The following definitions and rules of interpretation apply in these Conditions.

 

1.1 Definitions:

Assessor: the Cyber Essentials or Cyber Essentials Plus assessor appointed by Protos to provide assessment services under this Contract.

Booked Session: a future-dated Session that is booked in the calendar of the Assessor.

Business Day: a day other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.

Cancelled Session: a Session that has been booked but which has been cancelled on at least three Business Days’ notice in writing.

Charges: the charges payable by the Customer for the supply of the Services in accordance with clause 5.

Commencement Date: the commencement date specified on the Cover Sheet.

Conditions: these terms and conditions as amended from time to time in accordance with clause 11.5.

Contract: the contract between the Supplier and the Customer for the supply of Services in accordance with these Conditions.

Cover Sheet: the cover sheet at the beginning of this Contract, setting out the contract particulars.

Customer: the person or firm who purchases Services from the Supplier and whose details are provided on the Cover Sheet.

Customer Default: has the meaning set out in clause 4.2.

Delivered Session: a Session that has either been delivered by a Protos consultant or which has been cancelled by the Customer on less than three Business Days’ notice in writing.

Delivered Test Day: a Test Day that has either been delivered by a Protos consultant or which has been cancelled by either party in accordance with the terms of this Contract

Services: the services supplied by the Supplier to the Customer on the terms of this Contract, as specified in the Cover Sheet.

Session: a consultancy meeting with one of Protos’ consultants, delivered either virtually or in person.

Supplier: PROTOS NETWORKS LIMITED, incorporated in England and Wales with company number 07764959 whose registered office is Poplar House Park West, Sealand Road, Chester, England, CH1 4RN.

Supplier Materials: has the meaning set out in clause 4.1(g).

Testing Day: a date allocated by Protos for Cyber Essentials or Cyber Essentials Plus testing (as the case may be) to be carried out

 

1.2 Interpretation

(a) A reference to legislation or a legislative provision:

(i) is a reference to it as amended, extended or re-enacted from time to time; and
(ii) shall include all subordinate legislation made from time to time under that legislation or legislative provision.

(b) Any words following the terms including, include, in particular, for example or any similar expression, shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

(c) A reference to writing or written includes email but not fax.

3.1 Protos offers both Cyber Essentials self-assessment and Cyber Essentials Plus services depending on the Customer’s requirements. Occasionally, Protos will combine its services in a package (Package). This Services, details of any Package, and the expected consultancy Sessions and Testing Days are be detailed in the Cover Sheet.

3.2 Protos will not agree to any downgrade in the Package to an alternative package after the Commencement Date. In the event that the Customer decides not to complete its application, the Customer will not be entitled to a refund (in whole or in part).

3.3 Protos shall use all reasonable endeavours to meet any performance dates (including any expected consultancy Sessions and Testing Days) specified in the Cover Sheet, but any such dates shall be estimates only and time shall not be of the essence for performance of the Services.

3.4 Where our Services are purchased with support, this includes consultancy sessions and a pre-checks of the Customer’s self-assessment answers by one of Protos’ security consultants before the Customer’s first submission, to determine whether the Customer is likely to pass on that basis. If the Customer do not opt for support with its Cyber Essentials certification, no pre-check will be carried out and the Customer’s assessment will be marked based upon the answers provided by them.

3.5 If the Customer is not successful on its first submission of Cyber Essentials self-assessment, the Customer will have two working days to submit a further attempt for certification. If the Customer is not successful on its second submission, the Customer will be required to wait one month before reattempting (at the cost of a new application).

3.6 If the Customer fails its initial submission of a Cyber Essentials application, Protos will provide the Customer with details of any required actions. The delay between the failure notification and a resubmission should not exceed two working days.

3.7 A scoping document must be completed by the Customer in full prior any Cyber Essentials Plus testing engagements. The scoping document will form the basis of the engagement and will be used to structure the delivery of consultancy and testing. If this is later found to be inaccurate or untrue, a new scoping document must be completed, and a new quote provided to the Customer.

3.8 If the Customer is only applying for Cyber Essentials Plus certification support, the Customer must confirm that it holds a valid Cyber Essentials certificate which has been awarded within 90 days of applying for Cyber Essentials Plus certification. The Customer will be required to share a copy of the answers provided in achieving its recent Cyber Essentials certification along with its certificate number to Protos before Protos will arrange any Test Days.

3.9 The Customer must pass a Cyber Essentials Plus audit within 90 days of achieving its most recent Cyber Essentials certification in order to be awarded Cyber Essentials Plus certification.

3.10 If the Customer does not pass the Cyber Essentials Plus audit within 90 days of achieving its most recent Cyber Essentials certification, the Customer will be required to re-certify to Cyber Essentials at the cost of a new application.

3.11 If Protos is required to do any additional work to help the Customer complete its application or audit outside of what is agreed on our initial sales quotation (as confirmed on the Cover Sheet), Protos may charge the Customer separately for that additional work.

