STANDARD TERMS AND CONDITIONS UPDATED 6TH MARCH 2024 ONSECURITY TECHNOLOGY LIMITED
UK Company Number; 14184026, Registered Address: Runway East, 101 Victoria Street, Bristol, England, BS1 6PU
1. THE SERVICE AND ONSECURITY'S OBLIGATIONS
1.1. OnSecurity shall provide the agreed Services with reasonable skill and care.
1.2. OnSecurity shall use commercially reasonable endeavours to make the Portal available to the Client 24 hours a day, seven days a week. However, the Client acknowledges that OnSecurity cannot guarantee availability of the Portal.
1.3. OnSecurity shall:
1.3.1. conduct manual Penetration Testing during Normal Testing Hours; 0900 to 1800 GMT, each Business Day (Monday to Friday inclusive except for bank/public holidays), except by agreement in writing with the Client. OnSecurity may charge a surcharge for conducting testing outside Normal Testing Hours;
1.3.2. conduct vulnerability scanning and automated Penetration Testing any time from 00:00 to 23:59, 7 days a week. The Scan will typically take place at the same time on the Client subscription interval (daily, weekly, quarterly) as the first Scan was initiated.
1.3.3. retest any Penetration Testing issues without additional charge during the testing round and for the duration of the Aftercare Period (7 days unless otherwise agreed by the Parties in writing).
1.3.4. for a period of 60 days following the completion of the Penetration Testing, the Client may book retesting on the same Target via the Portal, which shall be charged for accordingly.
1.3.5. not accept requests for retesting of a Target more than 60 days following the completion of the Penetration Testing but the Client may book a new Penetration Test or test round via the Portal, which shall be charged for accordingly.
1.3.6. during Penetration Testing, immediately notify the Client via the Portal, of any critical vulnerability that exposes a Target to an immediate risk of compromise, or which exposes the Client to immediate risk of reputational, financial or operational loss;
1.3.7. provide the Client with an estimate of any reasonable expenses that will be incurred prior to commencing any on-site testing or any other testing likely to incur expenses;
1.3.8. keep logs of actions taken and in line with its data retention procedure, these shall be retained along with all other Client files, for six years and then destroyed; and
1.3.9. store all Client data within a secure data centre in the United Kingdom or European Union member state which complies with ISO 9001, ISO 27001 and ISO 27018 standards. All Client data will be encrypted at rest using industry standard encryption algorithms.
1.4. OnSecurity shall not:
1.4.1. test any Targets without prior authorisation in Portal, or any other appropriate communication medium, from the Client; or
1.4.2. conduct any intentional Denial of Service (DoS) testing at any time.
1.5. The Client may choose to stop testing at any time via the Portal and OnSecurity will endeavour to cease testing as soon as practically possible.
1.6. The Client acknowledges that:
1.6.1. OnSecurity may provide the Client with an estimate of how many hours it will take to test a Target prior to testing commencing, but estimates are not guaranteed delivery times. Testing may require more hours which the Client will need to purchase at the Rates in the Portal; and
1.6.2. OnSecurity shall only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools and methodologies deployed by OnSecurity. The Client accepts that it is in the nature of IT penetration testing activities that there may be vulnerabilities which will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and therefore agree that it shall not, now or in the future, hold OnSecurity liable for such vulnerabilities or for not identifying them.
1.7. OnSecurity warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement.
1.8. OnSecurity does not warrant that:
1.8.1. the Client's use of the Services will be uninterrupted or error-free; or
1.8.2. that the Services and/or the information obtained by the Client through the Services will meet the Client's requirements.
1.9. OnSecurity is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Client acknowledges that the Services and Documents may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
2. SCAN BY ONSECURITY
2.1. Scan is an asset discovery, vulnerability management and vulnerability scanning service provided as is by OnSecurity to the Client. Since vulnerability scanning is a subset of the activities which take place during penetration testing; the terms set out in all sections of this agreement also apply to automated vulnerability scans performed on the Client targets by OnSecurity Scan. OnSecurity makes further provision for the following:
2.1.1. The Client hereby grants OnSecurity the right to perform vulnerability scanning against any target marked by the Client as 'enabled' for scanning by Scan (using the 'Target Management' interface).
