STANDARD TERMS AND CONDITIONS
UPDATED 26 JANUARY 2022
THE SERVICE AND ONSECURITY'S OBLIGATIONS
- OnSecurity shall provide the Service to the Client, which the Client agrees to accept and pay for, including:
- the performance of Security Assessment Services against Targets specified by the Client's Authorised Users. This may include IT infrastructure, including websites, servers, networking equipment, buildings, email addresses and telephone numbers.
- provision of access to the Portal to the Client's Authorised Users.
- OnSecurity shall use commercially reasonable endeavours to make the Portal available to the Client 24 hours a day, seven days a week, except for: (i) planned maintenance carried out during the maintenance window of 1900 to 0300 GMT; and (ii) unscheduled maintenance performed outside usual business hours (0900 to 1800 GMT each business day).
- OnSecurity agrees not to test any Targets without the Client's prior authorisation.
- OnSecurity's normal Penetration Testing Hours are 0900 to 1800 GMT, each Business Day (Monday to Friday inclusive, except for bank/public holidays). If the Client requires testing outside of this period, this will have to be agreed with OnSecurity. OnSecurity also has the right to charge an additional surcharge, as agreed with the Client, when conducting testing outside the OnSecurity Normal Testing Hours.
- Vulnerability scanning performed by Scan can take place at any time from 00:00 to 23:59, 7 days a week. The Scan will typically take place at the same time on the Client subscription interval (daily, weekly, quarterly) as the first Scan was initiated.
- The Client may choose to stop penetration testing at any time either via the Portal, email or phone and OnSecurity will endeavour to cease testing as soon as practically possible.
- OnSecurity shall deliver the Service with a high degree of skill, competence and expertise in a responsible and professional manner in accordance with the sector's best practices and shall use its best endeavours not to change or amend any applications, data, programs or components of the Client's network or computer system (including hardware and software).
- OnSecurity shall ensure that any personnel involved in the provision of the Service shall have qualifications and experience appropriate to the tasks to which they are allocated.
- OnSecurity shall retest any Penetration Testing issues for free during the test and for 14 days after the test ends.
- OnSecurity will immediately notify the Client, via either the Portal, email or phone, of any critical vulnerability that exposes a Target to immediate risk of compromise, or which exposes the Client to immediate risk of reputational, financial or operational loss.
- OnSecurity hereby warrants that it has all necessary rights, authorisations and licences to provide the Service and, in providing the Service, it is not infringing the intellectual property rights of any third party.
- OnSecurity shall not conduct any intentional Denial of Service (DoS) testing at any time.
- OnSecurity shall provide the Client with an estimate of any reasonable expenses that will be incurred prior to commencing any onsite testing.
- The Client acknowledges and agrees that OnSecurity and/or its licensors own all intellectual property rights in the Service and the Portal. Except as expressly stated herein, this Agreement does not grant the Client any rights to, or in, patents, copyrights, database right, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Service.
- OnSecurity shall keep logs of actions taken and, in line with its data retention procedure, these shall be retained, along with all other Client files, for six years and then destroyed.
- OnSecurity shall store all Client data within a secure data centre in the United Kingdom or other EU state which complies with ISO 9001, ISO 27001 and ISO 27018 standards. All Client data will be encrypted at rest using industry standard encryption algorithms.
SCAN BY ONSECURITY
- Scan is an asset discovery, vulnerability management and vulnerability scanning service provided as is by OnSecurity to the Client. Since vulnerability scanning is a subset of the activities which take place during penetration testing, the terms set out in all sections of this agreement also apply to automated vulnerability scans performed on Client targets by the OnSecurity Scan vulnerability management service. OnSecurity makes further provision for the following:
- The Client hereby grants OnSecurity the right to perform vulnerability scanning against any target marked by the Client as 'enabled' for scanning by Scan (using the 'Target Management' interface). This right is granted upon the Client clicking the 'Play' icon on the Scan dashboard, which initiates Scanning.
- Vulnerability scanning performed by Scan can take place at any time from 00:00 to 23:59, 7 days a week. The Scan will typically take place at the same time on the Client subscription interval (daily, weekly, quarterly) as the first Scan was initiated.
- As per clause 53 below, the Client assumes responsibility for the accuracy of the Targets provided to Scan for vulnerability scanning. The Client shall ensure the targets provided to Scan (even those identified by OnSecurity’s sub-domain enumeration tools) are the property of the Client, or that the Client has written consent to permit OnSecurity to commence vulnerability scanning of the Targets.
- The Client accepts any liability that may arise from the vulnerability scanning of targets provided which are not the property of the Client, or that the Client did not have written consent to commence vulnerability scanning on.
PHISH BY ONSECURITY
- Phish is an automated simulated phishing service provided as is by OnSecurity to the Client.