3.12 For Cyber Essentials Plus applications, the Customer’s express written authorisation to test is required, as well as written authorisation from any additional parties involved in hosting any infrastructure or application that is within the scope of testing, before the start of any tests.

3.13 The Customer must notify Protos in writing of any limitations on the testing, such as a requirement for out-of-hours testing or weekend testing, or restrictions such as testing only during office hours, at the time of submitting its testing request. Any surcharges incurred for any out-of-hours testing will be agreed in advance and billed separately in advance.

3.14 If the Customer fails any of the Cyber Essentials Plus testing performed as part of the overall engagement, Protos will provide the Customer with details of further tests required. Any retesting that is required can be included as part of the initial engagement or scoped separately. The delay between the first Test Day and subsequent Test Days for retests should not exceed 30 days, including the creation of a report by Protos in its capacity as a Certification Body. The 30 day window rectifying any issues found during Cyber Essentials Plus testing is overridden by the requirement to pass Cyber Essentials Plus within 90 days of passing Cyber Essentials if that date is sooner. If retests are not included in the initial scope of the Services, they will be billed separately.

3.15 Where Protos is required to provide on-site consultancy or testing at a customer site within or outside of mainland Great Britain, travel expenses may be chargeable. These expenses will be billed separately.

3.16 Protos will only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools deployed by Protos. The Customer accepts that it is in the nature of technical security testing that there may be flaws that will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and the Customer therefore agree that it will not, now or in the future, hold Protos to account for any such matters.

3.17 Protos will provide the Services in accordance with the requirements of IASME, which is the National Cyber Security Centre’s (NCSC) Cyber Essentials Partner for the delivery of the Cyber Essentials scheme. Protos will have no liability to the Customer outside the scope of those requirements.

3.18 From time to time, due to the ever-evolving nature of the cyber security sector, changes may be implemented by IASME or the NCSC. Such changes may cause increases to the Charges, which will be passed on to the Customer. Protos will notify the Customer of any increase to the Charges as soon as reasonably possible.

3.19 The Supplier shall use all reasonable endeavours to meet any performance dates specified in Cover Sheet, but any such dates shall be estimates only and time shall not be of the essence for performance of the Services.

3.20 Protos accepts no liability for damages caused to the Customer by any automated or non-automated attacks on your internet-facing infrastructure or its applications, irrespective of whether Protos’ security testing activity carried out under this Contract did, did not, or could have but did not identify any vulnerability exploited, or which might in future be exploited by any such attack.

​3.21 Protos will identify vulnerabilities that its testing has exposed within the scope of the Cyber Essentials Plus Illustrative Test Specification. Wherever possible, Protos will identify by reference to commonly available and published information the appropriate patches and fixes that are recommended to deal with the identified vulnerability, but it will be entirely the Customer’s responsibility to formally identify and deploy an appropriate solution to the vulnerabilities identified by our security testing.

3.22 The Supplier reserves the right to amend the Services if necessary to comply with any applicable law or regulatory requirement, or if the amendment will not materially affect the nature or quality of the Services, and the Supplier shall notify the Customer in any such event.

3.23 When the Customer is a UK-domiciled organisation with a turnover under £20 million and it achieves self-assessed certification covering the Customer’s whole organisation to the basic level of Cyber Essentials, the Customer is entitled to Cyber Liability Insurance (Insurance). The Insurance is underwritten by AXA XL, a division of AXA, and administered by Sutcliffe & Co Insurance Brokers. The terms of the Cyber Liability Insurance do not form part of these Conditions and the Customer is referred to the insurance provider’s terms and conditions which are available at: https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/

3.24 Protos shall have no liability to the Customer in respect of the Insurance.

5.1 The Charges for the Services shall be charged based on the fees specified in the Cover Sheet.

 

5.2 The Supplier shall be entitled to charge the Customer for any expenses reasonably incurred by the individuals whom the Supplier engages in connection with the Services including travelling expenses, hotel costs, subsistence and any associated expenses, and for the cost of services provided by third parties and required by the Supplier for the performance of the Services, and for the cost of any materials.

​

5.3 The Supplier shall invoice the Customer in advance prior to the performance of the Services.

 

5.4 The Customer shall pay each invoice submitted by the Supplier:

(a) by the Payment Due Date or, where no Payment Due Date is specified on the Cover Sheet, within 28 days of the date of the invoice; and

(b) in full and in cleared funds to a bank account nominated in writing by the Supplier, and

time for payment shall be of the essence of the Contract.

 

5.5 All amounts payable by the Customer under the Contract are exclusive of amounts in respect of value added tax chargeable from time to time (VAT). Where any taxable supply for VAT purposes is made under the Contract by the Supplier to the Customer, the Customer shall, on receipt of a valid VAT invoice from the Supplier, pay to the Supplier such additional amounts in respect of VAT as are chargeable on the supply of the Services at the same time as payment is due for the supply of the Services.

