Terms and Conditions for buying goods and services on our website
Version: 3.2. Issue date: 03/08/20
These terms and conditions apply to all transactions made on any website owned and/or operated by a GRC International Group plc company. These terms and conditions also apply to all transactions completed offline that involve products or services described online on any GRC International Group plc company website.
‘You’: the individual or entity visiting this website and/or purchasing products or services from us, whether on this website or offline.
‘Us’: the GRC International Group plc company that operates this website, any GRC International Group plc group company whose products or services you purchase, as well as GRC International Group plc itself.
‘Contract’: a formal contractual relationship in respect of any transaction only exists between you and us from the point at which we accept your order. This acceptance may be automated, where fulfilment is automated, or it may be manual and occur only when manual fulfilment is initiated.
Our Terms and Conditions
These terms and conditions together with our Privacy Notice and our Acceptable Use Policy (together, the ‘Terms’) provide you with information about us and apply to any contract between you and us. Please read these Terms carefully and make sure you understand them before ordering anything from our website. We will also notify you, at the point of purchase if there are any additional terms and conditions that may apply to any specific contract made between us.
- Our prices are as set out on our website, do not include packaging, shipping, insurance or travel costs, and are subject to the addition of applicable VAT or other state or national tax in line with any relevant regulations.
- We may vary our prices from time to time, which we will do by updating our website. Price changes will not be retrospective.
- The law says that, if you are a consumer, you have a legal right to cancel a contract during the period set out below; the law does not extend to business buyers, so in law the clauses below do not apply to transactions with organisations.
- Your legal right to cancel a contract starts from the date we confirm our acceptance of your order.
- During the relevant period, if you change your mind or decide for any other reason that you do not want to receive or keep a product, you can notify us of your decision to cancel the contract and receive a refund. Advice about your legal right to cancel the contract is available from your local Citizens Advice or Trading Standards office.
- This cancellation right does not apply in the case of:
  - digital contents (software, e-books, audio books, PDFs, or other electronic templates, books or reports) once a download has started;
  - any products that become mixed inseparably with other items after their delivery; or
  - any products that are made to your specifications or are clearly personalised.
- Under this right to cancel, and where the first day for delivery of any service, whether training or consultancy, falls within a period of 14 days from the day on which the contract was established, you must make the cancellation at least one clear day prior to the planned first day of delivery; in other words, your right of cancellation does not apply on or after the last business day preceding the first day for delivery of that service.
- Under this right to cancel, where you do not specify a date on which you wish to attend a training course or on which consultancy delivery should start, your right to cancel does not apply after 14 days from the date of the contract and you have no right to a refund if you subsequently decide not to proceed with the service.
- There are further terms, set out below, that apply specifically to the purchase of training courses, Cyber Essentials, e-learning, self-paced online training courses (distance learning), toolkits and other products through our sites.
- Your deadline for cancelling the contract depends on what you have ordered and how it is delivered, as set out in the table below:
| Your contract | End of cancellation period |
|---|---|
| Your contract is for a single product (which is not delivered in instalments on separate days). | The end date is 14 days after the day on which you receive the product. For example, if we provide you with an order confirmation on 1 January and you receive the product on 10 January, you may cancel at any time between 1 January and the end of the day on 24 January. |
| Your contract is for either of the following: one product delivered in instalments on separate days; or multiple products delivered on separate days. | The end date is 14 days after the day on which you receive the last instalment of the product or the last of the separate products ordered. For example, if we provide you with an order confirmation on 1 January and you receive the first instalment of your product or the first of your separate products on 10 January and the last instalment or last separate product on 15 January, you may cancel in respect of all instalments and any or all of the separate products at any time between 1 January and the end of the day on 29 January. |
| Your contract is for the regular delivery of a product over a set period. | The end date is 14 days after the day on which you receive the first delivery of the products. For example, if we provide you with an order confirmation on 1 January in respect of products to be delivered at regular intervals over a year and you receive the first delivery of your product on 10 January, you may cancel at any time between 1 January and the end of the day on 24 January. 24 January is the last day of the cancellation period in respect of all products to arrive during the year. |
To cancel a contract, you need to let us know that you have decided to cancel. The easiest way to do this is to email firstname.lastname@example.org, identifying the website from which you purchased and quoting the electronic purchase sale number, the date of the transaction and the items purchased. This email must contain a categorical statement that goods that have been delivered have not been copied, duplicated or used in any way. If there are physical goods to return, please also obtain a Returns Number at the time of notifying us of your decision to cancel, and we will at that time also notify you of our returns address.
