Terms of Use

Last updated: May 10, 2026

These Terms of Service (“Terms”) govern access to and use of Syrix’s websites, web application, platform, products, services, trials, subscriptions, documentation, and related offerings (collectively, the “Services”).

These Terms are entered into between Syrix Ltd, doing business as Syrix (“Syrix,” “we,” “our,” or “us”), and the organization or person accessing or using the Services (“Customer,” “you,” or “your”).

If you use the Services on behalf of an organization, you represent that you have authority to bind that organization to these Terms. If you do not have such authority, or if you do not agree to these Terms, you must not access or use the Services.

Table of Contents

  1. About Syrix
  2. Scope of these Terms
  3. Account registration and authorized users
  4. Customer environments and authorization
  5. The Services
  6. Automated and guided remediation
  7. Customer responsibilities
  8. MSP and partner use
  9. Trials, beta services, and previews
  10. Fees, billing, taxes, and subscriptions
  11. Cancellation and termination
  12. Customer Data
  13. Privacy and data processing
  14. Security
  15. Confidentiality
  16. Intellectual property
  17. Feedback
  18. Acceptable use
  19. Third-party services
  20. Compliance, security, and risk disclaimers
  21. Disclaimers
  22. Limitation of liability
  23. Indemnification
  24. Export, sanctions, and restricted use
  25. Changes to these Terms
  26. Governing law and disputes
  27. Notices
  28. General terms

1. About Syrix

Syrix provides a cloud security platform designed to help organizations monitor, evaluate, enforce, and improve security posture across Microsoft 365 and related cloud environments. The Services may include security posture management, configuration monitoring, automated and guided remediation, access governance, connected application visibility, security logging, audit evidence, compliance support, detection and response features, and related capabilities.

Syrix is designed for business use and is not intended for personal, household, or consumer use.

2. Scope of these Terms

These Terms apply to:

  • Use of the Syrix website and public materials.
  • Creation and administration of Syrix accounts.
  • Trials, beta access, subscriptions, and paid use of the Syrix platform.
  • Connection of Microsoft 365 tenants or other protected environments.
  • Use of Syrix dashboards, reports, recommendations, remediation workflows, logs, exports, and integrations.
  • Use of any documentation, APIs, support, or related services provided by Syrix.

If you enter into a separate written agreement, order form, partner agreement, data processing addendum, or other signed contract with Syrix, that document will apply together with these Terms. If there is a conflict, the signed agreement or order form will control for the specific Services covered by it.

3. Account registration and authorized users

To use certain Services, you may need to create an account. You agree to provide accurate and complete account information and to keep it updated.

You are responsible for:

  • All activity under your account and your authorized users’ accounts.
  • Maintaining the confidentiality of credentials, tokens, and access methods.
  • Ensuring that only authorized personnel access the Services.
  • Promptly disabling access for users who no longer require access.
  • Notifying Syrix promptly of any suspected unauthorized access or security incident involving your Syrix account.

Syrix may use authentication, identity, or access controls to protect the Services. You agree not to bypass, disable, or interfere with those controls.

4. Customer environments and authorization

To use the platform, you may authorize Syrix to connect to Microsoft 365, Microsoft Entra ID, or another protected environment (“Customer Environment”).

By connecting a Customer Environment, you represent and warrant that:

  • You have the right and authority to authorize Syrix to access and process data from that Customer Environment.
  • You have obtained any internal approvals required to grant Syrix access.
  • You will grant only the permissions needed for the Services you choose to use.
  • Your use of the Services complies with your agreements with Microsoft or other third-party providers.
  • You are responsible for configuring and maintaining your Customer Environment, including administrator accounts, permissions, break-glass access, backup procedures, and internal change-management processes.

Syrix may use authorized APIs, administrative interfaces, permissions, and integrations to read, evaluate, store, and act on relevant configuration, identity, access, security, audit, sharing, application, compliance, and operational metadata.

Customer-authorized integrations, such as Microsoft 365 and Microsoft Entra ID tenants connected by Customer, are used as Customer-designated data sources and protected environments for the Services.

5. The Services

Subject to these Terms, Syrix grants Customer a limited, non-exclusive, non-transferable, revocable right to access and use the Services during the applicable trial or subscription term for Customer’s internal business purposes.

The Services may include some or all of the following, depending on the plan, configuration, availability, licensing, and permissions granted:

  • Continuous or periodic security posture evaluation.
  • Detection of Microsoft 365 misconfigurations and configuration drift.
  • Security recommendations and prioritized actions.
  • Automated remediation for selected low-impact or safe issues.
  • Guided or approval-based remediation for higher-impact changes.
  • Rollback, recovery, or change-history features.
  • Guest and privileged access visibility and review workflows.
  • Connected application and OAuth permission visibility.
  • Security logs, audit logs, remediation logs, and evidence records.
  • Compliance mapping and audit-oriented exports.
  • Detection and response workflows for suspicious activity, where available.
  • MSP or multi-tenant management capabilities, where available.

Syrix may update, improve, modify, suspend, or discontinue features from time to time. We will make reasonable efforts to avoid materially reducing core functionality during an active paid subscription term, unless required for security, legal, technical, or operational reasons.

6. Automated and guided remediation

Syrix may provide remediation capabilities that change settings, policies, permissions, access, or configuration in a Customer Environment.

Remediation may be:

  • Automatic: applied by Syrix according to Customer’s configuration or selected service settings.
  • Approval-based: applied only after an authorized user reviews and approves the action.
  • Guided: presented as recommended steps for Customer to perform manually.

Customer acknowledges that security remediation may affect users, workflows, applications, integrations, sharing, access, mail flow, authentication, collaboration, or other business operations.

Customer is responsible for:

  • Reviewing remediation recommendations and impact previews.
  • Deciding whether a recommended action is appropriate for its environment.
  • Configuring automatic remediation settings.
  • Maintaining appropriate administrator and break-glass access.
  • Testing or reviewing business-impacting changes where appropriate.
  • Ensuring remediation decisions align with Customer’s internal policies and operational requirements.

Syrix may provide rollback or recovery capabilities for supported changes, but rollback may not be available for every action, environment, configuration, integration, third-party dependency, or Microsoft API behavior. Syrix does not guarantee that every change can be reversed or restored to a prior state.

7. Customer responsibilities

Customer is responsible for:

  • The accuracy, legality, quality, and integrity of Customer Data.
  • Obtaining all necessary rights, consents, notices, and authorizations for Syrix to process Customer Data.
  • Managing Customer’s users, administrators, roles, approvals, and access rights.
  • Reviewing security recommendations and remediation actions.
  • Maintaining backups, business continuity plans, break-glass accounts, and recovery procedures.
  • Ensuring that the Services are appropriate for Customer’s legal, regulatory, security, and business requirements.
  • Responding to alerts, findings, recommended actions, and security issues surfaced by the Services.
  • Complying with applicable laws and third-party service agreements.

Syrix is not responsible for Customer’s Microsoft 365 tenant configuration, third-party accounts, endpoints, networks, users, internal processes, business operations, or external systems except to the extent expressly provided in these Terms or a written agreement.

8. MSP and partner use

If Customer is a managed service provider, reseller, consultant, partner, or other service provider using Syrix on behalf of its own clients (“Managed Clients”), Customer represents and warrants that:

  • Customer has authority to access and manage each Managed Client environment through Syrix.
  • Customer has obtained all necessary permissions, agreements, and authorizations from its Managed Clients.
  • Customer is responsible for its acts and omissions and for the acts and omissions of its users with respect to Managed Client environments.
  • Customer will use appropriate access controls to prevent unauthorized access between Managed Client environments.
  • Customer will not represent that Syrix has a direct contractual relationship with a Managed Client unless Syrix has separately agreed in writing.

Syrix may provide multi-tenant or partner-portal functionality, but Customer remains responsible for its relationship with Managed Clients and for ensuring that use of Syrix complies with the Managed Client’s instructions and applicable law.

9. Trials, beta services, and previews

Syrix may offer free trials, beta features, preview features, pilots, proof-of-concept access, or evaluation access.

