Legal · Plain English · Applies to all Red Flagg™ services

Terms Of Service

The agreement between you and Red Flagg Pty Ltd when you subscribe to our services or use this website. Written in plain English where possible, with lawyer-language where it matters.

Last updated May 2026 · Version 3.0


Welcome, and thanks for reading. We know terms of service aren’t light reading. We’ve tried to write ours in a way that actually makes sense — with a short plain-English summary next to each major clause so you know what it means in practice.

If anything here is unclear, email hello@redflagg.com.au or call 1800 930 329. We’d rather answer your question than surprise you later.

01

Who we are and who you are

These Terms of Service (the “Terms”) are a legal agreement between Red Flagg Pty Ltd (ABN 81 683 346 116), a company incorporated in Australia (“we”, “us”, “our”, “Red Flagg”), and you — the person or organisation using our website or subscribing to our services (“you”, “your”, “Customer”).

In plain English

This is a contract between you (our customer) and Red Flagg Pty Ltd (us). Whenever we say “we” we mean Red Flagg; whenever we say “you” we mean you or your organisation.

If you are entering into these Terms on behalf of an organisation, you confirm that you have the authority to bind that organisation.

02

How these terms apply

These Terms apply:

  • when you browse or use redflagg.com.au (our “Website”);
  • when you subscribe to any of our subscription plans, including Business Protect, Business Plus, Business Shield, and Senior Protection (Protective, Wrap Around, Community Plan); and
  • when you purchase any Additional Service from us, including:
    • DarkWebCheck™ Standard Scan ($120 — personal, one email address, point-in-time report);
    • DarkWebCheck™ Deep Scan ($190 — personal, up to 5 email addresses, stealer log search);
    • DarkWebCheck™ Business Scan ($750 — business, up to 25 staff email addresses);
    • Cyber Security Posture Review ($750 — Microsoft 365 or Google Workspace, one-off point-in-time assessment);
    • Board Readiness Assessment (The Rock Report) (from $1,500 — three tiers: Base, Board Pack, Premium);
    • Device Clean Up ($399 — physical device forensic cleaning via Australia Post logistics);
    • Penetration Testing (Level 0 Remote Foundation, Level 1 Systems and Core Apps, Level 2 Onsite Full Environment — quoted per engagement);
    • WAP Security Audits, Forensic Lab, Cyber Awareness Training, Phishing Campaigns, and Scam and Hack Recovery; and
  • when we issue you a quote, service agreement, statement of work or order form that refers to these Terms.

A Service Agreement is any written quote, order form, or statement of work we send you and that you accept (by email, electronic signature, or payment). Where a Service Agreement and these Terms conflict, the Service Agreement prevails for the specific point of conflict.

Senior Protection plan details are published at redflagg.com.au/senior-protection.

In plain English

These terms apply to everything we do — the website, your subscription, and any one-off product you buy from our store. If we send you a specific quote and it says something different from these terms, the quote wins on that point.

03

Our services

Red Flagg provides managed cyber security services to organisations and individuals. The specific Services you receive depend on the plan or product you choose. Subscription plan details are published at redflagg.com.au/plans.

What Red Flagg provides — and what it does not. Red Flagg provides findings, recommendations, reports, configuration assistance, and training. We do not provide guarantees of security outcomes. All implementation decisions — including whether to act on any recommendation we make — remain with you, the customer. What you choose to do with our findings and reports is your business decision. Red Flagg is not your IT department and is not responsible for your organisation’s decisions about how to respond to our advice.

Our methodology for subscription services is structured around three maturity levels. Where your Service Agreement places you on a particular level, the deliverables for that level are detailed in the Service Agreement.

  • Level 0 — Culture and awareness. Ten foundational steps focused on people, training, reporting habits, and everyday safety basics. Every customer starts here, regardless of their existing technical controls.
  • Level 1 — Essential Eight. The full ACSC Essential Eight Maturity Level 1 baseline — 48 technical controls delivered progressively after Level 0 is established. Delivered on the Business Shield plan.
  • Level 2-3 — Advanced. Higher-maturity controls scoped and quoted on a project-by-project basis for organisations with regulatory, compliance, or operational drivers beyond Level 1.

