Latest Update: December 17, 2025
MASTERCARD INTERNATIONAL INCORPORATED
2000 Purchase Street
Purchase, New York 10577
These Terms and Conditions (“Terms and Conditions”) contain the terms and conditions that govern your access to and use of the Services, Deliverables and Platform (as defined below) and is an agreement between the applicable Mastercard Party (as defined below) and the institution (“User” or “you”) on whose behalf you will access and use the Services, Deliverables and Platform. These Terms take effect when you click check box presented with these Terms or, if earlier, when you use any of the Services, Deliverables or Dashboard (the “Effective Date”). You represent to us that you are lawfully able to enter into contracts. If you are entering into these Terms for an entity, such as the institution you work for, you represent to us that you have legal authority to bind that entity.
“Parties” shall mean the applicable Mastercard Party and User.
1. Contractual Relationship
A. These Terms and Conditions will apply to Mastercard and User for the purchase or use of Cyber Quant Platform (“Dashboard”) and/or Cyber Quant Reports (“CQA Reports”) (together the “Services”).
B. “Affiliate” means, in relation to a Party to these Terms and Conditions, any natural person, corporation, general or limited partnership, limited liability company, or other legal entity or organization (each a “Person”) that the Party Controls or is Controlled by or is under common control with from time to time for so long as such Party or such Person remains so Controlled. “Control” means the power to direct or control the management and policies of a Person through the ownership of voting securities, by contract or otherwise.
2. Services
A. The Services provided to User are a risk exposure evaluation of the User’s, cyber security processes, technology infrastructure, and workforce security practices. The Service evaluates the maturity levels of 50 types of security measures across 3 areas (infrastructural, preventive, and detective) to understand the financial risk exposure of the User’s company, in accordance with the contextual threat landscape. Once provided with accurate and complete information from User (the “User Data”), Mastercard shall provide the User outcome such as a CQA Report, enabling the User to conduct cyber risk assessments.
B. The Services shall only be used by the User with respect to its issuing business located in the markets contemplated in the applicable bulletin or agreement entered between the User and Mastercard (such markets, the “Territory”).
3. Responsibilities
A. Mastercard may also use the services of third parties in providing the Services (“Mastercard Suppliers”). All data, insights, reports, databases, systems, tools and other materials provided by Mastercard in connection with the Services may be developed using data, databases, systems, tools and information provided by third parties (“Third Party Data”) and may contain certain errors, omissions or inaccuracies. Mastercard shall have no responsibility for any errors, omissions or inaccuracies in the Third Party Data and/or CQA Reports, created based on User Data. User Data and CQA Reports generated based on this data are at the total responsibility of the User. Mastercard has no responsibility for the accuracy or actual relevance of any data stored in the Dashboard.
B. The Services are solely a tool for informational purposes and not as investment or legal advice.
C. Mastercard is responsible for obtaining all applicable consents, information and materials, other than required by the User under these Terms, including from Mastercard Suppliers, needed for Mastercard to provide the Services. Mastercard represents and warrants that its provision of the Services is permitted under (x) all applicable laws and regulations, and privacy policies or other statement or disclosure, and (y) the terms of Mastercard’s contracts with its customers, contractors, suppliers or other third parties.
D. User is responsible for: (i) obtaining all consents, information and materials necessary from third parties (other than Mastercard Suppliers) for Mastercard to provide the Services; and (ii) User’s use of and/or operation of all Dashboard and CQA Reports as well as its implementation of any advice or recommendations provided in the CQA Reports. User represents and warrants that: (i) its provision of any User Data to Mastercard or a Mastercard Supplier, or such party’s receipt of User Data from the User or another party, in connection with the Services, and (ii) the use, analysis, and processing of such User Data by Mastercard (and Mastercard Suppliers) to perform the Services, are permitted under (x) all applicable laws and regulations, and privacy policies or other statement or disclosure to which such User Data is subject and (y) the terms of User’s contracts with its customers, contractors, suppliers or other third parties.
E. User understands and acknowledges that its CQA Reports is materially based on the User Data provided by the User. User shall be solely responsible to ensure that the User has fully and accurately filled in any User Data required by Mastercard in order to generate the CQA Reports, and reviewed such data provided prior to submitting it to the Mastercard.
