STANDARD TERMS AND CONDITIONS
THE SERVICE AND ONSECURITY'S OBLIGATIONS
- OnSecurity shall provide the Service to the Client, which the Client agrees to accept and pay for, including:
  - the performance of IT Penetration Testing activities against Targets specified by the Client's Authorised Users. This may include IT infrastructure, including websites, servers, networking equipment, buildings, email addresses and telephone numbers.
  - provision of access to the Portal to the Client's Authorised Users.
- OnSecurity shall use commercially reasonable endeavours to make the Portal available to the Client 24 hours a day, seven days a week, except for: (i) planned maintenance carried out during the maintenance window of 1900 to 0300 GMT; and (ii) unscheduled maintenance performed outside usual business hours (0900 to 1800 GMT each business day).
- OnSecurity agrees not to test any Targets without the Client's prior authorisation.
- OnSecurity Normal Testing Hours are 0900 to 1800 GMT, each Business Day (Monday to Friday inclusive, except for bank/public holidays). If the Client requires testing outside of this period, this will have to be by agreement with OnSecurity. OnSecurity also has the right to charge an additional surcharge, as agreed with the Client, when conducting testing outside the OnSecurity Normal Testing Hours.
- OnSecurity hereby grants the Client the right to permit Authorised Users to use the Portal solely for the Client's business operations.
- The Client may choose to stop Testing at any time via the portal or phone and OnSecurity will endeavour to cease testing as soon as practically possible.
- OnSecurity shall deliver the Service in a responsible and professional manner in accordance with the sector's best practices and shall use its best endeavours not to change or amend any applications, data, programs or components of the Client's network or computer system (including hardware and software).
- OnSecurity shall ensure that any personnel involved in the provision of the Service shall have qualifications and experience appropriate to the tasks to which they are allocated.
- OnSecurity shall retest any issues for free during a test and for 3 working days after the test ends. Once the 3 days are over, any retesting will have to be booked as a separate test at the normal hourly rate.
- OnSecurity will immediately notify the Client via the Portal, email and phone of any critical vulnerability that exposes a Target to immediate risk of compromise, or which exposes the Client to immediate risk of reputational, financial or operational loss.
- OnSecurity hereby warrants that it has all necessary rights, authorisations and licences to provide the Service and, in providing the Service, it is not infringing the intellectual property rights of any third party.
- OnSecurity shall not conduct any intentional Denial of Service (DoS) testing at any time.
- OnSecurity shall provide the Client with an estimate of any reasonable expenses that will be incurred prior to commencing any On-site Testing.
- The Client acknowledges and agrees that OnSecurity and/or its licensors own all intellectual property rights in the Service and the Portal. Except as expressly stated herein, this Agreement does not grant the Client any rights to, or in, patents, copyrights, database right, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Service.
- OnSecurity shall keep logs of actions taken and, in line with its data retention procedure, these shall be retained, along with all other Client files, for six years and then destroyed.
- OnSecurity shall store all Client data within a secure data centre in the United Kingdom or other EU state which complies with ISO 9001, ISO 27001 and ISO 27018 standards. All Client data will be encrypted at rest using industry standard encryption algorithms.
Scan by OnSecurity
- Scan is an asset discovery, vulnerability management and vulnerability scanning service provided "as is" by OnSecurity to the Client. Since vulnerability scanning is a subset of the activities which take place during penetration testing, the terms set out in all sections of this agreement also apply to automated vulnerability scans performed on Client targets by the OnSecurity Scan vulnerability management service.
- The Client hereby grants OnSecurity the right to perform vulnerability scanning against any target marked by the Client as ‘enabled’ for scanning by Scan (using the ‘Target Management’ interface). This right is granted upon the Client clicking the ‘Play’ icon on the Scan dashboard, which initiates Scanning.
THE CLIENT'S RIGHTS AND OBLIGATIONS
- The Client hereby grants to OnSecurity the right to perform IT Penetration Testing activities as further described in Appendix A against authorised Targets. OnSecurity will not be held responsible for any incorrectly entered Target information.
- The Client understands OnSecurity shall only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools and methodologies deployed by OnSecurity. The Client accepts that it is in the nature of IT Penetration Testing activities that there may be vulnerabilities which will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and therefore agrees that it shall not, now or in the future, hold OnSecurity liable for such vulnerabilities.
- The Client shall identify and disclose to OnSecurity any third parties that may conceivably be affected by OnSecurity testing activities, and any damages and/or loss of service caused by the Client's failure to identify and/or disclose such third parties shall remain the sole responsibility of the Client. The Client therefore indemnifies OnSecurity against all and any costs or damages howsoever arising from such activities.