If you cancel your contract, we will:
- refund you the price you paid for the products. However, please note that we are permitted by law to reduce your refund to reflect any reduction in the value of the goods if this has been caused by your handling them in a way that would not be permitted in a shop. If we refund you the price paid before we are able to inspect the goods and later discover you have handled them in an unacceptable way, you must pay us an appropriate amount.
- refund any return delivery costs you have paid, although, as permitted by law, the maximum refund will be the costs of delivery by the least expensive delivery method we offer (provided that this is a common and generally acceptable method). For example, if we offer delivery of a product within 3–5 days at one cost but you choose to have the product returned within 24 hours at a higher cost, we will only refund what you would have paid for the cheaper delivery option.
- make any refunds due to you as soon as possible and in any event within the deadlines indicated below:
  - if you have received the product and we have not offered to collect it from you, we will make any refund due 28 days after the day on which we receive the product back from you or, if earlier, the day on which you provide us with legal evidence that you have sent the product back to us;
  - if you have not received the product, or you have received it and we have offered to collect it from you: 28 days after you inform us of your decision to cancel the contract.
- If you have returned the product to us because it is faulty or not as described, we will refund the price of the product in full, together with any applicable delivery charges, and any reasonable costs you incur in returning the item to us.
- refund you on the credit or debit card you used to pay. If you used vouchers to pay for the product, we may refund you in vouchers. If you paid via PayPal or a similar payment processor, or via bank transfer, we will make the refund by the same route.
If a product has been delivered to you before you decide to cancel the contract:
- you must return it to us without undue delay and in any event not later than 14 days after the day on which you let us know that you wish to cancel the contract. You should send the product back to the address stated on our website.
- if you cancel your contract, we will:
  - refund you the price you paid for the products. However, please note that we are permitted by law to reduce your refund to reflect any reduction in the value of the goods, if this has been caused by your handling them in a way that would not be permitted in a shop. If we refund you the price paid before we are able to inspect the goods and later discover you have handled them in an unacceptable way, you must pay us an appropriate amount.
  - refund any delivery costs you have paid, although, as permitted by law, the maximum refund will be the costs of delivery by the least expensive delivery method we offer (provided that this is a common and generally acceptable method). For example, if we offer delivery of a product within 3–5 days at one cost but you choose to have the product delivered within 24 hours at a higher cost, then we will only refund what you would have paid for the cheaper delivery option.
- unless the product is faulty or not as described, you will be responsible for the cost of returning the product to us. If the product is one that cannot be returned by post, we estimate that if you use the carrier that delivered the product to you, these costs should not exceed the sums we charged you for delivery.
The legal rights of consumers are not affected by the rights of return and refund outlined above or anything else in these terms; advice about the legal rights of consumers is available from your local Citizens Advice or Trading Standards office.
Recurring Payment Authority (Subscription Products)
- A number of our products are sold on subscription, and our deliverables are provided on a recurring or cyclical basis. These products include, but are not limited to, staff awareness (e-learning) training, Cyber Essentials, scanning services, software and toolkits.
- Subscription periods (monthly or annual) are set out on individual product pages on our websites.
- Where your initial subscription is made online by means of a payment card, you enter into a Recurring Payment Authority (‘RPA’) that authorises us to collect recurring payments from you until you formally cancel the RPA.
- The RPA can be cancelled in your My Account area of our website at any time; cancelling the RPA will cancel all access to the relevant service at the end of the billing period for which we have received payment.
- Unless and until you cancel your contract for a recurring or cyclical deliverable, we will automatically invoice and/or collect payment in line with the subscription period you selected when entering the contract.
- You agree to keep your payment card details current and valid throughout the subscription period and agree to meet any and all additional costs we may incur as a result of your failure to keep these details current.