Unless otherwise agreed in writing:

  • Trials, beta services, previews, and pilots are provided for evaluation only.
  • They may be limited in time, features, usage, support, retention, or availability.
  • They may be modified, suspended, or discontinued at any time.
  • They may contain errors, be incomplete, or change before general availability.
  • They are provided “as is” and without warranties to the maximum extent permitted by law.

Syrix may convert a trial to a paid subscription only according to the ordering, billing, and consent process presented to Customer or otherwise agreed in writing.

10. Fees, billing, taxes, and subscriptions

If Customer purchases a paid subscription, Customer agrees to pay all applicable fees according to the plan, order form, checkout flow, invoice, or written agreement.

Unless otherwise stated:

  • Fees are based on the selected plan, add-ons, billing frequency, and applicable usage metric.
  • Fees are non-refundable except as required by law or expressly stated in a written agreement.
  • Subscription terms renew automatically unless cancelled according to the applicable cancellation process.
  • Customer is responsible for all taxes, duties, levies, and governmental charges, excluding taxes based on Syrix’s net income.
  • Syrix may suspend or limit access for overdue amounts after reasonable notice, unless the amount is disputed in good faith.

For per-user pricing, billable users may be calculated according to Syrix’s then-current pricing page, order form, or written agreement. Unless otherwise stated in the applicable order, Syrix may exclude guests, shared mailboxes, service accounts, or other non-billable account types from billable user counts.

Syrix may change pricing for future subscription terms or new purchases. Price changes will not apply retroactively to an already-paid subscription term unless otherwise agreed.

11. Cancellation and termination

Customer may cancel its subscription according to the cancellation process made available by Syrix or as stated in an order form or written agreement.

Either party may terminate access to the Services if the other party materially breaches these Terms and fails to cure the breach within 30 days after written notice, unless the breach cannot be cured or requires faster action for security, legal, or operational reasons.

Syrix may suspend or terminate access immediately if:

  • Customer uses the Services in violation of law or these Terms.
  • Customer’s use creates a security, availability, legal, or operational risk.
  • Customer fails to pay undisputed overdue fees.
  • Customer attempts to interfere with, reverse engineer, abuse, or compromise the Services.
  • Syrix is required to do so by law or a third-party provider.

Upon termination or expiration:

  • Customer’s right to access the Services ends.
  • Customer remains responsible for fees incurred before termination.
  • Syrix may delete or anonymize Customer Data according to the Privacy Policy, applicable data processing terms, product settings, and legal obligations.
  • Sections that by their nature should survive termination will survive, including confidentiality, payment obligations, intellectual property, disclaimers, limitations of liability, indemnification, and dispute provisions.

12. Customer Data

“Customer Data” means data, content, metadata, logs, configuration information, account information, tenant information, security information, and other materials submitted to, connected to, generated by, or processed through the Services on behalf of Customer.

Customer retains all rights in Customer Data. Customer grants Syrix a limited right to process Customer Data only as necessary to:

  • Provide, operate, secure, support, and improve the Services.
  • Evaluate Customer Environments.
  • Generate findings, recommendations, logs, reports, evidence, and remediation workflows.
  • Perform actions authorized by Customer.
  • Prevent or address security, technical, legal, or service issues.
  • Comply with applicable law and contractual obligations.

Syrix does not sell Customer Data.

Syrix may generate aggregated or de-identified data from use of the Services, provided it does not identify Customer, Customer’s users, or any individual. Syrix may use aggregated or de-identified data for analytics, benchmarking, product improvement, security research, and business purposes.

13. Privacy and data processing

Syrix’s processing of personal data is described in the Syrix Privacy Policy.

Where Syrix processes personal data on behalf of Customer as a processor, such processing is governed by Syrix’s Data Processing Addendum or other applicable data processing terms.

Customer is responsible for providing any required notices and obtaining any required consents from its users, employees, contractors, guests, Managed Clients, or other individuals whose personal data may be processed through the Services.

14. Security

Syrix uses administrative, technical, and organizational measures designed to protect the Services and Customer Data. These measures may include encryption, access controls, logging, monitoring, secure development practices, vulnerability management, backup procedures, and vendor review.

Customer acknowledges that no system or service can be guaranteed to be completely secure. Customer is responsible for maintaining the security of its own accounts, credentials, devices, networks, Customer Environments, Microsoft 365 tenants, administrative permissions, and internal security practices.

Customer must promptly notify Syrix of any suspected unauthorized access to the Services or compromise involving Syrix credentials, integrations, tokens, or accounts.

15. Confidentiality

“Confidential Information” means non-public information disclosed by one party to the other that is marked confidential or should reasonably be understood to be confidential, including business, technical, product, security, financial, customer, and operational information.

The receiving party will:

  • Use Confidential Information only to perform or receive the Services.
  • Protect Confidential Information using reasonable care.
  • Not disclose Confidential Information except to personnel, contractors, advisors, service providers, or subprocessors who need to know it and are bound by confidentiality obligations.

Confidential Information does not include information that is publicly available, already known without confidentiality obligation, independently developed without use of the Confidential Information, or lawfully received from a third party without confidentiality obligation.

A party may disclose Confidential Information if required by law, regulation, court order, or governmental authority, provided that it gives the other party reasonable notice where legally permitted.

16. Intellectual property

Syrix and its licensors retain all rights, title, and interest in and to the Services, website, software, platform, documentation, designs, workflows, technology, models, templates, reports, product names, logos, trademarks, and related intellectual property.

Customer may not:

  • Copy, modify, adapt, translate, or create derivative works of the Services.
  • Reverse engineer, decompile, disassemble, or attempt to discover source code, underlying models, algorithms, or non-public APIs.
  • Remove proprietary notices.
  • Use the Services to build a competing product or service.
  • Benchmark or publish performance information about the Services without Syrix’s prior written consent.
  • Resell, sublicense, or make the Services available to third parties except as expressly permitted for MSP or partner use.

No rights are granted except as expressly stated in these Terms.

17. Feedback

If Customer or its users provide suggestions, ideas, enhancement requests, recommendations, or other feedback about Syrix, Customer grants Syrix a worldwide, perpetual, irrevocable, royalty-free right to use that feedback without restriction or compensation.

This feedback license does not give Syrix ownership of Customer Data, tenant data, support data, or Customer Confidential Information.

18. Acceptable use

Customer may not use the Services to:

  • Violate any law, regulation, or third-party right.
  • Access systems, tenants, accounts, or data without authorization.
  • Interfere with or disrupt the Services or related infrastructure.
  • Circumvent security, authentication, rate limits, or access controls.
  • Upload malicious code or conduct harmful activity.
  • Probe, scan, or test the vulnerability of Syrix systems without written authorization.
  • Reverse engineer or attempt to extract non-public functionality.
  • Use the Services to build or improve a competing service.
  • Misrepresent identity, authority, affiliation, or authorization.
  • Process data through the Services in a way that violates applicable law or contractual obligations.

Syrix may investigate suspected violations and may suspend access when necessary to protect the Services, customers, users, or third parties.

19. Third-party services

The Services may interact with or depend on third-party services, including Microsoft 365, Microsoft Entra ID, cloud providers, identity providers, payment processors, communication tools, analytics providers, or other integrations.

Third-party services are governed by their own terms and privacy policies. Syrix is not responsible for third-party services, changes to third-party APIs, outages, data handling by third-party providers, or Customer’s relationship with those providers.

Certain Syrix functionality may depend on third-party permissions, licenses, APIs, service availability, or product changes. Syrix does not guarantee that every feature will be available for every Customer Environment, license level, geography, tenant configuration, or third-party service plan.

20. Compliance, security, and risk disclaimers

Syrix is designed to help identify, prioritize, remediate, monitor, and evidence certain security configuration, access, SaaS, and compliance-related risks.

