Services Agreement Standard Terms
Parties
Supplier as defined in the Order Form.
Customer as defined in the Order Form.
Background
a. Supplier is in the business of providing the Services.
b. Customer wishes to receive and Supplier wishes to provide the Services on the terms set out in the Services Agreement.
The Parties agree as follows:
1. Interpretation
1.1 The following definitions and rules of interpretation apply in the Services Agreement:
Applicable Data Protection Laws:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Supplier is subject, which relates to the protection of personal data.
Annex: any schedule, appendix or other document referenced in or otherwise incorporated into the Order Form and thereby made a part of the Services Agreement.
Applicable Laws: all applicable laws, statutes, regulation and codes from time to time in force in any relevant jurisdiction, including Applicable Data Protection Laws and other data protection laws, and applicable to the Parties in relation to the Services under the Services Agreement (including without limitation export law and those governing the use of networks, scanners, encryption devices, user monitoring and related software).
Authorised Users: means the permitted users designated by Customer to access and use the Platform under a Platform License, up to the maximum number (if any) specified in the Order Form.
Business Day(s): a day, other than a Saturday, Sunday or US national holiday.
Business Hours: the period from 9:00 am to 5:00 pm EST/EDT on any Business Day or as set forth in the Order Form.
Commencement Date: the date of the last signature or as first set forth on the Order Form and agreed by the parties as the effective date of the Services Agreement.
Confidential Information: means any information whether supplied, made available or otherwise accessed or accessible in any form, wholly or in part, and whether or not marked confidential, by either party to the other under or in connection with the Services Agreement and includes (but is not limited to) information relating to software and hardware products, IT infrastructure, samples, equipment, drawings, specifications, information about a party's clients and including customer characteristics and identities, staff and subcontractors to a party including characteristics and identities, trade secrets, technical information and know-how, performance or process data, cost and financial information, market opportunities, business affairs, methods of doing business, strategic marketing, business plans and any information, operation of digital platform, reports or analysis derived from the Confidential Information, but does not include information that is or becomes generally available to the public otherwise than as a result of a breach of this agreement, is already available to a receiving party on a non-confidential basis from a third party or is independently developed by a party without relying on Confidential Information supplied by the other party.
Customer: means the party referred to as Customer on the Order Form and any persons, third party agents, subcontractors, consultants, employees and those acting on its behalf.
Customer's Equipment: any equipment, including tools, systems, cabling or facilities, provided by Customer, its agents, employees, subcontractors or consultants which is used directly or indirectly in relation to the supply of the Services including any such items specified in the Order Form or Annex.
Customer Materials: all documents, information, items and materials in any form, whether owned by Customer or a third party, which are provided by Customer to Supplier in connection with the Services, including the items provided pursuant to clause 5.6(d) or otherwise specified in the Services Agreement.
Customer Personal Data: any personal data which Supplier processes in connection with the Services Agreement, in the capacity of a processor on behalf of Customer.
Customer’s System: means the system, application and/or network set forth in the Order Form or an Annex which Customer requires to be security tested.
Platform License: means, where applicable as set forth in the Order Form, a licence granted to Customer for access to and use the Platform for the provision of the Services and related Deliverables, subject to the terms of the Services Agreement.
Platform: means any software platform, application, portal or system (including any hosted, cloud-based or successor platform) owned, licensed or made available by Supplier to Customer under the Services Agreement, as specified in the applicable Order Form from time to time.
Deliverables: any output of the Services to be provided by Supplier to Customer as specified in the Order Form or in the Services Agreement Service-specific Terms.
EU GDPR: means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law.
Fees: the monetary amounts due for the Services as set forth in the Order Form.
Fixed Term: means a non-renewing term for the provision of the Services, as expressly specified as such in the applicable Order Form, which shall automatically expire at the end of the stated term unless otherwise expressly agreed in writing by the parties.
Good Industry Practice: means the exercise of that degree of skill, diligence and foresight which would reasonably and ordinarily be expected from a skilled and experienced service provider engaged in the provision of services similar to the Services under the same or similar circumstances as those applicable to the Services Agreement and which are in accordance with any codes of practice published by relevant trade associations.
Initial Term: the first term for the provision of the Services, as specified as such in the applicable Order Form, which may automatically renew in accordance with clause 3 (Commencement and duration).
Intellectual Property Rights or IPRs: patents, utility models, rights to inventions, copyright and neighbouring and related rights, moral rights, trademarks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, data, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
Milestone: a date by which a part or all the Services is to be completed, as set forth in the Order Form.
Monthly Recurring Service Fees: means any monthly recurring fees for the applicable service payable by Customer as detailed on the Order Form.
Order Form(s): shall mean the request on Supplier’s standard Order Form from Customer to Supplier for Services to be provided pursuant to the terms of the Services Agreement which agreement, for the avoidance of doubt, applies in each case to a specific Order Form.
Order Form Services Addendum: has the meaning given in clause 7.1.
Professional Services: means consultant delivered Services, as defined by Supplier including, but not limited to, Penetration Testing and compliance Consultancy.
Service(s): means a Supplier service or multiple Supplier services (which may be packaged) that are ordered by Customer as set forth in the Order Form.
Services Agreement: shall mean these Services Agreement Standard Terms, which shall be read to include the Service-specific Terms and a specific Order Form pursuant to which Supplier makes the Services available to Customer, any related Annex and/or any related Order Form Services Addendum.
Supplier's Equipment: any equipment, including tools, systems, documentation, cabling or facilities, provided by Supplier to Customer and used directly or indirectly in the supply of the Services, including any such items specified in the Order Form but excluding any such items which are the subject of a separate agreement between the parties under which title passes to Customer.
Supplier Personal Data: any personal data that Supplier processes in connection with the Services Agreement, in the capacity of a controller.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
VAT: value added tax chargeable in the US.
1.2 Clause, Order Form, any Annex and any other Services Agreement headings shall not affect the interpretation of the Services Agreement.
1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).
1.4 Any Annex, the Services Agreement Service-specific Terms, the Order Form and/or Order Form Services Addendum forms part of the Services Agreement and shall have effect as if set out in full in the body of these Services Agreement Standard Terms, and any reference to the Services Agreement includes all the above.
1.5 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.6 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.7 Unless the context otherwise requires, a reference to one gender shall include a reference to the other gender.
1.8 The Services Agreement shall be binding on, and inure to the benefit of, the parties to the Services Agreement and their respective personal representatives, successors and permitted assigns, and references to any party shall include that party's personal representatives, successors and permitted assigns.
1.9 Unless expressly provided otherwise in the Services Agreement, a reference to legislation or a legislative provision is a reference to it as amended, extended or re-enacted from time to time.
1.10 A reference to writing or written includes email.
1.11 Any obligation on a party not to do something includes an obligation not to allow that thing to be done.
1.12 A reference to the Services Agreement or to any other agreement or document is a reference to this agreement or such other agreement or document, in each case as varied or novated from time to time.
1.13 References to clauses and the Order Form or any Annex are to the clauses, Order Form and any Annexes of the Services Agreement and references to paragraphs are to paragraphs of the relevant Order Form or Annex.
1.14 The words including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those words.
2. Structure and scope of the Services Agreement
2.1 The Services Agreement creates a contractual framework between Supplier and Customer under which:
(a) Customer requests from Supplier to provide Services pursuant to the terms of the Services Agreement; and
(b) Supplier agrees to provide the Services pursuant to the terms of the Services Agreement.
2.2 Each Service specified will be set forth in the Order Form and any applicable Annex.
2.3 In the event of any conflict or ambiguity, except where otherwise provided, the order of precedence for the Services Agreement shall be as follows:
(a) the applicable Annex or Order Form Services Addendum;
(b) the Services Agreement Service-specific Terms; and
(c) These Services Agreement Standard Terms.
2.4 The Customer and Supplier may agree to one or more Order Forms, each forming a separate Services Agreement, for the provision of Services.
2.5 For the Services Agreement to be valid and effective, the Order Form must be confirmed in writing and signed by an authorised representative of each party. Upon signature by both authorised representatives, the Services Agreement shall be binding (and incapable of cancellation other than through the termination provisions contained in clause 13 below) and the Fees and any other charges shall become due as set forth in the Order Form in accordance with the Services Agreement.
2.6 Each Party warrants to the other Party that it (1) has the full capacity and authority to enter into and perform the Services Agreement and that the Services Agreement is executed by duly authorised representatives; (2) is the owner, or has the relevant consent from the owner, of all Systems, applications, networks, premises and any other asset that is set out in the Order Form; and (3) will comply with all Applicable Laws.
3. Commencement and duration
3.1 The Services Agreement shall commence on the Commencement Date and shall continue for the term specified in the applicable Order Form, which shall be either:
(a) a Fixed Term; or
(b) an Initial Term.
3.2 Where the Order Form specifies an Initial Term, the Services Agreement shall continue for the Initial Term and shall automatically renew for successive extension terms of the same duration as the Initial Term (each an “Extension Term”), unless either party gives the other not less than sixty (6) days’ written notice of termination prior to the expiry of the Initial Term or the then-current Extension Term.
3.3 If, at expiry or termination of the Services Agreement for any reason, there are incomplete Services under an Order Form, such Services shall, unless otherwise agreed in writing be completed and paid for in accordance with the Services Agreement.
3.4 Customer may procure any of the Services by executing the agreed Order Form with Supplier.
3.5 Supplier shall provide the Services from the Commencement Date or other date specified in the Order Form.
4. Provision of Services
4.1 Supplier will provide, and Customer will receive and have use of the Services and any related Deliverables (where applicable, by grant of a Platform Licence) in accordance with the Services Agreement for the Initial or Extension Term or for a Fixed Term, as applicable, set out in the Order Form whereby:
(a) each Service and/or Deliverable specified to be provided will be provided in accordance with the Order Form and any applicable Annex; and
(b) Supplier will provide, deliver or otherwise make available such Service and/or Deliverables with Good Industry Practice skill and care, in a timely manner and in accordance with the other provisions of the Services Agreement.
4.2 Supplier shall, where it deems appropriate, appoint a contact person in respect of the Services to be performed; such person shall be designated before the delivery of a relevant Service.
4.3 Where applicable, Supplier shall observe all health and safety and security requirements that apply at any of Customer's premises and that have been communicated to Supplier under clause 5.6(e), provided that Supplier shall not be liable under the Services Agreement if, as a result of such observation, it is in breach of any of its obligations under the Services Agreement.
4.4 Supplier may use a subcontractor, contracted under the Services Agreement terms, to assist with delivery of Services and will carry out the appropriate due diligence to ensure any such subcontractor has the required qualifications and experience to deliver the Services.
5. Use of the Service(s)
5.1 Customer will:
(a) provide to Supplier all necessary co-operation in relation to the Services Agreement including the Order Form and any applicable Annex; and all necessary access to such information as may be required by Supplier to provide the Services including, but not limited to, relevant Customer staff and/or agents, customer data, security access information and configurations services;
(b) carry out all customer obligations in a timely and efficient manner;
(c) ensure that Customer’s Equipment including network and systems comply with the relevant specification and use restrictions provided by Supplier from time to time and comply with any security, information security and technical procedures and requirements in relation to the Services and/or any Deliverables.
5.2 Customer is responsible for having and maintaining an adequate Customer environment and uninterrupted internet connectivity to receive and/or enable the use of the Services and/or Deliverables. Supplier shall not be liable for any incompatibility, failure, use or misuse by Customer related to Customer’s environment.
5.3 Customer shall not:
(a) infringe any Intellectual Property Rights that belong to or are licensed to Supplier;
(b) create, upload, download, access, store, into the Services and/or any Deliverable any malicious code, programs, viruses, malware or other types of malicious software or material, or links to such software, that are unlawful, insider or confidential information, advertisements or solicitation for any products or services, or could disrupt or harm the operation of such Service and/or Deliverables or incite another to do so; or
(c) copy, reverse engineer, decompile, disassemble or modify a Service and/or any Deliverable or any part, feature, function or user interface thereof, or otherwise reduce to human-perceivable form all or any part of Service and/or any Deliverable, or use or attempt to use any automated program to access any Service and/or any Deliverable, or to search, display, or obtain links to any part of a Service and/or any Deliverable.
5.4 Customer agrees to indemnify Supplier from any losses suffered, or liabilities incurred because of Customer’s breach of clause 5.3.
5.5 Customer shall not:
(a) knowingly withhold information which may affect Supplier’s ability to provide any of the Services and/or Deliverables to Customer or to others (including, where applicable, Authorised Users), or security or integrity of any of the Services and/or Deliverables;
(b) use any Service and/or Deliverable to impersonate any person, or to misrepresent Customer’s or any Platform User’s identity;
(c) engage in sending unsolicited messages to any number or users or via the internet by using any Service and/or Deliverable;
(d) use the Service and/or Deliverables in a way which in Supplier’s reasonable opinion is not within the intended use of such Service or Deliverable;
(e) engage in abusive or excessive usage of any Service and/or Deliverable which is usage significantly in excess of average usage patterns, as determined by Supplier, that adversely affects the speed, responsiveness, stability, availability or functionality of any Service and/or Deliverable for other users;
(f) make any Service and/or Deliverable available to, or use any Service and/or Deliverable for the benefit of, anyone other than Customer, unless and to the extent expressly stated otherwise in the Order Form;
(g) lend, sell, resell, license, sublicense, distribute, make available, rent or lease any Service and/or Deliverable, or include any Service and/or Deliverable in a service or outsourcing offering, unless otherwise agreed in writing with Supplier;
(h) access any Service and/or Deliverable to build a competitive solution or service or to benchmark with a non-Supplier service; or
(i) use any Service and/or Deliverable in Customer’s own products or services, commercially exploit or otherwise make any Service and/or Deliverable available to any third party in any way, unless expressly consented to by Supplier.
5.6 Customer shall:
(a) co-operate with Supplier as reasonably requested in all matters relating to the Services;
(b) assign a contact person in respect of the Services to be performed under the Order Form, as identified in the Order Form;
(c) provide, for Supplier, its agents, subcontractors, consultants and employees, in a timely manner and at no charge, access to Customer's premises, office accommodation, data and other facilities as reasonably required by Supplier to carry out the Services, including any such access as is specified in the Order Form;
(d) provide to Supplier in a timely manner all documents, information, items and materials in any form (whether owned by Customer or a third party) and meeting attendance by the assigned contact person, project manager and/or any key staff as set forth in the Order Form or otherwise reasonably requested by Supplier in connection with the Services and ensure that they are accurate and complete;
(e) inform Supplier in writing of all health and safety and security requirements that apply at any of Customer's premises;
(f) ensure that all Customer's Equipment is in good working order and suitable for the purposes for which it is used in relation to the Services and conforms to all relevant Applicable Law requirements or standards;
(g) obtain and maintain all necessary licences and consents in accordance with relevant Applicable Law and comply with all relevant legislation as required to enable Supplier to provide the Services;
(h) at the request of Supplier, agree to a service review with Supplier once every 6 months or as otherwise reasonably requested; and
(i) where applicable as designated in the Order Form, in respect of each Platform Licence granted, appoint Authorised Users, up to the maximum number specified in the Order Form, who shall be the only users permitted to access the Platform and be provided with the Services and/or Deliverables.
5.7 If Supplier's performance of its obligations under the Services Agreement is prevented or delayed by any act or omission of Customer, its agents, subcontractors, consultants or employees or any other third-party supplier then, without prejudice to any other right or remedy it may have, Supplier shall be allowed an extension of time to perform its obligations equal to the delay caused by Customer or other third-party supplier or for as long as Supplier deems at its discretion the prevention or delay necessitates.
5.8 Both Parties shall maintain business continuity and disaster recovery plans to ensure the continuity of the Services in the event of an unforeseen interruption and any other prudent procedures and measures that are reasonably necessary to prevent the disruption of the Services. Customer shall, in the event of an unforeseen interruption, use best efforts to cooperate with Supplier to ensure the uninterrupted provision of Services.
6. Non-solicitation and employment
6.1 Each party shall not, without the prior express written consent of the other party, at any time until the expiry of 24 months after the completion of such Services, solicit or entice away from the other party or directly attempt to employ any person who is, or has been, engaged as an employee, consultant or subcontractor of the other party.
7. Order Form Services Addendum
7.1 Either party may propose changes to the scope or execution of the Services but no proposed changes shall come into effect until a relevant Order Form Services Addendum has been formally agreed by both parties. The Order Form Services Addendum shall be a document (or email where permitted by Supplier at its sole discretion) citing to the Order Form and setting out the proposed changes and the effect that those changes will have on the Service(s), Fees, any timetable and/or any other Order Form terms.
7.2 If Supplier wishes to make a material change to the Services provided to Customer it shall provide a draft Order Form Services Addendum to Customer.
7.3 If Customer wishes to make a change to the Services it shall notify Supplier and provide as much detail as Supplier reasonably requires of the proposed changes, including the timing of the proposed change; and Supplier shall, as soon as reasonably practicable after receiving the information, provide a draft Order Form Services Addendum to Customer.
7.4 If the parties agree to the Order Form Services Addendum, they shall sign it and that Order Form Services Addendum shall amend the relevant Order Form. If the parties are unable to agree the Order Form Services Addendum, either party may request termination of the affected Service, such termination to take effect as expressly agreed by the parties; however, termination of a Service under this clause shall not affect Customer’s payment obligations (as of the date of any such Service termination) under the Services Agreement.
8. Fees, other charges and payment
8.1 In consideration of the administration and allocation of ready resources for the provision of the Services by Supplier, Customer shall pay the Fees upon invoice including where Services cannot be delivered due to Customer’s failure to meet any of its obligations under the Services Agreement.
8.2 Supplier will invoice Customer in accordance with the Order Form or, where not specified in the Order Form, immediately following the Commencement Date of the Order Form on 30-day payment terms.
8.3 All Services shall be used and, in any event, paid for in full as set forth in this Clause 8 or in the Order Form. Any Services which are unused by Customer during a Fixed Term, Initial Term or a relevant Extension Term will expire and shall not be credited, or refunded unless otherwise expressly agreed by the parties in writing.
8.4 The Fees exclude the following, which shall be payable by Customer monthly in arrears (provided that Supplier has obtained the written consent of Customer, which shall not be unreasonably delayed or withheld), as incurred:
(a) the cost of hotel, subsistence, travelling and any other ancillary expenses reasonably incurred by the individuals whom Supplier engages in connection with the Services; and
(b) the cost to Supplier of any materials or services procured from time to time by Supplier, as it deems appropriate, from third parties for the provision of any Service where such items and their cost are approved by Customer in advance, and for any materials or services reasonably deemed necessary to procure by Supplier, in its absolute discretion, where such items and their costs are notified to Customer in advance.
8.5 The Fees also exclude services related to non-Supplier delay, cancellation and rescheduling charges, for costs related directly to the administration, system, personnel, facilities, third party and/or other allocated resources associated with scheduled Services. The following charges will apply to any Customer short-term cancellation or rescheduling requested within 10 Business Days before the scheduled start date for delivery of any Services: Supplier may charge up to 100% of the scheduled Service Fees of the cancelled or rescheduled Service(s) as liquidated damages for administrative, scoping, preparation and similar services and delivery resource allocation.
8.6 Supplier may choose to increase the Fees on an annual basis with effect from each anniversary of the date of the Services Agreement, to cover, e.g., any increased Supplier costs, in line with the higher of five percent (5%) or the percentage increase in the Consumer Price Index in the preceding 12-month period, and the first such increase shall take effect, at Supplier’s discretion, on the first anniversary of the date of the Services Agreement and shall be based on the latest available annual figure for the percentage increase in the Consumer Prices Index.
8.7 Supplier may, at any time during the Fixed Term, Initial Term and during any Extension Term thereafter, vary the Fees payable by Customer by giving at least 30 days prior written notice in the event of new taxation laws, or the introduction or increase in any taxes, levies, costs or expenses, including any taxes or levies which relate to the Services.
8.8 Supplier will invoice Customer for the Fees as set forth in the Order Form or as set forth in the Services Agreement or as otherwise expressly agreed in writing.
8.9 Customer shall pay each invoice submitted to it by Supplier based on the following terms:
(a) on 30-day terms where indicated by Supplier or any other terms as set forth on the Order Form;
(b) by credit card on immediate receipt of the invoice;
(c) by direct debit with payments taken 14 days after date of invoice, where credit terms are agreed; or
(d) by payment in advance at any time required by Supplier, where Customer’s credit score is insufficient to meet the total value of the contract.
8.10 Without prejudice to any other right or remedy that it may have, if Customer fails to pay Supplier any sum due under the Services Agreement on the due date:
(a) All sums payable under the Services Agreement for services delivered and to be delivered shall become due and payable by Customer.
(b) Customer shall pay interest on the overdue sum from the due date until payment of the overdue sum, whether before or after a court judgment. Interest under this clause will accrue each day at 4% a year above the Bank of England base rate from time to time, but at 4% a year for any period when that base rate is below 0%; and
(c) Supplier may suspend or cancel part or all the Services if payment is not received within 10 days of the due date until payment has been made in full (subject to any other rights and/or remedies under the Services Agreement).
8.11 All amounts payable to Supplier under the Services Agreement:
(a) are exclusive of any applicable VAT, and Customer shall in addition pay an amount equal to any applicable VAT on those sums on receipt of a VAT invoice; and
(b) shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law) and are excluded from Force Majeure clause 15.
9. Intellectual property rights
9.1 In relation to the Services and any Deliverables:
(a) Supplier and its licensors shall retain ownership of all IPRs in the Services and the Deliverables, excluding Customer Materials;
(b) Supplier grants Customer, or shall procure the direct grant to Customer of, a fully paid, worldwide, non-exclusive, royalty-free revocable licence during the term of the Services Agreement to copy and modify the Deliverables for the purpose of receiving and using the Services and the Deliverables in its business; and
(c) Customer shall not sub-licence, assign or otherwise transfer the rights granted in clause 9.1(b) to any of its customers or other third parties, unless expressly agreed in writing with Supplier.
9.2 In relation to Customer Materials, Customer:
(a) and its licensors shall retain ownership of all IPRs in Customer Materials; and
(b) grants to Supplier a fully paid, non-exclusive, royalty-free, non-transferable licence to copy and modify Customer Materials for the term of the Services Agreement, and as required by law thereafter, for the purpose of providing the Services to Customer.
9.3 Supplier:
(a) warrants that the receipt, use of the Services and the Deliverables by Customer shall not infringe the IPRs of any third party;
(b) shall indemnify Customer against all liabilities, costs, expenses, damages and losses suffered or incurred or paid by Customer arising out of or in connection with any claim brought against Customer for actual or alleged infringement of a third party’s Intellectual Property Rights arising out of, or in connection with, the receipt or use of the Services and Deliverables;
(c) shall not be in breach of the warranty at clause 9.3(a), and Customer shall have no claim under the indemnity at clause 9.3(b), to the extent the infringement arises from:
(i) the use of Customer Materials in the development of, or the inclusion of Customer Materials in the Services or any Deliverable;
(ii) any modification of the Services or any Deliverable, other than by or on behalf of Supplier as authorised by Supplier; and
(iii) compliance with Customer's specifications or instructions, where infringement could not have been avoided while complying with such specifications or instructions and provided that Supplier shall notify Customer if it knows or suspects that compliance with such specification or instruction may result in infringement.
9.4 Customer:
(a) warrants that the receipt and use in the performance of the Services Agreement by Supplier, its agents, employees, subcontractors or consultants of Customer Materials shall not infringe the rights, including any Intellectual Property Rights, of any third party; and
(b) shall indemnify Supplier against all liabilities, costs, expenses, damages and losses suffered or incurred or paid by Supplier arising out of or in connection with any claim brought against Supplier, its agents, employees, subcontractors or consultants for actual or alleged infringement of a third party's Intellectual Property Rights, to the extent that the infringement or alleged infringement arises out of, or in connection with, the receipt or use of Customer Materials in the performance of the Services Agreement.
9.5 If either party (Indemnifying Party) is required to indemnify the other party (Indemnified Party) under this clause 9, the Indemnified Party shall:
(a) notify the Indemnifying Party in writing of any claim against it in respect of which it wishes to rely on the indemnity at clause 9.3(b) or clause 9.4(b) (as applicable) (IPRs Claim);
(b) allow the Indemnifying Party, at its own cost, to conduct all negotiations and proceedings and to settle the IPRs Claim, provided that the Indemnifying Party shall obtain the Indemnified Party's prior approval of any settlement agreement, such not to be unreasonably withheld, delayed, or conditioned;
(c) provide the Indemnifying Party with such reasonable assistance regarding the IPRs Claim as is required by the Indemnifying Party, subject to reimbursement by the Indemnifying Party of the Indemnified Party's costs so incurred; and
(d) not, without prior consultation with the Indemnifying Party, make any admission relating to the IPRs Claim or attempt to settle it, provided that the Indemnifying Party considers and defends any IPRs Claim diligently, using counsel and in such a way as not to bring the Indemnified Party’s reputation into disrepute.
9.6 Neither Party shall use any Intellectual Property Rights of the other Party except with the other Party's express prior written consent, which consent shall not be unreasonably withheld.
10. Data protection
10.1 For the purposes of this clause 10, controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.
10.2 Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 10 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under Applicable Data Protection Laws.
10.3 Customer consents to, (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by Supplier in connection with the processing of Customer Personal Data, provided these are in compliance with the then-current version of Supplier's privacy policy available at https://wn.worknest.com/privacy-notice-worknest-cyber-us (Privacy Policy). In the event of any inconsistency or conflict between the Privacy Policy and the Services Agreement, the Privacy Policy will take precedence.
10.4 The subject matter, duration, nature and purpose of the processing, the types of Customer Personal Data, the categories of data subjects and the categories of processors are set out in the Schedules of Processing available at https://www2.worknest.com/secure/terms/schedules-of-processing (Schedules of Processing), as updated from time to time in accordance with this Agreement.
10.5 Customer will ensure that it has all necessary consents and notices in place to enable lawful transfer of Customer Personal Data to Supplier for the duration and purposes of the Services Agreement.
10.6 Without prejudice to the generality of clauses 10.2 and 10.3, Supplier shall, in relation to Customer Personal Data:
(a) process that Customer Personal Data only on the documented instructions of Customer unless Supplier is required by Applicable Laws to otherwise process that Customer Personal Data (Purpose). Where Supplier is relying on Applicable Laws as the basis for processing Customer Personal Data, Supplier shall notify Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying Customer on important grounds of public interest. Supplier shall inform Customer if, in the opinion of Supplier, the instructions of Customer infringe Applicable Data Protection Laws;
(b) implement technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
(c) ensure that any personnel engaged and authorised by Supplier to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
(d) assist Customer insofar as this is possible (taking into account the nature of the processing and the information available to Supplier), and at Customer's cost and written request, in responding to any request from a data subject and in ensuring Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify Customer without undue delay on becoming aware of a personal data breach involving Customer Personal Data; where such breach is notifiable to the Information Commissioner's Office (ICO), Supplier shall notify the ICO or other relevant supervisory authority of such breach at the end of any statutorily required notice period where the requisite notice has not been sent earlier either by Customer or by Supplier at Customer's instruction;
(f) at the written direction of Customer, delete or return Customer Personal Data and copies thereof to Customer on termination of the Services Agreement unless Supplier is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 10.6(f), Customer Personal Data shall be considered deleted where it is put beyond further use by Supplier;
(g) process personal data in an identifiable form for no longer than is necessary for the purposes for which it is processed, including but not limited to complying with its obligations under the Payment Card Industry Data Security Standard (PCI DSS) rules, which prohibit the storage of payment card verification codes once a transaction has been authorised; and
(h) maintain records to demonstrate its compliance with this clause 10, and allow for reasonable audits by Customer or Customer's designated auditor, for this purpose, on reasonable written notice to a maximum of once annually.
10.7 Customer provides its prior, general authorisation for Supplier to:
(a) appoint processors to process Customer Personal Data, provided that Supplier:
(i) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Supplier in this clause 10;
(ii) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of Supplier; and
(b) transfer Customer Personal Data outside of the UK as required for the Purpose, provided that Supplier shall ensure that all such transfers are made in accordance with Applicable Data Protection Laws. For these purposes, Customer shall promptly comply with any reasonable request of Supplier, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the ICO from time to time (where the UK GDPR applies to the transfer).
10.8 Either party may, at any time on not less than 30 days' written notice, revise this clause 10 by replacing it with any applicable controller to processor standard clauses or similar agreement forming part of an applicable certification scheme (which shall apply when replaced by Annex to the Services Agreement).
10.9 Supplier's liability for losses arising from breaches of this clause 10 is as set out in Clause 12 (Limitation of Liability).
11. Confidentiality
11.1 Each party undertakes that it shall not at any time use or disclose to any person any Confidential Information of the other party or of any member of the group of companies to which the other party belongs, except as permitted by clause 11.2.
11.2 Each party may disclose Confidential Information:
(a) to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of exercising the party's rights or carrying out its obligations under or in connection with the Services Agreement. Each party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other party's Confidential Information comply with this clause 11; and
(b) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
11.3 No party shall use the other party's Confidential Information for any purpose other than to exercise its rights and perform its obligations under or in connection with the Services Agreement.
12. Limitation of liability
12.1 Scope of this clause. References to liability in this clause 12 (Limitation of liability) are subject always to clause 12.3 (liabilities which cannot legally be limited), but otherwise include every kind of liability arising under or in connection with the Services Agreement including but not limited to liability in contract, tort (including negligence), misrepresentation, restitution or otherwise.
12.2 No limitation of Customer's payment obligations. Nothing in this clause 12 shall limit Customer's payment obligations under the Services Agreement.
12.3 Liabilities which cannot legally be limited. Nothing in the Services Agreement limits any liability which cannot legally be limited, including but not limited to liability for:
(a) death or personal injury caused by negligence; or
(b) fraud or fraudulent misrepresentation.
12.4 Cap on liability. SUBJECT TO CLAUSE 12.3 (LIABILITIES WHICH CANNOT LEGALLY BE LIMITED), AND TO CLAUSE 12.6, THE LIABILITY OF EACH OF THE PARTIES SHALL NOT EXCEED THE FEES PAID IN THE 12 MONTH PERIOD PRECEDING THE CLAIM OR, WHERE LESS THAN 12 MONTHS HAVE PASSED, THE EQUIVALENT OF 12 MONTHS’ WORTH OF FEES, PER CLAIM AND IN AGGREGATE.
12.5 Specific heads of excluded loss. SUBJECT TO CLAUSE 12.2 (NO LIMITATION OF CUSTOMER'S PAYMENT OBLIGATIONS) AND CLAUSE 12.3 (LIABILITIES WHICH CANNOT LEGALLY BE LIMITED), NEITHER PARTY SHALL BE LIABLE FOR THE FOLLOWING TYPES OF LOSS:
(a) LOSS OF PROFITS;
(b) LOSS OF REVENUES, LOSS OF GOODWILL;
(c) LOSS OF AGREEMENTS, LOSS OF BUSINESS OPPORTUNITY;
(d) LOSS OF BUSINESS;
(e) DEPLETION OF GOODWILL OR SIMILAR LOSSES;
(f) INDIRECT PURE ECONOMIC LOSS; AND
(g) ANY INDIRECT OR CONSEQUENTIAL LOSS, COSTS, DAMAGES, CHARGES OR EXPENSES HOWEVER ARISING.
12.6 EACH PARTY’S TOTAL LIABILITY TO THE OTHER FOR LOSSES FOR BREACHES OF CLAUSE 9 (INTELLECTUAL PROPERTY RIGHTS), CLAUSE 10 (DATA PROTECTION), CLAUSE 5 (CUSTOMER INDEMNITY) AND CLAUSE 11 (CONFIDENTIALITY), SHALL BE LIMITED TO AND SHALL NOT EXCEED GB£3,000,000.
12.7 Customer acknowledges that there is a risk that a Service may lead to the loss or corruption of Customer’s data affected by the Services, and that the same is an inherent risk of receiving a Service even when performed in accordance with Good Industry Practice. Customer agrees to back up its data prior to delivery of any Service set forth in the Order Form. Except where otherwise provided herein, Supplier will not be liable for any such loss of data.
12.8 Supplier disclaims and excludes any and all warranties, terms or conditions (not expressly stated in the Services Agreement) as permitted by law, including implied warranties, terms or conditions relating to the acceptable quality and fitness for purpose. Customer is solely responsible for the suitability of the Services chosen.
12.9 Customer warrants that it has the full capacity and authority to instruct Supplier to deliver the Services and will not hold Supplier liable for any violation of the Computer Misuse Act 1990 or any other local applicable laws, rules or regulations.
12.10 Except as expressly provided for in the Services Agreement, Customer hereby acknowledges that Services set forth in the Order Form are delivered on an "as is" basis and Supplier shall only be liable to the extent set forth in the Services Agreement.
13. Termination
13.1 Either party may immediately terminate the Services Agreement without payment of compensation or other damages caused to the other solely by such termination by giving notice to the other if any one or more of the following occurs:
(a) the other party commits a material breach of any term of the Services Agreement and such breach is irremediable or (if such breach is remediable) fails to remedy that breach within 30 days after being notified in writing to do so;
(b) the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or (being a company or limited liability partnership) is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986, or (being an individual) is deemed either unable to pay its debts or as having no reasonable prospect of so doing, in either case, within the meaning of section 268 of the Insolvency Act 1986, or (being a partnership) has any partner to whom any of the foregoing apply;
(c) the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with any of its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
(d) a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party (being a company) other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
(e) an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party (being a company);
(f) the holder of a qualifying floating charge over the assets of that other party (being a company) has become entitled to appoint or has appointed an administrative receiver;
(g) a person becomes entitled to appoint a receiver over all or any of the assets of the other party or a receiver is appointed over all or any of the assets of the other party;
(h) a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other party's assets and such attachment or process is not discharged within 14 days;
(i) any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 13.1(b) to clause 13.1(h) (inclusive); or
(j) the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business.
13.2 For the purposes of clause 13.1(a) material breach means a breach (including an anticipatory breach) that is serious in the widest sense of having a serious effect on the benefit which the terminating party would otherwise derive from a substantial portion of the Services Agreement.
13.3 Without affecting any other right or remedy available to it, including payment by Customer of all fees due under the Services Agreement, Supplier may terminate the Services Agreement with immediate effect by giving written notice to Customer if Customer is in material breach of any other Supplier Order Form/Services Agreement or fails to pay any amount due under any Services Agreement on the due date for payment and remains in default more than 30 days after being notified to make such payment.
13.4 Customer may send express written notice of its intention to terminate the Services Agreement within 30 days of the date it receives 90 days express written notice from Supplier of any material update to the Standard Terms (under clause 17) where that updated term cannot by law or policy, applicable at the time, be accepted by Customer. All fees otherwise due and payable under the Services Agreement must be paid in accordance with the Services Agreement including, without limitation, all fees for any delivered services.
14. Consequences of termination and survival
14.1 Consequences of termination or expiry. Except as otherwise provided, the termination or expiry of the Services Agreement shall terminate all licences, access and other rights to the Services and/or Platform, and Customer shall deliver any Supplier Equipment in its possession to Supplier and destroy all copies of Supplier Confidential Information. Except as otherwise provided, Supplier shall destroy any copies of Customer Confidential Information. Customer shall immediately pay to Supplier all of Supplier's outstanding unpaid invoices, invoices to be submitted for Services supplied to the date of termination and related interest and, except where Customer has rightfully terminated for Supplier's material breach, Supplier may submit an invoice payable upon receipt in respect of the Services to be supplied but for which no invoice has been submitted.
14.2 Survival. On termination, where Customer has terminated for Supplier’s material breach, or expiry of the Services Agreement, any existing Order Form shall continue until the Services have been completed or, before completion, at Customer’s reasonable request. Any provision of the Services Agreement that expressly or by implication is intended to come into or continue in force on or after termination or expiry of the Services Agreement shall remain in full force and effect. Termination or expiry of the Services Agreement shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of the Services Agreement which existed at the date of termination or expiry.
15. Force majeure
15.1 Force Majeure Event means any circumstance, except for Customer’s payment obligations, not within a party's reasonable control including, without limitation:
(a) acts of God, flood, drought, earthquake or other natural disaster;
(b) epidemic or pandemic or Government mandated lockdowns or other related restrictions;
(c) terrorist or cyber-attack, civil war, civil commotion or riots, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, or breaking off of diplomatic relations;
(d) nuclear, chemical or biological contamination or sonic boom;
(e) any law or any action taken by a government or public authority, including without limitation imposing an export or import restriction, quota or prohibition, or failing to grant a necessary licence or consent;
(f) collapse of buildings, fire, explosion or accident;
(g) any labour or trade dispute, strikes, industrial action or lockouts (other than in each case by the party seeking to rely on this clause, or companies in the same group as that party);
(h) non-performance by suppliers or subcontractors (other than by companies in the same group as the party seeking to rely on this clause); and
(i) interruption or failure of a utility service.
15.2 Provided it has complied with clause 15.4, if a party is prevented, hindered or delayed in or from performing any of its obligations under the Services Agreement by a Force Majeure Event (Affected Party), the Affected Party shall not be in breach of the Services Agreement or otherwise liable for any such failure or delay in the performance of such obligations.
15.3 The corresponding obligations of the other party will be suspended, and its time for performance of such obligations extended, to the same extent as those of the Affected Party.
15.4 The Affected Party shall:
(a) as soon as reasonably practicable after the start of the Force Majeure Event but no later than ten days from its start, notify the other party of the Force Majeure Event, the date on which it started, its likely or potential duration, and the effect of the Force Majeure Event on its ability to perform any of its obligations under the Services Agreement; and
(b) use all reasonable endeavours to mitigate the effect of the Force Majeure Event on the performance of its obligations.
15.5 If the Force Majeure Event prevents, hinders or delays the Affected Party's performance of its obligations for a continuous period of more than six weeks, the party not affected by the Force Majeure Event may terminate the Services Agreement by giving 21 days’ written notice to the Affected Party.
16. Assignment and other dealings
16.1 Customer shall not assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under the Services Agreement, without prior express written consent from Supplier, such consent not to be unreasonably withheld.
16.2 Supplier may mortgage, charge, delegate, assign, novate or otherwise transfer any or all its rights under the Services Agreement. Supplier shall not novate or assign its rights and obligations under the Services Agreement to another service party without prior notice to Customer.
17. Amendment
17.1 No amendment or variation of the Services Agreement shall be effective without express written consent signed by the parties (or their authorised representatives) except that Supplier may from time to time update the Services Agreement Standard Terms or Services Agreement Service-specific Terms upon 90 days express written notice to Customer upon which Customer may send express written notice of its intent to terminate the Services Agreement as provided for in clause 13.4.
18. Waiver
18.1 A waiver of any right or remedy under the Services Agreement or by law is only effective if given expressly in writing and shall not be deemed a waiver of any subsequent right or remedy.
18.2 A failure or delay by a party to exercise any right or remedy provided under the Services Agreement or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Services Agreement or by law shall prevent or restrict the further exercise of that or any other right or remedy.
19. Rights and remedies
19.1 The rights and remedies provided under the Services Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
20. Severance
20.1 If any provision or part-provision of the Services Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the Services Agreement.
20.2 If any provision or part-provision of the Services Agreement is deemed deleted under clause 20.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
21. Entire Agreement
21.1 The Services Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, contracts, promises, assurances, warranties, representations and understandings between them, whether written, oral or by conduct, relating to its subject matter.
21.2 Each party agrees it shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Services Agreement. Each party agrees it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the Services Agreement.
22. No partnership or agency
22.1 Nothing in the Services Agreement is intended or shall be deemed to establish a partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.
22.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.
23. Anti-Bribery and Anti-Corruption
23.1 Each Party shall, and shall ensure any of its agents, employees, consultants, contractors and subcontractors shall, comply with all applicable laws, statutes, regulation, and codes relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010 and shall establish, maintain and enforce its own policies and procedures to ensure compliance.
24. Anti-Slavery and Human Trafficking
24.1 Each Party shall, in performing its obligations under the Services Agreement, comply with all applicable anti-slavery and human trafficking laws, statutes and regulations from time to time in force including the Modern Slavery Act 2015; and each party represents and warrants that it has not been convicted of any offence involving slavery and human trafficking or been the subject of any investigation, inquiry or enforcement proceedings regarding any offence or alleged offence of or in connection with such trafficking.
25. Third party rights
25.1 Except as otherwise agreed, the Services Agreement does not give rise to any third-party statutory rights to enforce any of its terms.
26. Notices
26.1 Any notice given to a party under or in connection with the Services Agreement shall be in writing and shall be delivered by e-mail, by hand or by tracked post or courier service at the recipient party’s registered office (if a company) or its principal place of business (in any other case).
26.2 Any notice shall be deemed to have been received:
(a) if by e-mail, at the time of transmission (assuming no failure notification or other indication of non-delivery is received);
(b) if delivered by hand, at the time the notice is left at the proper address; or
(c) if sent tracked and signed-for delivery by national courier, at the time such courier confirms delivery.
26.3 This clause does not apply to the service of any proceedings or any documents in any legal action or, where applicable, any arbitration or other formal method of dispute resolution.
26.4 A notice given under the Services Agreement is valid if received.
27. Governing law, venue and dispute resolution
27.1 The Services Agreement shall be governed and construed in accordance with New York law.
27.2 Any dispute arising under or related to the Services Agreement that is not resolved by good faith discussion among the parties, at their discretion, shall be resolved by binding expedited American Arbitration Association (AAA) arbitration in New York with the exception of an action brought in any court having jurisdiction to enforce terms of an arbitration award under this clause or for injunctive relief or, for Supplier at its discretion, where the sole or primary dispute regards payment by Customer.
27.3 Attorney’s Fees. If any arbitration, suit, or proceeding is instituted to interpret, enforce, or rescind this Agreement, or otherwise in connection with the subject matter of this Agreement, including but not limited to any proceeding brought under the United States Bankruptcy Code, the prevailing party on a claim will be entitled to recover with respect to the claim, and in addition to any other relief awarded on the basis of the claim, the prevailing party’s reasonable attorney’s fees and other fees, costs, and expenses of every kind incurred in connection with the arbitration, action, suit, or proceeding, any appeal or petition for review, the collection of any award or the enforcement of any order, as determined by the arbitrator or court.
28. Counterparts
28.1 The Services Agreement Order Form may be executed and delivered electronically or by hardcopy in any number of counterparts, each of which shall constitute a duplicate original, but all counterparts together constitute the one Services Agreement Order Form. No counterpart shall be effective until each party has executed at least one counterpart.
Service Specific Terms
(incorporated into the Services Agreement Order Form and incorporating the Services Agreement Standard Terms, any Annex and any Order Form Services Addendum, all together the “Services Agreement”)
Supplier will provide Customer the following Service(s) as set forth on the Order Form:
1. Consultancy
Supplier will remotely provide Customer advice and support covering information security topics, including, without limitation, frameworks such as ISO 27001, NIST, CIS, ISO 22301, Applicable Data Protection Laws, other data protection laws and data protection in general. Where specified, Supplier will assist Customer to work toward improvement of its business performance in terms of operations, management, structure and/or strategy regarding cyber security and/or data protection compliance. On-site visits may be arranged with Customer in exceptional circumstances.
a. Cyber Security Assessment
Supplier will provide an experienced Information Security Consultant to assess the current level of information/cyber security in Customer’s organisation. This will be based on the NIST CSF and ISO 27001/27002 controls and the output will be a report detailing the level of compliance against each of the requirements along with recommendations on how to achieve compliance.
b. Data Privacy Advisor (DPA)
Supplier will provide Customer access to up to 2 hours per month of remote support for queries and questions relating to GDPR and data privacy matters. Customers can contact the DPA service via a centralised mailbox initially and then queries can be dealt with via email, phone or video conferencing.
c. GDPR Audit
Supplier will provide an experienced GDPR consultant to audit the current level of compliance to GDPR. The output of the audit will be a report that will outline any non-conformities. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit.
d. GDPR Gap Analysis
Supplier will provide an experienced GDPR consultant to undertake a gap analysis against the requirements of GDPR. The output of the gap analysis will be a report detailing the current level of compliance to each of the requirements along with a document review (which will include a maximum of 20 GDPR related policies, procedures or documents) with recommendations and an action plan outlining what needs to be done to achieve compliance. During the gap analysis, which will be conducted via a series of online interviews with key stakeholders, Customer will be required to provide documents, e.g., policies and procedures that are currently in place for assessment.
e. GDPR Implementation / Consultancy Days
Supplier will provide an experienced GDPR consultant to deliver the GDPR implementation project. The service, which will be delivered remotely, will include preparation of all required documentation along with advice and support on how to ensure current processes are compliant. Customer will be required to play an active part in the implementation through interviews and workshops.
f. DORA Audit
Supplier will provide an experienced DORA consultant to audit the current level of compliance to DORA. The output of the audit will be a report that will outline any non-conformities. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit.
g. DORA Gap Analysis
Supplier will provide an experienced DORA consultant to undertake a gap analysis against the requirements of DORA. The output of the gap analysis will be a report detailing the current level of compliance to each of the requirements along with a document review (which will include a maximum of 20 DORA related policies, procedures or documents) with recommendations and an action plan outlining what needs to be done to achieve compliance. During the gap analysis, which will be conducted via a series of online interviews with key stakeholders, Customer will be required to provide documents, e.g., policies and procedures that are currently in place for assessment.
h. DORA Implementation
Supplier will provide an experienced DORA consultant to deliver the DORA implementation project. The service, which will be delivered remotely, will include preparation of all required documentation along with advice and support on how to ensure current processes are compliant. Customer will be required to play an active part in the implementation through interviews and workshops.
i. Maturity Assessment Gap Analysis
Supplier will provide an experienced consultant to undertake a maturity assessment gap analysis against the relevant requirements and recognised good practice. The output of the maturity assessment gap analysis will be a report detailing the current level of maturity against each of the assessed areas, along with a document review (which will include a maximum of 20 relevant policies, procedures or documents) with recommendations and an action plan outlining what needs to be done to address identified gaps and improve maturity. During the maturity assessment gap analysis, which will be conducted via a series of online interviews with key stakeholders, the Customer will be required to provide documents, e.g. policies and procedures, that are currently in place for assessment.
j. InfoSec Consultancy
Supplier will provide an experienced information security consultant. The service, which will be delivered remotely, will include preparation of all required documentation along with advice and support on how to ensure current processes are aligned with applicable information security requirements and recognised good practice. The Customer will be required to play an active part in the implementation through interviews and workshops.
k. ISO Gap Analysis (including but not limited to 27001, 9001, 27701, 22301)
Supplier will provide an experienced ISO consultant to undertake a Gap Analysis against the version of the ISO standard requested by Customer, in accordance with the agreed scope. The output of the gap analysis will be a report detailing the current level of compliance to each of the requirements of that ISO standard, with recommendations on what needs to be done to achieve compliance. During the Gap Analysis, which will be conducted via a series of online interviews with key stakeholders, Customer will be required to provide documents, e.g., policies and procedures that are currently in place for assessment.
l. ISO Implementation (including but not limited to 27001, 9001, 27701, 22301)
Supplier will provide an experienced ISO lead implementer to deliver an ISO implementation project to enable Customer’s readiness for certification by an external UKAS accredited certification body. The implementation service, which will be delivered remotely, will include training of all staff on the Information Security Management System the consultant is implementing and preparation of all required documentation. Customer will be required to play an active part in the implementation through interviews and workshops.
m. ISO Internal Audit (including but not limited to 27001, 9001, 27701, 22301)
Supplier will provide an experienced ISO auditor to conduct an internal audit against the agreed requirements and scope of the Information Security Management System. The output of the internal audit will be a report, written in accordance with the requirements of the ISO standard that will outline any non-conformities and opportunities for improvement. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit.
n. Managed Phishing Campaigns
Supplier will perform tailored Phishing simulations (campaigns) to test Customer staff’s vigilance and identify any weaknesses in their security knowledge. Supplier will provide a report documenting the results of the Phishing Campaigns through a secure portal. Customer will work closely with Supplier to agree the scope, requirements and schedule of the test, to track results and to take remediation steps following the outcome of the test. Customer will provide target employee details including, e.g., their email address, role and full name.
o. Payment Card Industry Data Security Standard (PCI DSS) Consultancy
Supplier will provide an experienced information security consultant to deliver a range of PCI DSS consultancy services to help ensure Customer has implemented the policies, procedures and technical controls necessary to achieve and validate PCI DSS compliance. Customer will be required to provide, where available, an asset inventory for systems in scope for PCI DSS, a network diagram and a data flow diagram, along with any other relevant supporting policies, procedures and documentation.
p. System and Organization Controls (SOC) 2
Supplier will provide an experienced information security consultant to provide a range of SOC2 consultancy services to assist Customer in the implementation of all necessary policies, procedures and technical controls in preparation for an audit by a Certified Public Accountant (CPA).
q. Training
Supplier will provide a range of standard training courses covering both cyber security awareness and Applicable Data Protection Law and other data protection awareness. These can be delivered through an online portal with built in reporting, allowing the Customer to track that staff have watched the videos. Other delivery methods include on-site training and virtual training using video conferencing tools. Bespoke training courses covering specific information security, cyber security or data protection topics can also be developed and delivered for Customers in any format, be that video, online training or, where agreed, physically on site. Supplier will provide a copy of any training materials to Customer in pdf format upon completion of the training.
2. Cyber Essentials
Supplier will assist Customer to achieve certification under the NCSC Cyber Essentials scheme. Support is provided in line with the level of service Customer has contracted for as per the following:
Feature | Cyber Essentials | Cyber Essentials Premium | Cyber Essentials Plus | Cyber Essentials Plus Premium
--- | --- | --- | --- | ---
Cyber Essentials certification | Included | Included | Included | Included
Up to £25k free cyber insurance* | Included | Included | Included | Included
Cyber Essentials Plus certification | Not included | Not included | Included | Included
Tailored policy documents | Not included | Included | Not included | Included
Remote support | 2 hrs included | 4 hrs included | 4 hrs included | 6 hrs included
Free retest | 1 free retest | 2 free retests | 1 free retest | 2 free retests
In addition, Supplier will provide:
Additional cyber protection tools as specified on the Order Form such as: vulnerability scanning, endpoint protection, online training and exams and Asset Profile.
Remote support via telephone, email or video conferencing. Additional support time beyond the included hours is available at Supplier’s standard rate.
*Cyber Insurance:
Free cyber insurance, provided by the UK Government via a third party insurer, is made available as part of the NCSC Cyber Essentials scheme to eligible UK companies (or companies with their head office domiciled in the UK or Crown Dependencies) where the basic certification covers the entire organisation and the company’s gross annual turnover is less than £20 million. Details of the insurance cover can be requested from the insurer. Cyber insurance is provided subject to opt-in by Customer only.
Customer acknowledges that the Cyber Essentials scheme is intended to reflect that the certificated organisation has established the cyber security profile set out in the Cyber Essentials scheme documents only and that receipt of a scheme certificate does not indicate or certify that the certificate holder is free from cyber security vulnerabilities. Customer acknowledges that Supplier has not warranted or represented the Cyber Essentials scheme or certification under the Cyber Essentials scheme as conferring any benefit to Customer other than as set forth herein.
a. Cyber Essentials (excluding Cyber Essentials Plus)
After purchasing Cyber Essentials, Customer will be required to confirm via email when they are ready to complete their assessment. The Cyber Essentials team will send an email after initial purchase, asking to be informed when Customer is ready to proceed. Customer will not be given access to complete their assessment until a response is received.
Customer shall complete and submit the self-assessment form within a month of being added to the portal.
Customer shall comply with the Cyber Essentials scheme documentation and all reasonable directions made to Customer by the Authority, a Cyber Essentials Partner or a certification body.
Subject to Customer’s completion of a Cyber essentials self-assessment (the “Questionnaire”), Supplier will assess the Customer-completed Questionnaire against the Cyber Essentials Scheme criteria.
The Questionnaire account will remain open and accessible unless and until it is archived by the Supplier or removed by IASME (including as a result of question set changes). Following submission and marking of the Questionnaire, and once the assessment has been returned to the Customer, the Questionnaire will remain open and accessible for six (6) months or until the end of the Services Agreement, whichever occurs first. If Customer has not completed the assessment within this period, the assessment will expire and no refund will be permitted. If Customer wishes to complete the Questionnaire after expiration, it will be required to order Cyber Essentials again.
If the completed Questionnaire assessment meets the Cyber Essentials scheme criteria (which Supplier shall assess in accordance with the IASME marking scheme), Supplier will notify Customer and, subject to Customer meeting its obligations, Supplier will arrange for the issue of an IASME certificate to Customer.
If a certification only service has been purchased by Customer, no support will be provided by Supplier other than assistance gaining access to the Questionnaire.
If Customer has not submitted its application after a month of being added to the portal, reminders will be sent to Customer as follows:
After 4 weeks of inactivity – one reminder email will be sent to the main contact on the application.
After another 2 weeks a second reminder will be sent if Customer has still not submitted its application.
After another 2 weeks a third reminder will be sent if Customer has still not submitted its application.
After another 2 weeks a fourth and final reminder will be sent if Customer has still not submitted its application.
If the above reminders do not result in a Customer reply with an offered date or a submission, Customer will be invoiced either at the point where their assessment expires (being six (6) months after the marked questionnaire has been returned to the Customer) or when their contract ends, whichever is sooner.
Where Customer’s order has not been completed within 12 months from the date it was placed, the assessment will be marked as a ‘fail’ and Customer will be invoiced.
In addition, where IASME releases a new question set, a Customer with an account under a previous question set will have six (6) months from the date of release of the new question set to complete and pass the assessment. If the assessment is not completed and passed within that period, the account will be archived by IASME and any further attempt to complete the assessment will require a new purchase.
Cancellation of orders is not possible due to the systems and third parties involved in providing the service. Therefore, incomplete applications will be marked as a ‘fail’ and Customer will be invoiced.
b. Cyber Essentials Plus
Customer must achieve Cyber Essentials Plus certification within 90 days of certifying against Cyber Essentials (excluding Plus). Any free retest offerings must be used within the 90-day deadline for completing Cyber Essentials Plus.
If Customer is unable to pass within that time through no fault of Supplier, the application will be marked as a ‘fail’.
Where Customer fails the Cyber Essentials Plus test, Customer will have 30 days to remediate any issues found and complete a retest (within the 90 days).
Where Customer refuses or fails to provide the access required to conduct the test, the test will be marked as a ‘fail’.
The following charges will apply to any Customer short-term cancellation and rescheduling:
cancellation or rescheduling requested between 7 and 14 days before the scheduled start date for delivery of any Services: 50% of the scheduled Service Fees of the cancelled or rescheduled Service(s); or
for cancellation or rescheduling requested within 7 days before the scheduled start date for delivery of any Services: 100% of the scheduled Service Fees of the cancelled or rescheduled Service(s).
Customer agrees to allow Supplier to conduct a discovery exercise as part of the Cyber Essentials Plus test. This may include, but is not limited to:
Establishing enrolled devices via Customer’s MDM system.
Establishing connected devices via Customer’s managed firewall.
Establishing connected devices via Customer’s managed Antivirus.
Establishing devices connected to Customer’s Network by performing a network scan against the Customer’s corporate network using a network scanning tool such as Nmap.
Establishing number of users against a provided list of devices through a review of Customer’s managed Email service.
Supplier reserves the right to conduct the discovery exercise multiple times to ensure that the information is valid and true.
Supplier reserves the right to conduct more than one of the exercises listed above to ensure accuracy.
If a discovery exercise is not possible, or if the result of the exercise shows major inconsistencies between the provided device list and the answers in Customer’s Cyber Essentials Basic Self-Assessment, the Cyber Essentials Plus test will be marked as a Fail, will not progress and will not be eligible for a refund.
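The discovery exercise above is, in practice, a reconciliation: the device list declared in the self-assessment is compared with what the MDM, the firewall, the antivirus console and a network scan actually show, and disagreement is what fails the test. The following Python is an added illustrative example of that reconciliation; it is not the Supplier’s tooling and is not part of these terms. All inventories are constructed sample data; the Nmap output uses the real `-oG` (grepable) line format but is made up; and the 10% threshold for a "major inconsistency" is an assumption, since the terms do not quantify one.

```python
"""Reconcile Cyber Essentials Plus discovery results against the declared device list.

Added illustrative example, not the Supplier's own tooling. All inventories and the
Nmap output below are constructed sample data; the 10% "major inconsistency"
threshold is an assumption (the terms do not quantify it).
"""
from dataclasses import dataclass


@dataclass
class Reconciliation:
    declared: set            # normalised device names from the self-assessment
    observed: dict           # device name -> set of discovery sources that saw it
    undeclared: set          # seen by at least one source but not declared
    unobserved: set          # declared but seen by no source
    inconsistency_ratio: float
    major_inconsistency: bool


def norm(name: str) -> str:
    """Normalise a device identifier: lower-case, drop the DNS suffix, keep bare IPs intact."""
    name = name.strip().lower()
    label = name.split(".")[0]
    return name if label.isdigit() else label   # '10.0.0.77' stays an IP; 'LAPTOP-01.corp' -> 'laptop-01'


def parse_nmap_grepable(text: str) -> list:
    """Pull live hosts out of `nmap -sn -oG -` output (constructed sample below).

    A grepable line looks like: 'Host: 10.0.0.10 (laptop-01.corp.example)\tStatus: Up'.
    Hosts reported Down are skipped; a host with no reverse-DNS name falls back to its IP.
    """
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Status: Up" not in line:
            continue
        addr_part = line.split("Status:")[0][len("Host:"):].strip()   # '10.0.0.10 (laptop-01.corp.example)'
        ip, _, rest = addr_part.partition(" ")
        name = rest.strip()[1:-1] if rest.strip().startswith("(") else ""
        hosts.append(name or ip)
    return hosts


def reconcile(declared, sources: dict, threshold: float = 0.10) -> Reconciliation:
    """Compare the declared list with every discovery source and flag disagreement."""
    declared_set = {norm(d) for d in declared}
    observed = {}
    for source, hosts in sources.items():
        for h in hosts:
            observed.setdefault(norm(h), set()).add(source)
    undeclared = set(observed) - declared_set
    unobserved = declared_set - set(observed)
    universe = declared_set | set(observed)
    ratio = (len(undeclared) + len(unobserved)) / len(universe) if universe else 0.0
    return Reconciliation(declared_set, observed, undeclared, unobserved, ratio, ratio > threshold)


# --- constructed sample data --------------------------------------------------
DECLARED_DEVICES = ["LAPTOP-01", "LAPTOP-02", "LAPTOP-03", "SRV-FILE-01", "SRV-DC-01"]
MDM_ENROLLED = ["laptop-01", "laptop-02", "laptop-03"]
FIREWALL_CLIENTS = ["laptop-01.corp.example", "srv-file-01.corp.example",
                    "srv-dc-01.corp.example", "printer-02"]
AV_MANAGED = ["LAPTOP-01", "LAPTOP-02", "SRV-FILE-01", "SRV-DC-01"]
NMAP_OUTPUT = """# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.10 (laptop-01.corp.example)\tStatus: Up
Host: 10.0.0.11 (laptop-02.corp.example)\tStatus: Up
Host: 10.0.0.50 (srv-dc-01.corp.example)\tStatus: Up
Host: 10.0.0.77 ()\tStatus: Up
Host: 10.0.0.78 (old-nas)\tStatus: Down
# Nmap done"""


def run_discovery() -> Reconciliation:
    """Run the reconciliation over the constructed sample inventories."""
    return reconcile(DECLARED_DEVICES, {
        "mdm": MDM_ENROLLED,
        "firewall": FIREWALL_CLIENTS,
        "antivirus": AV_MANAGED,
        "nmap": parse_nmap_grepable(NMAP_OUTPUT),
    })


if __name__ == "__main__":
    r = run_discovery()
    for host in sorted(r.undeclared):
        print(f"UNDECLARED  {host:<24} seen by: {', '.join(sorted(r.observed[host]))}")
    for host in sorted(r.unobserved):
        print(f"UNOBSERVED  {host:<24} declared but found by no source")
    print(f"inconsistency ratio {r.inconsistency_ratio:.0%} -> "
          f"{'MAJOR INCONSISTENCY' if r.major_inconsistency else 'within tolerance'}")
```

On the sample data the network side surfaces two devices the self-assessment never mentioned (a printer known to the firewall and an unnamed host answering on the network), which is exactly the kind of gap the exercise is meant to catch; a declared device that no source can see is reported separately, since that usually means a stale or padded list rather than an untracked asset.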
Supplier will retain all data relating to the Cyber Essentials Plus test for the term of Customer’s Cyber Essentials Plus certificate (i.e., 12 months).
3. GuardNest Packages
GuardNest is Supplier’s platform that streamlines vulnerability management by combining real-time insights, continuous testing and direct collaboration with consultants in one platform. Unlike static PDF reports, GuardNest centralises findings, maps them to compliance frameworks and supports remediation tracking. It adapts to the specific needs of Customer’s organisation, helping Customer identify threats faster, simplify remediation and maintain control.
GuardNest is provided on a tiered basis. The Customer shall receive access only to the features, functionality, scanning allowances and services expressly included in the package tier purchased.
GuardNest Essentials:
Under GuardNest Essentials, the Supplier shall provide the Customer with baseline access to the GuardNest platform to enable centralised visibility of vulnerability findings generated through Supplier Services.
a. Customisable Vulnerability Dashboard
Supplier will provide Customer access to a web-based dashboard enabling the Customer to view, filter and prioritise vulnerability findings identified through Supplier assessments.
b. Digital Vulnerability Report
Supplier will provide Customer access to dynamic digital reports for penetration testing. Customer will receive real-time email notifications whenever a vulnerability is discovered or a major change occurs during testing. This includes vulnerability updates and notifications when a report is completed or a retest is finished.
c. Role-Based Access Control
Supplier will provide Customer access to features to allow Customer to create and customise user groups, ensuring the right people have access to the right data and provide Customer with the ability to allocate different access permissions to Users based on role.
d. Monthly External Vulnerability Scanning
Supplier will provide Customer access to automated external vulnerability scanning of up to 5 internet-facing IP addresses per calendar month. Scan results will be integrated into the GuardNest dashboard for review and remediation tracking.
GuardNest Core:
Under GuardNest Core, in addition to all GuardNest Essentials features, the Supplier shall provide enhanced vulnerability visibility, contextual threat intelligence and increased scanning capacity.
a. Threat Intelligence Dashboard
Supplier will provide Customer access to a consolidated dashboard presenting threat intelligence data relevant to the Customer’s identified vulnerabilities, enabling improved risk context and prioritisation.
b. Live Reporting
Supplier will provide Customer real-time access to vulnerability findings during active Supplier-led testing engagements, allowing Customer to monitor progress as testing is performed.
c. Monthly External Vulnerability Scanning
Supplier will provide Customer access to automated external vulnerability scanning of up to 50 internet-facing IP addresses per calendar month. Scan results will be integrated into the GuardNest dashboard for review and remediation tracking.
d. E-Learning
Supplier will provide Customer platform-based access to a range of Supplier-provided e-learning and awareness materials for up to ten (10) named users.
GuardNest Advanced:
Under GuardNest Advanced, in addition to all GuardNest Core features, the Supplier shall provide a comprehensive vulnerability management capability designed for organisations requiring high-volume scanning, integrations and proactive alerting.
a. Enhanced Vulnerability Alerting
Supplier will provide to Customer access to automated alerts within the platform triggered by newly identified vulnerabilities or material changes to existing vulnerability risk levels.
b. Third-Party Integrations
Supplier will provide Customer access to integration with supported third-party tools (such as Jira, Slack and Microsoft Azure) to facilitate remediation workflows, subject to technical compatibility.
c. Monthly External Vulnerability Scanning
Supplier will provide Customer with access to automated external vulnerability scanning of unlimited internet-facing IP addresses per calendar month. Scan results will be integrated into the GuardNest dashboard for review and remediation tracking.
d. Monthly Web App Scanning
Supplier will provide Customer with access to automated vulnerability scanning of up to 2 web application URLs per calendar month.
e. Global Asset & Vulnerability View
Supplier will provide Customer with a consolidated view of vulnerabilities across all Customer-registered assets within the platform, enabling enterprise-level oversight.
f. E-Learning
Supplier will provide Customer platform-based access to a range of Supplier-provided e-learning and awareness materials for up to fifty (50) named users.
Scanning limits, user limits (where applicable) and feature availability are strictly enforced by package tier. Customer may upgrade its package tier during the Term, subject to payment of applicable fees. Supplier makes no commitment to provide any functionality, scanning capacity or service not expressly included within Customer’s active package tier. Supplier may enhance, modify or replace platform features provided that the overall functionality of Customer’s package tier is not materially reduced.
4. Incident Response
Supplier will provide Customer assistance within three hours via a Platform which is available 24x7x365. The emergency request will consist of an initial assessment and triage via phone to discover and confirm the nature and impact of the incident within Customer’s environment, including the collection and analysis of all relevant information, and to provide advice based on the nature of the incident. Customer will provide all necessary resources and information to ensure the success of the service. If more detailed analysis is required, or the incident has been confirmed as a data breach, the service will provide additional support to investigate the extent of the incident, which may include forensic analysis supported on site (Digital Forensics) where required, at an additional cost as defined in the Services Agreement Standard Terms. Digital Forensics support will be charged, as required, at a day rate of ~£1,500.00 as updated by Supplier from time to time.
a. Customer shall provide and coordinate Supplier’s access to the systems to be investigated. Before any system access is granted, Customer shall inform Supplier in writing and in advance of any security and access standards or requirements that apply to such access, and of any subsequent changes to them.
b. During an assessment, the configuration of Customer’s network will be kept as stable as possible (i.e., no new systems or configuration changes). If changes are required, Customer shall inform Supplier, and a mutually acceptable testing schedule shall be agreed upon.
c. During the initial notification call, Customer shall provide Supplier with the information below to create an incident ticket. Customer shall appoint an authorised contact person for every incident raised. The appointed contact person shall be preregistered with Supplier.
i. Customer name
ii. Locations affected by the incident
iii. Priority of the incident
iv. Information on how the incident was identified
v. Contact name
vi. Contact phone number
vii. Details of the incident
viii. Information on when the incident was first identified
Note: Should Customer consider the nature of the incident to preclude the support desk being provided with these details, Customer contact may simply state that the incident is a ‘flash priority’ at which point Supplier support personnel will request no further details and will immediately initiate the response procedures.
d. Customer shall also provide details of its incident priority classification for discussion prior to rollout of the services. Customer is further responsible for making the following information available and for ensuring the associated processes are followed. Supplier will work closely with Customer (as a separate engagement) to ensure that all responsibilities can be met.
e. Customer shall maintain accurate network diagrams and make these diagrams available to Supplier as required.
f. Customer shall maintain accurate process maps and diagrams, detailing the systems involved with the transmission, storage, or processing of sensitive information.
g. Customer shall provide an updated list (per incident) of personnel with which the aspects of the incident may be openly discussed. All other personnel will simply be directed toward their own management for information.
h. Customer shall provide contact information for senior personnel related to affected departments or systems to be contacted for further information (see previous point).
5. Managed Detection & Response
Supplier will provide a SaaS based security information and event management platform to deliver real-time analysis of potential cybersecurity threats. Supplier’s security analysts will analyse Customer logs 24x7x365 to identify security threats and raise events to Customer for investigation. Customer will install, with the support of Supplier, relevant software and virtual hardware to support the delivery of the Service.
a. Definitions
The following additional definitions shall apply to this Service:
“APT” or “Advanced Persistent Threat” means a set of stealthy and continuous computer hacking processes.
“Attack” means the inflow of malicious or illegitimate call requests to an infrastructure or web platform with malicious intent, the purpose being to gain access to, or deliver disruption to, the infrastructure.
“Critical” means the classification by Supplier of a Security Event as defined in the Managed Detection & Response Service Level Agreement (MDR SLA) that will receive the highest level of response from Supplier's designated trained security professionals.
“Incident Response Plan” means the overarching framework for both parties’ efficient and professional reactions during a security incident.
“Non-Critical” means a Security Event as defined in the MDR SLA that does not require immediate attention because it is deemed not to be critical.
“Runbook” means a routine compilation of procedures and operations which designated employees will use as a reference.
“Security Event” means a change in the everyday operations of a network or information technology service, which indicates that a security policy may have been violated or a security safeguard may have failed.
“Security Incident” means a situation where an adverse impact has resulted from a Security Event.
“SIEM” means software products and services combining security information management (SIM) and security event management (SEM) that provide real-time analysis of security alerts generated by network hardware and software applications.
“Threat Investigation” means any actions taken by Supplier to validate a Security Event as a real threat and to rule out the possibility of it being a false alert.
“Threat Signatures” means any information provided by Vendors to help identify any threats that could impact Customer’s network or infrastructure.
“Vendors” means third parties who provide Supplier with infrastructure, products, intelligence or expertise to allow Supplier to provide the Services, including but not limited to dedicated hardware appliances, Threat Signatures and vulnerability scanning services.
“Zero-day” means an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch.
b. Supplier Obligations
Supplier will provide the following in accordance with the Order Form, the MDR SLA and Runbooks.
Active monitoring of all systems in scope for Security Events using a threat intelligence SIEM module.
Correlate various logs to identify any Security Events that may carry a potential threat.
Interpretation of logs and audit trails, focusing on the threats that matter most to Customer.
Incident investigation from triggered alerts and abnormal behaviour in accordance with a well-defined and agreed Runbook.
Customer notification and incident reporting in accordance with the agreed incident response plan.
Provide recommendations for dealing with incidents.
Ongoing management and maintenance of the SIEM appliances: installation, migration and configuration of the SIEM hardware or software.
All configuration files will be kept and backed-up for a minimum of 30 days with daily restore points covering one week, unless an alternative period is formally requested by Customer and agreed by Supplier.
All logs will be kept and backed-up for a minimum period of 30 days, with immediate access and 1 year in archive.
Incident reports will be generated within 24 hours of completion of the investigation into any Critical Security Event. Upon request, Supplier will provide incident reports for any Critical Security Events that have occurred.
Access to an online portal which will contain up-to-date incident reports and change control information.
c. Customer Obligations
Customer agrees to perform the following obligations and acknowledges that Supplier’s ability to perform its obligations, and Supplier’s liability, depend on Customer’s compliance with them:
Customer is required to make appropriate staff available to help Supplier with the following items (if applicable):
i. Runbooks
ii. Incident Response Plan
iii. Any other documents or procedures required to provide the Services.
iv. Any infrastructure or platform used to provide the Services
v. Any other procedures required to provide the Services
In the case of a Security Event occurring, Customer agrees to work in line with agreed Runbooks.
Customer agrees and understands that the effectiveness of the Services depends on the collaboration during the on-boarding phase that will define and assess the processes, escalation points and on-going communication channels.
Customer must inform Supplier of any changes that could affect any individual Runbook or the Incident Response Plan. This also includes the escalation procedures, availability and contact details of personnel, reliability, performance and any other security or compliance related requirements.
d. Supplier MDR SLA
Supplier will work in line with the agreed Runbooks.
Supplier will monitor all key components used in the delivery of the Services 24x7x365.
In the event of any issues arising, Supplier will work to identify and resolve any threats or issues as quickly as possible.
Supplier will provide technical staff 24x7x365 to support the Services provided and to assist Customer with any issues that may arise. A 24-hour telephone number will be available for Customers. Email support will also be provided but should not be used for emergencies.
If a Critical event occurs, Supplier will perform an initial Threat Investigation and then notify Customer within 30 minutes of the Security Event being deemed Critical by Supplier.
If a Security Event occurs of a Non-Critical nature, Supplier will take actions in line with the agreed Runbook.
If a Security Event occurs Supplier will first carry out a Threat Investigation and will then respond to Customer within the timeframes listed in the table below.
For any Security Event which Supplier deems to be Critical prior to the Threat Investigation being completed, Supplier will contact and regularly update Customer.
The Security Event severity is typically determined by the stage of the attack kill chain at which the event is observed: the further along the kill chain, the more severe the event.
Platform MDR SLAs where Platform EDR is deployed:
Severity level | Example | Communication method | Automated response time
--- | --- | --- | ---
Critical | Command and Control communication established / outbound connection to known bad actor address | Phone, portal and email | 30 minutes
High | Brute-force activity against externally facing systems with legitimate accounts | Portal and email | Detection within sixty (60) minutes for ninety percent (90%) of High severity cases, measured on a monthly basis
Medium | Infrastructure or system version information disclosure | Portal and email | Within 24 hours
Low | Administrator account lockout | |
Informational | Reconnaissance such as port scanning | |
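A Customer that wants to hold the Supplier to the table above has to measure it from the event records. The Python below is an added illustrative example of that check; it is not the Supplier’s own reporting and not part of these terms. The events are constructed, and the way each target is measured is an assumption: Critical notification is timed from the detection timestamp (standing in for the moment the event is deemed Critical), High detection is timed from the start of the activity to its detection and must hold for at least 90% of High events in the calendar month, and Medium notification is timed from detection.

```python
"""Measure a month of MDR Security Events against the SLA table above.

Added illustrative example, not the Supplier's own reporting. The events are
constructed, and how the targets are measured is an assumption:
  Critical - Customer notified within 30 minutes of the event being deemed Critical
             (here: of the detection timestamp)
  High     - detected within 60 minutes of the activity starting, for at least 90%
             of High events in the calendar month
  Medium   - Customer notified within 24 hours of detection
"""
from datetime import datetime, timedelta


def _event(eid, severity, started, detect_after_min, notify_after_min):
    """Build one constructed event record from a start time and two delays (minutes)."""
    started_at = datetime.fromisoformat(started)
    detected_at = started_at + timedelta(minutes=detect_after_min)
    notified_at = None if notify_after_min is None else detected_at + timedelta(minutes=notify_after_min)
    return {"id": eid, "severity": severity, "started": started_at,
            "detected": detected_at, "notified": notified_at}


# Constructed sample month. The ten High events carry detection delays of
# 5..90 minutes: nine at or under 60, one at 90, so exactly 90% meet the target.
EVENTS = [
    _event("SE-1001", "Critical", "2025-03-03T09:00:00", 12, 18),      # notified in 18 min: ok
    _event("SE-1002", "Critical", "2025-03-10T22:05:00", 5, 45),       # notified in 45 min: breach
    _event("SE-1003", "Medium",   "2025-03-05T11:00:00", 30, 2 * 60),  # notified in 2 h: ok
    _event("SE-1004", "Medium",   "2025-03-12T08:00:00", 15, 26 * 60), # notified in 26 h: breach
    _event("SE-1005", "Critical", "2025-02-27T23:50:00", 3, 10),       # previous month, excluded
] + [
    _event(f"SE-11{i:02d}", "High", "2025-03-06T10:00:00", delay, 30)
    for i, delay in enumerate([5, 12, 20, 33, 41, 48, 55, 58, 60, 90])
]

CRITICAL_NOTIFY = timedelta(minutes=30)
HIGH_DETECT = timedelta(minutes=60)
HIGH_TARGET = 0.90
MEDIUM_NOTIFY = timedelta(hours=24)


def _notified_late(event, limit):
    """True if the Customer was not notified, or was notified more than `limit` after detection."""
    return event["notified"] is None or event["notified"] - event["detected"] > limit


def sla_report(events, month: str) -> dict:
    """Summarise SLA performance for one calendar month ('YYYY-MM'), keyed on detection time."""
    monthly = [e for e in events if e["detected"].strftime("%Y-%m") == month]
    critical = [e for e in monthly if e["severity"] == "Critical"]
    high = [e for e in monthly if e["severity"] == "High"]
    medium = [e for e in monthly if e["severity"] == "Medium"]

    high_within = sum(1 for e in high if e["detected"] - e["started"] <= HIGH_DETECT)
    high_rate = high_within / len(high) if high else 1.0   # no High events: nothing to breach

    return {
        "month": month,
        "events": len(monthly),
        "critical_breaches": [e["id"] for e in critical if _notified_late(e, CRITICAL_NOTIFY)],
        "high_within_60min": high_rate,
        "high_target_met": high_rate >= HIGH_TARGET,
        "medium_breaches": [e["id"] for e in medium if _notified_late(e, MEDIUM_NOTIFY)],
    }


if __name__ == "__main__":
    report = sla_report(EVENTS, "2025-03")
    print(f"{report['month']}: {report['events']} events")
    print(f"  Critical notified >30 min: {report['critical_breaches'] or 'none'}")
    print(f"  High detected <=60 min: {report['high_within_60min']:.0%} "
          f"({'meets' if report['high_target_met'] else 'misses'} the 90% target)")
    print(f"  Medium notified >24 h: {report['medium_breaches'] or 'none'}")
```

The High row is the one worth automating: it is a percentage over a month rather than a per-event deadline, so a single slow detection does not breach it, but the tenth slow one does, and the monthly boundary (here, a February event that the March report must ignore) decides which bucket each case falls into.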
e. Exclusions
Supplier will not be liable under the following conditions:
i. Where scheduled maintenance was being carried out;
ii. Where there has been any act or omission of Customer (or its Representatives) in breach of the Services Agreement;
iii. For any security breaches caused by any Customer changes of which Supplier was not made aware;
iv. For any security breaches where Supplier takes an action requested by Customer which has not been agreed or tested as part of creating the relevant Runbook;
v. Where Threat Signatures were not made available by the Vendors to allow Supplier to identify a threat, including but not limited to Zero-day Attacks and APTs.
6. Outsourced Data Protection Officer (DPO)
A managed service where Customer can purchase a number of days (smallest amount is 0.5 days) per month for DPO services. Where Customer does not use the total amount of time in any given month, that time may be carried over to the subsequent month (but not longer).
Supplier will provide virtual consultation to Customer, information, advice and other related services, in accordance with the DPO Service Levels below, to ensure that Customer processes the personal data of its staff, customers, service providers or any other individuals (also referred to as data subjects) in compliance with Applicable Data Protection Laws and best practice.
a. Supplier Obligations
Supplier will:
i. Act as the Data Protection Officer (DPO) for Customer in accordance with Applicable Data Protection Laws;
ii. Facilitate Customer compliance with the UK/EU GDPR and other applicable data protection legislation by ensuring effective systems and controls are in place to enable Customer to comply with their legal obligations;
iii. Act as Customer’s intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units;
iv. Report notifiable data breaches identified and notified to Supplier by Customer to the Information Commissioner’s Office (ICO) and any relevant supervisory authority at the end of any statutorily required notice period where the requisite notice has not been sent earlier either by Customer or by Supplier at Customer’s instruction; and
v. Inform and advise Customer’s senior management (where appointed to do so) in accordance with Supplier’s position as DPO of Customer.
b. Customer Obligations
Customer will ensure compliance with all Applicable Data Protection Laws and in particular Customer will:
i. Report all notifiable and potential data breaches to Customer’s assigned DPO [email protected] as soon as Customer becomes aware of the breach;
ii. Submit details of data breach(es) to Supplier for reporting to the ICO and any relevant supervisory authority without undue delay; and
iii. Where Customer fails to comply with the reporting obligations above, Supplier shall not be liable and Customer will indemnify Supplier for any penalties imposed by the ICO or any relevant supervisory authority, and for any third-party claims, arising from failure and/or delay in reporting notifiable breaches.
c. DPO Service Levels
Priority levels will be addressed in line with the following Service Levels.
Priority | Acknowledgement | Response | Resolution |
Critical | 1 hour | 1 hour | 1 day |
Urgent | 4 hours | 4 hours | 2 days |
Standard | 1 day | 3 days | 5 days |
Scheduled | 1 day | Mutual agreement | Mutual agreement |
All Service Levels apply only from 9:00am to 5:30pm GMT Monday to Friday excluding UK bank holidays (“Working Hours”). All DPO Service requests must originate with an email sent to the allocated DPO and copied to [email protected] and the subject line must contain the priority in accordance with the following:
i. Critical:
e.g., a serious incident (mass data breaches or a live data threat such as ongoing data theft) where immediate support to contain or reduce the impact is warranted.
1 hour; issue to be raised by emailing the consultants and the DPO mailbox (add “critical” to the subject heading and set the “high importance” flag) and by phoning it in.
ii. Urgent:
e.g., an incident/breach which has essentially stopped, or other topics with high time pressures and financial or reputational risks for the business.
4 hours to 1 day; issue to be raised by emailing the consultants and copying in the DPO mailbox (add “urgent” to the subject line and set the “high importance” flag).
iii. Standard Priority:
e.g., advice and guidance on matters with shorter timescales (regulatory response, DSARs, etc.).
Next 1-3 business days (to be agreed based on circumstances); issue to be raised by emailing the consultants and copying in the DPO mailbox, or agreed over Teams or another conversation, with the actual timeline agreed in the initial reply.
iv. Scheduled:
Anything else, including development, the DPIA process and project support.
Timescales to be agreed on a case-by-case basis, typically around 1 week but longer for larger items with higher complexity and longer lead times; raised by emailing the consultants and the DPO mailbox, or via another conversation.
7. Penetration Testing (Standard and Simulated Attack)
a. Standard Penetration Testing
Supplier will perform penetration testing that evaluates Customer systems to validate and exploit known vulnerabilities by assessing critical external and/or internal assets and/or APIs and/or web applications and/or mobile applications and/or cloud infrastructure and/or wireless infrastructure and/or physical security controls/sites and/or hardware and/or exposed online content (OSINT) and/or staff security awareness (Social Engineering/phishing), using experienced penetration testers to determine if Customer’s organisation is susceptible to attacks. Supplier will provide a report in both online and downloadable versions within ten (10) working days of completion of a test.
a.1 Definitions
“Late Availability Test” means a Penetration Test for which Customer contacts Supplier with five working days or less notice.
“Test Start Time” means the provisional or definitive date and time listed in the Order Form (or otherwise later expressly agreed by the parties in writing) that determines when the Services will commence.
“Open-Source Intelligence (OSINT)” – the collection and analysis of publicly available information to verify what information can be extracted about an organisation or individual before any hypothetical attack would take place.
“Social Engineering (Phishing/Vishing)” – the conduct of controlled phishing campaigns to allow an organisation to test its resilience, such exercises being customisable to target specific departments, remote workers, executive level staff or everyone across the business, allowing Customer to determine whether more training or stricter policies are required.
a.2 Customer Obligations
To submit, by upload into the Platform, any necessary further scope details at least 10 Business Days prior to the start of the Penetration Tests for efficient scheduling of necessary resources and time.
Where Customer fails to submit the necessary scope details within 10 Business Days prior to the start of the Penetration Tests, Supplier shall reschedule the Penetration Test.
Customer and Supplier will agree dates promptly after the Commencement Date or as set forth in the Order Form for Supplier to deliver the Services within 12 months of the execution of the Order Form and, where Customer fails to agree dates for the Services through no fault of Supplier, Customer will forfeit their right to the Services for the relevant 12-month period and, for the avoidance of doubt, no refund or waiver of Fees or related costs, all owed upon execution of the Order Form, will be issued by Supplier.
Where Customer requests a Late Availability Test and fails to timely provide Supplier with the necessary information to commence the Penetration Test, Supplier shall not be obliged to carry out the relevant Services and Customer will not be entitled to any refunds or waiver of Fees or related costs.
Customer acknowledges that the Service will be provided remotely unless explicitly requested and agreed otherwise. If onsite access is required to facilitate testing, Supplier will provide the option of customer present equipment (CPE) to facilitate remote testing from Supplier’s secure remote location. In person tests may be provided upon request by Customer or Supplier, subject to approval by Supplier.
Customer acknowledges that a Penetration Test is a snapshot in time and that it is limited to the actions set out on the Order Form (which actions may be agreed in an incorporated scope Annex document).
Customer shall comply with any rules imposed by any third party whose content or services are accessed via the Services.
Customer shall inform Supplier forthwith if any of the Services are subject to interference or malfunction.
Customer, prior to Penetration Tests, must proactively and appropriately backup all critical data from its Systems that will form part of the Penetration Tests.
For hardware/device assessments, Customer is required to provide the hardware in scope at least two (2) weeks before the start date of the assessment to allow adequate time for Supplier to confirm connectivity. The following are also required where possible:
i. Any cables, interfaces or power supplies that would be required for normal hardware operation;
ii. Where the tester would be allowed to open the device up, any hardware security/anti-tamper devices should be disabled (for example, card payment terminals automatically become unusable/self-wipe if opened);
iii. Product and API documentation, if applicable;
iv. Schematics (depending on the scope of the engagement); and
v. Firmware images (depending on the scope of the engagement).
b. Simulated Attack Penetration Testing (Red, Purple and Black Teams)
Supplier will perform a special form of penetration testing: a simulated cyber-attack that will aim to achieve specific goals set by Customer and evaluate Customer systems to validate and exploit known vulnerabilities in critical systems and/or physical onsite locations, using experienced penetration testers to determine if Customer’s organisation is susceptible to real-world attack vectors. Supplier will provide a report in both online and downloadable versions within 5 working days of completion of a test.
b.1 Definitions
In addition to the Penetration Testing definitions in 7.a.1 above, the following apply:
“Red Team” - A red team engagement is an objective-driven assessment that uses tactics, techniques, and procedures (TTPs) to emulate real-world threats. The engagement comprises various activities (chained or not) to assess the possibility of accessing particular systems/data or physical locations (Black Team assessments). Such activities aim to attack people, processes, and technology to reach pre-defined goals, as opposed to solely measuring their defensive effectiveness. The methodology of a Red Team is bespoke and is created during the scoping phase depending on the goals and attack paths Customer wants to explore during the assessment. These attack paths predominantly focus on Physical Locations, Staff, and Infrastructure & Technology, as each possesses its own threat profile.
“Purple Team” – A purple team engagement is a Red Team engagement with a higher level of collaboration and feedback between the offensive and defensive teams. Ultimately, this tends to provide a higher level of coverage within the assessment’s time period as the collaboration can help guide the offensive team to focus on specific areas of weakness or to tailor attacks against software and systems in use. This also gives the opportunity for defensive teams to tune their detection, response and containment capabilities.
“Black Team” - This is a Physical Security assessment that utilises a bespoke scope to satisfy Customer’s specific aims and goals. The assessments highlight the strengths and weaknesses of the physical security controls in place and provide in-depth recommendations on how each reviewed site could improve its overall physical security posture. Often, the security of IT infrastructure and data that is only available “internally” is given lower priority in an organisation’s ongoing hardening and issue remediation campaigns. This can lead to security gaps, as the only barrier to accessing these resources may be that an attacker needs to be physically inside the premises. These exercises help show the viability of an external attacker gaining this level of access and highlight the subsequent risk landscape if this situation were to arise in the real world.
b.2 Additional Customer Obligations
All engagement options require trusted parties to attend an enhanced scoping and planning workshop prior to the start of the engagement. This must be completed a minimum of two (2) weeks prior to the start of any complex red team engagement (Black Team, Purple Team, Red Team). This workshop is mandatory to ensure the safe and correct delivery of the engagement; failure to complete this workshop will affect project start dates.
Customer must ensure that the required technical and trusted contacts are available throughout the engagement. Emergency and out of hours contact processes will be put in place and both Customer and Supplier must adhere to these.
Customer acknowledges that the Service will be provided remotely unless explicitly requested and agreed otherwise, dependent on the rules of engagement. If onsite access is required to facilitate testing, a minimum of two emergency contacts must be provided and available for contact throughout any on-site phases. Further to this, a letter of authorisation is required so that operatives can verify their identity and authority to be onsite if questioned by Customer. Customer is responsible for ensuring that this authorisation letter and the emergency contacts possess sufficient authority to authorise Supplier and to provide a suitable level of indemnity in any situations that may involve law enforcement escalations or internal security.
Where onsite presence is required, Customer is required to highlight any environmental factors, restricted areas, equipment or security controls that may impact the safety of Supplier.
Customer will adhere to any rules of engagement, processes and any additional obligations agreed upon in the scoping and planning workshop. These will be clearly defined and provided to Customer in writing following the workshop and prior to the start of the engagement; any changes to this document must be agreed on by both parties.
Customer may be required to ensure operational secrecy is maintained within the organisation. Any failure in this process may impact the results and outcomes of the engagement; Supplier will ensure any concerns around operational secrecy and its impact are raised in writing to the trusted parties prior to adding caveats and amendments to report findings.
Customer must provide all information required during scoping and planning sessions and ensure this information is accurate to the best of their knowledge; attempts to deliberately hinder or manipulate the engagement will be documented and included in the final report.
Where Customer engages Supplier to provide a Simulated Attack engagement, Customer further represents and warrants to Supplier that Customer: a) has the necessary authority to instruct Supplier to provide the Red Team engagement; and b) shall sign a letter of authority (duly signed by an authorised member of the executive board or equivalent) in the eventuality that Supplier requires it.
Simulated Attack Cancellation charges:
In addition to the charges set forth in the Services Agreement Standard Terms for services related to non-Supplier delay, cancellation and rescheduling charges, for costs related directly to the administration, system, personnel, facilities, third party and/or other allocated resources associated with scheduled Services, the following charges will apply to any Customer short-term cancellation and rescheduling:
a. cancellation or rescheduling requested between 30 and 20 days before the scheduled start date for delivery of any Services: 20% of the scheduled Service Fees of the cancelled or rescheduled Service(s); or
b. for cancellation or rescheduling requested between 19 and 15 days before the scheduled start date for delivery of any Services: 40% of the scheduled Service Fees of the cancelled or rescheduled Service(s); or
c. for cancellation or rescheduling requested within 14 days before the scheduled start date for delivery of any Services: 100% of the scheduled Service Fees of the cancelled or rescheduled Service(s).
b.3 Additional Supplier Obligations
Supplier will make commercially reasonable efforts to ensure testing activities are carried out professionally and minimise risk to Customer’s operations. Simulated Attack activities will be logged and any actions that cannot be reverted by the Supplier during clean-up phases will be included in the report as "Clean Up Actions" with clear instructions to enable Customer to remove all traces of Simulated Attack activity at the conclusion of the project.
Supplier will notify Customer and cease testing should evidence of real ongoing threat activity be discovered during the engagement.
Supplier will ensure all communication channels used during the engagement are encrypted at all points and any operational data including log sources are backed up and securely encrypted within controlled networks.
All Red Team actions by all team members during the engagement are recorded. Operations Logs can be made available to Customer at any point during the engagement on request. At a minimum, the following data is provided for all activities: time, date, source, target and action.
Where onsite presence is required, the Health & Safety of the operatives is the responsibility of Supplier during the assessment. Due to this, the safety of the operatives and the risks from each activity will be continuously reviewed by the Team Leader of each assessment. If it is found that the security controls in place or conditions of a site in scope may present a risk to the operatives, the team may decide that it is unsafe to proceed. Examples of this would include unsafe areas under construction, the use of armed guards, electric fences or guard dogs. In such an event, the operatives will raise these concerns in writing to Customer.
For onsite Black Team assessments, a number of key points will be adhered to for every assessment:
i. No use of violence, threat of violence or threatening behaviour on any engagement;
ii. Unless otherwise specified, no action will be performed that has a high likelihood of damaging Customer’s site or its assets (this includes acts such as lock picking or pushing open weak magnetic door locks);
iii. The impersonation of a Police officer, Fire Officer or Health & Safety Inspector is not permitted;
iv. No unlawful activity is permitted; and
v. A full record of each visit will be maintained.
8. Virtual Chief Information Security Officer (VCISO)
Supplier will provide a remote managed service that includes an experienced Information Security Consultant to build and implement information security strategy for Customers. The service may require an initial Cyber Security Assessment to establish the current security posture of Customer’s organisation and enable Supplier’s Consultant to build a strategy. This Service can also provide support to manage existing security frameworks such as Cyber Essentials and ISO 27001. On-site visits may be arranged, where agreed, with Customer in exceptional circumstances.
a. Supplier Obligations
Supplier will provide regular updates to Customer where reasonably requested;
Supplier will provide regular (at least monthly, at Supplier’s discretion) updates on the progress of the implementation of the agreed security strategy;
Supplier will only amend any agreed strategy with the written agreement of Customer; and
Supplier will work with third party suppliers of Customer where reasonably requested (e.g., outsourced IT providers).
b. Customer Obligations
Customer will notify Supplier’s designated VCISO of changes to Customer’s business including, interpreted broadly:
a. Structural/organisation changes e.g., acquisitions, sales;
b. Critical role and responsibility changes;
c. Key Customer supplier changes that may impact on information security;
d. New Customer supplier onboarding that may impact information security;
e. New software/solutions/hardware/cloud services that are planned; and
f. Key personnel changes.
Customer will notify the VCISO of any security incidents or data breaches of which it becomes aware.
Customer will notify VCISO of any Customer regulatory, legislative and/or contractual requirements.
Customer will, when raising a request for assistance from its VCISO, ensure that [email protected] is copied on all messages.