2.1.2. Vulnerability scanning performed by Scan can take place at any time, 7 days a week. The Scan will typically take place at the same time on the Client subscription interval (daily, weekly, quarterly) as the first Scan was initiated. ‘On-demand’ scanning, initiated by the Client, will take place as soon as reasonably possible, using the on-demand feature on the Scan interface.
2.1.3. the Client assumes responsibility for the accuracy of the Targets provided to Scan for vulnerability scanning. The Client shall ensure the targets provided to Scan (even those identified by OnSecurity's enumeration tools) are the property of the Client, or that the Client has written consent to permit OnSecurity to commence vulnerability scanning of the Targets.
2.1.4. The Client accepts any liability that may arise from the vulnerability scanning of targets provided which are not the property of the Client, or that the Client did not have written consent to commence vulnerability scanning on.
3. RADAR BY ONSECURITY
3.1. Radar is an open source intelligence gathering, active and passive scanning service provided as is by OnSecurity to the Client.
3.2. Radar searches various databases of Open Source data, as well as carrying out passive checks on Client assets to identify potential threats to the Client.
3.3. A 'threat' in this instance is defined as a piece of information which, in the opinion of OnSecurity's in-house experts, could be used to potentially cause harm or to form the basis of an attack against the Client organisation.
3.4. Searches of the data are made on the Targets enabled by the Client. The initial target created is the Client domain which is inferred from the Client user’s email address suffix.
3.5. OnSecurity has no control over the data in 3rd party data stores, and cannot remove items such as client credentials from these data stores.
3.6. The Client accepts that OnSecurity may present information (such as historical passwords) which the Client is already aware of.
3.7. OnSecurity makes recommendations in relation to any finding that Radar identifies. These recommendations are for guidance only, and the Client should exercise judgement and caution in relation to applying each recommendation to the unique requirements of the Client’s organisation.
3.8. The Client assumes responsibility for the outcome of any recommendation which the Client chooses to apply, in relation to Radar findings.
3.9. The Client hereby grants OnSecurity the right to perform active scanning against any Target marked by the Client as 'enabled' for scanning by Radar (using the 'Target Management' interface).
4. CLIENT OBLIGATIONS
4.1. The Client grants to OnSecurity the right to perform IT penetration testing activities, vulnerability scanning or any other security assessment related activities against Targets. OnSecurity shall not be held responsible or liable for any incorrectly entered Target information.
4.2. The Client will:
4.2.1. cooperate with OnSecurity as necessary under this Agreement including provided all necessary information to allow OnSecurity to provide the Services including the Client Data, security accessing information;
4.2.2. carry out all Client responsibilities set out in this Agreement in a timely and efficient manner. In the event of delays caused by the Client, OnSecurity may adjust any agreed timetable or delivery schedule as reasonably required by OnSecurity;
4.2.3. except as otherwise expressly provided in this Agreement, solely responsible for procuring, maintaining and securing its network connections and telecommunications links from its systems to OnSecurity's data centers, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Client's network connections or telecommunications links or caused by the internet.
4.3. The Client shall:
4.3.1. use all reasonable endeavors to prevent any unauthorised access to, or use of, the Services. In the event of any such unauthorised access or use, immediately notify OnSecurity on becoming aware of such unauthorised access or use;
4.3.2. ensure that, where it is aware that or suspects that its own network and systems have been compromised (including any attack on its systems such as a denial of service attack or ransomware), it shall notify OnSecurity immediately;
4.3.3. identify and disclose to OnSecurity any third parties that may conceivably be affected by OnSecurity’s Services, and any damages and/or loss of service caused by the Client’s failure to identify and/or disclose such third parties shall remain the sole responsibility and liability of the Client. The Client therefore indemnifies OnSecurity against all costs or damages howsoever arising from such activities;
4.3.4. ensure that Targets are the property of the Client or shall be fully responsible for obtaining written consent to test the Targets from the legal owner prior to authorising such Targets for testing;
4.3.5. immediately notify OnSecurity in the case of any unexpected event or out-of-scope problem which may impact OnSecurity or the delivery of the Services;
4.3.6. ensure that each User shall keep a secure and confidential password for their use of the Portal and that such password shall be changed no less frequently than every 90 days.
4.4. Failure to notify OnSecurity of events mentioned in clause 4.3 shall be considered a material breach of this Agreement.