F. The User agrees and acknowledges that i) the CQA Reports are used by the User at its own risk and that Mastercard does not guarantee that implementation of the CQA Reports will cover all risks that the User is facing; ii) the results of the CQA Reports may vary, due to lack or inaccuracy of information, as well as due to passage of time; and iii) Mastercard may utilize the anonymized User Data for improving its financial risk impact analysis calculations and benchmarks.
4. Compliance with Laws.
A. The Parties shall ensure that their respective obligations under these Terms and Conditions and business activities related thereto are performed in accordance with all applicable laws and regulations, including, but not limited to, all applicable anti-bribery and corruption laws including the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, and other applicable laws. User shall not import or export, directly or indirectly, any Dashboard and CQA Reports acquired from Mastercard under these Terms and Conditions to any country for which the U.S. Government or any agency thereof at the time of export requires an export license or other Government approval without first obtaining such license or approval.
B. The Parties will comply with: (i) all applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements relating in any way to the privacy, confidentiality or security of Personal Information, as defined in the Mastercard's Global Privacy notice (see link below) including, without limitation: EU General Data Protection Regulation 2016/679; the Gramm-Leach-Bliley Act; laws regulating unsolicited email communications; security breach notification laws; laws imposing minimum security requirements; laws requiring the secure disposal of records containing certain personal data; and all other similar international, federal, state, provincial, and local requirements, and (ii) the Payment Card Industry Data Security Standards, in each case, to the extent they apply to the Services. Subject to any applicable law, User agrees that Mastercard may transfer data to any country in which any Mastercard Affiliate does business. Any processing of Personal Information for the Services shall be governed by Mastercard's Global Privacy notice.
C. The Parties acknowledge and agree that the analyses and data included in the Services shall be subject to all relevant laws and regulations for each applicable country, as well as Mastercard’s contractual obligations and internal confidentiality, privacy, and data analytics guidelines and policies (“Applicable Standards”). In no event will Mastercard be obligated to supply or share any information or data which Mastercard determines, in its sole discretion, would cause Mastercard to be in violation of any such Applicable Standards. Mastercard reserves the right, in its sole discretion, to apply adjustments in order to achieve conformance with such Applicable Standards. The User agrees that it will not take any adverse decision against individuals or merchants (as the case may be) based on the metrics which Mastercard provides to the User.
5. Ownership of Dashboard and CQA Reports
Except for the limited license granted in Section 6 below, the Parties acknowledge and agree that Mastercard owns all right, title and interest in and to the Dashboard and CQA Reports, the underlying data and information contained in the Dashboard and CQA Reports (except for any User Data).
6. License and Restrictions on Use
A. The Dashboard and all CQA Reports provided by Mastercard to User pursuant to the Services, as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard Supplier in connection with the Services, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). User retains ownership of User Data and any other confidential information it provides to Mastercard. All Deliverables (including the CQA Reports) provided by Mastercard to User pursuant to the Services, as well as all materials, concepts, processes and methodologies employed by Mastercard or a Mastercard Supplier in connection with the Services, are and will remain the sole and exclusive property of Mastercard (or such Mastercard Supplier). Mastercard hereby grants to User a limited, non-exclusive right to use the Dashboard and CQA Reports without the right to assign, transfer or sublicense the Dashboard and CQA Reports in any way, solely for User’s internal business purposes. User acknowledges and agrees that the Dashboard and CQA Reports provided will not be used to benefit any Mastercard competitor(s) (including, but not limited to, Visa, American Express, Discover/Novus, JCB and Diners Club). User shall not create any derivative works of and from the Dashboard and CQA Reports without the express prior written consent of Mastercard in each instance, provided that User may use data from the Dashboard and CQA Reports in internal reports and internal presentations. User shall not remove any identification, copyright or proprietary or other notices from the CQA Reports, or any copies thereof.
B. User shall not use the data analytics and insights found in the Dashboard and CQA Reports, either directly or indirectly:
I. in a manner which would violate any applicable law, regulation, or third party rights;
II. for the benefit of, or on behalf of, any third party;
III. in connection with the resale, assignment, transfer or disclosure of such Dashboard and CQA Reports, aspect thereof, or data or information contained therein, to a third party(ies) under any circumstances; or
IV. in a manner so as to reverse engineer or aid any other party to reverse engineer the data contained in the Dashboard and/or CQA Reports.