- The Client shall ensure that Targets are the property of the Client or shall be fully responsible for obtaining written consent to test the Targets from the legal owner prior to authorising such Targets for testing. OnSecurity will not be held responsible for any incorrectly entered Target information.
- The Client shall immediately notify OnSecurity in the case of any unexpected event or out-of-scope problems which may impact OnSecurity or the delivery of the Service.
- The Client warrants that each Authorised User shall keep a secure and confidential password for their use of the Portal and that such password shall be changed no less frequently than every 90 days.
- The Client shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Portal and, in the event of any such unauthorised access or use, promptly notify OnSecurity.
- The rights provided to the Client under this Agreement are granted to the Client only, and shall not be considered granted to any subsidiary or holding company of the Client.
- The Client shall not (except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement):
  - attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Portal as part of the Service in any form or media or by any means; or
  - attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Portal; or
  - access all or any part of the Portal in order to build a product or service which competes with the Portal; or
  - use the Portal to provide services to third parties; or
  - license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Portal available to any third party except the Authorised Users; or
  - attempt to obtain, or assist third parties in obtaining, access to the Portal, other than as provided under this clause 2.
- The Client shall be solely responsible for procuring and maintaining its network connections and telecommunications links from its Targets to OnSecurity's testing devices, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Client's network connections or telecommunications links or caused by the internet.
- The Client understands it has sole responsibility for the adequate protection and backup of data and/or equipment used in connection with this IT Penetration Testing and will not make a claim against OnSecurity for lost data, re-run time, inaccurate output, work delays or lost profits resulting from the Service.
- In accordance with the European Convention on Human Rights, and the Human Rights Act 1998 OnSecurity respects that everyone has the right to respect for his private and family life, and commits to apply standards that provide adequate protection to clients and members of the public from unwarranted infringements of privacy.
- If OnSecurity processes any personal data, as such term is defined in the Data Protection Act 1998 or, when applicable, the General Data Protection Regulation ("GDPR") ("Personal Data"), on the Client's behalf when performing its obligations under this Agreement, the parties record their intention that the Client shall be the Data Controller and OnSecurity shall be a Data Processor and in any such case:
  - OnSecurity shall only process Client Personal Data on the written instructions of the Client;
  - the Client shall ensure that it is entitled to transfer the Personal Data to OnSecurity so that OnSecurity may lawfully use, process and transfer the Personal Data in accordance with this Agreement on the Client's behalf;
  - OnSecurity shall ensure that people processing the Personal Data are subject to a duty of confidence; take appropriate measures to ensure the security of processing; only engage sub-processors with the prior consent of the Client; and provide reasonable assistance to the Client in ensuring compliance with relevant Data Protection legislation.
- OnSecurity shall not transfer any Client data (or Personal Data relating to Customers of the Client) outside the EU, or use this Personal Data for marketing purposes.
- If, in the course of its engagement by the Client, OnSecurity has access to or will collect, access, use, store, process, dispose of or disclose credit, debit or other payment cardholder information, OnSecurity shall at all times remain in compliance with the Payment Card Industry Data Security Standard ("PCI DSS") requirements, including remaining aware at all times of changes to the PCI DSS and promptly implementing all procedures and practices as may be necessary to remain in compliance with the PCI DSS, in each case at OnSecurity's sole cost and expense.
- OnSecurity warrants it shall take all reasonable steps to ensure that it secures its computer material against unauthorised access or modification by individuals or groups of individuals with a criminal motive in accordance with the 1990 Computer Misuse Act.
CHARGES AND PAYMENT
- The Client shall pay the Service Fee (and any other fees or expenses as agreed) to OnSecurity in consideration for the Service at the rates set out above.
- OnSecurity may unilaterally change its hourly fee rates but must inform the Client at least 30 calendar days in advance of the provision of Services. If the Client does not agree to pay the revised fee each Party will be entitled to terminate the Agreement.
- OnSecurity shall invoice the Client for hours booked for testing on completion. Where there are hours unused, these will remain as a credit on the Client's portal for 12 months from the date of purchase. Unused hours on the account cannot be refunded as cash.
- Time for payment shall be 30 days from the date of the invoice.
- The Client may purchase additional testing hours at any time via the Portal. Payment can be made electronically or it can be added to the next invoice.
- OnSecurity may provide the Client with an estimate of how many hours it will take to test a Target prior to testing commencing; however, it is understood by the Client that estimates are just that: they are not guaranteed delivery times. Testing may require more hours, which the Client will have to purchase at the rate agreed above.
