Terms Of Service
The agreement between you and Red Flagg Pty Ltd when you subscribe to our services or use this website. Written in plain English where possible, with lawyer-language where it matters.
Welcome, and thanks for reading. We know terms of service aren't light reading. We've tried to write ours in a way that actually makes sense — with a short plain-English summary next to each major clause so you know what it means in practice.
If anything here is unclear, email hello@redflagg.com.au or call 1800 930 329. We'd rather answer your question than surprise you later.
Who we are and who you are
These Terms of Service (the "Terms") are a legal agreement between Red Flagg Pty Ltd (ABN 81 683 346 116), a company incorporated in Australia ("we", "us", "our", "Red Flagg"), and you — the person or organisation using our website or subscribing to our services ("you", "your", "Customer").
This is a contract between you (our customer) and Red Flagg Pty Ltd (us). Whenever we say "we" we mean Red Flagg; whenever we say "you" we mean you or your organisation.
If you are entering into these Terms on behalf of an organisation, you confirm that you have the authority to bind that organisation.
How these terms apply
These Terms apply:
- when you browse or use redflagg.com.au (our "Website");
- when you subscribe to any of our services, including Business Protect, Business Plus, Business Shield, Senior Protection (Protective, Wrap Around, Device Clean Up, Community Plan), and any Additional Services (together, the "Services"); and
- when we issue you a quote, service agreement, statement of work or order form that refers to these Terms.
A Service Agreement is any written quote, order form, or statement of work we send you and that you accept (by email, electronic signature, or payment). Where a Service Agreement and these Terms conflict, the Service Agreement prevails for the specific point of conflict.
These terms apply to everything we do — the website, your subscription, one-off services. If we send you a specific quote and it says something different from these terms, the quote wins on that point.
Our services
Red Flagg provides managed cyber security services to organisations and individuals. The specific Services you receive depend on the plan you choose. Details of each plan are published at redflagg.com.au/plans and redflagg.com.au/new-page (Senior Protection).
Our methodology is structured around three maturity levels. Where your Service Agreement places you on a particular level, the deliverables for that level are detailed in the Service Agreement.
- Level 0 — Culture and awareness. Ten foundational steps focused on people, training, reporting habits, and the everyday safety basics. Every customer starts here.
- Level 1 — Essential Eight. The full ACSC Essential Eight Maturity Level 1 baseline — 48 technical controls delivered progressively after Level 0 is established.
- Level 2-3 — Advanced. Higher-maturity controls scoped and quoted on a project-by-project basis for organisations with regulatory or operational drivers.
Service features are subject to change and improvement. We will not materially reduce the features included in your plan without reasonable prior notice (at least 30 days).
Our services align to ACSC Essential Eight, the NIST Cybersecurity Framework (CSF), and CIS Controls v8. These are industry reference frameworks. Alignment to a framework does not constitute certification to any specific standard unless we explicitly state so in writing for your organisation.
What you get depends on which plan you're on. We work in three levels. Level 0 is people-and-culture (ten steps, everyone starts here). Level 1 is the full Essential Eight (48 controls). Level 2-3 is advanced and quoted per project. We won't take features away without 30 days' notice. When we say "align to" a framework, we follow it — but we're not officially certified unless we say so in writing.
Service maturity and timelines
Cyber security maturity is delivered progressively. We provide indicative timelines for each level so you know what to expect, while recognising that every environment is different.
Indicative timelines per level
- Level 0: Minimum 6 to 12 months to embed properly. Foundational and ongoing.
- Level 1: Typically 12 to 24 months in most environments. Longer for complex ones.
- Level 2-3: Quoted project by project. Scoped against your specific environment.
The timelines above are estimates based on typical small-to-medium organisations. Your Service Agreement will specify the timeline for your organisation following the Cyber Maturity Assessment.
Timelines are not contractual delivery dates. They may shift because of:
- your specific environment, technology stack, or existing maturity;
- your team's availability for training, approvals, or change management;
- third-party dependencies (Microsoft licensing, hardware procurement, vendor responses);
- incidents requiring focus elsewhere; or
- any other factors outside our reasonable control.
We will keep you informed of progress and any change in timeline through your monthly reporting and your named analyst (or the Cyber Operations Desk on plans without a dedicated analyst).
Level 0 takes at least 6 to 12 months. Level 1 usually takes 12 to 24 months — longer if your environment is complex. Level 2-3 is project work and gets its own timeline. These are good-faith estimates, not promises. Things can shift — if they do, we'll tell you.