Additional Services (one-off purchases) are available independently of any subscription plan and are described in clause 02.

Board Readiness Assessment. The Board Readiness Assessment (delivered as The Rock Report) is a point-in-time assessment of your Microsoft 365 or Google Workspace environment and governance posture. It produces a Board Brief and a technical Cyber Security Posture Review. This service is informational only — it does not constitute legal advice and does not certify that your organisation has met any legal obligation or that any director has satisfied their duty of care. See clause 11 for the specific disclaimer that applies to this service.

Supported platforms. Services that involve platform access (Posture Review, Microsoft 365 administration, Board Readiness Assessment) support Microsoft 365 and Google Workspace unless your Service Agreement specifies otherwise.

MailCheck™ response time. We target a 10-minute response time from the moment a customer submits an email via MailCheck™. This target reflects our operational commitment and is published in good faith. It is not a contractual guarantee and does not give rise to service credits or liability if exceeded. Response times may be affected by volume, analyst availability, and the complexity of the submission. Named analysts on Business Shield plans are supported by a Cyber Operations Desk to maintain coverage.

Service features are subject to change and improvement. We will not materially reduce the features included in your plan without reasonable prior notice (at least 30 days).

Our services align to ACSC Essential Eight, the NIST Cybersecurity Framework (CSF), and CIS Controls v8. Alignment to a framework does not constitute certification to any specific standard unless we explicitly state so in writing for your organisation.

In plain English

We give you findings, recommendations, and configuration help. What you do with them is up to you — we’re not guaranteeing that nothing bad will ever happen. Level 0 is about people (ten steps, everyone starts here). Level 1 is the full Essential Eight (48 controls). Level 2-3 is advanced and quoted per project. Our Board Readiness report tells you where you stand — it’s not a legal opinion and it doesn’t mean you’re legally safe. The 10-minute MailCheck™ response is our genuine target, not a contractual guarantee.

04

Service maturity and timelines

Cyber security maturity is delivered progressively. We provide indicative timelines for each level so you know what to expect, while recognising that every environment is different.

Indicative timelines per level

Level 0 Culture & awareness

Minimum 6 to 12 months to embed properly. Foundational and ongoing.

Level 1 Essential Eight

Typically 12 to 24 months in most environments. Longer for complex ones.

Level 2-3 Advanced

Quoted project by project. Scoped against your specific environment.

The timelines above are estimates based on typical small-to-medium organisations. Your Service Agreement will specify the timeline applicable to your organisation. Where a Service Agreement specifies a timeline, that timeline is a good-faith commitment, not a contractual delivery date, unless the Service Agreement expressly states otherwise.

Timelines are not contractual delivery dates. They may shift because of:

  • your specific environment, technology stack, or existing maturity;
  • your team’s availability for training, approvals, or change management;
  • third-party dependencies (Microsoft licensing, hardware procurement, vendor responses);
  • incidents requiring focus elsewhere; or
  • any other factors outside our reasonable control.

We will keep you informed of progress and any change in timeline through your quarterly reporting and your named analyst (or the Cyber Operations Desk on plans without a dedicated analyst).

In plain English

Level 0 takes at least 6 to 12 months. Level 1 usually takes 12 to 24 months — longer if your environment is complex. Level 2-3 is project work and gets its own timeline. These are honest estimates, not promises. If things shift, we’ll tell you.

05

Your account and responsibilities

To use our Services, you will need to:

  • provide accurate information about yourself and your organisation;
  • grant us the access we need to deliver the Services — for example, Microsoft 365 Granular Delegated Admin Privileges (GDAP) for Microsoft 365 services, or equivalent administrative access for Google Workspace services, where your plan requires it;
  • keep your access credentials confidential;
  • nominate a primary contact for your account; and
  • notify us promptly if any information changes, or if you suspect your account has been compromised.

