Terms of Service

Effective Date: [24/02/2026] | Last Updated: [23/02/2026]

These Terms of Service ("Terms") govern the access to and use of the Sonark platform and related services (the "Service") provided by Sonark Protection Solutions Inc. ("Sonark", "we", "us"), located at 375 University Avenue, Suite 1100, Toronto, ON, Canada, M5G 2J5.

By accessing or using the Service, you agree to be bound by these Terms. If you are accepting these Terms on behalf of an organization ("Client"), you represent that you have the authority to bind that organization to these Terms.

1. Definitions

"Client" or "Tenant" means the organization that has subscribed to the Sonark Service.
"End User" means any individual authorized by the Client to access the Service, including managers and employees.
"Client Data" means all data submitted to or generated within the Service by or on behalf of the Client, including employee personal information, simulation results, training data, and risk scores.
"Phishing Simulation" means an authorized simulated phishing campaign conducted through the Service.
"Service" means the Sonark cybersecurity awareness platform accessible at app.sonark.ca, including all features, tools, and content provided therein.

2. Service Description

Sonark is a B2B multi-tenant cybersecurity awareness platform that provides the following capabilities:

Simulated phishing campaigns
Deep web credential leak monitoring
Employee cybersecurity risk scoring
SCORM-based security awareness training
Scam and threat alert notifications
Organizational security posture dashboards

The Service is available to authenticated users only. Access requires a valid account provisioned by a Client organization.

3. Account and Access

3.1 Client Responsibilities

The Client is responsible for:

Ensuring that all End Users are properly authorized to access the Service.
Managing End User accounts, including provisioning, deactivation, and role assignment.
Maintaining the security of login credentials and promptly reporting unauthorized access.
Complying with all applicable laws regarding the enrollment of employees on the platform, including providing appropriate notice to employees (see Section 7).

3.2 End User Responsibilities

End Users agree to:

Use the Service only for its intended purposes.
Not share login credentials with third parties.
Not attempt to circumvent security controls or access data belonging to other tenants.
Not use the Service to conduct unauthorized phishing or social engineering against parties outside their organization.

4. Phishing Simulation Authorization

IMPORTANT: By using the phishing simulation features of the Service, the Client explicitly authorizes Sonark to send simulated phishing emails to the Client's employees as configured by the Client's administrators. The Client acknowledges and agrees that:

Phishing simulations will be conducted only against the Client's own employees, as configured by the Client.
The Client has the legal authority to authorize simulated phishing campaigns targeting its employees.
The Client is solely responsible for ensuring that its use of the phishing simulation features complies with all applicable employment laws, internal policies, and collective agreements.
Sonark acts as a tool provider — the Client initiates and controls the parameters of each simulation campaign.
The Client will notify its employees that a cybersecurity awareness program is in place (see Section 7), though the specific timing and content of individual simulations need not be disclosed in advance.

5. Data Ownership and Processing

5.1 Client Data Ownership

The Client retains all ownership rights to Client Data. Sonark does not claim any ownership interest in Client Data.

5.2 Sonark as Data Processor

With respect to personal information contained in Client Data, the Client is the controller and Sonark is the processor. Sonark will process Client Data only as instructed by the Client and as necessary to provide the Service. The specific terms governing data processing are set out in the Data Processing Agreement, which forms part of these Terms.

5.3 Aggregated and Anonymized Data

Sonark may create aggregated, anonymized, or de-identified data derived from Client Data for the purpose of improving the Service, generating benchmarks, and conducting research. Such data will not identify any individual or Client organization.

6. Intellectual Property

All intellectual property rights in the Service (including software, design, training content, algorithms, and documentation) belong to Sonark. The Client is granted a limited, non-exclusive, non-transferable license to use the Service during the subscription period, subject to these Terms.

The Client may not reverse engineer, decompile, or create derivative works of the Service.

7. Employee Notice Obligation

  The Client agrees to inform its employees that a cybersecurity awareness program is in place and that their activity on the platform (including phishing simulation interactions, training completion, and security exercises) is monitored for security awareness purposes. Sonark provides a template employee notice that Clients may use or adapt. Failure to provide adequate employee notice is the sole responsibility of the Client.