Customer acknowledges that:

  • Syrix does not guarantee that all vulnerabilities, misconfigurations, threats, incidents, exposures, attacks, data loss events, or compliance gaps will be detected, prevented, remediated, or reported.
  • Syrix does not replace Customer’s security program, IT administration, legal advice, compliance program, auditors, managed SOC, MDR, SIEM, incident response provider, or regulatory obligations.
  • Syrix recommendations are based on available data, permissions, product logic, supported integrations, and third-party APIs, which may be incomplete, delayed, unavailable, or changed by third parties.
  • Compliance mappings, reports, dashboards, and evidence are provided to support Customer’s compliance efforts and do not constitute legal advice, audit certification, regulatory approval, or a guarantee of compliance.
  • Customer is responsible for determining whether a recommendation, remediation, policy, report, or control is appropriate for its business, risk tolerance, legal obligations, and technical environment.

21. Disclaimers

To the maximum extent permitted by law, the Services are provided “as is” and “as available.” Syrix disclaims all warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, non-infringement, uninterrupted operation, error-free operation, and availability.

Syrix does not warrant that:

  • The Services will meet all Customer requirements.
  • The Services will be uninterrupted, secure, timely, or error-free.
  • Findings, recommendations, reports, or evidence will be complete or accurate in every case.
  • All issues can be remediated or rolled back.
  • The Services will prevent breaches, incidents, misconfigurations, data exposure, or non-compliance.

Some jurisdictions do not allow certain warranty exclusions, so some exclusions may not apply to a particular Customer.

22. Limitation of liability

To the maximum extent permitted by law, neither party will be liable for indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages, or for lost profits, lost revenue, lost business, lost goodwill, lost data, business interruption, or cost of substitute services, even if advised of the possibility of such damages.

To the maximum extent permitted by law, each party’s total aggregate liability arising out of or relating to these Terms or the Services will not exceed the amounts paid or payable by Customer to Syrix for the Services giving rise to the claim during the 12 months before the event giving rise to liability.

The above liability cap does not apply to:

  • Customer’s payment obligations.
  • Customer’s misuse of the Services.
  • Customer’s violation of Syrix intellectual property rights.
  • A party’s confidentiality obligations.
  • A party’s indemnification obligations, if applicable.
  • Liability that cannot be limited under applicable law.

23. Indemnification

Customer will defend, indemnify, and hold harmless Syrix and its affiliates, officers, directors, employees, contractors, and agents from and against claims, damages, liabilities, costs, and expenses, including reasonable attorneys’ fees, arising from:

  • Customer Data.
  • Customer’s use of the Services in violation of these Terms or applicable law.
  • Customer’s Customer Environment or third-party accounts.
  • Customer’s remediation decisions, approvals, configurations, or instructions.
  • Customer’s relationship with Managed Clients, if applicable.
  • Allegations that Customer lacked authority to connect a Customer Environment or process data through the Services.

Syrix will promptly notify Customer of any claim for which it seeks indemnification and will reasonably cooperate in the defense. Customer may not settle a claim in a way that admits fault by Syrix or imposes obligations on Syrix without Syrix’s prior written consent.

24. Export, sanctions, and restricted use

Customer may not use, export, re-export, or transfer the Services in violation of applicable export control, sanctions, or trade compliance laws.

Customer represents that it and its users are not prohibited from using the Services under applicable sanctions, export control, or trade restrictions.

25. Changes to these Terms

Syrix may update these Terms from time to time. When we make changes, we will update the “Last updated” date above.

If changes are material, Syrix will make reasonable efforts to provide notice, such as by posting a notice on the website, providing notice in the platform, or sending an email to account administrators.

Updated Terms will apply from the effective date stated in the notice or, if no date is stated, from the date they are posted. If Customer continues to use the Services after updated Terms become effective, Customer agrees to the updated Terms.

For an active paid subscription, material changes that substantially reduce Customer’s rights or increase Customer’s obligations will not apply until the next renewal term, unless the change is required for legal, security, regulatory, or operational reasons.

26. Governing law and disputes

These Terms are governed by the laws of Tel Aviv, Israel, without regard to conflict-of-law principles.

The courts located in Tel Aviv, Israel will have exclusive jurisdiction over disputes arising out of or relating to these Terms or the Services, and each party consents to that jurisdiction and venue.

Nothing in these Terms prevents either party from seeking injunctive or equitable relief to protect intellectual property, Confidential Information, security, or unauthorized use of the Services.

27. Notices

Syrix may provide notices by email, through the Services, through the website, or by other reasonable means.

Customer may provide legal notices to Syrix at: Email: legal@syrix.io

Privacy-related requests should be sent to: Email: privacy@syrix.io

Security-related notices should be sent to: Email: security@syrix.io

Data processing inquiries should be sent to: Email: dpa@syrix.io

28. General terms

Customer may not assign or transfer these Terms without Syrix’s prior written consent, except to a successor in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets, provided the successor is not a competitor of Syrix and agrees to be bound by these Terms. Syrix may assign these Terms in connection with a merger, acquisition, corporate reorganization, sale of assets, or by operation of law.

If any provision of these Terms is found unenforceable, the remaining provisions will remain in effect, and the unenforceable provision will be interpreted to best accomplish its intended purpose.

Failure to enforce a provision is not a waiver.

These Terms, together with any applicable order form, written agreement, Privacy Policy, Data Processing Addendum, and referenced policies, constitute the entire agreement between the parties regarding the Services.

No agency, partnership, joint venture, employment, or fiduciary relationship is created by these Terms.

Headings are for convenience only and do not affect interpretation.

Data Processing Addendum

Last updated: May 10, 2026

This Data Processing Addendum (“DPA”) forms part of the Syrix Terms of Service, order form, subscription agreement, partner agreement, or other written agreement governing Customer’s use of the Syrix Services (the “Agreement”).

This DPA applies when Syrix, doing business as Syrix (“Syrix,” “we,” “our,” or “us”), processes Personal Data on behalf of Customer in connection with the Services.

If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls to the extent of the conflict.

Table of Contents

  1. Definitions
  2. Roles of the parties
  3. Scope of processing
  4. Customer instructions
  5. Customer responsibilities
  6. Syrix processing obligations
  7. Confidentiality
  8. Security measures
  9. Subprocessors
  10. International data transfers
  11. Assistance with data subject requests
  12. Assistance with compliance obligations
  13. Personal Data Breach notification
  14. Deletion and return of Personal Data
  15. Audits and information rights
  16. Government and third-party requests
  17. MSP and partner use
  18. Use of aggregated or de-identified data
  19. Order of precedence
  20. Contact

  Schedule 1 — Details of Processing
  Schedule 2 — Subprocessors
  Schedule 3 — Technical and Organizational Measures
  Schedule 4 — International Transfers

1. Definitions

For purposes of this DPA:

“Applicable Data Protection Laws” means all privacy, data protection, and data security laws and regulations applicable to the processing of Personal Data under the Agreement, which may include the GDPR, UK GDPR, applicable U.S. state privacy laws, applicable Israeli privacy law, and other applicable privacy laws.

“Customer” means the organization or person that has entered into the Agreement with Syrix and uses the Services.

“Customer Data” has the meaning given in the Agreement and includes data, content, metadata, logs, configuration information, account information, tenant information, security information, and other materials submitted to, connected to, generated by, or processed through the Services on behalf of Customer.

“Customer Environment” means a Microsoft 365 tenant, Microsoft Entra ID tenant, cloud environment, SaaS environment, or other protected environment connected to or monitored by Syrix on behalf of Customer.

“Data Subject,” “Controller,” “Processor,” “Subprocessor,” “Personal Data,” “Personal Data Breach,” “Process,” “Processing,” and “Supervisory Authority” have the meanings given under Applicable Data Protection Laws. Where Applicable Data Protection Laws use equivalent terms, such as “business,” “service provider,” “contractor,” “consumer,” or “personal information,” those terms will be interpreted consistently with the applicable law.

“Services” means the Syrix websites, web application, platform, products, services, trials, subscriptions, documentation, and related offerings provided under the Agreement.

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission for international transfers of Personal Data, as updated, replaced, or supplemented from time to time.

“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner’s Office, as updated, replaced, or supplemented from time to time.

2. Roles of the parties

2.1 Customer as Controller

For Personal Data processed by Syrix on behalf of Customer through the Services, Customer is the Controller and Syrix is the Processor, unless otherwise required by Applicable Data Protection Laws.