4.5. Where OnSecurity has been notified of any of the events under clause 4.3 above, OnSecurity shall be entitled to temporarily suspend the Services, without liability to the Client, until OnSecurity is satisfied that it is able to provide the Services to the Client without the risk that:
4.5.1. the Services may be accessed by an unauthorised person; or
4.5.2. that OnSecurity’s own network and systems could be compromised.
4.6. The Client shall have sole responsibility for:
4.6.1. procuring and maintaining its network connections and telecommunications links from its Targets on OnSecurity’s testing devices, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Client’s network connections or telecommunications links or caused by the internet;
4.6.2. the adequate protection and backup of data and/or equipment used in connection with this IT penetration testing and will not make a claim against OnSecurity for lost data, re-run time, inaccurate output, work delays or lost profits resulting from the Services; and
4.6.3. the legality, reliability, integrity, accuracy and quality of all such Client Data which is not Personal Data.
5. SERVICE FEES AND PAYMENT
5.1. OnSecurity may unilaterally change its Penetration Testing or Service hourly fee but must inform the Client at least 30 calendar days in advance of the provision of Services. If the Client does not agree to pay the revised fee each Party will be entitled to terminate the Agreement.
5.2. The hourly rate will be fixed at the time of booking a testing round and any subsequent rate changes shall not apply to an already booked testing round and additionally this fixed hourly rate shall apply to retesting on the same Target outside of the Aftercare period.
5.3. OnSecurity shall invoice the Client on the dates stated in the Portal.
5.4. The Client shall pay each invoice:
5.4.1. immediately on the date of such invoice for all Split Billing purchases;
5.4.2. immediately on the date of such invoice for electronic automatable means such as direct debit or payment card non-Split Billing purchases; and
5.4.3. within 14 days after the date of such invoice for BACS non-Split Billing purchases.
5.5. OnSecurity may provide the Client with an estimate of how many hours it will take to complete Penetration Testing against a Target prior to testing commencing, however it is understood by the client that estimates are just that, they are not guaranteed delivery times. Penetration Testing may require more hours which the Client will have to purchase at the standard hourly rate.
5.6. If OnSecurity has not received payment on the due date specified on the invoice, it shall be under no obligation to provide any Services while the invoice remains unpaid and reserves the right to charge interest on the overdue amounts at a rate of 4% above the base rate of the Bank of England from the due date until the date of payment.
5.7. OnSecurity may, without liability to the Client, disable the Client’s passwords, accounts and access to all or part of the Services for the period of time where any unpaid invoices remain unpaid.
5.8. OnSecurity is an innovative technology led services business, therefore certain elements of Penetration Tests or other services/products may be partially delivered using our proprietary software. OnSecurity may include platform fees for the use of our software partially in-lieu of manual testing. Any platform fees will not be additional costs and are a replacement for previously manual efforts.
5.9. Unless specified by OnSecurity, prices and charges are exclusive of VAT.
5.10. Where there are hours unused, these will remain as a cash balance on the Portal for 12 months from the date of purchase (the “Cash Balance”). Unused Cash Balance cannot be refunded. Cash balance will expire 12 months following the date purchase, following which it will not show in the Portal.
6. SCAN AND RADAR FEES AND PAYMENT
6.1. For subscription services where payment is required (such as Scan and Radar) such subscription fee will be advised to the Client on the Portal, the Client's first payment will be made prior to the commencement of the subscription.
6.2. The Subscription Period will commence immediately once payment is made.
6.3. The Client shall pay each subscription service invoice:
6.3.1. immediately on the date of such invoice for electronic automatable means such as direct debit or payment card purchases; and
6.3.2. within 14 days after the date of such invoice for BACS purchases.
6.4. OnSecurity may unilaterally change its subscription rate but must inform the Client at least 30 calendar days in advance of the change to the subscription rate. If the Client does not agree to pay the revised subscription rate each Party will be entitled to terminate the Agreement.
6.5. The subscription rate may be changed immediately upon the written agreement of the parties.
6.6. OnSecurity reserves the right to unilaterally modify any subscription, provided 30 calendar days’ notice is given to the Client.
6.7. Any subscription fee will be billed before each Subscription Period in perpetuity until such time as the Client cancels the subscription.
6.8. The Client may cancel the subscription at any time using the functionality provided in the Portal.
6.9. When a subscription is cancelled, OnSecurity will continue to provide the services until the end of the current Subscription Period. The subscription rate for the remaining Subscription Period is non-refundable.