- Where your initial subscription is made by means of a purchase order, you agree that subsequent invoices for the recurring deliverables will be paid on your standard agreed credit terms until you formally cancel the contract.
- We will notify you at least 28 days in advance of any changes in price or of deliverable so that you can decide whether or not you wish to cancel the RPA at its next renewal date.
- On cancellation of an RPA, we will cancel access to digital products and remove any related certifications with effect from the end of the subscription period for which you have paid.
Online credit purchasing agreements
- If you have applied for and been granted an approved credit account, you are authorised to place orders through our websites using a purchase order, as documented in your Online Purchasing Agreement. Any purchases made by means of a purchase order will be invoiced in line with your specific agreement with us, with payment due in full 28 days from the invoice date. Title in goods purchased by means of a purchase order does not pass to you until you have paid the invoice in full.
- Time of payment is of the essence and, where sums due under a contract are not paid by the due date, we may charge interest at 8% above the HSBC base rate (with interest accruing on a daily basis from the date the payment became due until the payment is made in full) as well as recovering from you all the costs, including legal and court costs, we incur in order to obtain payment.
Cyber Essentials and Cyber Essentials Plus
The following terms apply to all purchases of Cyber Essentials and Cyber Essentials Plus (both of which are annual subscription products) (the “Cyber Services”):
- You must complete and submit the completed Cyber Essentials Self-Assessment Questionnaire (SAQ) on the IT Governance branded IASME portal (‘Cyber Essentials Portal’) within six months of purchasing the Cyber Services. Any applications not completed within that period will be marked as void and your account will automatically be archived; in these circumstances, we cannot issue a refund and you agree that you will not be entitled to any refund of or reduction in the fee.
- Our certificate guarantee is based on your organisation meeting all the required controls.
- All our Cyber Essentials packages include a pre-check of your self-assessment answers by one of our security experts prior to submission, to ensure you have addressed all compliance requirements. If you submit your application without this check, our certification guarantee is invalidated.
- If you are not successful on your first submission for Cyber Essentials, you have two working days to submit a further attempt for certification. If you are not successful on your second submission, you will be required to wait one month before reattempting at the cost of a new application.
- Before applying for Cyber Essentials Plus certification you must confirm that you hold a Cyber Essentials certification achieved through an IASME Consortium Ltd licensed certification body within three months of applying.
- You will need to complete the Cyber Essentials Plus audit within three months of achieving your last basic-level Cyber Essentials certification. If your Cyber Essentials Plus application is unsuccessful, your Cyber Essentials certification may be revoked.
- For Cyber Essentials Plus applications, all scans including the internal and external vulnerability scans must be completed and passing within one month of the workstation assessment/technical audit, including time to allow review by us (in our capacity as the certification body).
- If FOR ANY REASON you do not meet the deadlines outlined in the Terms and Conditions, then we will be under no obligation to provide the Cyber Services nor to refund any part of the fee. Conversely, if we are required to do any additional work to help you complete your application, we may charge you separately for that work.
- We will provide these services in accordance with the requirements of the IASME Consortium, which is the National Cyber Security Centre’s (NCSC’s) Cyber Essentials Partner for the delivery of the Cyber Essentials Scheme and we will have no liability to you outside the scope of those requirements. From time to time, due to the ever-evolving nature of the cyber security sector, changes may be implemented by IASME or the NCSC. Such changes may cause price increases, which will be passed on to you.
- For Cyber Essentials Plus applications, your explicit authorisation is required, as well as that from any additional parties involved in hosting any infrastructure or application that is in scope, before the start of any tests; this should be submitted in writing alongside the list of scan targets/IPs.
- Any limitations on the testing, such as a requirement for out-of-hours testing or weekend testing, or restrictions such as testing only during office hours, should be stipulated at the time of submitting the testing request. Any surcharges incurred for any out-of-hours testing will be agreed in advance and billed separately in advance.
- Unless otherwise agreed, we reserve the right to list your name and/or logo on our website as evidence that certification has been achieved.
- If you fail your initial submission of a Cyber Essentials application, we will provide you with details of required action. Any retesting that is required can be included as part of the initial engagement or scoped separately. The delay between the “fail” notification and a resubmission should not exceed two working days.