Customer determines the purposes and means of Processing Personal Data in Customer Data, including Personal Data from Customer Environments.

2.2 Syrix as Processor

Syrix Processes Personal Data on behalf of Customer to provide, operate, secure, support, and improve the Services according to Customer’s instructions and the Agreement.

2.3 Syrix as Controller

Syrix may act as an independent Controller for certain Personal Data processed outside the processor relationship, such as website visitor data, sales and marketing contacts, billing contacts, account administration data, security and operational data needed to protect Syrix, and business relationship records. Such processing is described in the Syrix Privacy Policy and is not governed by this DPA except where expressly stated.

3. Scope of processing

The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Schedule 1 — Details of Processing.

Customer authorizes Syrix to Process Personal Data as necessary to provide the Services, including to:

  • Connect to Customer Environments authorized by Customer.
  • Evaluate security posture, configurations, access, permissions, apps, sharing, audit logs, alerts, and related security metadata.
  • Generate findings, recommendations, remediation previews, security logs, audit logs, access review evidence, compliance evidence, reports, and exports.
  • Perform remediation actions authorized by Customer or configured by Customer for automatic execution.
  • Provide product functionality, support, troubleshooting, security, monitoring, availability, backup, recovery, and service improvement.
  • Comply with applicable legal, security, and contractual obligations.

4. Customer instructions

Customer instructs Syrix to Process Personal Data as necessary to provide the Services under the Agreement and this DPA.

Customer’s instructions include:

  • The Agreement.
  • This DPA.
  • Customer’s use and configuration of the Services.
  • Permissions and integrations authorized by Customer.
  • Remediation, approval, suppression, rollback, retention, export, and other workflow decisions made by Customer or its authorized users.
  • Written instructions mutually agreed by the parties.

Syrix will not Process Personal Data for purposes other than those described in the Agreement, this DPA, or Customer’s documented instructions, unless required by law. If Syrix is required by law to Process Personal Data contrary to Customer’s instructions, Syrix will notify Customer unless legally prohibited from doing so.

If Syrix believes that an instruction violates Applicable Data Protection Laws, Syrix will inform Customer where legally permitted. Syrix may suspend Processing affected by such instruction until the issue is resolved.

5. Customer responsibilities

Customer is responsible for:

  • Complying with Applicable Data Protection Laws.
  • Having a lawful basis for collecting, using, sharing, and Processing Personal Data through the Services.
  • Providing notices and obtaining consents where required.
  • Ensuring that Customer has the right to authorize Syrix to access and Process Personal Data from Customer Environments.
  • Ensuring that Customer’s instructions to Syrix are lawful.
  • Configuring access permissions, integrations, retention, remediation, and user roles appropriately.
  • Managing authorized users and preventing unauthorized access.
  • Responding to Data Subject requests where Customer is the Controller.
  • Ensuring that Personal Data submitted to the Services is appropriate and not excessive for the Services.

Customer will not submit special categories of Personal Data, highly sensitive Personal Data, or regulated data to the Services unless necessary for Customer’s use of the Services and permitted under the Agreement, this DPA, and Applicable Data Protection Laws.

6. Syrix processing obligations

Syrix will:

  • Process Personal Data only according to Customer’s documented instructions.
  • Ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures designed to protect Personal Data.
  • Assist Customer with Data Subject requests, security obligations, breach notification obligations, data protection impact assessments, and consultations with Supervisory Authorities, as required by Applicable Data Protection Laws and taking into account the nature of the Processing and information available to Syrix.
  • Use Subprocessors only as described in this DPA.
  • Delete or return Personal Data as described in this DPA and the Agreement.
  • Make available information reasonably necessary to demonstrate compliance with this DPA, subject to the audit terms below.

7. Confidentiality

Syrix will ensure that persons authorized to Process Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

Syrix will restrict access to Personal Data to personnel, contractors, advisors, service providers, and Subprocessors who need access to provide, secure, support, or operate the Services.

8. Security measures

Syrix will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

The measures are described in Schedule 3 — Technical and Organizational Measures.

Customer acknowledges that security measures may evolve over time. Syrix may update or modify its security measures, provided that such updates do not materially decrease the overall security of the Services during an active subscription term.

9. Subprocessors

Customer authorizes Syrix to use Subprocessors to provide, secure, support, and improve the Services.

Syrix will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective, in substance, than those in this DPA, to the extent applicable to the services provided by the Subprocessor.

A current list of Syrix Subprocessors is set out in Schedule 2 — Subprocessors. Customer may request the current list or additional subprocessor information by contacting dpa@syrix.io.

Syrix may update its Subprocessor list from time to time. Where required by Applicable Data Protection Laws or the Agreement, Syrix will provide notice of new Subprocessors before authorizing them to Process Personal Data.

Customer may object to a new Subprocessor on reasonable data protection grounds by notifying Syrix within 15 days after notice. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected Services to the extent the new Subprocessor is necessary for those Services. Unless otherwise required by law or agreed in writing, termination under this section will not entitle Customer to a refund for Services already provided.

Syrix remains responsible for the performance of its Subprocessors’ obligations as required by Applicable Data Protection Laws.

10. International data transfers

Syrix and its Subprocessors may Process Personal Data in multiple jurisdictions where Syrix or its Subprocessors operate.

Where Personal Data is transferred internationally, Syrix will use appropriate transfer mechanisms as required by Applicable Data Protection Laws. These mechanisms may include adequacy decisions, data processing agreements, the SCCs, the UK Addendum, contractual safeguards, or other lawful transfer mechanisms.

Additional international transfer terms are described in Schedule 4 — International Transfers.

11. Assistance with data subject requests

Taking into account the nature of the Processing and the information available to Syrix, Syrix will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise rights under Applicable Data Protection Laws.

If Syrix receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, Syrix may refer the request to Customer unless otherwise required by law. Syrix will not independently respond to such requests except to confirm that the request relates to Customer or as legally required.

Customer is responsible for responding to Data Subject requests where Customer is the Controller.

12. Assistance with compliance obligations

Taking into account the nature of the Processing and information available to Syrix, Syrix will provide reasonable assistance to Customer with Customer’s obligations under Applicable Data Protection Laws, including obligations relating to:

  • Security of Processing.
  • Personal Data Breach notifications.
  • Data protection impact assessments.
  • Prior consultation with Supervisory Authorities, where required.

Syrix may charge reasonable fees for assistance that is outside the standard functionality of the Services or requires substantial additional effort, unless the assistance is required due to Syrix’s breach of this DPA.

13. Personal Data Breach notification

Syrix will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed by Syrix on behalf of Customer, and in any event within 72 hours after becoming aware of the Personal Data Breach, unless legally prohibited or where notification is not reasonably possible within that timeframe due to the nature of the incident.

The notification will include information reasonably available to Syrix, which may include:

  • The nature of the Personal Data Breach.
  • The categories and approximate number of affected Data Subjects, where known.
  • The categories and approximate number of affected records, where known.
  • Likely consequences, where known.
  • Measures taken or proposed to address the Personal Data Breach.
  • Contact information for follow-up.

Syrix’s notification of or response to a Personal Data Breach is not an admission of fault or liability.

Customer is responsible for determining whether notification to Data Subjects, Supervisory Authorities, customers, regulators, or other third parties is required.

14. Deletion and return of Personal Data

Upon termination or expiration of the Services, Syrix will delete or return Personal Data processed on behalf of Customer according to the Agreement, product functionality, Customer configuration, and applicable law.

Unless otherwise agreed in writing or required by law, Syrix will delete or anonymize Customer tenant data within a reasonable period after termination or expiration of the Services.

Syrix may retain Personal Data where required or permitted for legal, security, compliance, dispute-resolution, backup, audit, accounting, or legitimate business purposes, subject to the confidentiality and security obligations in this DPA.

Backups may retain Personal Data for a limited period according to Syrix’s backup and disaster recovery practices before being overwritten or deleted.

15. Audits and information rights

Syrix will make available information reasonably necessary to demonstrate compliance with this DPA.