7. SPLIT BILLING (OPTIONAL)
7.1. When purchasing the Services, or any other service or product offered by OnSecurity that OnSecurity considers eligible, the Client may be given the option to split the purchase price into multiple payments (the concept of “Split Billing”) made over a period of time (normally 12 months) the “Split Billing Purchase Period”.
7.2. Split Billing is optional and the Client must positively indicate that they are selecting Split Billing in the Portal prior to completing the purchase.
7.3. The Services are considered to be purchased when the Client has authorised the purchase on the Portal, unless agreed otherwise between the parties.
7.4. A purchase with Split Billing is referred to as a “Split Billing Purchase” and the amount of that purchase is the total cost for the service or product purchased, the “Split Billing Purchase Amount”.
7.5. When a Split Billing Purchase is created the Client’s Cash Balance is immediately credited with the Split Billing Purchase Amount.
7.6. Payments for Split Billing occur at a regular interval, the “Split Billing Payment Interval” (normally monthly):
7.6.1. as set out in the Portal (“Split Billing Payment Dates”);
7.6.2. must be collected via an electronic automatable means such as direct debit or payment card; this is the “Split Billing Payment Method”; and
7.6.3. Client agrees to pay all Split Billing Purchase Instalments on the Split Billing Payment Date and ensure that the Split Billing Payment Method is up-to-date.
7.7. The amount of the Split Billing Payments is defined by dividing the total cost of the Split Billing Purchase by the number of Split Billing Payment Dates. The Split Billing Payment amount is referred to as a “Split Billing Purchase Instalment”:
7.7.1. An example would be a £12,000 Split Billing Purchase paid monthly will have 12 Split Billing Purchase Instalments of £1,000 which are paid in 12 Split Billing Payments).
7.8. Throughout the Split Billing Purchase Period the Split Billing Purchase has a “Split Billing Purchase Liability” which is defined as the total Split Billing Purchase less the total amount of Split Billing Purchase Instalments that have been paid.
7.9. The Split Billing Purchase Liability decreases throughout the Split Billing Purchase Period after each payment is made.
7.10. OnSecurity may include a set-up fee to a Split Billing Purchase which will be added to the first Split Billing Purchase Instalment, the set-up fee will be clearly communicated to the Client prior to completing the Split Billing Purchase. Any set-up fee will be shown in the Portal prior to purchase.
7.11. The Split Billing Purchase will automatically renew at the end of the Split Billing Purchase Period (normally 12 months).
7.12. This renewal (the “Split Billing Purchase Renewal”) is considered a new Split Billing Purchase for the same cost as the previous Split Billing Purchase.
7.13. The Split Billing Purchase Renewal will immediately credit the Client’s Cash Balance with the total Split Billing Purchase cost (i.e. the price of the pentest)
7.14. The Client may modify the renewal at any time prior to the Split Billing Purchase Renewal.
7.15. The Client may opt-out of automatic renewal at any time before the end of the Split Billing Purchase Period.
7.16. A Client may have multiple Split Billing Purchases running concurrently.
7.17. All Split Billing Purchases are collectively defined as the “Split Billing Subscription”.
7.17.1. The Split Billing Subscription is considered active when any Split Billing Purchase Instalments are due in the future or;
7.17.2. Any Split Billing Purchase Renewals have not been opted-out of.
7.18. For efficiency all Purchase Instalment Payment Dates will be on the same date wherever possible and combined into as few payments as possible (typically a single payment). These payments collectively are the “Split Billing Subscription Instalments”
7.19. At any time the Client may choose to cancel their Split Billing Subscription and pay the total amount of all of their Split Billing Purchase Liability combined, referred to as the “Split Billing Subscription Liability”.
7.20. When cancelled the entire Subscription Purchase Liability will become immediately due for payment by the Client.
7.21. If the Client does not pay the total amount of the Split Billing Subscription Instalment within 24 hours of the date due OnSecurity may cancel the Split Billing Subscription and Client’s access to the Portal and the Services with cease immediately.
7.22. OnSecurity may at its discretion modify Split Billing Purchases dates, amounts or other aspects with the prior approval of the Client.