- The purpose of the simulated phishing email is to mimic a real-world phishing attack, enticing the user to open the email, click a link in the email (the link being to an OnSecurity-owned web property), and enter credentials in the web property.
- The Client hereby grants OnSecurity the right to send benign simulated phishing emails to all the email addresses provided by the Client in the ‘Manage Targets’ section of the Phish dashboard. This right is granted when the Client clicks ‘Start Campaign’ (or ‘Play’ or the ‘Play’ icon) next to a campaign on the OnSecurity Phish dashboard, which initiates the simulated phishing campaign.
- Phish is not a test of technical email defences such as phishing or spam detection. It is the responsibility of the Client to ensure that each phishing email is not blocked by any defences which may be in place, and that the sending domain of the simulated phish is whitelisted by any relevant technologies and mail service providers. OnSecurity accepts no responsibility for the deliverability or otherwise of the simulated phishing emails.
- OnSecurity records only the actions taken by individuals in relation to the simulated phishing campaigns, and does not record any data inputted, such as credentials.
- The Client is expressly forbidden to add simulated phish targets of individuals outside of their own organisation. OnSecurity reserves the right to immediately terminate the Client subscription, and revoke access to the OnSecurity platform, should OnSecurity detect that simulated phish campaigns were launched against users outside of the Client organisation.
- OnSecurity shall not be liable for the accuracy of the target email addresses added by the Client. Any emails delivered to individuals in error shall be the sole responsibility of the Client.
- The Client accepts any liability that may arise from the simulated phishing of individual targets entered incorrectly in the ‘Manage Targets’ interface.
- The Client further accepts any liability that may arise as a result of running any of the campaigns against individuals in the Client's organisation. The campaigns are provided as is and it is for the Client to decide whether they are suitable for the needs of the Client organisation.
- The number of campaigns executed depends on which plan the Client is subscribed to. The Starter plan entitles the Client to two simulated phishing campaigns per year. The Scale plan entitles the Client to four simulated phishing campaigns per year.
RADAR BY ONSECURITY
- Radar is an open source intelligence gathering and passive scanning service provided as is by OnSecurity to the Client.
- Radar searches a database of Open Source data, as well as carrying out passive checks on Client assets to identify potential threats to the Client.
- A ‘threat’ in this instance is defined as a piece of information which, in the opinion of OnSecurity’s in-house experts, could be used to potentially cause harm or to form the basis of an attack against the Client organisation.
- Searches of the data are made on the basis of the Client domain, which is typically inferred from the initial Client user’s email address suffix.
- OnSecurity has no control over the data in 3rd party data stores, and cannot remove items such as client credentials from these data stores.
- The Client accepts that OnSecurity may present information (such as historical passwords) which the Client is already aware of.
- OnSecurity makes recommendations in relation to any finding Radar identifies. These recommendations are for guidance only, and the Client should exercise judgement and caution in relation to applying each recommendation to the unique requirements of the Client organisation.
- The Client assumes responsibility for the outcome of any recommendation which the Client chooses to apply, in relation to Radar findings.
PROSPECTOR BY ONSECURITY
- OnSecurity Prospector is a sales intelligence tool designed to be used during the sales process for Managed Service Providers, Value Added Resellers, Systems Distributors and Systems Integrators.
- Prospector is primarily designed as a tool to be used for identifying cross-sell and upsell opportunities for security products and services in existing client lists.
- OnSecurity does not approve the use of Prospector for speculative sales opportunities on businesses the Prospector user has no existing relationship with.
- Since Prospector uses the OnSecurity Scan and Radar products, the conditions set out in Clauses 19-23 and Clauses 34-41 above also apply to the Prospector service.
- Prospector active and passive scans are billed using a credit system, and payment for credit top-ups must be made in advance via debit or credit card before credits are applied to the account.
- Prospector Credits are non-refundable.
- Further to Clause 22 above, OnSecurity reserves the right to immediately terminate, without refund, the account of any user or client organisation that launches an Active Scan for which OnSecurity deems that the Client does not have the permission of the asset/target owner to scan.
- OnSecurity reserves the right to immediately terminate, without refund, the account of any user or company, should OnSecurity receive an abuse report from its hosting providers in relation to a Prospector Scan executed from that account.
THE CLIENT'S RIGHTS AND OBLIGATIONS
- The Client hereby grants to OnSecurity the right to perform Security Assessment Services against authorised Targets. OnSecurity will not be held responsible for any incorrectly entered Target information.
- The Client understands OnSecurity shall only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools and methodologies deployed by OnSecurity. The Client accepts that it is in the nature of Security Assessment Services that there may be vulnerabilities which will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and therefore agrees that it shall not, now or in the future, hold OnSecurity liable for such vulnerabilities.