C. User grants Mastercard a worldwide, fully paid-up license to copy, display and use User’s name and logo (“Client Marks”): (i) as necessary to perform Services; (ii) to identify User as a customer of Mastercard and its Affiliates on its website and marketing materials; and (iii) with User’s prior written approval, to issue publicity or announcements concerning Mastercard’s engagement with the Client for the purpose of a case study or investor relations announcements. User warrants and represents to Mastercard that User owns all right, title, and interest in and to Client’s Marks and has the authority to license to Mastercard the rights granted hereunder. Except as otherwise set out in these Terms and Conditions, each Party will obtain the written consent of the other Party prior to the issuance of any press release, announcement or any other form of publicity, concerning the Services.
7. Indemnification
Subject to the limitations of liability set forth in Section 8, User shall defend, indemnify and hold Mastercard harmless, and its employees, officers, agents, Affiliates, representatives, and contractors from and against any claims, demands, loss, damage or expense (including reasonable attorneys’ fees) relating to or arising solely out of third party claims (i) with respect to a breach by a User of its confidentiality obligations under these Terms and Conditions; (ii) relating to User’s s acts of gross negligence or willful misconduct relating to these Terms and Conditions; (iii) for breach of its representations or warranties set forth herein; or (iv) relating to the combination, modification or use of the Dashboard and/or CQA Reports with materials not provided by Mastercard.
8. Limitations of Liability
NOTWITHSTANDING ANY OTHER PROVISION TO THE CONTRARY SET FORTH IN THESE TERMS AND CONDITIONS, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY UNDER ANY LEGAL THEORY, TORT, CONTRACT, OR STRICT LIABILITY, FOR ANY SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES, FOR LOSS OF PROFITS, GOODWILL, OR ECONOMIC LOSS, REGARDLESS OF WHETHER A PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES; PROVIDED, HOWEVER, THAT MASTERCARD’S WAIVER OF ITS RIGHT TO RECEIVE SPECIAL, INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES SHALL NOT APPLY IN THE EVENT OF A BREACH OF A PARTY’S CONFIDENTIALITY OBLIGATIONS DESCRIBED IN SECTION 9.
EXCEPT AS SPECIFICALLY DESCRIBED HEREIN, MASTERCARD MAKES NO WARRANTIES, EXPRESS OR IMPLIED, CONCERNING THE DASHBOARD AND CQA REPORTS AND WITHOUT LIMITATION, MASTERCARD HEREBY EXCLUDES AND DISCLAIMS ALL EXPRESS OR IMPLIED WARRANTIES AND CONDITIONS TO THE EXTENT PERMITTED BY LAW, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY, COURSE OF DEALING, NON-INFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE.
The maximum aggregate liability of Mastercard to User arising out of or relating to these Terms and Conditions regardless of whether such liability is based on breach of contract, tort, strict liability, breach of warranties, failure of essential purpose or otherwise, shall be limited in all respects to the fees paid for the Services and/or value of the Dashboard and CQA Reports, where fees paid include amounts allocated to User and/or funded on User’s behalf by Mastercard.
9. Confidentiality
A. Confidential Information means any information, Dashboard, CQA Reports, insights, User Data, Mastercard Supplier data, reports, data, materials, processes, methodologies and concepts, in whatever form embodied (e.g., oral, written, electronic) owned by Mastercard or User, including any non-public information about cardholders, applicants or other consumers of Mastercard or User and/or their Affiliates, no matter how or by what party such information, materials, or concepts were transmitted, where such information is transmitted or collected in the course of the performance of these Terms and Conditions.
B. Confidentiality. During the period which Mastercard provides the User the Services and for a period of seven (7) years thereafter, the Party receiving Confidential Information (“Receiving Party”) from the other Party (“Disclosing Party”) shall maintain the Confidential Information in strict confidence and shall: (i) use Confidential Information only as authorized in accordance with these Terms and Conditions ; (ii) not copy any Confidential Information; (iii) not disclose Confidential Information to any third party except as expressly permitted in writing by the Disclosing Party and then only if such third party has executed a confidentiality, privacy and data protection agreement in form and substance satisfactory to the Disclosing Party; and (iv) limit dissemination of Confidential Information to employees or Mastercard Supplier with a “need to know” and who are subject to confidentiality, privacy and data protection obligations no less restrictive than those set forth herein.