7.23. When creating a Split Billing Purchase the total Split Billing Purchase Amount is added to the Cash Balance.
7.24. At no time will OnSecurity refund monies already received by Split Billing Purchase Instalments.
7.25. In circumstances where Split Billing Purchases are no longer required the unused Split Billing Purchase Amount will be returned to the Cash Balance.
7.26. The Split Billing Purchase Amount may be used by providing services or products to the client. The amount used will be deducted from the Cash Balance.
7.27. The Client agrees to adhere to all terms under Split Billing when selecting Split Billing during any purchase.
8. INTELLECTUAL PROPERTY RIGHTS
8.1. The Client acknowledges and agrees that OnSecurity and/or its licensors own all intellectual property rights in the Services and the Documents. Except as expressly stated in this Agreement, this Agreement does not grant the Client any rights to, under or in, any patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licenses in respect of the Services or the Documents.
8.2. OnSecurity confirms that it has all the rights in relation to the Services and the Documents that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this Agreement.
8.3. OnSecurity acknowledges and agrees that the Client and/or its licensors own all intellectual property rights in the Client Data. Except as expressly stated in this Agreement, this Agreement does not grant the Client any rights to, under or in, any patents or copyright, database right, trade secrets, trade names, trade makes (whether registered or unregistered), or any other rights or licenses in respect of the Client’s intellectual property rights.
8.4. The Client provides OnSecurity with permission to use the Client’s trade mark or trade name on its website or on any marketing materials.
8.5. The Client shall not (except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement:
8.5.1. attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Portal as part of the Service in any form or media or by any means;
8.5.2. attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Portal;
8.5.3. access all of any part of the Portal in order to build a product or service which competes with the Portal;
8.5.4. use the Portal to provide services to third parties;
8.5.5. license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Portal available to any third party;
8.5.6. attempt to obtain, or assist third parties in obtaining, access to the Portal, other than as provided under this Agreement.
9. DATA PROTECTION
9.1. The parties agree to comply with their obligations under the Data Protection Laws. This is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Laws.
9.2. The parties agree to comply with all applicable data protection and privacy legislation in force in the United Kingdom including (i) the GDPR to the extent that it forms local laws arising from Section 3 of the European Union (Withdrawal Act) 2018 (UK GDPR); (ii) the General Data Protection Regulation ((EU) 2016/679) (GDPR); (iii) the Data Protection Act 2018; (iv) the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended and any amendments to these laws as updated from time to time; and the guidance and codes of practice issued by the Information Commissioner or other relevant data protection or supervisory authority.
10. CONFIDENTIALITY
10.1. Each party agrees that, they will not at any time disclose to any person any Confidential Information belonging to the other party except as permitted by clause 9.4.
10.2. The Client acknowledges that details of the Services constitute OnSecurity's Confidential Information.
10.3. OnSecurity acknowledges that the Client Data is the Confidential Information of the Client.
10.4. Each party may disclose the other party's Confidential Information:
10.4.1. to those of its employees, officers, representatives or advisers who need to know such information for the purposes of exercising the party's rights or carrying out its obligations under or in connection with this Agreement. Each party will ensure that its employees, officers, representatives or advisers to whom it discloses the other party's Confidential Information are aware of that party’s obligations underthis clause 9; and
10.4.2. as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
10.4.3. No party will use any other party's Confidential Information for any purpose other than to exercise its rights and perform its obligations under or in connection with this Agreement.
10.5. Without prejudice to any other rights or remedies the parties may have, each party acknowledges and agrees that damages alone would not be an adequate remedy for breach of its obligations under this clause 9 .Accordingly, the other party shall be entitled, without proof of special damages, to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of this clause 9.
11. INDEMNITIES
11.1. The Client shall defend, indemnify and hold harmless OnSecurity (including its officers, directors and employees) against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal and other professional fees):
11.1.1. arising out of or in connection with the Client's use of the Services;
11.1.2. arising out of or in connection with the Client’s breach of its obligations, representations or warranties under this Agreement; and/or
11.1.3. for infringement of any Intellectual Property Right or right of confidentiality arising out of OnSecurity’s provision of the Services,
11.2. Each provided that:
11.2.1. the Client is given prompt notice of any such claim;
11.2.2. OnSecurity provides reasonable cooperation to the Client in the defence and settlement of such claim, at the Client's expense; and
11.2.3. the Client is given sole authority to defend or settle the claim.