Where available, Syrix may satisfy audit requests by providing security documentation, compliance reports, certifications, third-party audit summaries, questionnaires, or other relevant materials.

Customer may request an audit no more than once per calendar year, unless required by a Supervisory Authority or following a confirmed Personal Data Breach affecting Customer Personal Data.

Any audit must be:

  • Conducted on reasonable prior written notice.
  • Limited to Syrix’s Processing of Personal Data on behalf of Customer.
  • Conducted during normal business hours.
  • Subject to confidentiality obligations.
  • Designed to avoid unreasonable disruption to Syrix’s business, systems, security, and other customers.

Customer may not access data, systems, or information relating to other Syrix customers. Syrix may require audits to be conducted by an independent third-party auditor that is not a competitor of Syrix.

Customer will bear its own audit costs. Syrix may charge reasonable fees for support with audits that require substantial additional effort, unless the audit is required due to Syrix’s breach of this DPA.

16. Government and third-party requests

If Syrix receives a legally binding request from a government authority, court, regulator, law enforcement agency, or third party seeking access to Personal Data processed on behalf of Customer, Syrix will notify Customer unless legally prohibited from doing so.

Syrix will make reasonable efforts to redirect the requesting party to Customer where appropriate and legally permitted.

17. MSP and partner use

If Customer uses the Services on behalf of Managed Clients, Customer is responsible for ensuring that it has all rights, permissions, notices, consents, agreements, and instructions needed to authorize Syrix to Process Personal Data from Managed Client environments.

As between Syrix and Customer, Customer is responsible for its Managed Clients and for ensuring that Customer’s use of the Services complies with all applicable data protection obligations owed to those Managed Clients.

Customer will not represent that Syrix has a direct processor relationship with a Managed Client unless Syrix has separately agreed in writing.

18. Use of aggregated or de-identified data

Syrix may create and use aggregated or de-identified data derived from the Services, provided that such data does not identify Customer, Customer’s users, Managed Clients, or any individual.

Syrix may use aggregated or de-identified data for analytics, benchmarking, product improvement, security research, threat analysis, and business purposes.

19. Order of precedence

If there is a conflict between documents regarding the Processing of Personal Data, the following order applies:

  1. Standard Contractual Clauses or other mandatory transfer terms, where applicable.
  2. This DPA.
  3. The Agreement.
  4. The Privacy Policy.
  5. Product documentation or website materials.

20. Contact

For data processing inquiries, contact:

Email: dpa@syrix.io

For privacy requests, contact:

Email: privacy@syrix.io

For security matters, contact:

Email: security@syrix.io

Legal entity: [Insert Syrix legal entity name]

Schedule 1 — Details of Processing

1. Subject matter

Syrix’s Processing of Personal Data on behalf of Customer in connection with the provision of the Syrix cloud security platform and related Services.

2. Duration

For the duration of Customer’s subscription, trial, pilot, beta, or other use of the Services, plus any post-termination period required for deletion, return, backup retention, legal compliance, dispute resolution, audit, or security purposes.

3. Nature of Processing

Syrix may perform the following Processing activities:

  • Collection and retrieval.
  • Connection to Customer Environments.
  • Reading and evaluation of configuration, identity, access, app, security, audit, sharing, and compliance metadata.
  • Hosting and storage.
  • Analysis and correlation.
  • Monitoring and alerting.
  • Report and evidence generation.
  • Logging and audit trail creation.
  • Remediation preview and execution.
  • Approval, suppression, rollback, and recovery workflow processing.
  • Export and display within the Services.
  • Support, troubleshooting, maintenance, backup, security, and service improvement.
  • Deletion, anonymization, or return.

4. Purpose of Processing

The purpose of Processing is to provide the Services, including:

  • Security posture management.
  • Microsoft 365 configuration monitoring.
  • Misconfiguration detection.
  • Configuration drift detection.
  • Automated and guided remediation.
  • Access governance.
  • Guest and privileged user access reviews.
  • Connected app and OAuth permission visibility.
  • Security logging and audit logging.
  • Rollback and recovery features.
  • Compliance mapping and audit evidence.
  • Detection and response workflows, where available.
  • Customer support and service operations.

5. Categories of Data Subjects

Personal Data may relate to:

  • Customer administrators.
  • Customer employees.
  • Customer contractors.
  • Customer service accounts where associated with identifiable individuals.
  • Customer guests and external collaborators.
  • Customer users of Microsoft 365 or other connected environments.
  • MSP, partner, reseller, or consultant users.
  • Managed Client users, where applicable.
  • Customer support contacts.
  • Customer billing or business contacts.

6. Categories of Personal Data

Personal Data may include:

  • Name, display name, username, email address, UPN, user ID, object ID, tenant ID, account ID, role, group membership, and administrator role metadata.
  • Business contact details.
  • Authentication and access metadata.
  • MFA, Conditional Access, password policy, and identity security configuration metadata.
  • Guest access, external sharing, link sharing, permission, and access metadata.
  • Application, OAuth, service principal, app consent, publisher, permission, and activity metadata.
  • Audit logs, security logs, sign-in logs, alert metadata, and event metadata.
  • Remediation records, approval decisions, suppressions, rollback records, recovery records, and policy decisions.
  • Access review records, attestation records, compliance evidence, and export data.
  • Support ticket content and diagnostic data.
  • IP address, device, browser, and usage metadata associated with platform use.

7. Sensitive or special category data

The Services are not designed to intentionally collect or process special categories of Personal Data or highly sensitive personal data.

However, such data may appear incidentally in Customer Data, logs, file names, group names, user attributes, support requests, audit records, or metadata provided by Customer or Customer’s connected environments.

Customer is responsible for avoiding unnecessary submission of sensitive data to the Services and for ensuring that any such Processing is lawful.

8. Processing frequency

Continuous, periodic, event-based, and customer-initiated Processing, depending on Customer configuration, product features, scan schedules, integrations, and support needs.

Schedule 2 — Subprocessors

Syrix uses Subprocessors to provide, secure, support, and improve the Services. The list below should be completed and kept current before publication.

Current Subprocessors

Subprocessor: Amazon Web Services (AWS)

  • Purpose: Cloud hosting, infrastructure, storage, networking, security, backups
  • Data processed: Customer account data, platform data, Customer Environment metadata, logs, security evidence, operational data
  • Location / transfer safeguard: [Insert region / safeguards]

Subprocessor: Microsoft 365

  • Purpose: Internal business productivity, email, document collaboration, customer communications
  • Data processed: Business contact data, customer communications, support/security/DPA correspondence, internal documents
  • Location / transfer safeguard: [Insert region / safeguards]

Customer-authorized integrations

Customer-authorized integrations are not listed as Subprocessors solely because Customer connects them to Syrix. They are Customer-designated data sources and protected environments used to provide the Services.

Integration: Microsoft 365 / Microsoft Entra ID

  • Role: Customer-authorized protected environment and data source
  • Data processed: Microsoft 365 configuration, identity, role, guest, sharing, audit, security, app consent, and remediation metadata as authorized by Customer

Schedule 3 — Technical and Organizational Measures

Syrix will maintain appropriate technical and organizational measures designed to protect Personal Data processed on behalf of Customer.

1. Access control

  • Role-based access controls.
  • Least-privilege access practices.
  • Administrative access restricted to authorized personnel.
  • Access reviews for personnel with elevated access, where applicable.
  • Removal or adjustment of access when no longer needed.

2. Authentication and authorization

  • Authentication controls for Syrix personnel and platform users.
  • Support for secure login methods where available.
  • Protection of administrative interfaces.
  • Controls designed to prevent unauthorized access to customer accounts and environments.

3. Encryption

  • Encryption in transit using industry-standard protocols.
  • Encryption at rest for production systems where supported by the underlying infrastructure and service architecture.
  • Secure handling of credentials, tokens, and secrets.

4. Logging and monitoring

  • Logging of relevant administrative, security, and operational events.
  • Monitoring for suspicious or unauthorized activity affecting the Services.
  • Use of logs for troubleshooting, security, audit, and service integrity.