You are responsible for:

  • the actions of your staff, volunteers, contractors, and users under your account;
  • complying with applicable laws (including privacy, anti-spam, and employment laws) that apply to your own operations;
  • ensuring your own data back-ups and business continuity arrangements beyond what the Services include; and
  • any third-party licences (for example, Microsoft 365 or Google Workspace licences) you procure through us.

In plain English

Give us accurate info, give us the access we need, and keep an eye on your own account. If your staff do something that leads to a breach, that’s on you. If Microsoft or Google has an outage, that’s their issue, not ours — though we’ll help you through it.

06

Fees, billing and tax

Fees for your Services are set out in your Service Agreement. Unless stated otherwise:

  • Subscription plans (Business Protect, Plus, Shield, Senior Protection) are billed monthly in advance, per seat;
  • Additional Services engaged by quote are billed as quoted (one-off or by milestone), due within 7 days of invoice;
  • payment is due within 7 days of invoice unless otherwise agreed.

Store purchases. One-off products purchased through the Red Flagg store at redflagg.com.au/shop are charged at the time of purchase via the Squarespace checkout. No separate invoice is issued for store purchases. All prices displayed at checkout are in the currency of your jurisdiction and inclusive or exclusive of applicable tax as displayed.

NFP pricing. Significantly reduced rates are available to registered not-for-profit organisations in all three operating jurisdictions — ACNC (Australia), 501(c)(3) (USA), and NPC/PBO (South Africa). NFP pricing is applied to your quote when you provide evidence of registered status at the time of enquiry. NFP rates apply to subscription plans and to Board Readiness Assessment engagements. NFP rates are confirmed in your Service Agreement.

Accepted payment methods include direct debit, BPAY (Australia), ACH (USA), EFT (South Africa), and credit card. Credit card payments may incur a surcharge. We reserve the right to suspend Services if an invoice remains unpaid 14 days after the due date; we will notify you before doing so.

All prices are exclusive of applicable taxes unless stated otherwise at the point of purchase or in your Service Agreement.

Currency & tax by jurisdiction

🇦🇺 Australia

Quoted in AUD. GST added at current Australian rate.

🇺🇸 United States

Quoted in USD. Sales tax added where applicable by state.

🇿🇦 South Africa

Quoted in ZAR. VAT added at current South African rate.

We may adjust recurring subscription fees with at least 30 days’ written notice. If you don’t accept a price change, you may cancel without penalty before it takes effect.

In plain English

Monthly subscriptions billed in advance. Store purchases charged at checkout. NFP rates available on every subscription plan and Board Readiness — tell us you’re an NFP and we’ll apply the rate. Invoice due in 7 days. Late payments may get your service suspended (we’ll warn you first). Tax is on top unless shown otherwise.

07

Acceptable use

When using our Services, you agree that you will not:

  • use the Services to engage in unlawful activity;
  • attempt to reverse-engineer, decompile, or extract the source code of any Red Flagg-owned tool or system;
  • use our Services to send spam, phishing, or malware to anyone;
  • probe, scan, or attempt to bypass the security of our systems, or the systems of other customers;
  • use our reports, documentation, or outputs to misrepresent your organisation’s cyber maturity to third parties;
  • resell, sublicense, or white-label our Services without written consent; or
  • interfere with any other customer’s use of the Services.

We reserve the right to immediately suspend or terminate the Services if we reasonably believe you have breached this clause, or if continued provision of Services would create a legal or security risk to us, you, or other customers.

In plain English

Don’t break the law, don’t hack our stuff, don’t pretend our report says something it doesn’t, and don’t resell our services without asking. If you do any of this, we can cut you off immediately.

08

Data, privacy and confidentiality

Our handling of personal information is governed by our Privacy Policy, which forms part of these Terms.

You own your data. Any data you provide to us, or that we process on your behalf (for example, log data, emails you forward to MailCheck™, scorecard results), remains your property. You grant us a limited licence to use this data only to deliver the Services, produce reports and statistics, and meet our legal obligations.