- If you fail any of the Cyber Essentials Plus testing performed as part of the overall engagement, we will provide you with details of further tests required. Any retesting that is required can be included as part of the initial engagement or scoped separately. The delay between the original assessment and retest should not exceed one month including completion of the application and including time to allow review by us (in our capacity as the certification body). These tests will be billed separately.
- Where we are required to provide on-site consultancy or testing at a customer site within or outside of the mainland United Kingdom, travel time and costs, accommodation and subsistence expenses may be chargeable. These expenses will be billed separately.
- Your subscription product cannot be downgraded to an alternative package and, should you decide not to complete your application, you will not be entitled to a refund.
- When a UK-domiciled organisation with a turnover under £20 million achieves self-assessed certification covering its whole organisation to the basic level of Cyber Essentials, it is entitled to Cyber Liability Insurance (terms apply). The cover is underwritten by AXA XL, a division of AXA, and administered via Sutcliffe & Co Insurance Brokers. This Cyber Liability Insurance does not form part of our own T&Cs. For details, please visit https://iasme.co.uk/cyber-essentials/cyber-liability-insurance/.
Penetration testing, including for Cyber Essentials Plus certification, and vulnerability scanning
- You must identify and disclose to us any third parties that may conceivably be affected by our testing activities, and any damages and/or loss of service caused by your failure to identify and/or disclose such third parties will remain your sole responsibility, and you therefore indemnify us against all and any costs or damages howsoever arising from such activities. Your authorisation to commence testing activities is deemed to include confirmation that any relevant internal or external parties have been appropriately notified, and that all necessary permissions from such parties for us to commence testing have been provided to us.
- We will only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools we deploy. You accept that it is in the nature of technical security testing that there may be flaws that will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and you therefore agree that you will not, now or in the future, hold us to account for any such matters.
- We will accept no liability for damages caused to you by any automated or non-automated attacks on your Internet-facing infrastructure or its applications, irrespective of whether or not our security testing activity carried out under this Agreement did, did not, or could have but did not identify any vulnerability exploited, or which might in future be exploited by any such attack.
- We will identify vulnerabilities that our testing has exposed and, wherever possible, we will identify by reference to commonly available and published information the appropriate patches and fixes that are recommended to deal with the identified vulnerability, but it will be entirely your responsibility to formally identify and deploy an appropriate solution to the vulnerabilities identified by our security testing.
Training courses
- All our public training courses, including all those for which we act as booking agents for third-party training providers, are subject to the terms and conditions set out below. By booking a training course or a third-party training course through us, you accept these terms and conditions. All our in-house training courses are subject to a parallel set of General Terms and Conditions, which are available separately at the time of booking.
- Prices for individual courses are as advertised on our website and are exclusive of VAT. Where required, VAT will be added to the advertised price to arrive at the final total cost. The course price includes trainers’ time, provision of training rooms and necessary facilities, all necessary training materials and, as appropriate, morning, lunch and/or afternoon refreshments. It does not include travelling or other subsistence costs.
- Exam costs are either included in the course cost or are an extra charge; we set out which option applies on our product pages.
- Bookings, which are in all cases subject to the availability of places on courses and, for third-party courses, on confirmation to us by the training provider that the course will actually run, will be accepted by us, and the rights and responsibilities in respect of cancellation will apply from the date on which the booking is accepted by us.
- We reserve the right to refuse admittance to any public course unless:
  - the full purchase price has been paid through the booking page for your chosen course on our website;
  - a valid purchase order has been received by us from a UK local authority, other UK public-sector organisation or a company that has an approved credit account with us; or
  - the full purchase price has been received by us in advance of the course start date.
- Delegates will not be permitted to enter the classroom if payment has not been made as set out above. The cancellation terms below will also apply.
- Once we have accepted your booking, the below cancellation terms apply:
  - There is no cancellation fee providing we receive written notice more than 31 days prior to the start of the relevant training course.
  - Written cancellations received between 31 and 21 days prior to the start of the training course will be subject to a 25% cancellation fee.
  - Written cancellations received between 20 and 11 days prior to the start of the training course will be subject to a 50% cancellation fee.
  - No refunds will be given for written cancellations received 10 days or less before the start of the training course.