Your account and responsibilities
To use our Services, you will need to:
- provide accurate information about yourself and your organisation;
- grant us the access we need to deliver the Services (for example, Microsoft 365 Granular Delegated Admin Privileges (GDAP) if your plan requires it);
- keep your access credentials confidential;
- nominate a primary contact for your account; and
- notify us promptly if any information changes, or if you suspect your account has been compromised.
You are responsible for:
- the actions of your staff, volunteers, contractors, and users under your account;
- complying with applicable laws (including privacy, anti-spam, and employment laws) that apply to your own operations;
- ensuring your own data back-ups and business continuity arrangements beyond what the Services include; and
- any third-party licences (for example, Microsoft 365 licences) you procure through us.
Give us accurate info, give us the access we need, and keep an eye on your own account. If your staff do something silly with your systems, that's on you. If Microsoft has an outage affecting your licences, that's a Microsoft issue, not ours — though we'll help you through it.
Fees, billing and tax
Fees for your Services are set out in your Service Agreement. Unless stated otherwise:
- Business plans are billed monthly in advance, per seat;
- Senior Protection plans are billed monthly in advance;
- Additional Services are billed as quoted (one-off or by milestone);
- payment is due within 7 days of invoice unless otherwise agreed.
Accepted payment methods include direct debit, BPAY (Australia), ACH (USA), EFT (South Africa), and credit card. Credit card payments may incur a surcharge. We reserve the right to suspend Services if an invoice remains unpaid 14 days after the due date; we will notify you before doing so.
All prices are exclusive of applicable taxes unless stated otherwise. Taxes include GST (Australia), sales tax (USA), and VAT (South Africa) as applicable to your jurisdiction.
Currency & tax by jurisdiction
- Australia: Quoted in AUD. GST added at current Australian rate.
- USA: Quoted in USD. Sales tax added where applicable by state.
- South Africa: Quoted in ZAR. VAT added at current South African rate.
We may adjust recurring fees with at least 30 days' written notice. If you don't accept a price change, you may cancel without penalty before it takes effect.
Monthly subscriptions billed in advance. Invoice due in 7 days. Late payments may get your service suspended (we'll warn you first). Tax is on top of the quoted price. If we put prices up, we'll give you 30 days to cancel without penalty.
Acceptable use
When using our Services, you agree that you will not:
- use the Services to engage in unlawful activity;
- attempt to reverse-engineer, decompile, or extract the source code of any Red Flagg-owned tool or system;
- use our Services to send spam, phishing, or malware to anyone;
- probe, scan, or attempt to bypass the security of our systems, or the systems of other customers;
- use our reports, documentation, or outputs to misrepresent your organisation's cyber maturity to third parties;
- resell, sublicense, or white-label our Services without written consent; or
- interfere with any other customer's use of the Services.
We reserve the right to immediately suspend or terminate the Services if we reasonably believe you have breached this clause, or if continued provision of Services would create a legal or security risk to us, you, or other customers.
Don't break the law, don't hack our stuff, don't pretend our report says something it doesn't, and don't resell our services without asking. If you do any of this, we can cut you off immediately.
Data, privacy and confidentiality
Our handling of personal information is governed by our Privacy Policy, which forms part of these Terms.
You own your data. Any data you provide to us, or that we process on your behalf (for example, log data, emails you forward to MailCheck™, scorecard results), remains your property. You grant us a limited licence to use this data only to deliver the Services, produce reports and statistics, and meet our legal obligations.
We do not sell customer data. We do not use customer data to train AI models. We do not share customer data with third parties except:
- with your permission;
- with providers strictly necessary to deliver the Services (for example, Microsoft, our data-hosting providers); or
- where required by law.
Data hosting. Customer data is hosted in the Microsoft Azure region aligned to your jurisdiction: Australia East/Southeast for Australian customers, East US / West US 2 for USA customers, South Africa North (Johannesburg) for South African customers. Data sovereignty is maintained at all times.
Confidentiality. Each party must keep the other's confidential information (such as your systems architecture, our methodology, pricing and reports) confidential, and use it only to perform obligations under these Terms. Confidentiality obligations survive termination for three (3) years.
Notifiable breaches. If we become aware of an eligible data breach affecting your information, we will notify you without undue delay and in any event within the timeframes required by applicable law. In Australia, this is the Notifiable Data Breaches scheme under the Privacy Act 1988. Similar obligations apply under HIPAA (USA, where relevant) and POPIA (South Africa).