We do not sell customer data. We do not use customer data to train AI models. We do not share customer data with third parties except with your permission, with providers strictly necessary to deliver the Services, or where required by law. See clause 09 for the specific third-party platforms used in service delivery.

Data hosting. Customer data is hosted in the Microsoft Azure region aligned to your jurisdiction: Australia East/Southeast for Australian customers, East US / West US 2 for USA customers, South Africa North (Johannesburg) for South African customers. Data sovereignty is maintained at all times. Forensic evidence packs produced through Device Clean Up are stored in the same Azure region as your other data.

MailCheck™ processing. When you forward an email to Red Flagg™ via MailCheck™, the email content is processed by Can I Phish (caniphish.com), a third-party phishing analysis platform, for sandboxed analysis. Email content is also reviewed using AI-assisted triage tools — see “AI-assisted triage” below. This processing occurs solely to identify whether the email is a phishing or malicious communication. Can I Phish processes this data in accordance with its own privacy policy.

AI-assisted triage. Red Flagg uses AI-assisted tools, including large language model APIs operated by Anthropic PBC (anthropic.com), to assist analysts in triaging MailCheck™ submissions. AI tools are used for triage support only. All communications with customers are reviewed and approved by a named Red Flagg analyst before sending. No automated responses are sent to customers — the analyst is always in the decision loop. Red Flagg has confirmed that Anthropic does not use API-submitted content to train its models (as per Anthropic’s API usage policy, which Red Flagg monitors for changes).

DarkWebCheck™ scanning. DarkWebCheck™ reports are produced using the HaveIBeenPwned (HIBP) breach database, operated by Troy Hunt (haveibeenpwned.com). To run a scan, your email address(es) are transmitted to the HIBP API, which is operated outside Australia. By purchasing a DarkWebCheck™ scan, you consent to this transmission for the purpose of checking against publicly available breach databases. HIBP processes this data in accordance with its own privacy policy. The results reflect breach data indexed by HIBP at the date of scan and do not include breaches not yet publicly disclosed or not yet indexed by HIBP.

Device Clean Up — physical device handling. Device Clean Up involves you dispatching your device to Red Flagg™ via Australia Post using a pre-paid barcode we provide. The following applies:

  • Transit risk. Your device is in the custody of Australia Post during transit. Red Flagg accepts no liability for loss, theft, or damage during transit. Australia Post’s own terms and parcel insurance conditions apply. We recommend you retain your lodgement receipt.
  • Data access scope. Red Flagg will access only the system-level data necessary to identify and remove malware, unwanted software, and security vulnerabilities. We will not access, review, copy, or retain personal files, documents, emails, or media stored on the device.
  • Forensic evidence pack. We will produce a forensic evidence pack documenting actions taken. This pack is provided for your own reference only. It is not a court-admissible forensic examination and has not been produced under forensic chain-of-custody protocols. If you require court-admissible digital forensics, please enquire about our separate Forensic Services engagement.
  • Data destruction. All data accessed on your device during the service is destroyed within 30 days of service completion.
  • Return. We return your device via Australia Post, postage covered, within the stated service window.

Confidentiality. Each party must keep the other’s confidential information (such as your systems architecture, our methodology, pricing and reports) confidential, and use it only to perform obligations under these Terms. Confidentiality obligations survive termination for three (3) years.

Notifiable data breaches. If we become aware of an eligible data breach affecting your information, we will notify you without undue delay and in any event within the timeframes required by applicable law:

  • Australia: Notifiable Data Breaches scheme under the Privacy Act 1988 (as soon as practicable after becoming aware).
  • South Africa: POPIA (Protection of Personal Information Act) — notification to the Information Regulator and affected parties as soon as reasonably possible.
  • USA: HIPAA (where relevant to health information) and applicable state breach notification laws. Timeframes vary by state — we will comply with the shortest applicable requirement.