  - No refunds will be given if you fail to attend a course for which you have made a booking.
- Delegates can be transferred from one course to another, or alternative delegates can be substituted for those already booked on a course. For this to happen, the following fees apply:
  - There is no fee where we receive written notification more than 31 days prior to the start of the relevant training course.
  - Where the written request is received between 31 and 21 days prior to the start of the training course, there is a 25% transfer fee.
  - Where the written request is received between 20 and 11 days prior to the start of the training course, there is a 50% transfer fee.
  - Where a transfer request is received 10 days or less in advance of a course, there will be a 100% transfer fee.
- Where the course booking is for multiple delegates, or you are not yourself the delegate, we need to know the names of delegates five working days in advance of the start of the course, so that we can ensure that exams are correctly organised, as well as to provide attendance certificates at the end of the training course. If you do not provide the names of the delegates prior to the five working day window described in this clause, the cancellation clauses above will apply to those delegates and a 100% cancellation fee will apply.
- We (and our selected training partners) reserve the right to cancel training courses but will endeavour not to do so within ten working days of the start of the course. If a training course is cancelled, our only obligation to you will be, at our discretion, either to reschedule the cancelled course within four months or to refund in full the fees paid by you for the training course. To the fullest extent permitted by law, we will not be liable to you in contract, tort, negligence or otherwise for any loss, damage, costs or expenses of any nature whatsoever, whether direct, indirect, special or consequential, incurred or suffered by you arising from such a cancellation.
- Delegates from outside the UK may require visas in order to attend a training course in the UK. We will endeavour to provide you with reasonable support to obtain a visa, but the actual issue of a visa is beyond our control and we have no liability to you in respect of the issue of such a visa. We will only issue appropriate invitation letters once you have booked and paid for the course(s) you wish to attend, and our visa invitation letters will only be in respect of such course(s). If your visa is not issued in time for you to travel to the UK to attend your chosen course, we will, at your discretion, arrange for you to attend an alternative course at a later date or we will, without deduction, refund any course fees paid. We will not under any circumstances be responsible for travel costs you may have incurred. If your visa is issued in sufficient time for you to attend your course but you do not attend, then our standard cancellation clauses will apply, including your liability to make payment in full.
- You are responsible for ensuring that your background, or that of your delegates, is suitable for the training course(s) being attended. We will not be liable for any refund if delegates decide that the course material is inappropriate for them or where they are unable to participate fully for any reason. In no circumstances will we be liable to refund any amount in excess of the agreed and paid price for any training course. This applies in particular (but is not limited) to any travelling, subsistence or consequential expenses of any sort incurred by delegates.
- All copyright and other intellectual property rights in or relating to any course materials provided or made available in connection with the course are and remain our sole property and/or that of our third-party providers. Course materials may not be used, copied, reproduced, stored in a retrieval system, distributed or transmitted in whole or in part, or in any form or by any means, whether electronically, mechanically or otherwise, or translated into any language, without the prior written permission of us and/or our third-party providers.
Standards
- Any standards you purchase from us are for your internal business use.
- Your end users are permitted to print a single copy of the publication.
- Neither you nor your end users may remove any proprietary markings or electronic watermarks, including original publisher copyrights and trademarks.
- Your end users will not copy, transfer, sell, license, lease, give, download, modify, publish, assign, transmit or otherwise reproduce, disclose or make available to others or create derivative works from the standards or any portion thereof.
Staff awareness e-learning
- We license you, and up to the maximum number of your users set out in your sales receipt, to access on our e-learning portal the specific e-learning course(s) you have selected, for the length of time you have purchased.
- If we have agreed to it, we will provide a single session of training for one or more administrators nominated by you to enable you to administer the e-learning portal for your users.
- Where you have purchased a corporate e-learning licence, your identified administrator may personalise your e-learning portal with your corporate branding (including colours and logos) as well as relevant corporate content such as procedure and contact information.
- You agree to:
  - ensure that each of your users accesses the e-learning portal using one of the following:
    - Microsoft Internet Explorer versions 9 or later
    - Apple Safari v6 or later
    - Mozilla Firefox v25 or later
    - Google Chrome v30 or later
  - permit us to place cookies on your users’ computers to facilitate provision of our e-learning staff awareness training courses;
  - establish connectivity to the e-learning portal; and
  - ensure that your users are instructed in the proper use of our e-learning portal and any e-learning staff awareness courses.