5. Segregation of customer data

  • Logical separation of customer accounts and tenant data.
  • Controls designed to prevent unauthorized access between customer environments.
  • Multi-tenant access controls for MSP and partner use, where applicable.

6. Secure development and change management

  • Secure development practices appropriate to the nature of the Services.
  • Review and testing of material changes before production deployment, where appropriate.
  • Change tracking and deployment controls.

7. Vulnerability and risk management

  • Reasonable measures to identify, assess, and address vulnerabilities.
  • Security updates and patching according to risk and operational requirements.
  • Review of security-relevant third-party dependencies where appropriate.

8. Backup and recovery

  • Backup and recovery practices designed to support availability and resilience.
  • Backup retention according to Syrix’s operational practices.
  • Recovery procedures tested or reviewed periodically, where appropriate.

9. Personnel security

  • Confidentiality obligations for personnel with access to Personal Data.
  • Access limited to personnel with a business need.
  • Security awareness or training appropriate to roles, where applicable.

10. Subprocessor management

  • Review of Subprocessors that Process Personal Data.
  • Written agreements imposing confidentiality and data protection obligations.
  • Updates to Subprocessor list as required.

11. Incident response

  • Procedures for identifying, investigating, escalating, and responding to security incidents.
  • Customer notification procedures for Personal Data Breaches as described in this DPA.

12. Data retention and deletion

  • Retention according to the Agreement, Privacy Policy, product configuration, and legal obligations.
  • Deletion, anonymization, or return of Customer Data following termination or expiration, subject to backup, legal, security, and compliance exceptions.

Schedule 4 — International Transfers

1. General transfer mechanism

Where Syrix transfers Personal Data internationally, Syrix will rely on lawful transfer mechanisms as required by Applicable Data Protection Laws.

These mechanisms may include:

  • Adequacy decisions.
  • Standard Contractual Clauses.
  • UK Addendum.
  • Data processing agreements.
  • Subprocessor contractual safeguards.
  • Other lawful mechanisms available under Applicable Data Protection Laws.

2. EEA transfers

Where Personal Data subject to the GDPR is transferred to a country that has not been recognized as providing an adequate level of protection, the SCCs will apply as required.

For purposes of the SCCs:

  • Customer is the data exporter.
  • Syrix is the data importer.
  • Module Two, Controller to Processor, will apply where Customer is a Controller and Syrix is a Processor.
  • The details of Processing are described in Schedule 1.
  • Technical and organizational measures are described in Schedule 3.
  • Subprocessors are described in Schedule 2.

3. UK transfers

Where Personal Data subject to the UK GDPR is transferred to a country that has not been recognized as providing an adequate level of protection, the UK Addendum will apply as required.

4. Transfer impact assessments

Taking into account the nature of the Services and information available to Syrix, Syrix will provide reasonable information to Customer to support transfer impact assessments where required by Applicable Data Protection Laws.

Terms of Use

Last updated: May 10, 2026

These Terms of Service (“Terms”) govern access to and use of Syrix’s websites, web application, platform, products, services, trials, subscriptions, documentation, and related offerings (collectively, the “Services”).

These Terms are entered into between Syrix Ltd, doing business as Syrix (“Syrix,” “we,” “our,” or “us”), and the organization or person accessing or using the Services (“Customer,” “you,” or “your”).

If you use the Services on behalf of an organization, you represent that you have authority to bind that organization to these Terms. If you do not have such authority, or if you do not agree to these Terms, you must not access or use the Services.

Table of Contents

  1. About Syrix
  2. Scope of these Terms
  3. Account registration and authorized users
  4. Customer environments and authorization
  5. The Services
  6. Automated and guided remediation
  7. Customer responsibilities
  8. MSP and partner use
  9. Trials, beta services, and previews
  10. Fees, billing, taxes, and subscriptions
  11. Cancellation and termination
  12. Customer Data
  13. Privacy and data processing
  14. Security
  15. Confidentiality
  16. Intellectual property
  17. Feedback
  18. Acceptable use
  19. Third-party services
  20. Compliance, security, and risk disclaimers
  21. Disclaimers
  22. Limitation of liability
  23. Indemnification
  24. Export, sanctions, and restricted use
  25. Changes to these Terms
  26. Governing law and disputes
  27. Notices
  28. General terms

1. About Syrix

Syrix provides a cloud security platform designed to help organizations monitor, evaluate, enforce, and improve security posture across Microsoft 365 and related cloud environments. The Services may include security posture management, configuration monitoring, automated and guided remediation, access governance, connected application visibility, security logging, audit evidence, compliance support, detection and response features, and related capabilities.

Syrix is designed for business use and is not intended for personal, household, or consumer use.

2. Scope of these Terms

These Terms apply to:

  • Use of the Syrix website and public materials.
  • Creation and administration of Syrix accounts.
  • Trials, beta access, subscriptions, and paid use of the Syrix platform.
  • Connection of Microsoft 365 tenants or other protected environments.
  • Use of Syrix dashboards, reports, recommendations, remediation workflows, logs, exports, and integrations.
  • Use of any documentation, APIs, support, or related services provided by Syrix.

If you enter into a separate written agreement, order form, partner agreement, data processing addendum, or other signed contract with Syrix, that document will apply together with these Terms. If there is a conflict, the signed agreement or order form will control for the specific Services covered by it.

3. Account registration and authorized users

To use certain Services, you may need to create an account. You agree to provide accurate and complete account information and to keep it updated.

You are responsible for:

  • All activity under your account and your authorized users’ accounts.
  • Maintaining the confidentiality of credentials, tokens, and access methods.
  • Ensuring that only authorized personnel access the Services.
  • Promptly disabling access for users who no longer require access.
  • Notifying Syrix promptly of any suspected unauthorized access or security incident involving your Syrix account.

Syrix may use authentication, identity, or access controls to protect the Services. You agree not to bypass, disable, or interfere with those controls.

4. Customer environments and authorization

To use the platform, you may authorize Syrix to connect to Microsoft 365, Microsoft Entra ID, or another protected environment (“Customer Environment”).

By connecting a Customer Environment, you represent and warrant that:

  • You have the right and authority to authorize Syrix to access and process data from that Customer Environment.
  • You have obtained any internal approvals required to grant Syrix access.
  • You will grant only the permissions needed for the Services you choose to use.
  • Your use of the Services complies with your agreements with Microsoft or other third-party providers.
  • You are responsible for configuring and maintaining your Customer Environment, including administrator accounts, permissions, break-glass access, backup procedures, and internal change-management processes.

Syrix may use authorized APIs, administrative interfaces, permissions, and integrations to read, evaluate, store, and act on relevant configuration, identity, access, security, audit, sharing, application, compliance, and operational metadata.

Customer-authorized integrations, such as Microsoft 365 and Microsoft Entra ID tenants connected by Customer, are used as Customer-designated data sources and protected environments for the Services.

5. The Services

Subject to these Terms, Syrix grants Customer a limited, non-exclusive, non-transferable, revocable right to access and use the Services during the applicable trial or subscription term for Customer’s internal business purposes.

The Services may include some or all of the following, depending on the plan, configuration, availability, licensing, and permissions granted:

  • Continuous or periodic security posture evaluation.
  • Detection of Microsoft 365 misconfigurations and configuration drift.
  • Security recommendations and prioritized actions.
  • Automated remediation for selected low-impact or safe issues.
  • Guided or approval-based remediation for higher-impact changes.
  • Rollback, recovery, or change-history features.
  • Guest and privileged access visibility and review workflows.
  • Connected application and OAuth permission visibility.
  • Security logs, audit logs, remediation logs, and evidence records.
  • Compliance mapping and audit-oriented exports.
  • Detection and response workflows for suspicious activity, where available.
  • MSP or multi-tenant management capabilities, where available.

Syrix may update, improve, modify, suspend, or discontinue features from time to time. We will make reasonable efforts to avoid materially reducing core functionality during an active paid subscription term, unless required for security, legal, technical, or operational reasons.

6. Automated and guided remediation

Syrix may provide remediation capabilities that change settings, policies, permissions, access, or configuration in a Customer Environment.

