Cyber Essentials Terms & Conditions
THE CUSTOMER'S ATTENTION IS PARTICULARLY DRAWN TO THE PROVISIONS OF CLAUSE 8.
The following definitions and rules of interpretation apply in these Conditions.
Assessor: the Cyber Essentials or Cyber Essentials Plus assessor appointed by Protos to provide assessment services under this Contract.
Booked Session: a future-dated Session that is booked in the calendar of the Assessor.
Business Day: a day other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.
Cancelled Session: a Session that has been booked but which has been cancelled on at least three Business Days’ notice in writing.
Charges: the charges payable by the Customer for the supply of the Services in accordance with clause 5.
Commencement Date: the commencement date specified on the Cover Sheet.
Conditions: these terms and conditions as amended from time to time in accordance with clause 11.5.
Contract: the contract between the Supplier and the Customer for the supply of Services in accordance with these Conditions.
Cover Sheet: the cover sheet at the beginning of this Contract, setting out the contract particulars.
Customer: the person or firm who purchases Services from the Supplier and whose details are provided on the Cover Sheet.
Customer Default: has the meaning set out in clause 4.2.
Delivered Session: a Session that has either been delivered by a Protos consultant or which has been cancelled by the Customer on less than three Business Days’ notice in writing.
Delivered Test Day: a Test Day that has either been delivered by a Protos consultant or which has been cancelled by either party in accordance with the terms of this Contract
Services: the services supplied by the Supplier to the Customer on the terms of this Contract, as specified in the Cover Sheet.
Session: a consultancy meeting with one of Protos’ consultants, delivered either virtually or in person.
Supplier: PROTOS NETWORKS LIMITED, incorporated in England and Wales with company number 07764959 whose registered office is Poplar House Park West, Sealand Road, Chester, England, CH1 4RN.
Supplier Materials: has the meaning set out in clause 4.1(g).
Testing Day: a date allocated by Protos for Cyber Essentials or Cyber Essentials Plus testing (as the case may be) to be carried out
(a) A reference to legislation or a legislative provision:
(i) is a reference to it as amended, extended or re-enacted from time to time; and
(ii) shall include all subordinate legislation made from time to time under that legislation or legislative provision.
(b) Any words following the terms including, include, in particular, for example or any similar expression, shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
(c) A reference to writing or written includes email but not fax.
2. BASIS OF CONTRACT
2.1 The Contract shall commence on the Commencement Date.
2.2 These Conditions apply to the Contract to the exclusion of any other terms that the Customer seeks to impose or incorporate, or which are implied by law, trade custom, practice or course of dealing.
2.3 Any quotation given by the Supplier shall not constitute an offer, and is only valid for a period of 20 Business Days from its date of issue.
3. SUPPLY OF SERVICES AND TESTING TERMS
3.1 Protos offers both Cyber Essentials self-assessment and Cyber Essentials Plus services depending on the Customer’s requirements. Occasionally, Protos will combine its services in a package (Package). This Services, details of any Package, and the expected consultancy Sessions and Testing Days are be detailed in the Cover Sheet.
3.2 Protos will not agree to any downgrade in the Package to an alternative package after the Commencement Date. In the event that the Customer decides not to complete its application, the Customer will not be entitled to a refund (in whole or in part).
3.3 Protos shall use all reasonable endeavours to meet any performance dates (including any expected consultancy Sessions and Testing Days) specified in the Cover Sheet, but any such dates shall be estimates only and time shall not be of the essence for performance of the Services.
3.4 Where our Services are purchased with support, this includes consultancy sessions and a pre-checks of the Customer’s self-assessment answers by one of Protos’ security consultants before the Customer’s first submission, to determine whether the Customer is likely to pass on that basis. If the Customer do not opt for support with its Cyber Essentials certification, no pre-check will be carried out and the Customer’s assessment will be marked based upon the answers provided by them.
3.5 If the Customer is not successful on its first submission of Cyber Essentials self-assessment, the Customer will have two working days to submit a further attempt for certification. If the Customer is not successful on its second submission, the Customer will be required to wait one month before reattempting (at the cost of a new application).
