Terms of Service

Effective date: May 10, 2026

These Terms of Service ("Terms") govern the relationship between UAB Opsinel ("Opsinel", "we", "us") and the Client in connection with the use of the Opsinel phishing simulation and cybersecurity training platform. The Platform is intended only for lawful organisational cybersecurity training. By registering, ticking an acceptance box, signing an order, or using the Platform, the Client confirms that it has read, understood, and agrees to these Terms.

1. Definitions, Scope, and Authority

"Platform" means Opsinel software and related services available at opsinel.com for authorised phishing simulations, training, campaign management, and reporting.

"Client" means a legal entity, institution, or other organisation that contracts with Opsinel and uses the Platform for internal cybersecurity purposes.

"Administrator" means a person appointed by the Client to manage the Client account, recipient lists, campaigns, settings, and consents.

"End User" or "Employee" means an employee, contractor, intern, board member, or other person controlled by the Client whom the Client may lawfully include in security training or simulations.

"Authorised Simulation" means a simulation initiated by the Client solely for its organisational security training, resilience assessment, or incident prevention purposes and only with the required authority and legal basis.

The person accepting these Terms on behalf of the Client represents that they have authority to legally bind the Client. Without such authority, the person may not register an account, launch campaigns, or use the Platform.

The Platform is not intended for personal, family, or household consumer use. If the Client is nevertheless treated as a consumer under mandatory law, these Terms do not limit mandatory consumer rights.

2. Service Description

Opsinel provides cybersecurity training services that may include:

• sending authorised phishing simulations to recipients specified by the Client;

• employee security awareness training modules;

• campaign statistics, risk indicators, and reports;

• recipient import, grouping, campaign scheduling, and SMTP settings management;

• technical support, documentation, and other functions included in the selected plan.

The Platform is provided as software-as-a-service. Opsinel does not provide legal, employment law, data protection officer, audit, or incident investigation services unless separately agreed in writing.

The Client understands that simulation results are a training and risk assessment tool. They must not be used as the sole basis for disciplinary sanctions, termination of employment, or decisions that could unfairly harm an employee's reputation.

3. Account, Access, and Usage Limits

3.1. The Client must provide accurate, current, and complete registration, billing, and organisation information.

3.2. One account is for one organisation unless otherwise agreed in writing. Sharing, reselling, or using accounts, logins, or plans for third parties is prohibited.

3.3. The Client is responsible for the acts and omissions of its administrators, users, and anyone else who receives access. Actions performed through the Client account or credentials are treated as Client actions unless the unauthorised access was caused by Opsinel.

3.4. The Client must protect credentials, apply reasonable access controls, and immediately notify Opsinel of unauthorised access, account compromise, or suspected abuse.

3.5. If the Client exceeds recipient, campaign, user, or other limits in the selected plan, Opsinel may restrict features, require the Client to reduce usage, or charge additional fees under the then-current pricing.

4. Client Authorisation Before Campaigns

Before creating or launching any campaign, the Client must ensure that:

• the campaign is conducted only for the Client organisation's lawful internal security purposes;

• the required management, IT security, HR, or other competent internal approval has been obtained;

• recipients belong to the Client organisation or are otherwise controlled by the Client and may lawfully receive training;

• employees have been generally informed through employment contracts, internal policies, privacy notices, or security policies that security simulations may be conducted;

• any required data protection, employment law, employee representation, or other internal assessment has been completed;

• campaign content is not discriminatory, degrading, intimidating, sexual, politically manipulative, or disproportionally harmful to employees;

• the Client does not use the Platform to collect real passwords, bank card data, personal identity numbers, health data, special category data, or other secrets.

Opsinel may request evidence of authorisation, recipient lawfulness, domain control, or internal approval. If sufficient evidence is not provided, Opsinel may refuse to start, suspend, or cancel a campaign.

5. PROHIBITED USE - CRITICAL CONDITION

The Platform must not be used for any of the following purposes:

5.1. Real attacks and fraud:

• stealing data, credentials, money, trade secrets, or any other benefit;

• conducting real phishing, spear-phishing, smishing, vishing, social engineering, or other deceptive campaigns;

• collecting, storing, or requesting real passwords, one-time codes, payment data, identity document data, or other secrets;

• distributing malware, ransomware, exploits, backdoors, or similar code.

5.2. Unauthorised recipients and domains:

• sending simulations to persons who are not the Client's employees, contractors, or otherwise lawfully controlled recipients;

• testing clients, suppliers, competitors, public authorities, journalists, private individuals, or the public without a clear written legal basis;

• using domains, sender names, trademarks, or institution names in a way that infringes third-party rights or legitimate interests;

• bypassing recipient, domain, plan, technical, or security restrictions.