Remediation may be:

  • Automatic: applied by Syrix according to Customer’s configuration or selected service settings.
  • Approval-based: applied only after an authorized user reviews and approves the action.
  • Guided: presented as recommended steps for Customer to perform manually.

Customer acknowledges that security remediation may affect users, workflows, applications, integrations, sharing, access, mail flow, authentication, collaboration, or other business operations.

Customer is responsible for:

  • Reviewing remediation recommendations and impact previews.
  • Deciding whether a recommended action is appropriate for its environment.
  • Configuring automatic remediation settings.
  • Maintaining appropriate administrator and break-glass access.
  • Testing or reviewing business-impacting changes where appropriate.
  • Ensuring remediation decisions align with Customer’s internal policies and operational requirements.

Syrix may provide rollback or recovery capabilities for supported changes, but rollback may not be available for every action, environment, configuration, integration, third-party dependency, or Microsoft API behavior. Syrix does not guarantee that every change can be reversed or restored to a prior state.

7. Customer responsibilities

Customer is responsible for:

  • The accuracy, legality, quality, and integrity of Customer Data.
  • Obtaining all necessary rights, consents, notices, and authorizations for Syrix to process Customer Data.
  • Managing Customer’s users, administrators, roles, approvals, and access rights.
  • Reviewing security recommendations and remediation actions.
  • Maintaining backups, business continuity plans, break-glass accounts, and recovery procedures.
  • Ensuring that the Services are appropriate for Customer’s legal, regulatory, security, and business requirements.
  • Responding to alerts, findings, recommended actions, and security issues surfaced by the Services.
  • Complying with applicable laws and third-party service agreements.

Syrix is not responsible for Customer’s Microsoft 365 tenant configuration, third-party accounts, endpoints, networks, users, internal processes, business operations, or external systems except to the extent expressly provided in these Terms or a written agreement.

8. MSP and partner use

If Customer is a managed service provider, reseller, consultant, partner, or other service provider using Syrix on behalf of its own clients (“Managed Clients”), Customer represents and warrants that:

  • Customer has authority to access and manage each Managed Client environment through Syrix.
  • Customer has obtained all necessary permissions, agreements, and authorizations from its Managed Clients.
  • Customer is responsible for its acts and omissions and for the acts and omissions of its users with respect to Managed Client environments.
  • Customer will use appropriate access controls to prevent unauthorized access between Managed Client environments.
  • Customer will not represent that Syrix has a direct contractual relationship with a Managed Client unless Syrix has separately agreed in writing.

Syrix may provide multi-tenant or partner-portal functionality, but Customer remains responsible for its relationship with Managed Clients and for ensuring that use of Syrix complies with the Managed Client’s instructions and applicable law.

9. Trials, beta services, and previews

Syrix may offer free trials, beta features, preview features, pilots, proof-of-concept access, or evaluation access.

Unless otherwise agreed in writing:

  • Trials, beta services, previews, and pilots are provided for evaluation only.
  • They may be limited in time, features, usage, support, retention, or availability.
  • They may be modified, suspended, or discontinued at any time.
  • They may contain errors, be incomplete, or change before general availability.
  • They are provided “as is” and without warranties to the maximum extent permitted by law.

Syrix may convert a trial to a paid subscription only according to the ordering, billing, and consent process presented to Customer or otherwise agreed in writing.

10. Fees, billing, taxes, and subscriptions

If Customer purchases a paid subscription, Customer agrees to pay all applicable fees according to the plan, order form, checkout flow, invoice, or written agreement.

Unless otherwise stated:

  • Fees are based on the selected plan, add-ons, billing frequency, and applicable usage metric.
  • Fees are non-refundable except as required by law or expressly stated in a written agreement.
  • Subscription terms renew automatically unless cancelled according to the applicable cancellation process.
  • Customer is responsible for all taxes, duties, levies, and governmental charges, excluding taxes based on Syrix’s net income.
  • Syrix may suspend or limit access for overdue amounts after reasonable notice, unless the amount is disputed in good faith.

For per-user pricing, billable users may be calculated according to Syrix’s then-current pricing page, order form, or written agreement. Unless otherwise stated in the applicable order, Syrix may exclude guests, shared mailboxes, service accounts, or other non-billable account types from billable user counts.

Syrix may change pricing for future subscription terms or new purchases. Price changes will not apply retroactively to an already-paid subscription term unless otherwise agreed.

11. Cancellation and termination

Customer may cancel its subscription according to the cancellation process made available by Syrix or as stated in an order form or written agreement.

Either party may terminate access to the Services if the other party materially breaches these Terms and fails to cure the breach within 30 days after written notice, unless the breach cannot be cured or requires faster action for security, legal, or operational reasons.

Syrix may suspend or terminate access immediately if:

  • Customer uses the Services in violation of law or these Terms.
  • Customer’s use creates a security, availability, legal, or operational risk.
  • Customer fails to pay undisputed overdue fees.
  • Customer attempts to interfere with, reverse engineer, abuse, or compromise the Services.
  • Syrix is required to do so by law or a third-party provider.

Upon termination or expiration:

  • Customer’s right to access the Services ends.
  • Customer remains responsible for fees incurred before termination.
  • Syrix may delete or anonymize Customer Data according to the Privacy Policy, applicable data processing terms, product settings, and legal obligations.
  • Sections that by their nature should survive termination will survive, including confidentiality, payment obligations, intellectual property, disclaimers, limitations of liability, indemnification, and dispute provisions.

12. Customer Data

“Customer Data” means data, content, metadata, logs, configuration information, account information, tenant information, security information, and other materials submitted to, connected to, generated by, or processed through the Services on behalf of Customer.

Customer retains all rights in Customer Data. Customer grants Syrix a limited right to process Customer Data only as necessary to:

  • Provide, operate, secure, support, and improve the Services.
  • Evaluate Customer Environments.
  • Generate findings, recommendations, logs, reports, evidence, and remediation workflows.
  • Perform actions authorized by Customer.
  • Prevent or address security, technical, legal, or service issues.
  • Comply with applicable law and contractual obligations.

Syrix does not sell Customer Data.

Syrix may generate aggregated or de-identified data from use of the Services, provided it does not identify Customer, Customer’s users, or any individual. Syrix may use aggregated or de-identified data for analytics, benchmarking, product improvement, security research, and business purposes.

13. Privacy and data processing

Syrix’s processing of personal data is described in the Syrix Privacy Policy, available at Privacy Policy.

Where Syrix processes personal data on behalf of Customer as a processor, such processing is governed by Syrix’s Data Processing Addendum or other applicable data processing terms.

Customer is responsible for providing any required notices and obtaining any required consents from its users, employees, contractors, guests, Managed Clients, or other individuals whose personal data may be processed through the Services.

14. Security

Syrix uses administrative, technical, and organizational measures designed to protect the Services and Customer Data. These measures may include encryption, access controls, logging, monitoring, secure development practices, vulnerability management, backup procedures, and vendor review.

Customer acknowledges that no system or service can be guaranteed to be completely secure. Customer is responsible for maintaining the security of its own accounts, credentials, devices, networks, Customer Environments, Microsoft 365 tenants, administrative permissions, and internal security practices.

Customer must promptly notify Syrix of any suspected unauthorized access to the Services or compromise involving Syrix credentials, integrations, tokens, or accounts.

15. Confidentiality

“Confidential Information” means non-public information disclosed by one party to the other that is marked confidential or should reasonably be understood to be confidential, including business, technical, product, security, financial, customer, and operational information.

The receiving party will:

  • Use Confidential Information only to perform or receive the Services.
  • Protect Confidential Information using reasonable care.
  • Not disclose Confidential Information except to personnel, contractors, advisors, service providers, or subprocessors who need to know it and are bound by confidentiality obligations.

Confidential Information does not include information that is publicly available, already known without confidentiality obligation, independently developed without use of the Confidential Information, or lawfully received from a third party without confidentiality obligation.

A party may disclose Confidential Information if required by law, regulation, court order, or governmental authority, provided that it gives the other party reasonable notice where legally permitted.