3.6 If the Customer fails its initial submission of a Cyber Essentials application, Protos will provide the Customer with details of any required actions. The delay between the failure notification and a resubmission should not exceed two working days.
3.7 A scoping document must be completed by the Customer in full prior any Cyber Essentials Plus testing engagements. The scoping document will form the basis of the engagement and will be used to structure the delivery of consultancy and testing. If this is later found to be inaccurate or untrue, a new scoping document must be completed, and a new quote provided to the Customer.
3.8 If the Customer is only applying for Cyber Essentials Plus certification support, the Customer must confirm that it holds a valid Cyber Essentials certificate which has been awarded within 90 days of applying for Cyber Essentials Plus certification. The Customer will be required to share a copy of the answers provided in achieving its recent Cyber Essentials certification along with its certificate number to Protos before Protos will arrange any Test Days.
3.9 The Customer must pass a Cyber Essentials Plus audit within 90 days of achieving its most recent Cyber Essentials certification in order to be awarded Cyber Essentials Plus certification.
3.10 If the Customer does not pass the Cyber Essentials Plus audit within 90 days of achieving its most recent Cyber Essentials certification, the Customer will be required to re-certify to Cyber Essentials at the cost of a new application.
3.11 If Protos is required to do any additional work to help the Customer complete its application or audit outside of what is agreed on our initial sales quotation (as confirmed on the Cover Sheet), Protos may charge the Customer separately for that additional work.
3.12 For Cyber Essentials Plus applications, the Customer’s express written authorisation to test is required, as well as written authorisation from any additional parties involved in hosting any infrastructure or application that is within the scope of testing, before the start of any tests.
3.13 The Customer must notify Protos in writing of any limitations on the testing, such as a requirement for out-of-hours testing or weekend testing, or restrictions such as testing only during office hours, at the time of submitting its testing request. Any surcharges incurred for any out-of-hours testing will be agreed in advance and billed separately in advance.
3.14 If the Customer fails any of the Cyber Essentials Plus testing performed as part of the overall engagement, Protos will provide the Customer with details of further tests required. Any retesting that is required can be included as part of the initial engagement or scoped separately. The delay between the first Test Day and subsequent Test Days for retests should not exceed 30 days, including the creation of a report by Protos in its capacity as a Certification Body. The 30 day window rectifying any issues found during Cyber Essentials Plus testing is overridden by the requirement to pass Cyber Essentials Plus within 90 days of passing Cyber Essentials if that date is sooner. If retests are not included in the initial scope of the Services, they will be billed separately.
3.15 Where Protos is required to provide on-site consultancy or testing at a customer site within or outside of mainland Great Britain, travel expenses may be chargeable. These expenses will be billed separately.
3.16 Protos will only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools deployed by Protos. The Customer accepts that it is in the nature of technical security testing that there may be flaws that will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and the Customer therefore agree that it will not, now or in the future, hold Protos to account for any such matters.
3.17 Protos will provide the Services in accordance with the requirements of IASME, which is the National Cyber Security Centre’s (NCSC) Cyber Essentials Partner for the delivery of the Cyber Essentials scheme. Protos will have no liability to the Customer outside the scope of those requirements.
3.18 From time to time, due to the ever-evolving nature of the cyber security sector, changes may be implemented by IASME or the NCSC. Such changes may cause increases to the Charges, which will be passed on to the Customer. Protos will notify the Customer of any increase to the Charges as soon as reasonably possible.
3.19 The Supplier shall use all reasonable endeavours to meet any performance dates specified in Cover Sheet, but any such dates shall be estimates only and time shall not be of the essence for performance of the Services.
3.20 Protos accepts no liability for damages caused to the Customer by any automated or non-automated attacks on your internet-facing infrastructure or its applications, irrespective of whether Protos’ security testing activity carried out under this Contract did, did not, or could have but did not identify any vulnerability exploited, or which might in future be exploited by any such attack.
3.21 Protos will identify vulnerabilities that its testing has exposed within the scope of the Cyber Essentials Plus Illustrative Test Specification. Wherever possible, Protos will identify by reference to commonly available and published information the appropriate patches and fixes that are recommended to deal with the identified vulnerability, but it will be entirely the Customer’s responsibility to formally identify and deploy an appropriate solution to the vulnerabilities identified by our security testing.