- In relation to the e-learning portal, we agree that:
  - with the exception of Internet outages and scheduled downtime, the e-learning portal will be available for 99.5% of each calendar month;
  - we will provide you with at least 72 hours’ email notification of scheduled downtime (that is, any planned or scheduled interruption of services from the e-learning portal, for the purposes of e-learning portal or infrastructure upgrades, software patching, software improvement, or for the replacement of any hardware or software); and
  - we will make regular backups of all data on the e-learning portal and will retain them for 60 days.
- We reserve the right to deny access to the e-learning portal to any of your users who are, or whom we reasonably suspect may be, engaged in any illegal activity, or in any activity that may in any way affect the performance of the e-learning portal or its continued use by any of our users.
- You also agree that we own the copyright in all the content material (whether text, graphics, designs, guidance notes, or information of any kind) (‘Courseware’), as well as in any upgrades or updates of any sort that may, from time to time, be made available to you on our e-learning portal.
DPO as a Service/Privacy as a Service: Specific terms
Scope of Work
- You agree that you will be solely responsible for obtaining appropriate legal advice on any matters on which you need legal advice and that you will be solely responsible for agreeing and settling any legal fees arising in respect of that advice.
- We rely on you to ensure that all your directors and authorised officers fully understand these Terms and that any instructions or questions on the Terms from such directors, officers or any other individuals are authorised by you.
- You agree to provide us with appropriate resources and access to relevant data and processes in order for us to provide the Services.
- You will make available a Board Member to whom we can report in respect of the Services.
- You agree that you alone are responsible for your compliance with the GDPR and any other relevant laws and regulations, not limited to those relating to personal data.
- You agree that the Services are provided by us, and not by any employees of ours, and that our liability in respect of the Services is limited to us. You agree that you will under no circumstances seek to bring any form of action, legal or otherwise, against any employee of ours in relation to the Services.
- We will not be liable for any delay in providing advice or guidance within the scope of the Services where this is caused by circumstances beyond our reasonable control.
- We will not be liable for failure or delay in performance by you in respect of advice, guidance or instructions given within the scope of the Services where this is due to causes beyond our reasonable control. Where the Services require us to deal with third parties on behalf of you, we do not accept any liability in relation to such third parties.
- If there are other advisers or third parties involved in any matter on which we are also engaged, the extent to which any loss or damage will be recoverable by you from us will be limited, without prejudice, in proportion to the overall fault for such loss or damage or as agreed in advance with the other parties. If our ability to claim a contribution to our costs under these circumstances from a third party is prejudiced by any limitation of liability agreed by you with that third party, we will not be liable to you for any amount that we would have been able to recover from that third party but for that limitation of liability.
- In respect of obtaining advice on any issue that is within scope of the Services, it is your responsibility to engage with us in a timely manner. We will not be held liable for any delay in you engaging the Services and any associated delay in us delivering the Services.
- It is your responsibility to follow the advice provided by us within the scope of the Services. Should you not follow the advice provided by us, we will not be held liable for any consequences, financial or otherwise, experienced by you as a result. If you fail to follow any advice provided by us within the scope of the Services, we will be entitled to terminate this Agreement with immediate effect and without any obligation to make any refund of any fees already paid under the Agreement.
- Unless otherwise agreed in writing, we are not responsible for reminding you of key dates or other time-sensitive actions or information.
People responsible for delivering on behalf of the Company
- We undertake to ensure that those of our employees who are deployed to provide the Services have the necessary skills, knowledge and experience. You agree that we alone will determine what skills, knowledge and experience are necessary in relation to the Services.
- The Services will be carried out by a team of our employees and the contact details for the team will be provided in the Agreement.
- We will identify a lead manager within the team who has ultimate responsibility for delivery of our Services to you. If we change the lead manager for any reason, we will notify you as quickly as possible.
Processes and Procedures
GDPR and UK DPA 2018 advice and guidance, including helpline
- We will provide email and telephone advice only to nominated contacts of yours, such nominations to be made in writing.