In plain English

Your data is yours. We only use it to do our job. We don’t sell it or train AI with it. MailCheck™ emails go through Can I Phish and an AI tool for triage — your analyst reads both and makes the call, nothing is sent to you automatically. DarkWebCheck™ scans use the HaveIBeenPwned database — by buying a scan you’re agreeing to your email being checked against it. Device Clean Up: Australia Post carries transit risk, we only look at system-level data, we delete it within 30 days. If something goes wrong with your data, we’ll tell you quickly.

09

Third parties

Our Services depend on third-party platforms and services. Each platform operates under its own terms of service, which you acknowledge apply where relevant. Red Flagg is not responsible for the actions, availability, or data handling of third-party platforms, but will use reasonable efforts to assist you when third-party issues affect your service delivery.

Platforms, what we use them for, and what their terms apply to:

  • Microsoft Corporation
    Used for: Microsoft 365 administration, Azure data hosting, GDAP access, Microsoft Customer Agreement (where you purchase licences through Red Flagg).
    Their terms apply to: all Microsoft 365 services and Azure hosting.
  • Can I Phish (caniphish.com)
    Used for: MailCheck™ email sandbox and phishing analysis.
    Their terms apply to: email content submitted via MailCheck™.
  • HaveIBeenPwned (haveibeenpwned.com)
    Used for: DarkWebCheck™ breach database lookups.
    Their terms apply to: email addresses submitted for DarkWebCheck™ scanning.
  • Google LLC (Google Workspace)
    Used for: Google Workspace Posture Review and Board Readiness Assessment (where applicable).
    Their terms apply to: access to your Google Workspace environment during the engagement.
  • Twilio Inc (twilio.com)
    Used for: SafeText™ SMS delivery and WhatsApp communications (South Africa).
    Their terms apply to: SMS and messaging data transmitted via SafeText™.
  • Anthropic PBC (anthropic.com)
    Used for: AI-assisted MailCheck™ triage (analyst support tool only — the analyst reviews all output before any customer communication).
    Their terms apply to: email content submitted to AI triage tools.
  • Australia Post
    Used for: Device Clean Up logistics (inbound and return device transit).
    Their terms apply to: your device during transit (both directions).

Where Red Flagg purchases Microsoft licences on your behalf as a Microsoft Partner, you also agree to the Microsoft Customer Agreement.

In plain English

We rely on a number of platforms to deliver our services. When they have problems, it can affect what we deliver — we’ll help you through it, but we can’t make third parties do what they won’t do. All of them have their own terms and privacy policies that apply to data they handle.

10

Intellectual property

The Red Flagg name, logo, and product names (including MailCheck™, SafeText™, DarknetCheck™, DarkWebCheck™, Board Readiness Assessment, The Rock Report, and Device Clean Up), our methodology, reports, and any materials we produce remain the property of Red Flagg Pty Ltd.

We grant you a non-exclusive, non-transferable, revocable licence to use the reports and deliverables we produce for you for the purpose they were produced. This licence includes the right to share reports with your board, directors, auditors, legal advisors, insurers, and regulatory bodies without requiring our written consent, provided such sharing is for the purpose for which the report was produced.

You may not:

  • publish our reports on public-facing websites, social media, or in external communications without our written consent (a summary or extract with attribution is usually fine — ask us);
  • use our trademarks or branding in your own marketing without written consent; or
  • claim authorship of our methodology or derived works.

Any feedback or suggestions you provide are given freely; we may use them without obligation.

In plain English

We own our stuff. You can use our reports internally and share them with your board, lawyers, auditors, and insurers without asking — that’s what they’re for. If you want to put them on your website or use our name in marketing, just ask — we usually say yes.

11

Warranties and disclaimers

We warrant that:

  • we will provide the Services with due care, skill, and diligence, using appropriately qualified personnel;
  • we will use reasonable efforts to deliver the Services within the timeframes agreed in your Service Agreement; and
  • our Services do not, to the best of our knowledge, infringe the intellectual property rights of any third party.

