Apply Cyber

Apply Cyber Master Subscription Agreement (MSA)

Sovereign vs External Model Choice
Security Addendum
Acceptable Use Policy (AUP)
Support Policy

Apply Cyber Master Subscription Agreement (MSA)

Last revised: December, 2025

This Master Subscription Agreement ("MSA") is entered into by and between Connecting Dots Pty Ltd ("Connecting Dots", "we", "us", "our") and the entity or person ("Customer", "you", "your") that (i) executes an order form referencing this MSA ("Order Form"), (ii) accepts an Order Form via a cloud marketplace private offer, or (iii) signs up for and accesses the Services on a trial basis ("Trial Services"). Each of Connecting Dots and Customer is a "Party" and together the "Parties."

This MSA consists of the terms below and incorporates by reference any documents expressly referenced, including the Privacy Policy, Data Processing Addendum (DPA) (if applicable), Security Addendum, Support Policy, Acceptable Use Policy, and AI Addendum.

Section 1. Services and Support

1.1 Services

"Services" means the Apply Cyber products and services made available to Customer under this MSA. Subject to this MSA and the applicable Order Form, we will make the Services available during the subscription period specified in the Order Form ("Service Period").

1.2 Support

We will provide commercially reasonable support during the Service Period in accordance with our Support Policy.

1.3 Updates

We may update the Services from time to time, including to improve security, performance, or functionality. Material changes will be notified where practicable.

Section 2. Fees and Payment; Trial Services; Beta

2.1 Fees

Customer will pay the fees set forth in the applicable Order Form ("Fees"). Except as expressly set out in this MSA or an Order Form, payment obligations are non-cancellable and Fees are non-refundable.

2.2 Billing Methods

(a) Subscriptions (Platform Fees): typically billed via Stripe or another online payment method specified in the Order Form.

(b) Professional Services: consulting, advisory, and supported implementation services (if any) may be billed by invoice as specified in the applicable statement of work / Order Form.

2.3 Taxes

Fees exclude applicable taxes (including GST, VAT, sales or withholding taxes). Customer is responsible for such taxes except taxes on our net income.

2.4 Late Payment; Suspension

If Fees are overdue, we may (i) suspend access to the Services after reasonable notice, and/or (ii) charge interest on past due amounts at a reasonable rate not exceeding the maximum permitted by law.

2.5 Fee Disputes

If Customer disputes an invoice in good faith, Customer must notify us within 30 days of invoice date with sufficient detail. Parties will work in good faith to resolve the dispute. Undisputed amounts remain payable.

2.6 Price Changes

We may change pricing for the next Service Period only. We will provide reasonable notice of fee increases prior to renewal.

2.7 Cloud Marketplace Billing

If purchased through a cloud marketplace, Fees and billing may be governed by that marketplace's terms, and payment may be processed through the marketplace account.

2.8 Trial Services

Trial Services are provided as-is and may be withdrawn at any time. We do not guarantee retention of Customer Content provided during Trial Services, and Trial data may be deleted after the trial ends unless Customer converts to a paid subscription.

2.9 Beta Features

Beta/preview features ("Beta Offerings") may be made available for evaluation, are not for production use, may be changed or discontinued at any time, and are provided as-is without warranties to the extent permitted by law.

Section 3. Term and Termination

3.1 Term of MSA

This MSA begins on the effective date of the first Order Form (or Trial sign-up) and continues until all Order Forms expire or are terminated.

3.2 Service Period; Auto-Renewal

Unless otherwise stated in the Order Form, subscriptions automatically renew for successive periods of the same length as the initial Service Period, unless Customer provides notice of non-renewal at least 30 days before the end of the then-current Service Period.

3.3 Termination for Cause

A Party may terminate this MSA or an Order Form for material breach if the breach remains uncured 10 business days after written notice.

3.4 Suspension

We may suspend access immediately if we reasonably believe: (i) there is a security risk or attack, (ii) Customer violates the Acceptable Use Policy or Section 4.5, (iii) continued access could harm the Services or others, or (iv) Fees are overdue (after reasonable notice).

3.5 Effect of Termination

Upon termination or expiration:

Customer's right to access the Services ends
we will make Customer Content available for export if and as described in the Order Form and/or DPA (where applicable)
we may retain limited records as required for legal, tax, audit, or security purposes.