- We will record and track all requests for advice or guidance or other types of calls received from you. A quarterly report will be generated by us and sent to the nominated contacts. This report will also record the trends in terms of the categories of requests, highlighting root causes of issues raised and potential organisational issues.
Review of GDPR and UK DPA 2018 policies
- You will provide us with copies of all your policies and procedures that relate to data protection and compliance with EU data protection legislation.
- We will review all documents provided in relation to their compliance with applicable laws and regulations. We will provide written feedback to you, highlighting areas for improvement, as soon as possible.
GDPR and UK DPA 2018 audit
- We will allocate an appropriate consultant(s) to carry out privacy audits as may be required for the Services.
- Such audits will be scoped and planned in consultation with you. For the avoidance of doubt, audits will not be conducted by the lead manager.
- Audit reports, with recommendations for improvement or otherwise, will be provided to you after completing the data gathering phase of the audit and after undergoing any necessary further review.
GDPR and UK DPA 2018 updates
- We will provide your nominated contacts with regular updates on issues critical to data protection compliance.
- The copyright in all the updates (whether text, graphics, designs, guidance notes, or information of any kind) may belong to us or to other third parties.
- You may distribute internally any update material to which we own the copyright, but you are hereby notified that any third-party material may have different copyright restrictions and that you are solely responsible for complying with any restrictions in respect of such third-party material.
Availability of Services
- Unless otherwise agreed between us, we will provide the Services between the hours of 9:00 am and 5:00 pm in the United Kingdom, on a day, other than a Saturday, Sunday or bank holiday, on which clearing banks are open for non-automated commercial business in the City of London.
- Calls received outside of the standard hours of service will go through to an answerphone service and will not be accessed by us until the next working day.
- Emails received outside of the standard hours of service will be received by our server, but no action will be taken by us until the next working day.
Cyber Security as a Service (CSaaS): Specific terms
The following terms apply to all purchases of Cyber Security Advice Service and Cyber Security as a Service (both of which are annual subscription products that you will be billed for monthly).
The service package applies to single-entity organisations with up to 1,000 employees, in any sector or industry. Services are provided in accordance with the size of your organisation.
Organisation sizes are classified as follows:
- Micro 1–10 employees
- Small 11–250 employees
- Medium 251–500 employees
- Corporate 501–1,000 employees
Cyber Security Advice Service
- Our unlimited Cyber Security Advice Service is available 9.00 am – 5.00 pm, Monday – Friday (BST/GMT).
- The Cyber Security Advice Service is limited to providing advice on how to address cyber risks within your organisation from our cyber security experts. It covers common cyber security concerns and best practices. Wherever possible, recommendations to control and reduce cyber risk will be provided that are appropriate to your organisation.
- The Cyber Security Advice Service is available to your nominated point of contact and can be delivered by email, phone, or Microsoft Teams during our usual business hours.
- Where additional support is needed to implement advice, you are entitled to a discounted rate on pre-paid blocks of consultancy hours. The level of this discount will depend on the level of services purchased in accordance with the size of your organisation. Such consultancy will be billed separately.
- We will provide you, insofar as we are reasonably able, with information about the latest cyber threats and risks. This will be delivered via email as a monthly newsletter.
Cyber Security as a Service
You will be provided with a dedicated point of contact. Your specific cyber security expert will be available via phone, email and Microsoft Teams during office hours on weekdays.
You should nominate a project coordinator or a single point of contact in a senior role to coordinate delivery of this service with us.
Our Cyber Security as a Service includes all the elements of the above Cyber Security Advice Service. Depending on the level of services purchased in accordance with the size of your organisation, we will provide you with the following additional services:
Cyber security assessment
Our Cyber Security Assessment is designed to establish whether your organisation has basic security controls in place to protect you against commonly occurring cyber threats. The output of the assessment indicates where you might need to increase your defences to reduce the risk of suffering a cyber incident.
Data breach and incident response planning support
Depending on the level of services purchased, we will provide you with access to an incident response expert as part of these Services. The level of support provided will depend on the services purchased. The scope of this service will be:
- Year 1: help you develop an effective incident response process.