Security outcome disclaimer. Red Flagg provides findings, recommendations, and configuration assistance. We do not warrant, represent, or guarantee that:

  • implementing our recommendations will prevent any specific cyber incident;
  • our Services will be uninterrupted or error-free;
  • third-party platforms (like Microsoft or Google) will always be available;
  • any specific cyber maturity score, outcome, or measurable result will be achieved by a particular date; or
  • indicative maturity timelines published on our Website will be met for your specific environment.

A report, scorecard, or deliverable produced by Red Flagg documents findings and progress at a point in time. It is not a certificate of security and does not represent that your organisation is free from cyber risk or that no breach will occur.

Board Readiness Assessment disclaimer. The Rock Report (Board Readiness Assessment) is prepared for informational and governance planning purposes only. It does not constitute legal advice. Red Flagg Pty Ltd is not a law firm. Nothing in The Rock Report represents a legal opinion on whether any director has satisfied their obligations under the Corporations Act 2001, the Cyber Security Act 2024, or any other applicable law. Directors seeking a legal opinion on their personal liability should engage qualified independent legal counsel.

Nothing in this clause limits your rights under consumer protection laws that cannot be excluded by contract (see clause 12).

In plain English

We’ll do a professional job. We can’t promise we’ll stop every possible cyber attack — no one can. Our scorecards and reports show what we’ve done and found — they’re not a guarantee that you’re safe. The Board Readiness report tells you where you stand — it’s not legal advice and it doesn’t mean you’ve met your legal obligations. Your lawyers do that.

12

Consumer law rights

If you are a “consumer” under the Australian Consumer Law (Competition and Consumer Act 2010 (Cth), Schedule 2), our Services come with guarantees that cannot be excluded. These include guarantees that the Services will be provided with due care and skill, and will be reasonably fit for purpose.

You have a right to a remedy (refund, resupply, or compensation) if these guarantees are not met. Nothing in these Terms limits your rights under Australian Consumer Law or the applicable consumer protection law of your jurisdiction.

Consumer protection by jurisdiction

🇦🇺 Australia

Australian Consumer Law (Sch 2, CCA 2010). Non-excludable guarantees apply to all customers.

🇺🇸 United States

State consumer protection laws apply. CCPA/CPRA for California residents. Additional state rights not excluded.

🇿🇦 South Africa

Consumer Protection Act 2008. Non-excludable rights apply. Five business day right of return where service does not match description.

In plain English

Consumer law gives you rights we can’t take away. If our services don’t match their description, you’re entitled to a remedy under the law of your country. These Terms can’t override that.

13

Liability

To the extent permitted by law:

  • Our total aggregate liability to you under or in connection with these Terms (however arising, including in negligence) is limited to the total fees you have paid us in the 12 months preceding the event giving rise to the claim.
  • Neither party is liable for indirect, consequential, special, or punitive damages, including loss of profit, loss of revenue, loss of data, loss of goodwill, or loss of opportunity.
  • We are not liable for losses caused by: events beyond our reasonable control (force majeure); your own actions or omissions; your decision not to act on our recommendations; third-party platforms (Microsoft, Google, network providers, Australia Post); or delays in maturity progression where caused by factors set out in clause 4.

Nothing in this clause limits:

  • liability for fraud or wilful misconduct;
  • liability for death or personal injury caused by negligence; or
  • rights under consumer protection laws that cannot be excluded.

For institutional partners or contracts exceeding $50,000 AUD per annum, liability limits may be negotiated separately in a Service Agreement. Where no such agreement exists, this clause applies.

In plain English

If we mess up, our liability is capped at what you’ve paid us in the last year. We’re not liable for indirect losses like lost profit, and we’re not liable because you chose not to act on our recommendations. Consumer law rights aren’t affected by this cap. Large institutional contracts can negotiate the cap separately.

14

Cancellation and termination

Subscription cancellation. All Red Flagg subscription plans are monthly, with no lock-in. You may cancel at any time with notice before your next billing date. Cancellation takes effect at the end of the then-current billing month. No refunds are issued for the month in which you cancel, except where required by law.