Section 4. Ownership, Licence, and Use of the Services

4.1 Ownership

We retain all rights, title, and interest in and to the Services, including software, platform design, documentation, and related intellectual property ("Provider IP"). Customer retains all rights in Customer Content ("Customer Content").

4.2 Licence to Customer

Subject to Customer's compliance with this MSA and payment of Fees, we grant Customer a limited, non-exclusive, non-transferable, non-sublicensable licence to access and use the Services during the Service Period for internal business purposes.

4.3 Licence to Provider (Customer Content)

Customer grants us a limited, non-exclusive licence to host, process, transmit, and display Customer Content solely to provide, maintain, support, and secure the Services and meet legal obligations.

4.4 Usage Data

We may generate and use service usage data, logs, and metadata ("Usage Data") to operate, support, and improve the Services, provided that any sharing with third parties is in aggregated and/or de-identified form that does not reasonably identify Customer or its users.

4.5 Prohibited Uses

Customer will not (and will not permit any user to):

resell, rent, lease, or provide the Services to third parties except as expressly permitted in writing
reverse engineer, decompile, disassemble, or attempt to discover source code or underlying structure except to the extent permitted by law
interfere with, disrupt, or gain unauthorised access to the Services
introduce malware or harmful code
use automated scraping/extraction tools against the Services
use the Services to infringe third-party rights or violate law.

4.6 Authorised Users

Customer may grant access to employees, contractors, and agents ("Authorised Users"). Customer is responsible for Authorised Users' compliance with this MSA.

4.7 Feedback

If Customer provides suggestions or feedback ("Feedback"), Customer grants us a perpetual, irrevocable, royalty-free right to use and incorporate Feedback without restriction, provided we do not disclose Customer Confidential Information in doing so.

Section 5. Data Privacy and Security

5.1 Privacy Policy

Our Privacy Policy describes how we collect and process personal information relating to the Services.

5.2 Data Processing Addendum

If required by applicable law or agreed by the Parties, the DPA applies and governs personal data processing activities for Customer Content.

5.3 Security Addendum

We will maintain administrative, technical, and organisational safeguards as described in the Security Addendum.

Section 6. AI and Automation Features

6.1 AI Features

The Services may include AI-assisted features ("AI Features"). AI Outputs are suggestions and do not constitute legal, compliance, or professional advice. Customer remains responsible for review and decisions.

6.2 Model Choice: Sovereign vs External

AI Features may be provided using:
(a)Sovereign Mode: Connecting Dots' internal ("sovereign") model capability; and/or
(b)External Model Mode: one or more third-party model providers, only if Customer elects to enable such option(s) where offered.
AI Features are governed by the AI Addendum, including mode selection, disclosures, and data-handling rules.

Section 7. Confidentiality

Each Party may receive Confidential Information of the other. "Confidential Information" includes non-public technical, commercial, security, pricing, and business information, and Customer Content. The receiving Party will protect Confidential Information with at least reasonable care and use it only to perform under this MSA. Confidentiality obligations survive termination for three (3) years, and for trade secrets as long as they remain trade secrets (where permitted by law).

Section 8. Warranties and Disclaimers

8.1 Authority

Each Party represents it has authority to enter into this MSA.

8.2 Limited Warranty

We warrant that during the Service Period, the Services will perform materially in accordance with applicable documentation, when used as authorised.

8.3 Disclaimers

Except as expressly stated, the Services (including Trial Services, Beta Offerings, and AI Outputs) are provided as-is and as available, without warranties of any kind to the maximum extent permitted by law. Customer acknowledges the Services are tools to assist Customer's own cybersecurity, risk, and compliance activities; Customer remains responsible for its compliance obligations and outcomes.

Section 9. Indemnification

9.1 Provider Indemnity (IP)

We will defend and indemnify Customer from third-party claims alleging the Services infringe third-party IP rights, provided Customer promptly notifies us, permits us to control the defence/settlement, and cooperates reasonably. This does not apply to claims arising from Customer Content, Customer instructions, misuse, or unauthorised modifications.

9.2 Customer Indemnity (Customer Content)

Customer will defend and indemnify us from third-party claims arising from Customer Content or Customer's breach of this MSA.