12. LIMITATION OF LIABILITY AND INDEMNITY
12.1. Except as expressly and specifically provided in this Agreement:
12.1.1. the Client assumes sole responsibility for results obtained from the use of the Services by the Client, and for conclusions drawn from such use. OnSecurity shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to OnSecurity by the Client in connection with the Services, or any actions taken by OnSecurity at the Client's direction;
12.1.2. all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement; and
12.1.3. the Services are provided to the Client on an "as is" basis.
12.2. In no event shall OnSecurity, its employees, agents and subcontractors be liable to the Client to the extent that an alleged infringement is based on:
12.2.1. a modification of the Services or Documents by anyone other than OnSecurity; or
12.2.2. the Client's use of the Services or Documents in a manner contrary to the instructions given to the Client by OnSecurity; or
12.2.3. the Client's use of the Services or Documents after notice of the alleged or actual infringement from OnSecurity or any appropriate authority.
12.3. OnSecurity shall have no liability either:
12.3.1. to the extent OnSecurity cannot perform its obligations under this Agreement by reason of any failure, outage or interruption in any third party services required in connection with the Services (provided OnSecurity has exercised reasonable due diligence in procuring such third party services); or
12.3.2. in respect of any breach of this Agreement in relation to any matter which is wholly or primarily within the control of any provider of such third party services.
12.4. Neither party excludes nor limits any liability for:
12.4.1. personal injury (including sickness and death) to the extent that such injury results from the negligence or wilful default of a party or its employees;
12.4.2. fraud or fraudulent misrepresentation; or
12.4.3. any other liability to the extent it cannot be excluded or limited by law.
12.5. In addition to clause 11.2 and clause 11.3, the Supplier shall not be liable for whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for:
12.5.1. any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement;
12.5.2. any loss of profits, loss of business, depletion of goodwill and/or similar losses;
12.5.3. loss or corruption of data or information;
12.5.4. pure economic loss; or
12.5.5. anticipated savings.
12.6. OnSecurity’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement shall be limited to an amount equal to the total Fees paid or payable by the Client to OnSecurity during the 12 months immediately preceding the date on which the claim arose.
13. GENERAL TERMS
13.1. Force majeure: OnSecurity shall have no liability to the Client under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lockouts or other industrial disputes (whether involving the workforce of OnSecurity or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or subcontractors, provided that the Client is notified of such an event and its expected duration.
13.2. Costs: Each party is responsible for its legal and other costs in relation to the preparation and performance of this Agreement.
13.3. Relationship of the parties: The parties are independent businesses and not partners, principal and agent, or employer and employee, or in any other relationship of trust to each other.
13.4. Third party rights: For the purposes of the Contracts (Rights of Third Parties) Act 1999, this Agreement is not intended to and does not give any person who is not a party to it any right to enforce any of its provisions. However, this does not affect any rights or remedy of such a person that exists or is available apart from that Act.
13.5. Assignment: The Client shall not, without the prior written consent of OnSecurity, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. OnSecurity may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. This Agreement shall be binding upon and ensure to the benefit of the respective parties and their respective personal representatives, successors and permitted assigns.
13.6. Entire Agreement: This Agreement contains the whole agreement between the parties relating to its subject matter and supersedes any prior agreements, representations or understandings between them unless expressly incorporated by reference in this agreement. Each party acknowledges that it has not relied on, and will have no remedy in respect of, any representation (whether innocent or negligent) made but not expressly embodied in this agreement. Nothing in this clause limits or excludes any liability for fraud or fraudulent misrepresentation.
13.7. Severability: If any clause in this Agreement (or part thereof) is or becomes illegal, invalid or unenforceable under applicable law, but would be legal, valid and enforceable if the clause or some part of it was deleted or modified (or the duration of the relevant clause reduced), the relevant clause (or part thereof) will apply with such deletion or modification as may be required to make it legal, valid and enforceable, and the parties will promptly and in good faith seek to negotiate a replacement provision consistent with the original intent of this agreement as soon as possible.
13.8. Waiver: No delay, act or omission by either party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
13.9. Notices: Any notice required or permitted to be given hereunder shall be in writing, addressed to the relevant party as set out in the Terms Agreed Between the Parties.