Cancellation during a maturity rollout. If you cancel mid-way through a Level 1 rollout (or during any multi-month deliverable), the Services up to your cancellation date have already been delivered and remain payable. You retain all reports and deliverables produced up to that point. We are under no obligation to refund or pro-rate fees attributable to work completed.

Senior Protection 28-day trial. Senior Protection plans include a 28-day trial. You can cancel during the trial period for a full refund.

One-off store purchases — refund and cancellation policy.

  • DarkWebCheck™ scans. No refund is available once the scan has been run and results have been provided. A DarkWebCheck™ report reflects findings from publicly available breach databases at the date of scan. A finding that your data has been exposed in a breach is the accurate result of the service — it is not a service failure and does not entitle you to a refund.
  • Cyber Security Posture Review. No refund is available once both deliverables (written report and implementation roadmap) have been provided. If the engagement cannot be completed within the stated timeframe and no revised timeframe has been agreed, you may request a full refund.
  • Board Readiness Assessment. No refund once both deliverables (The Rock Report Board Brief and the Cyber Security Posture Review) have been provided. If the engagement cannot be completed, a pro-rata refund of the unused portion will be issued.
  • Device Clean Up. You may cancel before your device has been received by Red Flagg for a full refund. Once your device has been received and cleaning has commenced, no refund is available for the service fee. If your device is lost in transit to Red Flagg, we will assist you to make a claim with Australia Post and issue a full refund of the service fee. Your device remains in Australia Post’s custody during transit and transit loss claims are subject to Australia Post’s own terms.

All one-off purchases are subject to non-excludable consumer law rights in your jurisdiction (see clause 12). If a service does not match its stated description, you have a right to resupply or refund regardless of the above.

Termination by us. We may terminate these Terms immediately if:

  • you breach a material term and don’t remedy the breach within 14 days of our written notice;
  • you fail to pay an invoice within 30 days of its due date;
  • you become insolvent, enter administration, or cease trading; or
  • we reasonably believe continuing to provide the Services would put us, you, or other customers at legal or security risk.

On termination. We will:

  • offboard our access to your Microsoft 365 or Google Workspace environment within 5 business days;
  • make your reports and deliverables available for export for 30 days after termination;
  • delete operational data within 90 days, retaining only minimal billing records required by tax law; and
  • issue a final invoice for any outstanding fees.

In plain English

Subscriptions: cancel any time before your next bill. Store products: once the work is done, it’s done — no refund because you didn’t like the findings. Device Clean Up: cancel before we receive it for a full refund. If we genuinely can’t complete something, you’ll get a refund. Consumer law always applies on top of this. When we part ways, we clean up our access within 5 days and delete your data within 90 days.

15

Penetration testing

Penetration testing services (Level 0 Remote Foundation, Level 1 Systems and Core Apps, Level 2 Onsite Full Environment) are subject to this clause in addition to all other applicable clauses in these Terms.

Mandatory Statement of Work. No penetration testing engagement will commence until a written Penetration Testing Statement of Work (SOW) has been executed by both parties. The SOW defines:

  • the specific systems, networks, and applications in scope;
  • the testing period (start date and end date);
  • the rules of engagement (permitted testing methods and restrictions);
  • the key contacts and authorisation chain; and
  • any systems explicitly excluded from scope.

Any access to systems, networks, or applications outside the scope defined in the SOW is not authorised by Red Flagg and will be halted immediately if identified during an engagement. Red Flagg will notify you promptly if out-of-scope access is inadvertently encountered.

Third-party system exclusion. Penetration testing is authorised only against systems owned by you or for which you have obtained separate written permission from the system owner. Red Flagg is not responsible for access to third-party systems (including cloud services, APIs, or connected platforms not listed in the SOW) that may be encountered during an engagement. If a third-party system is to be included in scope, you must provide written authorisation from that system’s owner before the engagement begins.

No subcontractors. All penetration testing services are performed exclusively by Red Flagg Pty Ltd employees and directors. Red Flagg does not engage subcontractors, freelancers, or external consultants to perform any part of a penetration testing engagement. This is a contractual commitment. Exceptions may only be made with your prior written consent for specialist components that you have been informed about and have approved in writing.