5.3. System and service abuse:

• attempting to compromise the security of the Platform, Supabase, SMTP, email, or other systems;

• performing unauthorised scanning, load testing, DDoS, credential stuffing, scraping, or automated mass use;

• reverse engineering, copying, or bypassing Platform code, logic, security mechanisms, or licensing restrictions;

• using the Platform for spam, harassment, threats, discrimination, reputational harm, or unlawful monitoring;

• selling, subleasing, transferring, or otherwise granting Platform access to unauthorised persons.

Unlawful use may result in civil, administrative, or criminal liability. Depending on the conduct, relevant laws may include Articles 182, 198, 198-1, 198-2, and other provisions of the Lithuanian Criminal Code.

6. Consequences and Enforcement Measures

6.1. If Opsinel reasonably suspects a breach of these Terms, law, third-party rights, email provider rules, or security requirements, Opsinel may immediately take one or more of the following actions:

• suspend a campaign, sending, SMTP integration, recipient import, administrator access, or the entire account;

• require additional identity, domain, authority, recipient lawfulness, or campaign authorisation checks;

• remove, isolate, or block content, domains, templates, recipient lists, or sending settings;

• retain audit logs, campaign metadata, and other evidence as necessary to investigate abuse, resolve disputes, or comply with legal requirements;

• notify the Client, affected parties, service providers, supervisory authorities, or law enforcement where required by law or necessary to stop harm.

6.2. A material breach includes any breach of Sections 4 or 5, non-payment after notice, false authority representations, attempts to conceal abuse, repeated breaches, or any action creating real harm to Opsinel, recipients, third parties, or Platform security.

6.3. In case of a material breach, Opsinel may terminate the agreement immediately without further notice, revoke access, and refuse refunds for services already provided or reserved to the extent permitted by applicable law.

6.4. Suspension or termination does not release the Client from paying overdue amounts, compensating damages, covering legal costs, or complying with confidentiality, data protection, and liability obligations.

7. Client Liability and Indemnity

7.1. The Client is responsible for campaign purposes, recipient lists, timing, templates, domains and sender usage, employee notices, internal approvals, data protection legal basis, and all decisions based on campaign results.

7.2. The Client agrees to indemnify Opsinel, its officers, employees, and service providers for all reasonable losses, claims, fines, penalties, investigation costs, legal fees, and other damages arising from:

• the Client's or its users' breach of these Terms;

• unlawful, unauthorised, or disproportionate use of the Platform;

• claims by employees, recipients, customers, suppliers, or other third parties relating to Client campaigns;

• the Client's data, content, domains, trademarks, or sender names;

• the Client's failure to have a legal basis, inform employees, or comply with GDPR, employment law, and other laws.

7.3. The Client may not avoid responsibility by arguing that an act was performed by its employee, contractor, administrator, or another person with access if that person acted through the Client account or Client-provided access.

8. Opsinel Rights, Service Changes, and Liability Limits

8.1. Opsinel may improve, change, temporarily limit, or discontinue individual Platform features where necessary for security, legal compliance, maintenance, supplier changes, or service improvement. Opsinel will provide advance notice of material adverse changes where reasonably possible.

8.2. Opsinel may refuse service or registration if there are reasonable concerns about identity, authority, payment, domain control, reputational risk, legality, or sanctions requirements.

8.3. The Platform is provided according to the selected plan and actual technical availability. Opsinel does not guarantee uninterrupted or error-free operation or freedom from third-party outages, but applies commercially reasonable measures to maintain service stability and security.

8.4. To the extent permitted by applicable law, Opsinel is not liable for indirect, special, incidental, or consequential damages, lost profits, reputational harm, the Client's internal employment disputes, employee claims, or third-party system failures.

8.5. Opsinel's total liability under these Terms will not exceed the amount paid by the Client to Opsinel during the 3 months preceding the event giving rise to the claim. This limit does not apply where liability cannot be limited under mandatory law.

9. Data Protection and Security

9.1. Opsinel acts as data controller for Client account and contract data. For Client employee and campaign recipient data, Opsinel generally acts as data processor and the Client acts as data controller.

9.2. The Client is responsible for the lawful basis for processing employee and recipient data, notices, legitimate interest assessments, employment law requirements, data subject rights, and other controller obligations.

9.3. Opsinel processes personal data submitted on behalf of the Client under these Terms, the Privacy Policy, the Data Processing Agreement (DPA), the Client's documented instructions, and applicable law.

9.4. Under GDPR Article 28, processing must be governed by a contract or other binding document setting out the subject matter, duration, nature, purpose, data types, categories of data subjects, and the parties' obligations. By using the Platform, the Client agrees that the DPA and Privacy Policy form an integral part of the agreement.

