Cyberbay SimuCall Platform
Terms of Use, Data Processing Notice and Client Responsibilities
These Terms of Use (the “Terms”) constitute a legally binding agreement between Cyberbay Pte. Ltd. (“Cyberbay”, “we”, “us”, or “our”) and the entity accessing or using the SimuCall platform (the “Client”, “you”, or “your”).
By accessing, executing, configuring, or otherwise using the SimuCall platform (the “Platform”), the Client agrees to be bound by these Terms. If the Client does not agree, the Client must immediately cease all access to and use of the Platform.
1. Purpose and Nature of the Platform
The Platform is a controlled human risk simulation system designed to enable organisations to model, simulate, and analyse susceptibility to social engineering, including voice-based phishing (vishing) scenarios.
The Platform provides functionality including, but not limited to:
- automated and/or AI-assisted voice interaction simulations;
- configurable social engineering scenarios;
- behavioural response capture and analysis; and
- reporting and risk insight generation.
The Client acknowledges and agrees that the Platform:
- constitutes a simulation and awareness tool only;
- operates in a non-adversarial, controlled testing context; and
- does not replicate real-world attacker capability, intent, or impact with fidelity.
The Platform does not and shall not be construed to:
- constitute a security control, safeguard, or protective measure;
- replace technical, administrative, or physical security controls;
- provide incident detection, prevention, or response capabilities; or
- satisfy regulatory, audit, or compliance obligations.
2. Data Protection Roles and Allocation of Responsibility
For the purposes of applicable data protection laws, including but not limited to the GDPR and PDPA:
- the Client acts as Data Controller (or equivalent designation); and
- Cyberbay acts solely as a Data Processor (or sub-processor, where applicable).
The Client determines the purposes, scope, legal basis, and means of processing all Personal Data submitted to or processed through the Platform (“Client Data”).
Cyberbay shall process Client Data solely:
- on documented instructions from the Client; and
- as necessary to provide the Platform and associated services.
The Client represents, warrants, and undertakes that it:
- has established a valid lawful basis for all processing activities;
- has provided all required notices to, and obtained all necessary consents from, Data Subjects;
- complies with all applicable privacy, employment, telecommunications, and surveillance laws; and
- has conducted any required impact assessments (including DPIAs, where applicable).
Cyberbay shall have no obligation to verify the Client's compliance and expressly disclaims all liability arising from the Client's failure to meet its legal obligations.
3. Permitted Use and Scope Restrictions
The Client shall use the Platform solely for legitimate internal purposes, including:
- employee security awareness and training;
- controlled social engineering simulations;
- behavioural risk assessment; and
- internal cybersecurity programme development.
The Client shall not, and shall ensure that its authorised users do not:
- conduct unlawful interception, monitoring, or surveillance;
- deploy simulations in violation of employment, labor, or communications laws;
- target individuals outside the Client's organisational control without lawful basis and authorization;
- use the Platform to conduct real-world phishing, fraud, or malicious campaigns; or
- misrepresent simulated interactions as genuine external communications.
All use must remain strictly within the Client's authorised organisational boundary and defined simulation scope.
4. Simulation Governance and Duty of Care
The Client acknowledges that the Platform simulates realistic social engineering conditions, including deception-based interaction models.
Accordingly, the Client assumes full responsibility for:
- defining simulation parameters and targeting criteria;
- ensuring proportionality, necessity, and appropriateness of simulations;
- implementing internal governance controls and escalation procedures; and
- mitigating risks of psychological, reputational, or professional harm.
The Client shall ensure that simulations are conducted in a manner consistent with:
- applicable employment obligations;
- internal policies and codes of conduct; and
- principles of fairness and transparency (where required).
Cyberbay does not control, monitor, or approve individual simulation campaigns and shall bear no liability for outcomes arising from Client-configured scenarios.
5. Data Processing and Use Limitations
Cyberbay shall process Client Data exclusively for the following purposes:
- execution of simulation scenarios, including voice call delivery;
- capture and processing of interaction data;
- generation of analytics, reporting, and risk insights;
- system performance, integrity, and security; and
- troubleshooting, diagnostics, and support.
Cyberbay shall not, except as expressly permitted:
- use Client Data for marketing, advertising, or promotional purposes;
- sell, rent, or commercially exploit Client Data;
- disclose Client Data to third parties except as required to provide the Platform or as required by law; or
- access Client Data beyond what is strictly necessary for service delivery.
Cyberbay may process aggregated and irreversibly anonymised data, provided that such data cannot reasonably be used to identify the Client or any individual.
