By initiating, continuing, or responding to any communication with any @protected.is address — including replying to an email, continuing a phone call, or sending any electronic message — you confirm that you have read, understood, and unconditionally agreed to this Agreement in its entirety. If you do not agree, you must cease all communication immediately.
This Communications & Data Liability Agreement and Policy ("Agreement") governs all communications with, or involving, any address, user, or system operating under the @protected.is domain. It supplements and, where applicable, supersedes the general Privacy Notice published at protected.is/privacy.
This Policy establishes binding obligations on both parties. In consideration of the Communicating Party's acceptance of this Policy, the Operator of @protected.is agrees to:
In exchange, the Communicating Party accepts the obligations set forth in this Policy as a binding condition of communication.
As a condition of communicating with any @protected.is address, the Communicating Party acknowledges that this Agreement governs all data handling obligations and liabilities arising from or relating to Protected Information transmitted in such communications. The Communicating Party agrees that acceptance of this Agreement is a prerequisite to communication and that this Agreement defines the minimum standard of care owed with respect to Protected Information.
The Operator maintains a record of this Agreement's publication date and version history. The Communicating Party's continued engagement constitutes their representation that they have had a reasonable opportunity to review this Agreement. This Agreement is publicly accessible at protected.is/policy and is referenced in all email communications from @protected.is addresses. Ignorance of this Agreement's terms does not constitute grounds for non-enforcement.
To the extent permitted by applicable law, where any conflict exists between this Agreement and any privacy policy, terms of service, disclaimer, or other legal notice published or maintained by the Communicating Party or any third party through whose platform the communication is transmitted, this Agreement shall define the minimum obligations owed to the Operator with respect to Protected Information. The Communicating Party's own policies do not limit or alter their obligations under this Agreement.
The Communicating Party acknowledges that, in the course of communication with @protected.is addresses, information belonging to or associated with the Operator ("Protected Information") may be transmitted to, stored by, processed on, or made accessible through the Communicating Party's systems, platforms, servers, devices, or third-party services used by the Communicating Party.
The Communicating Party represents and warrants that it maintains reasonable and industry-appropriate administrative, technical, and physical safeguards designed to protect Protected Information from unauthorized access, disclosure, use, alteration, or destruction, no less rigorous than those required under applicable data protection laws.
In the event that Protected Information is compromised, exposed, accessed without authorization, lost, published, or otherwise made available to unauthorized parties as a result of — or materially contributed to by — any failure, negligence, misconfiguration, vulnerability, or inadequacy in the Communicating Party's systems or security practices (a "Security Incident"), the Communicating Party agrees to pay the Operator:
The $5,000 represents a reasonable pre-estimate of minimum harm. Additional remediation costs are recoverable in full with no cap. The parties acknowledge that actual damages from a Security Incident are inherently difficult to quantify, and that this formula is compensatory — not a penalty.
For the avoidance of doubt, "Documented Remediation Costs" includes, without limitation, all of the following:
The Communicating Party must notify the Operator at privacy@protected.is within seventy-two (72) hours of becoming aware of any actual or reasonably suspected Security Incident. Failure to provide timely notification constitutes an independent and separate breach of this Policy, entitling the Operator to the liquidated damages in Section 3.3, irrespective of whether the underlying Security Incident caused demonstrable harm.
The damages provisions above shall not limit the Operator's right to seek additional equitable relief, injunctive relief, specific performance, or any other remedy available under applicable law.
By initiating or continuing an email conversation with any @protected.is address — including by sending an initial email or replying to any email from a @protected.is address — the Communicating Party is bound by this Agreement.
The following notice is incorporated by reference into every email sent to or received from a @protected.is address:
Whether or not this footer appears in any specific email, it constitutes constructive notice to any party who has at any point accessed protected.is/policy or communicated with a @protected.is address.
Note on unique addresses: The Operator may use distinct @protected.is email addresses assigned exclusively to individual correspondents or services. Transmission of any such address to, or use of any such address by, any party other than the designated correspondent constitutes an unauthorized use and a breach of this Policy.