 

5.6 If the Customer fails to make a payment due to the Supplier under the Contract by the due date, then, without limiting the Supplier’s remedies under clause 9, the Customer shall pay interest on the overdue sum from the due date until payment of the overdue sum, whether before or after judgment. Interest under this clause

 

5.6 will accrue each day at 8% a year above the Bank of England’s base rate from time to time, but at 8% a year for any period when that base rate is below 0%.

 

5.7 All amounts due under the Contract shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).

7.1 Protos reserves the right to charge in full for Testing Days or Booked Sessions where the Customer cancels any Testing Days or Booked Sessions on less than three Business Days’ notice. Where such Testing Days or Booked Sessions are cancelled on less than three Business Days’ notice, the Customer will be required to purchase additional consultancy days.

 

7.2 In the event that Protos attends a Session or Test Day, either virtually or in-person, but is unable to deliver the agreed Session or Testing Day activities (for whatever reason), Protos will be entitled to consider this as a Delivered Session or Delivered Test Day.

 

7.3 Without affecting any other right or remedy available to it, either party may terminate the Contract by giving the other party one months’ written notice.

 

7.4  Without affecting any other right or remedy available to it, either party may terminate the Contract with immediate effect by giving written notice to the other party if:

(a) the other party commits a material breach of any term of the Contract and (if such a breach is remediable) fails to remedy that breach within 30 days of that party being notified in writing to do so;

(b) the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), applying to court for or obtaining a moratorium under Part A1 of the Insolvency Act 1986, being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction;

(c) the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or

(d) the other party’s financial position deteriorates to such an extent that in the terminating party’s opinion the other party’s capability to adequately fulfil its obligations under the Contract has been placed in jeopardy.

 

7.5 Without affecting any other right or remedy available to it, the Supplier may terminate the Contract with immediate effect by giving written notice to the Customer if the Customer fails to pay any amount due under the Contract on the due date for payment.

 

7.6 Without affecting any other right or remedy available to it, the Supplier may suspend the supply of Services under the Contract or any other contract between the Customer and the Supplier if:

(a)the Customer fails to pay any amount due under the Contract on the due date for payment;

(b)the Customer becomes subject to any of the events listed in clause 9.2(c) or clause 9.2(d), or the Supplier reasonably believes that the Customer is about to become subject to any of them; and

(c) the Supplier reasonably believes that the Customer is about to become subject to any of the events listed in clause 9.2(b).

9.1 Force majeure. Neither party shall be in breach of the Contract nor liable for delay in performing, or failure to perform, any of its obligations under the Contract if such delay or failure result from events, circumstances or causes beyond its reasonable control.

 

9.2 Assignment and other dealings.

(a) The Supplier may at any time assign, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under the Contract.

(b) The Customer shall not assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under the Contract.

 

9.3 Confidentiality.

(a) Each party undertakes that it shall not at any time disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 11.3(b).

(b) Each party may disclose the other party’s confidential information:

(i)  to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of carrying out the party’s obligations under the Contract. Each party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other party’s confidential information comply with this clause 11.3; and

(ii) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.

(c) Neither party shall use the other party’s confidential information for any purpose other than to perform its obligations under the Contract.

 

9.4 Entire agreement.

(a) The Contract constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

(b) Each party acknowledges that in entering into the Contract it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Contract. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the Contract.

(c) Nothing in this clause shall limit or exclude any liability for fraud.

 

9.5 Variation. Except as set out in these Conditions, no variation of the Contract shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

 

9.6 Waiver. A waiver of any right or remedy under the Contract or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy. A failure or delay by a party to exercise any right or remedy provided under the Contract or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Contract or by law shall prevent or restrict the further exercise of that or any other right or remedy.

 

9.7 Severance. If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement. If any provision or part-provision of this Contract deleted under this clause 11.7 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

 

9.8  Notices.

(a) Any notice given to a party under or in connection with the Contract shall be in writing and shall be delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or sent by fax to its main fax number or sent by email to the address specified for that party on the Cover Sheet.

(b) Any notice shall be deemed to have been received:

(i) if delivered by hand, at the time the notice is left at the proper address;

(ii) if sent by pre-paid first-class post or other next working day delivery service, at 9:00 am on the second Business Day after posting; or

(iii) if sent by email at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 11.8(b)(iii), business hours means 9:00am to 5:00pm Monday to Friday on a day that is not a public holiday in the place of receipt.

(c) This clause 11.8 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any other method of dispute resolution.

 

9.9 Third party rights.

(a) Unless it expressly states otherwise, the Contract does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Contract.

(b) The rights of the parties to rescind or vary the Contract are not subject to the consent of any other person.

 

9.10 Governing law. The Contract, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with the law of England and Wales.

 

9.11 Jurisdiction. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Contract or its subject matter or formation.