Findings and liability. Red Flagg provides a report of findings based on the scope defined in the SOW. This report reflects the state of the systems tested at the time of testing. Red Flagg does not warrant that all vulnerabilities in the tested systems have been identified — penetration testing is not exhaustive. The report is informational. What you choose to do with the findings is your decision.

Data handling. Any data encountered or accessed during a penetration testing engagement that belongs to you or your users will be treated as confidential and will not be retained beyond the period necessary to produce the engagement report. All customer data accessed during testing is destroyed within 30 days of delivery of the final report.

Performance impact. Some testing activities may cause performance degradation on tested systems. Red Flagg will use reasonable care to minimise disruption, but accepts no liability for performance impacts on production systems that result from testing activities within the agreed SOW scope.

In plain English

We won’t touch anything until you’ve signed a scope document saying exactly what we can test. We only test what’s in that document. Our own team does all the work — no outside contractors, ever (unless you specifically ask and agree). We report what we find. What you do with the report is up to you.

16

Disputes and complaints

If something goes wrong, please tell us first. Email hello@redflagg.com.au with the subject line “Complaint” and we will:

  • acknowledge your complaint within 2 business days;
  • investigate and propose a resolution within 10 business days where reasonably possible;
  • escalate to a Director if we can’t resolve it at first instance.

If we can’t reach a resolution together, you may refer the matter to an appropriate external body:

  • 🇦🇺 Australia: the Office of the Australian Information Commissioner (OAIC) for privacy matters, or the relevant state/territory consumer affairs body for other disputes.
  • 🇺🇸 United States: your state’s Attorney General’s office or the Federal Trade Commission (FTC).
  • 🇿🇦 South Africa: the Information Regulator for privacy matters, or the National Consumer Commission for consumer disputes.

Before issuing any court proceedings, each party agrees to attempt good-faith negotiation for a period of at least 30 days.

In plain English

If you have a problem, tell us and we’ll try to fix it within 10 business days. If we can’t agree, there are external bodies in each country you can escalate to. We all agree to try to work it out before rushing to court.

17

Changes to these terms

We may update these Terms from time to time. The “Last updated” date at the top of this page tells you when.

For material changes (changes that meaningfully affect your rights or obligations), we will:

  • notify you by email at least 30 days before the change takes effect;
  • post a summary of the change on this page; and
  • allow you to cancel without penalty if you don’t accept the new terms.

For minor changes (fixing typos, clarifying wording, adding plain-English summaries), we may update the page without individual notice.

Continuing to use the Services after a change takes effect means you accept the updated Terms.

In plain English

If we change something important, we’ll tell you at least 30 days in advance and you can walk away if you don’t like it. Typo fixes we’ll just do.

18

Governing law and jurisdiction

These Terms are governed by the laws of Victoria, Australia. Each party submits to the exclusive jurisdiction of the courts of Victoria, Australia, and courts competent to hear appeals from those courts.

For customers outside Australia, this choice of law does not remove consumer protection rights you may have under the laws of your home jurisdiction that cannot be excluded by contract.

Institutional partners. For contracts with institutional partners (including financial institutions, government agencies, and regulated entities) or contracts with an annual value exceeding $50,000 AUD, the jurisdiction clause and dispute resolution mechanism may be agreed by separate written agreement. Where no such agreement exists, Victorian courts apply. Institutional partners who require international arbitration or a mutually agreed forum should raise this at the time of contracting.

In plain English

These terms are interpreted under Australian law, and disputes go to Australian courts. If you’re based in the USA or South Africa, you don’t lose the consumer protections your own country gives you. Large institutional contracts can negotiate the forum separately.

19

Contact us

For questions about these Terms, or anything else:

In plain English

Got a question about these terms? Email us or call us. A real person will answer.

Questions about these Terms?

We’d rather explain something now than argue about it later. Email us or call and a real person will walk you through anything unclear.