3.22 The Supplier reserves the right to amend the Services if necessary to comply with any applicable law or regulatory requirement, or if the amendment will not materially affect the nature or quality of the Services, and the Supplier shall notify the Customer in any such event.
3.23 When the Customer is a UK-domiciled organisation with a turnover under £20 million and it achieves self-assessed certification covering the Customer’s whole organisation to the basic level of Cyber Essentials, the Customer is entitled to Cyber Liability Insurance (Insurance). The Insurance is underwritten by AXA XL, a division of AXA, and administered by Sutcliffe & Co Insurance Brokers. The terms of the Cyber Liability Insurance do not form part of these Conditions and the Customer is referred to the insurance provider’s terms and conditions which are available at: https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/
3.24 Protos shall have no liability to the Customer in respect of the Insurance.
4. CUSTOMER'S OBLIGATIONS
4.1 The Customer shall:
(a) co-operate with the Supplier in all matters relating to the Services;
(b) complete the Services in full within twelve-months of the first Session date. Any applications not completed within that period will be marked as void and the Customer’s account will automatically be archived. Protos will not issue, and you agree that you will not be entitled to, any refund of or reduction in the Charges where the Customer fails to comply with this clause 4.1(b);
(c) provide the Supplier, its employees, agents, consultants and subcontractors, with access to the Customer’s premises, office accommodation and other facilities as reasonably required by the Supplier;
(d) provide the Supplier with such information and materials as the Supplier may reasonably require in order to supply the Services, and ensure that such information is complete and accurate in all material respects;
(e) prepare the Customer’s premises for the supply of the Services;
(f) obtain and maintain all necessary licences, permissions and consents which may be required for the Services before the date on which the Services are to start; and
(g) keep all materials, equipment, documents and other property of the Supplier (Supplier Materials) at the Customer’s premises in safe custody at its own risk, maintain the Supplier Materials in good condition until returned to the Supplier, and not dispose of or use the Supplier Materials other than in accordance with the Supplier’s written instructions or authorisation
4.2 The Customer must disclose to Protos the names and details of third parties that may conceivably be affected by Protos’ testing activities, together with details of how those third parties may be affected. The Customer shall indemnify and hold harmless Protos against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other reasonable professional costs and expenses) suffered or incurred by Protos arising directly or indirectly from the Customer’s failure to identify and/or disclose the existence of any third parties in accordance with this clause
4.3 The Customer’s authorisation to commence testing activities is deemed to include confirmation that any relevant internal or external parties have been appropriately notified to Protos, and that all necessary permissions from such parties for Protos to commence testing have been provided to Protos.
4.4 If the Supplier’s performance of any of its obligations under the Contract is prevented or delayed by any act or omission by the Customer or failure by the Customer to perform any relevant obligation (Customer Default):
(a) without limiting or affecting any other right or remedy available to it, the Supplier shall have the right to suspend performance of the Services until the Customer remedies the Customer Default, and to rely on the Customer Default to relieve it from the performance of any of its obligations in each case to the extent the Customer Default prevents or delays the Supplier’s performance of any of its obligations;
(b) in the event that the Customer does not complete the Services in full within twelve-months of the first Session date, passing the accreditation, Protos shall not be obliged to provide the Services past that date and the Contract will be terminated with immediate effect;
(c) the Supplier shall not be liable for any costs or losses sustained or incurred by the Customer arising directly or indirectly from the Supplier’s failure or delay to perform any of its obligations as set out in this clause 4.2; and
(d) the Customer shall reimburse the Supplier on written demand for any costs or losses sustained or incurred by the Supplier arising directly or indirectly from the Customer Default.
5. CHARGES AND PAYMENT
5.1 The Charges for the Services shall be charged based on the fees specified in the Cover Sheet.
5.2 The Supplier shall be entitled to charge the Customer for any expenses reasonably incurred by the individuals whom the Supplier engages in connection with the Services including travelling expenses, hotel costs, subsistence and any associated expenses, and for the cost of services provided by third parties and required by the Supplier for the performance of the Services, and for the cost of any materials.