Your data is yours. We only use it to do our job. We don't sell it, we don't use it to train AI, and we don't share it with other companies unless we absolutely have to or you've said it's okay. If something goes wrong, we'll tell you quickly.
Third parties (Microsoft, etc.)
Our Services depend on third-party platforms, most notably Microsoft 365 and the Microsoft Azure cloud. These platforms have their own terms of service and are provided by Microsoft Corporation, not by us.
By subscribing to our Services, you acknowledge that:
- Microsoft may update, change, or discontinue features of Microsoft 365;
- outages affecting Microsoft's systems can affect the Services we deliver;
- if you purchase Microsoft licences through us (as a Microsoft Partner), you also agree to the Microsoft Customer Agreement; and
- we are not responsible for Microsoft's actions or omissions, but we will use reasonable efforts to assist you when third-party issues affect your service.
We rely on Microsoft to do the work we do. When Microsoft has problems, we have problems. We'll help you through it, but we can't make Microsoft do things Microsoft doesn't want to do.
Intellectual property
The Red Flagg name, logo, product names (including MailCheck™, DarkWebCheck™, Safe Text™, Caller Check™, DeID™), our methodology, reports, and any materials we produce remain the property of Red Flagg Pty Ltd.
We grant you a non-exclusive, non-transferable, revocable licence to use the reports and deliverables we produce for you internally within your organisation for the purpose they were produced.
You may not:
- publish our reports externally without our written consent (a summary or extract with attribution is usually fine — ask us);
- use our trademarks or branding in your own marketing without written consent; or
- claim authorship of our methodology or derived works.
Any feedback or suggestions you provide are given freely; we may use them without obligation.
We own our stuff (the name, logos, reports). You can use our reports for your own team. If you want to share them externally or use our name in your marketing, just ask — we usually say yes.
Warranties and disclaimers
We warrant that:
- we will provide the Services with due care, skill, and diligence, using appropriately qualified personnel;
- we will use reasonable efforts to deliver the Services within the timeframes published on our Website or agreed in your Service Agreement; and
- our Services do not, to the best of our knowledge, infringe the intellectual property rights of any third party.
We do not warrant that:
- our Services will be uninterrupted or error-free;
- our Services will prevent every possible cyber incident;
- third-party platforms (like Microsoft) will always be available;
- any specific cyber maturity score, outcome, or measurable result will be achieved by a particular date; or
- indicative maturity timelines published on our Website (Level 0: 6 to 12 months minimum; Level 1: 12 to 24 months in most environments; Level 2-3: per project) will be met for your specific environment — refer to your Service Agreement for the timeline applicable to your organisation.
Nothing in this clause limits your rights under consumer protection laws that cannot be excluded by contract (see clause 12).
We'll do a professional job. We can't promise we'll stop every possible cyber attack — no one can, and anyone who does is lying. The maturity timelines on our website are good-faith estimates, not guarantees. But we'll work hard, document what we do, and be straight with you.
Consumer law rights
If you are a "consumer" under the Australian Consumer Law (Competition and Consumer Act 2010 (Cth), Schedule 2), our Services come with guarantees that cannot be excluded. These include guarantees that the Services will be provided with due care and skill, and will be reasonably fit for purpose.
You have a right to a refund or resupply if these guarantees are not met. Nothing in these Terms limits your rights under Australian Consumer Law.
Consumer protection by jurisdiction
- Australia: Australian Consumer Law (Sch 2, CCA 2010). Non-excludable guarantees apply.
- USA: State consumer protection laws apply, including the California Consumer Privacy Act for California residents.
- South Africa: Consumer Protection Act, 2008. Non-excludable rights apply to "consumers" as defined.
Consumer law gives you rights we can't take away in a contract. Australian customers, Americans, and South Africans all have some level of baseline protection that these Terms can't override.
Liability
To the extent permitted by law:
- Our total aggregate liability to you under or in connection with these Terms (however arising, including in negligence) is limited to the total fees you have paid us in the 12 months preceding the event giving rise to the claim.
- Neither party is liable for indirect, consequential, special, or punitive damages, including loss of profit, loss of revenue, loss of data, loss of goodwill, or loss of opportunity.
- We are not liable for losses caused by: events beyond our reasonable control (force majeure); your own actions or omissions; third-party platforms (Microsoft, network providers); any failure to follow our security advice; or delays in maturity progression where caused by factors set out in clause 4.