- The Client shall identify and disclose to OnSecurity any third parties that may conceivably be affected by OnSecurity testing activities, and any damages and/or loss of service caused by the Client's failure to identify and/or disclose such third parties shall remain the sole responsibility of the Client. The Client therefore indemnifies OnSecurity against all and any costs or damages howsoever arising from non-disclosure.
- The Client shall ensure that Targets are the property of the Client or shall be fully responsible for obtaining written consent to test the Targets from the legal owner prior to authorising such Targets for testing. OnSecurity will not be held responsible for any incorrectly entered Target information.
- The Client shall immediately notify OnSecurity in the case of any unexpected event or out-of-scope problems which may impact OnSecurity or the delivery of the Service.
- The Client warrants that each Authorised User shall keep a secure and confidential password for their use of the Portal and that such password shall be changed no less frequently than every 90 days.
- The Client shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Portal and, in the event of any such unauthorised access or use, promptly notify OnSecurity.
- The rights provided to the Client under this Agreement are granted to the Client only, and shall not be considered granted to any subsidiary or holding company of the Client.
- The Client shall not (except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement):
- attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Portal as part of the Service in any form or media or by any means; or
- attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Portal; or
- access all or any part of the Portal in order to build a product or service which competes with the Portal; or
- use the Portal to provide services to third parties; or
- license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Portal available to any third party except the Authorised Users, or
- attempt to obtain, or assist third parties in obtaining, access to the Portal, other than as provided under this clause 2.
- The Client shall be solely responsible for procuring and maintaining its network connections and telecommunications links from its Targets to OnSecurity's testing devices, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Client's network connections or telecommunications links or caused by the internet.
- The Client understands it has sole responsibility for the adequate protection and backup of data and/or equipment used in connection with OnSecurity Assessment Services and will not make a claim against OnSecurity for lost data, re-run time, inaccurate output, work delays or lost profits resulting from the Service.
- OnSecurity reserves the right to terminate, with no notice, the account or accounts of any Client deemed to have created multiple accounts for the purposes of bypassing usage or tier limits on the platform or its products.
- In accordance with the European Convention on Human Rights and the Human Rights Act 1998, OnSecurity respects that everyone has the right to respect for his private and family life, and commits to apply standards that provide adequate protection to clients and members of the public from unwarranted infringements of privacy.
- If OnSecurity processes any personal data, as such term is defined in the Data Protection Act 1998 or, when applicable, the General Data Protection Regulation ("GDPR") ("Personal Data"), on the Client's behalf when performing its obligations under this Agreement, the parties record their intention that the Client shall be the Data Controller and OnSecurity shall be a Data Processor and in any such case:
- OnSecurity shall only process Client Personal Data on the written instructions of the Client;
- the Client shall ensure that it is entitled to transfer the Personal Data to OnSecurity so that OnSecurity may lawfully use, process and transfer the Personal Data in accordance with this Agreement on the Client's behalf;
- OnSecurity shall ensure that people processing the Personal Data are subject to a duty of confidence; take appropriate measures to ensure the security of processing; only engage sub-processors with the prior consent of the Client and provide reasonable assistance to the Client in ensuring compliance with relevant Data Protection legislation.
- OnSecurity shall not transfer any Client data (or Personal Data relating to Customers of the Client) outside the EU, or use this Personal Data for marketing purposes.
- OnSecurity warrants it shall take all reasonable steps to ensure that it secures its computer material against unauthorised access or modification by individuals or groups of individuals with a criminal motive in accordance with the 1990 Computer Misuse Act.
CHARGES AND PAYMENT
- OnSecurity may unilaterally change its Penetration Testing hourly fee or Scan subscription rates but must inform the Client at least 30 calendar days in advance of the provision of Services. If the Client does not agree to pay the revised fee each Party will be entitled to terminate the Agreement.
- OnSecurity shall invoice the Client for hours booked for Penetration Testing on completion. Where there are hours unused, these will remain as a credit on the Client's portal for 12 months from the date of purchase. Unused hours on the account cannot be refunded as cash.
- Time for payment shall be 30 days from the date of the invoice. All invoices and supporting documentation shall be emailed to the primary client administrator. A different email for invoicing can be nominated by contacting OnSecurity.
- The Client may purchase additional testing hours at any time via the Portal. Payment can be made electronically or it can be added to the next invoice.
- OnSecurity may provide the Client with an estimate of how many hours it will take to complete Penetration Testing against a Target prior to testing commencing; however, it is understood by the Client that estimates are just that: they are not guaranteed delivery times. Testing may require more hours, which the Client will have to purchase at the standard hourly rate.
- In cases where the Client has testing hours remaining, the Client may use them to complete Penetration Testing on another Target.