5.3 The Supplier shall invoice the Customer in advance prior to the performance of the Services.
5.4 The Customer shall pay each invoice submitted by the Supplier:
(a) by the Payment Due Date or, where no Payment Due Date is specified on the Cover Sheet, within 28 days of the date of the invoice; and
(b) in full and in cleared funds to a bank account nominated in writing by the Supplier, and
time for payment shall be of the essence of the Contract.
5.5 All amounts payable by the Customer under the Contract are exclusive of amounts in respect of value added tax chargeable from time to time (VAT). Where any taxable supply for VAT purposes is made under the Contract by the Supplier to the Customer, the Customer shall, on receipt of a valid VAT invoice from the Supplier, pay to the Supplier such additional amounts in respect of VAT as are chargeable on the supply of the Services at the same time as payment is due for the supply of the Services.
5.6 If the Customer fails to make a payment due to the Supplier under the Contract by the due date, then, without limiting the Supplier’s remedies under clause 9, the Customer shall pay interest on the overdue sum from the due date until payment of the overdue sum, whether before or after judgment. Interest under this clause
5.6 will accrue each day at 8% a year above the Bank of England’s base rate from time to time, but at 8% a year for any period when that base rate is below 0%.
5.7 All amounts due under the Contract shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
6. LIMITATION OF LIABILITY
THE CUSTOMER’S ATTENTION IS PARTICULARLY DRAWN TO THIS CLAUSE.
6.1 Neither party may benefit from the limitations and exclusions set out in this clause in respect of any liability arising from its deliberate default.
6.2 Nothing in this clause 8 shall limit the Customer’s payment obligations under the Contract.
6.3 Nothing in the Contract limits any liability which cannot legally be limited, including liability for:
(a) death or personal injury caused by negligence;
(b) fraud or fraudulent misrepresentation; and
(c) breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession).
6.4 Subject to clause 8.3 (No limitation in respect of deliberate default), and clause 8.5 (Liabilities which cannot legally be limited), the Supplier’s total liability to the Customer for all loss or damage shall not exceed £1000 or an amount equal to 100% of the Charges paid under this Contract, whichever is lower.
6.5 Subject clause 8.3 (No limitation in respect of deliberate default), clause 8.4 (No limitation of customer’s payment obligations) and clause 8.5 (Liabilities which cannot legally be limited), this clause 8.8 sets out the types of loss that are wholly excluded:
(a) loss of profits.
(b) loss of sales or business.
(c) loss of agreements or contracts.
(d) loss of anticipated savings.
(e) loss of use or corruption of software, data or information.
(f) loss of or damage to goodwill; and
(g) indirect or consequential loss.
6.6 The Supplier has given commitments as to compliance of the Services with relevant specifications in clause 3. In view of these commitments, the terms implied by sections 3, 4 and 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from the Contract.
6.7 Unless the Customer notifies the Supplier that it intends to make a claim in respect of an event within the notice period, the Supplier shall have no liability for that event. The notice period for an event shall start on the day on which the Customer became, or ought reasonably to have become, aware of the event having occurred and shall expire 3 months from that date. The notice must be in writing and must identify the event and the grounds for the claim in reasonable detail.
6.8 This clause 8 shall survive termination of the Contract.
7. CANCELLATION AND TERMINATION
7.1 Protos reserves the right to charge in full for Testing Days or Booked Sessions where the Customer cancels any Testing Days or Booked Sessions on less than three Business Days’ notice. Where such Testing Days or Booked Sessions are cancelled on less than three Business Days’ notice, the Customer will be required to purchase additional consultancy days.
7.2 In the event that Protos attends a Session or Test Day, either virtually or in-person, but is unable to deliver the agreed Session or Testing Day activities (for whatever reason), Protos will be entitled to consider this as a Delivered Session or Delivered Test Day.
7.3 Without affecting any other right or remedy available to it, either party may terminate the Contract by giving the other party one months’ written notice.
7.4 Without affecting any other right or remedy available to it, either party may terminate the Contract with immediate effect by giving written notice to the other party if:
(a) the other party commits a material breach of any term of the Contract and (if such a breach is remediable) fails to remedy that breach within 30 days of that party being notified in writing to do so;
(b) the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), applying to court for or obtaining a moratorium under Part A1 of the Insolvency Act 1986, being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction;
(c) the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or
(d) the other party’s financial position deteriorates to such an extent that in the terminating party’s opinion the other party’s capability to adequately fulfil its obligations under the Contract has been placed in jeopardy.