The Operator is under no obligation to respond to any communication, inquiry, request, or message within any particular timeframe, or at all. This includes but is not limited to emails, voicemails, messages sent through third-party platforms, and any other form of correspondence directed to any @protected.is address.
No inference of acceptance, agreement, acknowledgment, waiver, consent, or approval shall be drawn from the Operator's delay in responding or failure to respond to any communication. Silence does not constitute agreement to any terms, proposals, or requests made by the Communicating Party.
Where the Communicating Party operates under their own response time requirements or service level agreements, such requirements do not bind the Operator and the Operator's obligations — if any — are governed solely by this Agreement and applicable law.
This provision does not affect the Operator's separate notification obligations in the event of a Security Incident as described in Section 3.5, which are governed by applicable law and the 72-hour notification window in that section.
Where the Communicating Party operates a platform, service, application, or website through which the Operator creates an account, subscribes to a service, or otherwise registers using a @protected.is email address, the Communicating Party's acceptance of this Agreement shall be deemed to occur at the moment the Operator submits that @protected.is address during registration or signup — regardless of whether the Communicating Party has separately acknowledged this Agreement in writing.
The act of accepting a @protected.is address as a valid registration credential constitutes the Communicating Party's representation that they have had a reasonable opportunity to review the Agreement associated with that domain, accessible at protected.is/policy. By processing, storing, or using that address in any way — including sending automated, transactional, or marketing emails to it — the Communicating Party accepts the terms of this Agreement in full.
Where the Communicating Party sends communications to a @protected.is address from a no-reply, automated, or unmonitored address (including addresses of the form noreply@, donotreply@, automated@, or similar), the inability of the Operator to deliver a reply to that address does not:
The Communicating Party operating a no-reply sender is responsible for maintaining an alternative contact channel — such as a legal notices address, abuse address, or support channel — through which the Operator may deliver formal notices. Failure to maintain such a channel does not relieve the Communicating Party of their obligations under this Agreement.
This Agreement is publicly accessible at protected.is/policy and has been so since its effective date. Any Communicating Party who sends communications to, receives communications from, or stores a @protected.is address in any system is deemed to have constructive notice of this Agreement, regardless of whether they have individually accessed or read it. The public availability of this Agreement at a stable URL associated with the @protected.is domain constitutes sufficient notice under applicable law.
Formal legal notices to the Operator — including dispute notices, data breach notifications, and regulatory correspondence — must be sent to privacy@protected.is. Communications sent to no-reply addresses, automated systems, or unmonitored channels by the Communicating Party do not constitute valid legal notice to the Operator.
Any telephone or voice communication involving a party with a @protected.is email address is subject to this Policy. The following disclaimer is deemed given at the commencement of any such call:
Where this disclaimer is recited at the start of a call and the recipient continues the call, that continuation constitutes affirmative acceptance of this Agreement. Where the call is initiated by a party who has previously communicated with a @protected.is address, acceptance is presumed from prior constructive notice.
This Policy is governed by the following dual jurisdictional framework. The Operator reserves the right to elect the applicable jurisdiction based on the location of the Communicating Party and the circumstances of the claim:
For Communicating Parties located in the United States, this Policy is governed by the laws of the State of Illinois and applicable United States federal law. The parties consent to the exclusive jurisdiction of the federal and state courts located in Illinois. The Communicating Party waives any objection to venue or personal jurisdiction in such courts.
For Communicating Parties located in the European Economic Area, or for communications transmitted through Icelandic infrastructure associated with the .is domain, this Policy is governed by Icelandic law and the General Data Protection Regulation (GDPR) as implemented under Icelandic law. The parties consent to the jurisdiction of Icelandic courts.
The Operator's election of jurisdiction shall be communicated in writing at the commencement of any dispute. If no election is made within thirty (30) days of a dispute arising, Illinois law shall govern by default.
Any dispute arising from or relating to this Policy shall proceed as follows:
This Agreement may be updated at any time. The current version is always available at protected.is/policy. The version number and effective date at the top of this document identify the governing version. Continued communication with any @protected.is address following an update constitutes acceptance of the revised Agreement. Material changes will be reflected in an updated version number.