- In cases where the Client has testing hours remaining, the Client may use them on another Target.
- Once the Client has used all the hours they have purchased no future tests can be scheduled.
- If OnSecurity has not received payment within 14 days after the due date specified on the invoice, it shall be under no obligation to provide any Services while the invoice remains unpaid and reserves the right to charge interest on the overdue amounts at a rate of 4% above the base rate of the Bank of England from the due date until the date of payment.
- Unless specified by OnSecurity, prices and charges are exclusive of VAT.
- Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. "Confidential Information" means information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information. Confidential Information shall not be deemed to include information that: (a) is or becomes publicly known other than through any act or omission of the receiving party; (b) was in the other party's lawful possession before the disclosure; (c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; (d) is independently developed by the receiving party, which independent development can be shown by written evidence; or (e) is required to be disclosed by law, including but not limited to the Freedom of Information Act 2000.
- Each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this Agreement.
- Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.
- Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.
- The Client acknowledges that details of the Service, and the results of the Service, constitute OnSecurity's Confidential Information.
- These clauses 42) to 47) shall survive termination of this Agreement, however arising.
LIABILITY AND INDEMNITIES
- The Client shall indemnify and keep indemnified OnSecurity (its officers, directors and employees) against all claims, costs, expenses, damages and losses (including reasonable legal and other professional fees) which may arise as a result of any claim made against OnSecurity (its officers, directors and employees) and arising out of or in connection with the Client's breach of its obligations, representations, warranties or covenants under this Agreement.
- The Client shall not hold OnSecurity liable for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, punitive, incidental, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement.
- OnSecurity's total aggregate liability arising in connection with the performance or contemplated performance of this Agreement shall be limited to the total Service Fee paid for the Service during the twelve (12) months immediately preceding the date on which the claim arose.
- Subject only to OnSecurity exercising reasonable due diligence and using reasonable endeavours to procure any Third Party Services required in connection with the Service ("Third Party Services") on the best available terms, OnSecurity shall have no liability to the Client to the extent OnSecurity cannot perform its obligations to the Client under this Agreement by reason of any failure, outage or interruption in such Third Party Services nor shall OnSecurity be liable to the Client in respect of any breach of this Agreement in relation to any matter which is wholly or primarily within the control of any provider of Third Party Services.
TERM AND TERMINATION
- This Agreement shall, unless otherwise terminated, commence on the effective date specified above.
- Either party may terminate this Agreement at any time by serving 30 (thirty) days prior written notice to the other party.
- Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate this Agreement without liability to the other if the other party commits a material breach of any of the material terms of this Agreement and (if such a breach is remediable) fails to remedy that breach within 30 days of that party being notified in writing of the breach.
- On termination of this Agreement for any reason:
  - all licences granted under this Agreement shall immediately terminate;
  - each party shall return and make no further use of any equipment, property, documentation and other items (and all copies of them) belonging to the other party;
  - the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.
- Force majeure: OnSecurity shall have no liability to the Client under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lockouts or other industrial disputes (whether involving the workforce of OnSecurity or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or subcontractors, provided that the Client is notified of such an event and its expected duration.
- Waiver: A waiver of any right under this Agreement is only effective if it is in writing and it applies only to the party to whom the waiver is addressed and to the circumstances for which it is given.
- Severance: If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
- Assignment: The Client shall not, without the prior written consent of OnSecurity, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. OnSecurity may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. This Agreement shall be binding upon and enure to the benefit of the respective parties and their respective personal representatives, successors and permitted assigns.
- No partnership or agency: Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
- Notices: Any notice required or permitted to be given hereunder shall be in writing, addressed to the relevant party as set out in the Terms Agreed Between The Parties.
- Inadequacy of damages: Without prejudice to any other rights or remedies that OnSecurity may have, the Client acknowledges and agrees that damages alone would not be an adequate remedy for any breach (other than breach of the Client's payment obligations hereunder) of the Terms of this Agreement by the Client. Accordingly, OnSecurity shall be entitled, without proof of special damages, to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the Terms of this Agreement.
- Governing law and jurisdiction: The validity, construction and performance of this Agreement, and all contractual and non-contractual matters arising out of it, shall be governed by English law and shall be subject to the exclusive jurisdiction of the English courts to which the Parties submit.
- Entire Agreement: This Agreement constitutes the entire agreement between the parties relating to the Service. No changes, alterations or modifications shall be valid unless in writing, dated and signed by both parties.
END OF DOCUMENT