8. Acceptable Use

The Client and its End Users agree not to:

Use the Service for any unlawful purpose.
Use phishing simulations to target individuals outside the Client's organization.
Use the Service to harass, discriminate against, or take adverse employment action against employees based solely on simulation or training results.
Attempt to access, modify, or interfere with another tenant's data or environment.
Use automated tools (bots, scrapers) to interact with the Service unless authorized by Sonark.
Redistribute, resell, or sublicense the Service to third parties.
Upload malicious content, malware, or harmful code to the platform.

9. Service Availability

Sonark will use commercially reasonable efforts to maintain the availability of the Service. However, we do not guarantee uninterrupted or error-free operation. Scheduled maintenance will be communicated to Clients in advance when possible.

Sonark is not liable for downtime caused by factors beyond its reasonable control, including third-party service outages, internet connectivity issues, or force majeure events.

10. Disclaimers and Limitation of Liability

10.1 General Disclaimer

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY LAW, SONARK DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

10.2 Specific Disclaimers

Risk Scores: Risk assessments are estimates based on available data and behavioral indicators. They do not constitute professional security advice, audits, or certifications.
Deep Web Leak Data: Credential leak information is sourced from third-party intelligence feeds. This data may not be exhaustive, may contain false positives, and should not be relied upon as the sole basis for security decisions.
Scam Alerts: Alerts are informational only. Sonark is not responsible for decisions made or actions taken based on alert content.
Training Content: Security awareness training is educational in nature and does not guarantee the prevention of security incidents.

10.3 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

Sonark's total aggregate liability under these Terms shall not exceed the fees paid by the Client in the twelve (12) months preceding the event giving rise to the claim.
In no event shall Sonark be liable for indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, business opportunities, or goodwill.
Sonark shall not be liable for any actions taken by the Client or its employees based on risk scores, leak data, or alerts provided through the Service.

11. Indemnification

The Client agrees to indemnify and hold Sonark harmless from any claims, damages, or expenses (including reasonable legal fees) arising from:

The Client's use of the Service in violation of these Terms.
The Client's failure to obtain proper authorization or provide required employee notices.
Any employment disputes related to phishing simulations or security training conducted through the Service.
The Client's violation of applicable laws.

12. Subscription and Payment

The Service is provided on a subscription basis. Subscription terms, pricing, and payment schedules are set out in the applicable order form or service agreement between Sonark and the Client. Unless otherwise specified:

Subscriptions renew automatically for successive periods of the same duration.
Either party may decline renewal by providing written notice at least 30 days before the end of the current term.
Fees are non-refundable unless otherwise specified in the applicable agreement.

13. Termination

13.1 Termination for Convenience

Either party may terminate the subscription by providing written notice in accordance with the applicable service agreement.

13.2 Termination for Cause

Either party may terminate immediately if the other party materially breaches these Terms and fails to cure the breach within 30 days of written notice.

13.3 Effect of Termination

Upon termination:

The Client's access to the Service will be suspended.
Client Data will be retained for 30 days to allow export, after which it will be permanently deleted, unless otherwise required by law.
Provisions that by their nature should survive termination (including Sections 5, 10, 11, and 15) will remain in effect.

14. Modifications to Terms

Sonark reserves the right to modify these Terms. Material changes will be communicated to Clients at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the modified Terms.

15. Governing Law and Dispute Resolution

These Terms are governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein. Any dispute arising under these Terms shall be subject to the exclusive jurisdiction of the courts located in Toronto, Ontario, Canada.

16. General Provisions

Entire Agreement: These Terms, together with the Data Processing Agreement, any applicable order forms, and the Privacy Policy, constitute the entire agreement between the parties.
Severability: If any provision of these Terms is found unenforceable, the remaining provisions remain in full force.
Assignment: The Client may not assign these Terms without Sonark's prior written consent. Sonark may assign these Terms in connection with a merger, acquisition, or sale of substantially all of its assets.
Waiver: Failure to enforce any provision of these Terms shall not constitute a waiver of that provision.
Force Majeure: Neither party is liable for delays or failures caused by events beyond reasonable control.

17. Contact

For questions about these Terms, contact:

Sonark Protection Solutions Inc.
375 University Avenue, Suite 1100
Toronto, ON, Canada, M5G 2J5
Email: support@sonark.ca