7.5 Without affecting any other right or remedy available to it, the Supplier may terminate the Contract with immediate effect by giving written notice to the Customer if the Customer fails to pay any amount due under the Contract on the due date for payment.
7.6 Without affecting any other right or remedy available to it, the Supplier may suspend the supply of Services under the Contract or any other contract between the Customer and the Supplier if:
(a)the Customer fails to pay any amount due under the Contract on the due date for payment;
(b)the Customer becomes subject to any of the events listed in clause 9.2(c) or clause 9.2(d), or the Supplier reasonably believes that the Customer is about to become subject to any of them; and
(c) the Supplier reasonably believes that the Customer is about to become subject to any of the events listed in clause 9.2(b).
8. CONSEQUENCES OF TERMINATION
8.1 On termination or expiry of the Contract:
(a) the Customer shall immediately pay to the Supplier all of the Supplier’s outstanding unpaid invoices and interest and, in respect of Services supplied but for which no invoice has been submitted, the Supplier shall submit an invoice, which shall be payable by the Customer immediately on receipt;
(b) the Customer shall return all of the Supplier Materials which have not been fully paid for. If the Customer fails to do so, then the Supplier may enter the Customer’s premises and take possession of them. Until they have been returned, the Customer shall be solely responsible for their safe keeping and will not use them for any purpose not connected with the Contract.
8.2 Termination or expiry of the Contract shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any breach of the Contract which existed at or before the date of termination or expiry.
8.3 Any provision of the Contract that expressly or by implication is intended to come into or continue in force on or after termination or expiry of the Contract shall remain in full force and effect.
9.1 Force majeure. Neither party shall be in breach of the Contract nor liable for delay in performing, or failure to perform, any of its obligations under the Contract if such delay or failure result from events, circumstances or causes beyond its reasonable control.
9.2 Assignment and other dealings.
(a) The Supplier may at any time assign, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under the Contract.
(b) The Customer shall not assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under the Contract.
(a) Each party undertakes that it shall not at any time disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 11.3(b).
(b) Each party may disclose the other party’s confidential information:
(i) to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of carrying out the party’s obligations under the Contract. Each party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other party’s confidential information comply with this clause 11.3; and
(ii) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
(c) Neither party shall use the other party’s confidential information for any purpose other than to perform its obligations under the Contract.
9.4 Entire agreement.
(a) The Contract constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
(b) Each party acknowledges that in entering into the Contract it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Contract. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the Contract.
(c) Nothing in this clause shall limit or exclude any liability for fraud.
9.5 Variation. Except as set out in these Conditions, no variation of the Contract shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
9.6 Waiver. A waiver of any right or remedy under the Contract or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy. A failure or delay by a party to exercise any right or remedy provided under the Contract or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Contract or by law shall prevent or restrict the further exercise of that or any other right or remedy.
9.7 Severance. If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement. If any provision or part-provision of this Contract deleted under this clause 11.7 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.
(a) Any notice given to a party under or in connection with the Contract shall be in writing and shall be delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or sent by fax to its main fax number or sent by email to the address specified for that party on the Cover Sheet.
(b) Any notice shall be deemed to have been received:
(i) if delivered by hand, at the time the notice is left at the proper address;
(ii) if sent by pre-paid first-class post or other next working day delivery service, at 9:00 am on the second Business Day after posting; or
(iii) if sent by email at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this clause 11.8(b)(iii), business hours means 9:00am to 5:00pm Monday to Friday on a day that is not a public holiday in the place of receipt.
(c) This clause 11.8 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any other method of dispute resolution.
9.9 Third party rights.
(a) Unless it expressly states otherwise, the Contract does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Contract.
(b) The rights of the parties to rescind or vary the Contract are not subject to the consent of any other person.
9.10 Governing law. The Contract, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with the law of England and Wales.
9.11 Jurisdiction. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Contract or its subject matter or formation.