Section 10. Limitation of Liability

To the maximum extent permitted by law:

neither Party is liable for indirect, incidental, special, consequential, or punitive damages; and
our total aggregate liability arising out of or relating to this MSA will not exceed the Fees paid by Customer in the 12 months immediately preceding the event giving rise to the claim

Nothing limits liability that cannot be limited by law.

Section 11. Third-Party Services and Integrations

The Services may integrate with third-party platforms. We are not responsible for third-party services' performance, availability, or data practices. Customer's use of third-party services is subject to those third parties' terms.

Section 12. Force Majeure

Neither Party is liable for failure or delay due to events beyond reasonable control, except Customer's payment obligations.

Section 13. Governing Law and Dispute Resolution

This MSA is governed by the laws in force in Australia. The Parties submit to the non-exclusive jurisdiction of the courts of Australia for disputes arising out of or relating to this MSA.

Section 14. Changes to the Terms

We may update this MSA with reasonable notice. Continued use after the effective date constitutes acceptance.

Section 15. Contact Information

Legal/Contract Notices: letsconnect@connectingdots.net.au

Sovereign vs External Model Choice

Last revised: December, 2025.
This AI Addendum forms part of the MSA and applies to any AI Features.

1. Definitions

AI Features: features that use machine learning/LLMs/automation to generate outputs.
AI Outputs: generated content, summaries, recommendations, or draft artefacts produced by AI Features.
Sovereign Mode: AI processing using Connecting Dots' internal model capability.
External Model Mode: AI processing using a third-party model provider, enabled by Customer choice where offered.

2. Customer Choice and Controls

Where AI Features are offered with mode selection, Customer can choose Sovereign Mode and/or External Model Mode via admin controls (where available). If External Model Mode is not enabled, AI Features operate in Sovereign Mode only.

3. Data Handling by Mode

3.1 Sovereign Mode: Customer Content submitted to AI Features is processed within Connecting Dots' environments to provide the AI Feature functionality.

3.2 External Model Mode (Opt-In): If Customer enables External Model Mode, Customer authorises Connecting Dots to transmit the minimum necessary Customer Content to the selected external provider solely to deliver the requested AI Feature. We will disclose the provider and feature scope at or before enablement (e.g., in-product notice and/or documentation).

4. Training and Improvement

We do not use Customer Content to train public models.
We may use Usage Data and Feedback (e.g., thumbs up/down) to improve service performance and user experience, provided it is handled in a way consistent with the MSA and Privacy Policy.

5. Customer Responsibilities

Customer is responsible for:

ensuring it has authority to submit data to AI Features
validating AI Outputs before use
not inputting unlawful content or content that violates policies ; and
applying appropriate internal governance where AI is used in regulated contexts.

6. AI Output Disclaimer

AI Outputs may be inaccurate or incomplete. Customer must not represent AI Outputs as human-generated where doing so would be misleading.

7. Changes

We may update AI Features and available model options over time. Material changes to External Model Mode providers will be reflected in disclosures and/or supporting documents.

Security Addendum

Last revised: December, 2025.
This Security Addendum forms part of the MSA and describes safeguards Connecting Dots maintains for the Services.

1. Scope and Shared Responsibility

Connecting Dots maintains safeguards designed to protect the Services and Customer Content. Customer is responsible for its own configurations, user access management, connected systems, endpoints, and internal security policies.

2. Hosting and Service Providers

2.1 Cloud Hosting:
Apply Cyber is hosted on AWS and/or Microsoft Azure, depending on region and deployment selection. For Australian customers where selected, hosting is in AWS Asia Pacific (Sydney).

2.2 Business and Operational Tools:
We use the following tools to operate and support the Services:

Email: Microsoft 365
Payments: Stripe (subscriptions)
Monitoring: AWS services (monitoring/telemetry within AWS)
Support/Delivery Tools: GitHub, Microsoft 365, Trello.

3. Security Measures

We maintain a security program that includes reasonable administrative, technical, and organisational measures, such as:

access controls and least-privilege practices for systems supporting the Services;
logging and monitoring for service reliability and security;
secure development and change practices appropriate to a SaaS platform;
measures designed to protect Customer Content against unauthorised access, alteration, or disclosure.