6. Voice Data, Telephony, and Simulation Outputs
The Platform may process and generate voice-based content, including:
- AI-generated synthetic voice interactions;
- uploaded or provided voice samples;
- telephony metadata;
- call recordings; and
- transcripts and derived analytics.
The Client represents and warrants that:
- it has obtained all necessary rights, licenses, and consents to use any submitted voice data;
- such use complies with all applicable telecommunications, consent, and recording laws; and
- it has provided any legally required disclosures to call recipients.
The Client acknowledges that:
- voice outputs are synthetic approximations and may not accurately reflect any individual;
- simulation behaviour does not necessarily correspond to real-world human responses; and
- Cyberbay makes no representation as to authenticity, accuracy, or behavioural validity.
Cyberbay expressly disclaims liability arising from:
- unlawful call execution;
- unauthorized recording or monitoring;
- disputes relating to voice likeness or identity; or
- misuse of generated voice content.
7. Data Retention, Security, and Integrity
Cyberbay shall implement commercially reasonable technical and organisational measures designed to protect Client Data against unauthorized access, loss, or alteration.
Client Data may be retained for:
- active campaign execution;
- reporting and analytics;
- system logging, audit, and security monitoring; and
- legal and regulatory compliance.
Retention periods shall be determined in accordance with Cyberbay's internal policies and/or contractual arrangements.
Cyberbay reserves the right to delete, anonymise, or otherwise dispose of Client Data at its discretion, subject to applicable law.
The Platform is not intended to function as a system of record or long-term data repository.
8. Technical and Acceptable Use Restrictions
The Client shall not, and shall not permit any third party to:
- reverse engineer, decompile, or disassemble the Platform;
- attempt to derive underlying algorithms, models, or simulation methodologies;
- interfere with or disrupt system integrity or performance;
- conduct penetration testing or vulnerability scanning without prior written authorization;
- use automated extraction, scraping, or data harvesting tools; or
- use the Platform for competitive analysis, benchmarking, or product replication.
Cyberbay reserves the right to monitor usage and to suspend or terminate access in the event of suspected misuse or violation.
9. No Security, Risk, or Compliance Guarantee
The Client acknowledges that the Platform:
- does not prevent, detect, or respond to actual cyber threats;
- does not eliminate or quantify human risk with certainty; and
- does not ensure regulatory compliance or audit readiness.
All outputs are indicative only and must be interpreted within the broader context of the Client's security programme.
10. Disclaimer of Warranties
To the fullest extent permitted by law, the Platform is provided on an “as is” and “as available” basis.
Cyberbay disclaims all warranties, whether express, implied, or statutory, including:
- merchantability;
- fitness for a particular purpose;
- non-infringement;
- accuracy, completeness, or reliability of outputs; and
- uninterrupted or error-free operation.
11. Limitation of Liability
To the maximum extent permitted by applicable law, Cyberbay shall not be liable for:
- indirect, incidental, special, or consequential damages;
- loss of profits, revenue, business, or opportunity;
- employee or third-party claims arising from simulations;
- regulatory penalties or enforcement actions;
- reputational harm; or
- any decisions made based on Platform outputs.
In all circumstances, the Client assumes full responsibility for deployment, configuration, and use of the Platform.
12. Indemnification
The Client shall indemnify, defend, and hold harmless Cyberbay and its affiliates against any and all claims, liabilities, damages, losses, and expenses arising out of or in connection with:
- the Client's use or misuse of the Platform;
- failure to obtain required consents or provide required notices;
- violation of applicable laws or regulations;
- employment-related disputes arising from simulations; or
- third-party claims relating to data submitted or processed.
13. Intellectual Property Rights
All right, title, and interest in and to the Platform, including all:
- software, models, and algorithms;
- simulation frameworks and methodologies;
- user interfaces and workflows; and
- documentation and materials,
shall remain the exclusive property of Cyberbay.
No rights are granted except for the limited, non-exclusive, non-transferable right to use the Platform in accordance with these Terms.
14. Regulatory and Advisory Disclaimer
The Platform:
- does not constitute legal, regulatory, or professional advice;
- does not provide compliance certification or audit evidence; and
- does not substitute for independent security assessment.
The Client remains solely responsible for regulatory compliance.
15. Modifications
Cyberbay reserves the right to modify the Platform and/or these Terms at any time.
Continued use of the Platform following such modifications constitutes acceptance of the updated Terms.
16. Acknowledgement
By using the Platform, the Client acknowledges and agrees that:
- it retains full control and responsibility over all data submitted;
- it is solely responsible for lawful and appropriate use;
- simulations must be governed and deployed responsibly; and
- Cyberbay bears no responsibility for Client-specific deployment decisions or outcomes.