- Once the Client has used all the hours they have purchased no future Penetration Tests can be scheduled until more testing hours are purchased.
- If OnSecurity has not received payment within 14 days after the due date specified on the invoice, it shall be under no obligation to provide any Services while the invoice remains unpaid and reserves the right to charge interest on the overdue amounts at a rate of 4% above the base rate of the Bank of England from the due date until the date of payment.
- Unless specified by OnSecurity, prices and charges are exclusive of VAT.
- For subscription services where payment is required (such as Scan), the Client's first monthly payment will be made prior to the commencement of the subscription, with the subscription period commencing immediately once payment is made.
- Any monthly subscription fee will be the fee advised to the client on the OnSecurity billing portal during Client onboarding.
- Any subscription fee will be billed monthly on the same date of the month (or the nearest date possible) as the first subscription fee.
- Any subscription fee will be billed monthly in perpetuity until such time as the Client cancels the subscription.
- OnSecurity reserves the right to unilaterally modify any subscription, provided 30 calendar days notice is given to the Client.
- The Client may cancel the subscription at any time using the functionality provided in the portal.
- When a subscription is cancelled, OnSecurity will continue to provide the services until the end of the monthly subscription period.
- The Client reserves the right to withhold payment of any invoice in respect of: the suspension of any performance of the Service by OnSecurity; or any work or element of the Service which does not comply with the terms of this Agreement, in each case until the circumstances giving rise to the withholding are resolved, and provided the Client gives OnSecurity written notice setting out the reasons for withholding payment promptly following its decision to do so.
- Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. "Confidential Information" means information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information. Confidential Information shall not be deemed to include information that: (a) is or becomes publicly known other than through any act or omission of the receiving party; (b) was in the other party's lawful possession before the disclosure; (c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; (d) is independently developed by the receiving party, which independent development can be shown by written evidence; or (e) is required to be disclosed by law, including but not limited to the Freedom of Information Act 2000.
- Each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this Agreement.
- Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.
- Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.
- The Client acknowledges that details of the Service, and the results of the Service, constitute OnSecurity's Confidential Information.
LIABILITY AND INDEMNITIES
- The Client shall indemnify and keep indemnified OnSecurity (its officers, directors and employees) against all claims, costs, expenses, damages and losses (including reasonable legal and other professional fees) which may arise as a result of any claim made against OnSecurity (its officers, directors and employees) and arising out of or in connection with the Client's breach of its obligations, representations, warranties or covenants under this Agreement.
- The Client shall not hold OnSecurity liable for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, punitive, incidental, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement.
- OnSecurity's total aggregate liability arising in connection with the performance or contemplated performance of this Agreement shall be limited to the total Service Fee paid for the Service during the twelve (12) months immediately preceding the date on which the claim arose.
- Subject only to OnSecurity exercising reasonable due diligence and using reasonable endeavours to procure any Third Party Services required in connection with the Service ("Third Party Services") on the best available terms, OnSecurity shall have no liability to the Client to the extent OnSecurity cannot perform its obligations to the Client under this Agreement by reason of any failure, outage or interruption in such Third Party Services nor shall OnSecurity be liable to the Client in respect of any breach of this Agreement in relation to any matter which is wholly or primarily within the control of any provider of Third Party Services.
- Force majeure: OnSecurity shall have no liability to the Client under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lockouts or other industrial disputes (whether involving the workforce of OnSecurity or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or subcontractors, provided that the Client is notified of such an event and its expected duration.
- Waiver: A waiver of any right under this Agreement is only effective if it is in writing and it applies only to the party to whom the waiver is addressed and to the circumstances for which it is given.
- Severance: If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
- Assignment: The Client shall not, without the prior written consent of OnSecurity, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. OnSecurity may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. This Agreement shall be binding upon and enure to the benefit of the respective parties and their respective personal representatives, successors and permitted assigns.
- No partnership or agency: Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
- Notices: Any notice required or permitted to be given hereunder shall be in writing, addressed to the relevant party as set out in the Terms Agreed Between The Parties.
- Inadequacy of damages: Without prejudice to any other rights or remedies that OnSecurity may have, the Client acknowledges and agrees that damages alone would not be an adequate remedy for any breach (other than breach of the Client's payment obligations hereunder) of the Terms of this Agreement by the Client. Accordingly, OnSecurity shall be entitled, without proof of special damages, to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the Terms of this Agreement.
- Governing law and jurisdiction: The validity, construction and performance of this Agreement, and all contractual and non-contractual matters arising out of it, shall be governed by English law and shall be subject to the exclusive jurisdiction of the English courts to which the Parties submit.
- Entire Agreement: This agreement constitutes the entire agreement between the parties relating to the Service. No changes, alterations or modifications shall be valid unless in writing, dated and signed by both parties.
END OF DOCUMENT