Nothing in this clause limits:
- liability for fraud or wilful misconduct;
- liability for death or personal injury caused by negligence; or
- rights under consumer protection laws that cannot be excluded.
If we mess up, our liability is capped at what you've paid us in the last year. We're not liable for indirect losses like lost profit. If a Level 1 rollout takes longer than expected because of factors outside our control, that's not a liability we cover. Consumer law rights aren't affected by this cap.
Cancellation and termination
Cancellation by you. All Red Flagg subscription plans are monthly, with no lock-in. You may cancel at any time with notice before your next billing date. Cancellation takes effect at the end of the then-current billing month. No refunds are issued for the month in which you cancel, except where required by law.
Cancellation during a maturity rollout. If you cancel mid-way through a Level 1 rollout (or during any multi-month deliverable), the Services up to your cancellation date have already been delivered and remain payable. You retain all reports and deliverables produced up to that point. We are under no obligation to refund or pro-rate fees attributable to work completed.
Senior Protection 28-day trial. Senior Protection plans include a 28-day trial. You can cancel during the trial period for a full refund.
Termination by us. We may terminate these Terms immediately if:
- you breach a material term and don't remedy the breach within 14 days of our written notice;
- you fail to pay an invoice within 30 days of its due date;
- you become insolvent, enter administration, or cease trading; or
- we reasonably believe continuing to provide the Services would put us, you, or other customers at legal or security risk.
On termination. We will:
- offboard our access to your Microsoft environment within 5 business days;
- make your reports and deliverables available for export for 30 days after termination;
- delete operational data within 90 days, retaining only minimal billing records required by tax law; and
- issue a final invoice for any outstanding fees.
You can cancel any time — just tell us before your next bill. If you cancel mid-Level 1 (after, say, 8 of 24 months), you don't get a refund for work we've already done — but you keep everything we've produced. Senior Protection gives you 28 days to try it. If you stop paying or do something seriously wrong, we can end things too. When we part ways, we offboard cleanly and delete your data within 90 days.
Disputes and complaints
If something goes wrong, please tell us first. Email hello@redflagg.com.au with the subject line "Complaint" and we will:
- acknowledge your complaint within 2 business days;
- investigate and propose a resolution within 10 business days where reasonably possible;
- escalate to a Director if we can't resolve it at first instance.
If we can't reach a resolution together, you may refer the matter to an appropriate external body:
- 🇦🇺 Australia: the Office of the Australian Information Commissioner (OAIC) for privacy matters, or the relevant state/territory consumer affairs body.
- 🇺🇸 United States: your state's Attorney General's office or the Federal Trade Commission (FTC).
- 🇿🇦 South Africa: the Information Regulator for privacy matters, or the National Consumer Commission.
Before issuing any court proceedings, each party agrees to attempt good-faith negotiation for a period of at least 30 days.
If you have a problem, tell us and we'll try to fix it within 10 business days. If we can't agree, there are external bodies in each country you can escalate to. We all agree to actually try to work it out before rushing to court.
Changes to these terms
We may update these Terms from time to time. The "Last updated" date at the top of this page tells you when.
For material changes (changes that meaningfully affect your rights or obligations), we will:
- notify you by email at least 30 days before the change takes effect;
- post a summary of the change on this page; and
- allow you to cancel without penalty if you don't accept the new terms.
For minor changes (fixing typos, clarifying wording, adding plain-English summaries), we may update the page without individual notice.
Continuing to use the Services after a change takes effect means you accept the updated Terms.
If we change something important, we'll tell you at least 30 days in advance and you can walk away if you don't like it. Typo fixes we'll just do — no notification needed.
Governing law and jurisdiction
These Terms are governed by the laws of Victoria, Australia. Each party submits to the exclusive jurisdiction of the courts of Victoria, Australia, and courts competent to hear appeals from those courts.
For customers outside Australia, this choice of law does not remove consumer protection rights you may have under the laws of your home jurisdiction that cannot be excluded by contract.
These terms are interpreted under Australian law, and disputes go to Australian courts. If you're based in the USA or South Africa, you don't lose the consumer protections your own country gives you.
Contact us
For questions about these Terms, or anything else:
- Email: hello@redflagg.com.au
- Phone: 1800 930 329 (8am–8pm, 7 days, local time)
- Post: Red Flagg Pty Ltd — ABN 81 683 346 116 — Melbourne, Victoria, Australia
- Partnerships (banks / government): partnerships@redflagg.com.au
- Customer support: support@redflagg.com.au
Got a question about these terms? Email us or call us. A real person will answer.