16. Intellectual property

Syrix and its licensors retain all rights, title, and interest in and to the Services, website, software, platform, documentation, designs, workflows, technology, models, templates, reports, product names, logos, trademarks, and related intellectual property.

Customer may not:

  • Copy, modify, adapt, translate, or create derivative works of the Services.
  • Reverse engineer, decompile, disassemble, or attempt to discover source code, underlying models, algorithms, or non-public APIs.
  • Remove proprietary notices.
  • Use the Services to build a competing product or service.
  • Benchmark or publish performance information about the Services without Syrix’s prior written consent.
  • Resell, sublicense, or make the Services available to third parties except as expressly permitted for MSP or partner use.

No rights are granted except as expressly stated in these Terms.

17. Feedback

If Customer or its users provide suggestions, ideas, enhancement requests, recommendations, or other feedback about Syrix, Customer grants Syrix a worldwide, perpetual, irrevocable, royalty-free right to use that feedback without restriction or compensation.

This feedback license does not give Syrix ownership of Customer Data, tenant data, support data, or Customer Confidential Information.

18. Acceptable use

Customer may not use the Services to:

  • Violate any law, regulation, or third-party right.
  • Access systems, tenants, accounts, or data without authorization.
  • Interfere with or disrupt the Services or related infrastructure.
  • Circumvent security, authentication, rate limits, or access controls.
  • Upload malicious code or conduct harmful activity.
  • Probe, scan, or test the vulnerability of Syrix systems without written authorization.
  • Reverse engineer or attempt to extract non-public functionality.
  • Use the Services to build or improve a competing service.
  • Misrepresent identity, authority, affiliation, or authorization.
  • Process data through the Services in a way that violates applicable law or contractual obligations.

Syrix may investigate suspected violations and may suspend access when necessary to protect the Services, customers, users, or third parties.

19. Third-party services

The Services may interact with or depend on third-party services, including Microsoft 365, Microsoft Entra ID, cloud providers, identity providers, payment processors, communication tools, analytics providers, or other integrations.

Third-party services are governed by their own terms and privacy policies. Syrix is not responsible for third-party services, changes to third-party APIs, outages, data handling by third-party providers, or Customer’s relationship with those providers.

Certain Syrix functionality may depend on third-party permissions, licenses, APIs, service availability, or product changes. Syrix does not guarantee that every feature will be available for every Customer Environment, license level, geography, tenant configuration, or third-party service plan.

20. Compliance, security, and risk disclaimers

Syrix is designed to help identify, prioritize, remediate, monitor, and evidence certain security configuration, access, SaaS, and compliance-related risks.

Customer acknowledges that:

  • Syrix does not guarantee that all vulnerabilities, misconfigurations, threats, incidents, exposures, attacks, data loss events, or compliance gaps will be detected, prevented, remediated, or reported.
  • Syrix does not replace Customer’s security program, IT administration, legal advice, compliance program, auditors, managed SOC, MDR, SIEM, incident response provider, or regulatory obligations.
  • Syrix recommendations are based on available data, permissions, product logic, supported integrations, and third-party APIs, which may be incomplete, delayed, unavailable, or changed by third parties.
  • Compliance mappings, reports, dashboards, and evidence are provided to support Customer’s compliance efforts and do not constitute legal advice, audit certification, regulatory approval, or a guarantee of compliance.
  • Customer is responsible for determining whether a recommendation, remediation, policy, report, or control is appropriate for its business, risk tolerance, legal obligations, and technical environment.

21. Disclaimers

To the maximum extent permitted by law, the Services are provided “as is” and “as available.” Syrix disclaims all warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, non-infringement, uninterrupted operation, error-free operation, and availability.

Syrix does not warrant that:

  • The Services will meet all Customer requirements.
  • The Services will be uninterrupted, secure, timely, or error-free.
  • Findings, recommendations, reports, or evidence will be complete or accurate in every case.
  • All issues can be remediated or rolled back.
  • The Services will prevent breaches, incidents, misconfigurations, data exposure, or non-compliance.

Some jurisdictions do not allow certain warranty exclusions, so some exclusions may not apply to a particular Customer.

22. Limitation of liability

To the maximum extent permitted by law, neither party will be liable for indirect, incidental, special, consequential, exemplary, punitive, or enhanced damages, or for lost profits, lost revenue, lost business, lost goodwill, lost data, business interruption, or cost of substitute services, even if advised of the possibility of such damages.

To the maximum extent permitted by law, each party’s total aggregate liability arising out of or relating to these Terms or the Services will not exceed the amounts paid or payable by Customer to Syrix for the Services giving rise to the claim during the 12 months before the event giving rise to liability.

The above liability cap does not apply to:

  • Customer’s payment obligations.
  • Customer’s misuse of the Services.
  • Customer’s violation of Syrix intellectual property rights.
  • A party’s confidentiality obligations.
  • A party’s indemnification obligations, if applicable.
  • Liability that cannot be limited under applicable law.

23. Indemnification

Customer will defend, indemnify, and hold harmless Syrix and its affiliates, officers, directors, employees, contractors, and agents from and against claims, damages, liabilities, costs, and expenses, including reasonable attorneys’ fees, arising from:

  • Customer Data.
  • Customer’s use of the Services in violation of these Terms or applicable law.
  • Customer’s Customer Environment or third-party accounts.
  • Customer’s remediation decisions, approvals, configurations, or instructions.
  • Customer’s relationship with Managed Clients, if applicable.
  • Allegations that Customer lacked authority to connect a Customer Environment or process data through the Services.

Syrix will promptly notify Customer of any claim for which it seeks indemnification and will reasonably cooperate in the defense. Customer may not settle a claim in a way that admits fault by Syrix or imposes obligations on Syrix without Syrix’s prior written consent.

24. Export, sanctions, and restricted use

Customer may not use, export, re-export, or transfer the Services in violation of applicable export control, sanctions, or trade compliance laws.

Customer represents that it and its users are not prohibited from using the Services under applicable sanctions, export control, or trade restrictions.

25. Changes to these Terms

Syrix may update these Terms from time to time. When we make changes, we will update the “Last updated” date above.

If changes are material, Syrix will make reasonable efforts to provide notice, such as by posting a notice on the website, providing notice in the platform, or sending an email to account administrators.

Updated Terms will apply from the effective date stated in the notice or, if no date is stated, from the date they are posted. If Customer continues to use the Services after updated Terms become effective, Customer agrees to the updated Terms.

For an active paid subscription, material changes that substantially reduce Customer’s rights or increase Customer’s obligations will not apply until the next renewal term, unless the change is required for legal, security, regulatory, or operational reasons.

26. Governing law and disputes

These Terms are governed by the laws of Tel Aviv, Israel, without regard to conflict-of-law principles.

The courts located in Tel Aviv, Israel will have exclusive jurisdiction over disputes arising out of or relating to these Terms or the Services, and each party consents to that jurisdiction and venue.

Nothing in these Terms prevents either party from seeking injunctive or equitable relief to protect intellectual property, Confidential Information, security, or unauthorized use of the Services.

27. Notices

Syrix may provide notices by email, through the Services, through the website, or by other reasonable means.

Customer may provide legal notices to Syrix at: Email: legal@syrix.io 

Privacy-related requests should be sent to: Email: privacy@syrix.io

Security-related notices should be sent to: Email: security@syrix.io

Data processing inquiries should be sent to: Email: dpa@syrix.io

28. General terms

Customer may not assign or transfer these Terms without Syrix’s prior written consent, except to a successor in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets, provided the successor is not a competitor of Syrix and agrees to be bound by these Terms. Syrix may assign these Terms in connection with a merger, acquisition, corporate reorganization, sale of assets, or by operation of law.

If any provision of these Terms is found unenforceable, the remaining provisions will remain in effect, and the unenforceable provision will be interpreted to best accomplish its intended purpose.

Failure to enforce a provision is not a waiver.

These Terms, together with any applicable order form, written agreement, Privacy Policy, Data Processing Addendum, and referenced policies, constitute the entire agreement between the parties regarding the Services.

No agency, partnership, joint venture, employment, or fiduciary relationship is created by these Terms.

Headings are for convenience only and do not affect interpretation.