9.5. Opsinel may engage subprocessors necessary to provide the Platform, such as hosting, database, email delivery, analytics, payment, or support providers. Subprocessors must be bound by applicable data protection requirements.

9.6. The Client must not upload excessive, special category, children's, health, financial, state secret, or other high-risk data unless Opsinel has agreed in writing in advance and the parties have agreed additional safeguards.

10. Payments, Plans, and Cancellation

10.1. Fees, plan limits, billing periods, and included features are specified in the selected plan, order, invoice, or separate agreement between the parties.

10.2. Fees are payable without set-off and exclude taxes, duties, and bank charges unless expressly stated otherwise. The Client is responsible for applicable VAT and other mandatory charges.

10.3. If payment is overdue, Opsinel may send a notice. If the Client does not pay within 7 calendar days of the notice, Opsinel may suspend paid features, campaign sending, or the entire account. If non-payment continues for more than 14 calendar days, Opsinel may terminate the agreement.

10.4. Opsinel uses a paid 7-calendar-day trial and money-back model for the first subscription payment: the Client pays before full access opens, and within 7 calendar days from payment may cancel in the Platform billing area or in writing and request a refund of the first subscription payment.

10.5. If cancellation is submitted within the 7-day refund window, Opsinel may immediately suspend paid functions, mark the subscription as cancelled, and initiate the refund through the payment provider or manual accounting review. The refund does not apply to separately ordered custom work, custom training, domain or mailbox setup where work has already started or been delivered, unless otherwise agreed in writing.

10.6. After the 7-day refund window, the subscription may be cancelled at any time, but access generally continues until the end of the paid period and fees are non-refundable except where required by law or agreed by Opsinel in writing.

10.7. Opsinel may change prices and plan terms by giving advance notice of material changes. If the Client disagrees with a price change, it may cancel before the change takes effect.

11. Intellectual Property and Content

11.1. All rights in the Platform, software code, design, data models, training materials, templates, documentation, trademarks, and other Opsinel-created content belong to Opsinel or its licensors.

11.2. The Client receives a limited, non-exclusive, non-transferable, non-sublicensable right to use the Platform only for its internal cybersecurity training under the selected plan and these Terms.

11.3. The Client retains rights in recipient lists, configuration, and other lawfully submitted content, but grants Opsinel the right to use such content as necessary to provide services, ensure security, investigate abuse, and comply with legal requirements.

11.4. The Client may not copy, modify, distribute, resell, publish, reproduce, decompile, or otherwise use the Platform or its content beyond the scope expressly permitted in these Terms.

12. Confidentiality

12.1. Each party must protect the other party's confidential business, technical, financial, security, commercial, and other non-public information.

12.2. Confidentiality obligations apply during the agreement and for at least 3 years after termination. Trade secrets remain protected for as long as they remain trade secrets.

12.3. Confidentiality does not apply to information that was public, lawfully received from a third party, independently developed without use of confidential information, or required to be disclosed by law, court, or authority.

13. Term, Termination, and Data Return

13.1. The agreement begins when the Client accepts these Terms, registers, signs an order, or starts using the Platform, and continues until terminated or all ordered plans expire.

13.2. The Client may terminate by email request or through Platform cancellation tools where available. Termination does not release the Client from amounts accrued before termination.

13.3. Opsinel may terminate with 30 days' notice, or immediately for material breach under Section 6.

13.4. After termination, the Client may request export of core Client data within 30 days if the account was not terminated for unlawful use and export would not breach law or third-party rights.

13.5. After applicable retention periods, Opsinel deletes or anonymises Client data under the Privacy Policy and DPA, except data that must be retained for accounting, disputes, security, audit, or legal requirements.

14. Governing Law, Disputes, and Amendments

14.1. These Terms are governed by the laws of the Republic of Lithuania, without regard to conflict-of-law rules.

14.2. The parties first seek to resolve disputes amicably. A claim must be submitted in writing, and the other party has 30 calendar days to respond unless urgent interim measures are necessary.

14.3. If a dispute cannot be resolved amicably, it will be heard by competent Lithuanian courts at Opsinel's registered office, unless mandatory law requires another jurisdiction.

14.4. Opsinel may amend these Terms by notifying material changes by email, through the Platform, or on the website at least 14 days in advance. Changes required for legal, security, or abuse-prevention reasons may take effect sooner.

14.5. If the Client disagrees with changes, it must stop using the Platform before the changes take effect. Continued use after the effective date constitutes acceptance.

14.6. These Terms, together with the Privacy Policy, DPA, order, plan, and Client-approved legal consents, constitute the entire agreement regarding Platform use. If any provision is held invalid, the remaining provisions remain in effect.

Contact for queries: info@opsinel.com