13.10. No partnership or agency : Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
13.11. Termination: Either party may terminate this Agreement upon providing written notice if the other party breaches any material term or condition of the Agreement and fails to remedy such breach within 30 days of receiving written notice specifying the breach. Additionally, either party may terminate this Agreement immediately if the other party becomes insolvent, files for bankruptcy, or undergoes a change in control. Upon termination, the Client shall pay for all Services (including Penetration Testing and Finding Retests) performed by OnSecurity up to the termination date.
13.12. Governing law and jurisdiction: This Agreement is governed by the law of England and Wales. All disputes under this agreement will be subject to the exclusive jurisdiction of the courts of England and Wales.
14. DEFINITIONS AND INTERPRETATION
14.1. Agreement - the OnSecurity Terms and Conditions.
14.2. Aftercare Period - 7 days unless otherwise agreed by the Parties in writing.
14.3. Business Day - a day, other than a Saturday, Sunday or public holiday in England, when the banks in London are open for business.
14.4. Confidential Information - all data or information (whether technical, commercial, financial or of any other type) in any form acquired under, arising from or in connection with, this Agreement and any information used in or relating to the business of OnSecurity (including information relating to OnSecurity’s products (bought, manufactured, produced, distributed or sold), services (bought or supplied), operations, processes, formulae, methods, plans, strategy, product information, know-how, design rights, trade secrets, market opportunities, Client lists, commercial relationships, marketing, sales materials and general business affairs), and which are for the time being confidential to OnSecurity.
14.5. Client - entity or person accepting this agreement.
14.6. Client Data - the data inputted by the Client (including their affiliates, employees, directors) into the Portal or otherwise provided to OnSecurity as part of the Client’s use of Services.
14.7. Client Personal Data - the personal data processed by OnSecurity on behalf of the Client.
14.8. Data Protection Laws - all applicable data protection and privacy legislation in force in the United Kingdom including (i) the GDPR to the extent that it forms local laws arising from Section 3 of the European Union (Withdrawal Act) 2018 (UK GDPR); (ii) the General Data Protection Regulation ((EU) 2016/679) (GDPR); (iii) the Data Protection Act 2018; (iv) the Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) as amended and any amendments to these laws as updated from time to time; and the guidance and codes of practice issued by the Information Commissioner or other relevant data protection or supervisory authority.
14.9. Documents - the document(s) made available to the Client by OnSecurity online via https://app.onsecurity.io/ or such other web address notified by OnSecurity to the Client from time to time which sets out a description of the Services and the user instructions for the Services.
14.10. Fees - the fees listed in the Portal.
14.11. Finding Retest - a retest booked via the Portal of a particular security issue on one or more Targets discussed during a Penetration Test.
14.12. Intellectual Property Rights - copyright, patents, rights in confidential information, know-how, trade secrets, trademarks, trade names, design right, get-up, database rights, chip topography rights, mask works, utility models, domain names, rights in computer software and all similar rights of whatever nature and, in each case:
* whether registered or not;
* including any applications to protect or register such rights;
* including all renewals and extensions of such rights or applications;
* whether vested, contingent or future; and wherever existing.
14.13. Normal Testing Hours - 0900 to 1800 GMT each Business Day.
14.14. Penetration Testing - the penetration testing security testing and/or consultancy services provided by OnSecurity to the Client as agreed between the parties in writing or through the Portal from time to time during the term of this Agreement. This may include but not limited to:
* Infrastructure Penetration Testing (External & Internal);
* Web Application Penetration Testing;
* Mobile Application Penetration Testing;
* Cloud Audits and Penetration Testing;
* Social Engineering and Physical Penetration Testing; and
* Phishing Simulations, and Penetration Test shall be construed accordingly.
14.15. Personal Data Breach - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data.
14.16. Portal - the secure online interface at https://app.onsecurity.io through which the Client can manage the Services and other associated applications located on subdomains of app.onsecurity.io.
14.17. Services - the security testing and/or consultancy services provided by OnSecurity to the Client as agreed between the parties in writing or through the Portal from time to time during the term of this Agreement.
14.18. Subscription Period - the period of time selected by the Client when subscribing to subscription services where payment is required (such as Scan), typically annually or monthly.
14.19. Services Start Date - the start date for the Services as agreed between the parties in writing or through the Portal from time to time.
14.20. Target - an element of the Client’s IT infrastructure approved by a Portal User.
14.21. User - individual who is authorised to use the Portal.
END OF DOCUMENT