C. Exceptions. Confidential Information shall not include any information which: (i) is already in the public domain at the time of disclosure through a source other than the Receiving Party; (ii) enters the public domain after disclosure through no fault of the Receiving Party; (iii) is already known to the Receiving Party at the time of disclosure (as evidenced by written records); (iv) was independently developed by the Receiving Party without use of or reference to any Confidential Information (as evidenced by written records); or (v) is subsequently disclosed to the Receiving Party by third parties having no obligation of confidentiality to the Disclosing Party.
D. Confidential Information Upon Termination. Upon termination of these Terms and Conditions, or such earlier time as the Disclosing Party requests, the Receiving Party shall return to the Disclosing Party or its designee, or at the Disclosing Party’s request, securely destroy or render unreadable or undecipherable, each and every original and copy in every media of all Confidential Information in the Receiving Party’s possession, custody or control. The foregoing shall not apply to the extent information must be retained pursuant to applicable legal or regulatory requirements or for purposes of the Receiving Party’s commercially reasonable disaster recovery procedures, provided such information shall continue to be subject to this Section.
10. Use of AI-Powered “Auto-Answer Questionnaire” Feature
Where the User elects to use the “Auto-Answer Questionnaire” feature powered by Whistic, the User acknowledges and agrees that this feature may incorporate third-party artificial intelligence (“AI”) technologies, including generative AI and non-generative AI such as predictive analytics, information retrieval, and classification (including non-generative natural language processing classifications).
Outputs generated by the AI components are provided for informational purposes only and must not be relied upon as the sole basis for any decision-making. The User remains solely responsible for validating AI-generated content within the context of the Services before making any operational or compliance decision.
Mastercard disclaims any liability arising from reliance on AI-generated outputs.
For more information on Mastercard’s Data and Technology Responsibility Principles, please refer to the https://www.mastercard.com/privacy-and-data-responsibility page.
11. Miscellaneous
A. Assignment. You may not assign or transfer these Terms and Conditions in whole or in part without Mastercard’s prior written approval. You give your approval to Mastercard for it to assign or transfer these Terms and Conditions in whole or in part.
B. Governing Law. These Terms and Conditions and the respective rights and obligations of the Parties shall be governed by the laws of the applicable Governing Law Jurisdiction without reference to its conflict-of-laws or similar provisions that would mandate or permit application of the substantive law of any other jurisdiction. The courts located in the applicable Governing Law Jurisdiction shall have the exclusive jurisdiction over any actions or disputes related to these Terms and Conditions.
C. Mastercard Party. “Mastercard Party” means the party identified in the table below based on the applicable Territory and is referred to in these Terms and Conditions as “Mastercard”. “Governing Law Jurisdiction” means the jurisdiction indicated in the table below which corresponds to the applicable Mastercard Party.
| Market | Mastercard Party | Address | Governing Law Jurisdiction |
| Any market in the Europe Region | Mastercard Europe SA | 198/A Chaussée de Tervuren, 1410 Waterloo, Belgium | Belgium |
| Any market in the Asia/Pacific Region | Mastercard Asia/Pacific Pte. Ltd. | 3 Fraser Street, DUO Tower #17 - 21/28, Singapore 189352 | Singapore |
| Any market in the Canada Region | Mastercard Canada ULC | 121 Bloor St. East, Ste 600, Toronto, Canada M4W 3M5 | Province of Ontario and the federal laws of Canada |
| Any market in the United States Region | Mastercard International Incorporated | 2000 Purchase Street, Purchase, New York 10577 | New York |
| Any market in the Latin America and the Caribbean Region (except Argentina and Brazil) | Mastercard International Incorporated | 2000 Purchase Street, Purchase, New York 10577 | New York |
| Any market in the Middle East and Africa Region | Mastercard Asia/Pacific Pte. Ltd. | 3 Fraser Street, DUO Tower #17 - 21/28, Singapore 189352 | Singapore |
| Argentina | Mastercard Cono Sur S.R.L. | Olga Cossettini 771, Ciudad de Buenos Aires, C1107CDA | Buenos Aires and the federal laws of Argentina |
| Brazil | Mastercard Brasil Soluções de Pagamento Ltda. | Av. das Nações Unidas, 14171, São Paulo, SP, 04794-000 | São Paulo, SP and the federal laws of Brazil |