(We intentionally avoid listing specific cryptographic algorithms or guaranteed control sets here unless you want to formally commit to them.)

4. Incident Management

We maintain incident response processes designed to assess and respond to security events affecting the Services. Where legally required and applicable, we will provide notifications in accordance with law and contractual commitments.

5. Subprocessors

Our subprocessors may include: AWS, Microsoft Azure (where used), Microsoft 365, Stripe, GitHub, and Trello. We may update subprocessors as the Services evolve. Where appropriate, we will maintain a published subprocessor list and provide notice of material changes.

6. Customer Obligations

Customer should implement reasonable security practices including:

managing Authorised Users and permissions;
applying appropriate authentication controls for user access;
ensuring it has authority to provide Customer Content;
measures designed to protect Customer Content against unauthorised access, alteration, or disclosure.
reviewing configurations and outputs before relying on them for compliance decisions.

7. Requests and Assurance

Upon reasonable request, we may provide security information (e.g., questionnaires or summaries) to support Customer due diligence, subject to confidentiality.

What I need from you (one-liners) to finalise this as a ready-to-publish "legal pack"

Do you already have an Acceptable Use Policy page, or should I draft it too (short and Vanta-like)?
Do you want a separate Support Policy page (with severity + response targets), or keep it "commercially reasonable" only for now?

If you answer those, I'll produce the missing pages so your Apply Cyber legal section reads like a complete Vanta-grade suite (MSA + DPA pointer + Security + AI + AUP + Support), all consistent and copy-paste ready.

Acceptable Use Policy (AUP)

Owner/Operator: Connecting Dots Pty Ltd (Australia).
Platform: Apply Cyber.
Last revised: December 2025.

This Acceptable Use Policy ("AUP") governs your access to and use of the Apply Cyber platform and services ("Services"). This AUP forms part of the Apply Cyber Master Subscription Agreement (MSA) and applies to all Customers and Authorised Users.

1. Purpose

The purpose of this AUP is to protect Customers, the Services, and the broader ecosystem by preventing misuse, unlawful activity, and harmful or disruptive behaviour.

2. Who This Applies To

This AUP applies to:

any organisation or individual using the Services (Customer); and
all users granted access under Customer's account (Authorised Users).

Customer is responsible for ensuring Authorised Users comply with this AUP.

3. General Rules

You must use the Services:

lawfully and in accordance with applicable regulations;
in a way that does not compromise the security, integrity, availability, or performance of the Services; and
only for legitimate internal business purposes, unless otherwise agreed in writing (e.g., a reseller/partner agreement).

4. Prohibited Uses

You must not (and must not permit any third party to):

4.1 Security Abuse and Unauthorised Access

attempt to gain unauthorised access to the Services, accounts, or underlying infrastructure;
probe, scan, or test vulnerabilities of the Services except where explicitly authorised in writing;
bypass authentication, access controls, or usage limitations.

4.2 Disruption and Service Interference

interfere with, degrade, or disrupt the Services or other customers' use;
overload or attempt to overload the Services through automation, excessive requests, or abusive traffic patterns.

4.3 Malware and Harmful Content

upload, transmit, or store malicious code (including viruses, worms, trojans, backdoors, or exploits);
use the Services to deliver phishing, spam, or other deceptive communications.

4.4 Unlawful, Infringing, or Harmful Activities

use the Services for unlawful surveillance or monitoring;
use the Services to infringe intellectual property rights, privacy rights, or other legal rights of others;
upload content that is unlawful, defamatory, or used to harass or discriminate.

4.5 Reverse Engineering, Scraping, and Competitive Use

reverse engineer, decompile, disassemble, or attempt to discover the source code, models, or underlying structure of the Services except to the extent permitted by law;
use scraping, extraction tools, bots, or automated means to access or copy the Services or its content beyond normal intended usage;
access or use the Services to build or support a competing product or service.

4.6 Resale / Service Bureau

resell, rent, lease, time-share, or provide the Services to third parties as a service bureau unless explicitly permitted under a written agreement.

5. Customer Responsibilities

Customer is responsible for:

maintaining account security and managing user access;
ensuring only authorised users access the Services;
ensuring Customer Content submitted to the Services is lawful and that Customer has rights/authority to submit it;
promptly notifying Connecting Dots of suspected unauthorised access or misuse.