- Year 2 onwards: help test your incident response capability and provide advice on improving and maintaining it.
Staff awareness training – additional terms & conditions apply. See "Staff awareness e-learning"
We will provide you with licences for three staff awareness e-learning courses: Information Security and Cyber Security, GDPR: Email Misuse, and Phishing. The number of licences will depend on the level of services purchased. Additional licences are available to purchase at additional cost.
If the number of additional licences purchased is more than the number of employees stated in our organisation sizes above, you may be charged for the higher organisation package. You should select the services appropriate to the number of employees as classified.
Policies and procedures
Template document policies and procedures are provided that can be tailored to your organisation or used as the basis for developing your own information security management system documentation.
Internal network vulnerability scans and external vulnerability scanning
We will provide you with access to our external vulnerability scanning service. This service will allow unlimited access to automated scans for your external infrastructure. Access will be provided for up to four IP addresses. Scans for additional IP addresses can be provided at an additional cost.
Depending on the level of services purchased, this service includes an annual internal vulnerability scan of your internal infrastructure and endpoint devices. Under some circumstances, this service can be provided remotely.
Where we are required to provide on-site consultancy or testing at a customer site within or outside of the mainland United Kingdom, travel time and costs, accommodation and subsistence expenses may be chargeable. These expenses will be billed separately.
All our testing services are subject to the conditions set out further above in respect of penetration testing and vulnerability scanning.
Processing as a Data Controller:
- We process personal data in line with the requirements of the EU General Data Protection Regulation (‘GDPR’) and the UK Data Protection Act (‘DPA’) 2018. Our Privacy Notice (https://www.itgovernance.co.uk/privacy-notice) sets out the specific bases on which, as a Data Controller, we process personal data.
Processing as a Data Processor:
- In respect of personal data that you upload to our e-learning portal, or to any other facility that we offer as part of our services to you, we act as a Data Processor and process that data securely, in line with our obligations under the EU GDPR and the UK DPA 2018 and to your order.
- In the event of a data breach (as defined by law) we will notify you within the time frame required by law. It will be your obligation to determine whether or not the incident has to be reported to the relevant supervisory authority.
- Where we act as a Data Processor, we will not sub-contract any processing to any sub-processor without first notifying you.
- We will not hold any personal data beyond the completion of a service agreement other than at your instruction.
- Taking account of the nature of the processing, and the risks to the rights and freedoms of natural persons, we apply appropriate measures of security to protect the confidentiality, integrity and availability of all personal data that we process.
- You acknowledge that we own the intellectual property (including copyright) in our websites or in any/all products or services purchased from us. In some cases, where the product is provided by a third party, you acknowledge that the intellectual property in that product is owned by the third party.
- You also acknowledge that use of our website, or purchase of products or services from our website, does not provide any licence for the use and/or modification of our intellectual property (including trademarks and other copyrights) other than in circumstances specifically identified and provided for in relation to a specific product. You therefore agree that, if you do use any of our intellectual property without our prior explicit permission, we may require you to cease and desist from such use and/or pay us an appropriate fee for that use and/or pay us a penalty fee for that use.
Limitation of liability
- Our total liability under or in respect of any contract will not exceed the amounts paid by you under that contract.
- We will also not be liable for consequential, indirect or special losses of any sort.
- If any of these terms is at any time held in any jurisdiction to be void, invalid or unenforceable, then it will be treated as changed or reduced only to the extent minimally necessary to bring it within the laws of that jurisdiction and to prevent it from being void, and it will be binding in that changed or reduced form.
- Subject to that, each provision will be interpreted as severable and will not in any way affect any other of these terms.
- No waiver by us in exercising any right, power or provision hereunder will operate as a waiver of any other right or of that same right at a future time; nor will any delay in exercise of any power or right be interpreted as a waiver.
- These terms will be governed by and construed in accordance with the laws of England and you explicitly accept that only the law courts of England have jurisdiction to deal with any matter arising from or in any way, whether directly or indirectly, related to the use of this website and, accordingly, you explicitly waive all and any rights to bring any action of any sort in relation to this website, or to any transaction carried out with it, or any data stored on it or provided to it in any court anywhere else in the world.