disclosing Personal Information for any purpose other than the business purposes set forth in this Addendum and the Agreement, or as otherwise permitted by Applicable Data Protection Laws. Vendor is prohibited from retaining, using, or disclosing Personal Information for a commercial purpose other than the business purposes specified in this Addendum and the Agreement, or as otherwise permitted by Applicable Data Protection Laws. Vendor is prohibited from retaining, using, or disclosing Personal Information outside of the direct business relationship between Vendor and Customer, unless permitted by Applicable Data Protection Laws. Vendor is prohibited from combining or updating the Personal Information that Vendor receives from, or on behalf of, Customer with Personal Information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the Data Subject.
  11. Return or Deletion of Personal Information. Vendor shall delete or return all Personal Information to Customer within sixty (60) days after the end of the provision of services relating to processing under the Agreement, and delete existing copies unless retention of the Personal Information is required by applicable law. If Vendor is unable to delete or return Customer’s Personal Information, Vendor shall inform Customer of that obligation and comply with the requirements of Applicable Data Protection Laws until the Personal Information is securely deleted or returned to Customer.
  12. Warranties. Vendor represents and warrants that no Applicable Data Protection Law, or privacy or information security enforcement action, investigation, litigation or claim prohibits Vendor from (a) fulfilling its obligations under this Addendum; or (b) complying with instructions it receives from Customer concerning Personal Information. In the event an Applicable Data Protection Law, or privacy or information security enforcement action, investigation, litigation or claim, or any other circumstance, is reasonably likely to adversely affect Vendor’s ability to fulfill its obligations under this Addendum, Vendor shall promptly notify Customer in writing and Customer may, in its sole discretion and without liability to Customer, suspend (1) the transfer or disclosure of Personal Information to Vendor and/or (2) access to Personal Information by Vendor, and terminate any further processing of Personal Information by Vendor.
  13. Coverage. During the term of the Agreement, Vendor shall carry and maintain at its own cost, with such companies as are reasonably acceptable to Customer, cyber liability insurance for not less than $5,000,000 USD per occurrence and in the aggregate. Vendor shall, prior to providing any services hereunder, provide Customer with certificates of insurance evidencing the coverages and amounts set forth above. Vendor will give thirty (30) days’ prior written notice to Customer of any cancellation of the coverage afforded under this section. The insurance shall contain a waiver of subrogation and a waiver of right of recovery against Customer, in a form satisfactory to Customer.
  14. Disclosure of Personal Information. Subject to Applicable Data Protection Laws, Vendor shall notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority, or proceeding, requiring access to or disclosure of Personal Information; such notice shall describe the Personal Information to be disclosed and the identity of the third party requiring such disclosure, so that Customer may interpose an objection to such disclosure, take action to assure confidential handling of the Personal Information, or take such other action as it deems appropriate to protect the Personal Information. In either case, Vendor shall reasonably cooperate with Customer in its efforts to seek a protective order or other appropriate remedy or, in the event such protective order or other remedy is not obtained, to obtain assurance that confidential treatment will be accorded such Personal Information.
  15. Survival. Vendor’s obligations under this Addendum shall survive termination or expiration of the Agreement, so long as Vendor has possession, custody, or control of any Personal Information received from or on behalf of Customer.
  16. Certification. Vendor certifies, under Applicable Data Protection Laws, that it understands the restrictions in this Addendum and will comply with them.