6. Monitoring and Enforcement

We may monitor usage and activity to maintain security and service reliability.

If we reasonably believe you have violated this AUP, we may:

require you to stop the offending activity;
suspend or limit access to the Services (including specific features or users);
terminate the Services as permitted under the MSA; and/or
report unlawful activity to relevant authorities where required or appropriate.

We will take reasonable steps to provide notice where practical, but may act immediately if necessary to protect the Services, customers, or third parties.

7. Changes

We may update this AUP from time to time. Material changes will be notified where practicable. Continued use of the Services after the effective date constitutes acceptance.

8. Contact

Questions about this AUP: letsconnect@connectingdots.net.au

Support Policy

Owner/Operator: Connecting Dots Pty Ltd (Australia).
Platform: Apply Cyber.
Last revised: December 2025.

This Support Policy describes the support Connecting Dots provides for Apply Cyber ("Services"). This Support Policy forms part of the Apply Cyber Master Subscription Agreement (MSA).

1. Purpose

Our support is designed to help Customers use the Services effectively, resolve service-related issues, and maintain a secure and stable experience.

2. Scope of Support

Support typically includes:

assistance with platform access, authentication,
investigation of platform errors, outages, or degraded performance;
guidance on configuration and usage of platform features;
troubleshooting platform integrations and connectors to the extent they are provided and controlled by Apply Cyber;
bug triage and defect resolution planning.

Support does not replace your internal IT/security team, your MSP, or your professional advisers.

3. Support Channels

Support is provided through channels we make available to Customers, which may include:

email support; and/or
ticketing or shared work tools agreed with the Customer for delivery coordination.

(You can publish a single official support email like support@applycyber.tech later if you want — for now I've left it generic to avoid inventing an address.)

4. Support Hours

Unless otherwise stated in an Order Form, support is provided during standard Australian business hours (excluding public holidays).

For Customers requiring extended hours or dedicated coverage, this can be agreed under an Order Form or statement of work.

5. Severity Levels and Response Targets (Commercially Reasonable)

We use severity levels to prioritise issues. The targets below are commercially reasonable goals, not guarantees.

Severity 1 (Critical):

Definition: Service is unavailable for most users, or there is a severe security-impacting issue affecting the Services.
Target response: as soon as reasonably practicable after notification.
Target action: triage immediately, prioritise restoration/containment.

Severity 2 (High):

Definition: Significant degradation of core functionality with no reasonable workaround.
Target response: within a commercially reasonable timeframe.
Target action: prioritised investigation and mitigation.

Severity 3 (Medium):

Definition: Partial loss of non-critical functionality, or a workaround exists.
Target response: within a commercially reasonable timeframe.
Target action: triage and schedule fix or guidance.

Severity 4 (Low):

Definition: General questions, minor issues, enhancement requests.
Target response: within a commercially reasonable timeframe.
Target action: advice, documentation guidance, or backlog consideration.

6. Customer Responsibilities (to receive effective support)

To help us assist quickly, Customer should:

provide clear issue descriptions, screenshots/log context where available, and steps to reproduce;
confirm whether the issue affects a single user or multiple users;
ensure Authorised Users and admin contacts are available for troubleshooting when needed;
maintain accurate user roles/permissions and basic environment information.

7. Third-Party Services and Integrations

Where issues relate to third-party services (e.g., cloud providers, Microsoft 365, payment processors, or tools not controlled by Apply Cyber), our support will focus on:

identifying whether the issue originates from Apply Cyber or the third party; and
providing reasonable guidance on next steps.

We are not responsible for outages, changes, or performance issues in third-party services.

8. Professional Services (Optional)

Configuration, onboarding, advisory, custom implementation, and supported implementation may be provided as Professional Services under a separate statement of work / Order Form and may be billed via invoice.

9. Maintenance and Updates

We may perform maintenance or deploy updates from time to time. Where practical, we will provide notice of planned maintenance that may impact availability.

10. Changes

We may update this Support Policy from time to time. Continued use of the Services after changes take effect constitutes acceptance.

11. Contact

Support requests and queries: letsconnect@connectingdots.net.au