Supplier Terms and Conditions forming the ContractImportant: please read this carefully before accepting
PAYMENT AND FEES
If an order is made, you may choose to pay online in full for the service or request an invoice for 50%. Invoices must be paid before the project can commence.The balance will be due 30 days after the assessment date or after receipt of invoice (this being “the Due Date”).If any payment by the Company under this Contract shall be overdue, then the Certification Body shall be entitled to charge interest upon such overdue payment from the Due Date at the rate of 8% over the Bank of England base rate as guided by the “Late payment of Commercial Debts (Interest) Act 1998”.In consideration of the provision of the Services, the Company shall pay each invoice submittedby the Certification Body according to the terms identified on the invoice.The fee includes a retest of up to one hour. Further retests will be chargeable on a time-related basis. If the Certifying Company is larger than initially declared an additional fee will be payable before work can be commenced.
CANCELLATION OF AUDIT DATES
Please note that Indelible Data Limited must be notified in writing of any cancellation at least 14 days prior to an audit date, otherwise a cancellation fee of £500 plus VAT will be incurred. Indelible Data Limited reserves the right to claim the appertaining daily audit charge for each scheduled audit day. If audit dates are cancelled or changed and rebooked for a later date, any audit activity that has already been conducted by Indelible Data Limited i.e. external scans, audit prep call, review of documentation offsite will be charged for at the point of cancellation or change. If there is a lapse in time of more than 1 month until the onsite audit dates are rebooked these activities will be reviewed and may need to be repeated which will incur extra cost.
CONTRACTThe Cyber Essentials scheme is owned by HM Government (the authority), The IASME Consortium is the Cyber Essentials Partner, and Indelible Data Limited is the Certification Body.This agreement is intended to govern the relationship between the Certification Body and the Trusted Partner which you wish to apply for certification on behalf of the Certifying Company under the scheme. The assessment for certification will be carried out only on the basis that you have paid the required fees and that you accept the terms and conditions of this agreement in full.If you are accepting on behalf of a corporate body, you represent to us that you are doing so as an authorised representative of that corporate body. If you are not so authorised nor deemed by law to have such authority, then you assume sole personal liability for the obligations set out in this agreement.This agreement is:
- Between The Trusted Partner (Company) and
- Indelible Data Limited (Certification Body), incorporated and registered in England and Wales with company number 07097244 whose registered office is at Studio 3, Maryport Business Centre, Main Road, Maryport Cumbria CA15 8NG (Certification Body).
SERVICES
- Assess and certify the Certifying Company against the Cyber Essentials Basic scheme if included in purchase.
- Assess and certify the Certifying Company against the Cyber Essentials Plus scheme.
You will receive a login and password to the Cyber Essentials Basic portal if included with this order.
A submission must be made on the portal before a date can be booked for the Cyber Essentials Plus Assessment.TERMS OF ENGAGEMENT
- The Trusted Partner shall engage the Certification Body and the Certification Body shall make available to the Trusted Partner the Individual to provide the Services on the terms of this agreement.
- The Engagement shall commence no later than 3 months from this order being placed and the Cyber Essentials Plus Assessment shall be completed no later than 5 months from the date of this order being placed.
- Should this deadline pass, The Certification Body will reimburse the Trusted Partner any payment held on account minus any costs incurred by The Certification Body and £300 plus VAT administration fee.
All contracts of supply of goods and services are made by the Certification Body subject to these Terms and Conditions, any printed conditions on the Company’s order form or on other documents shall not apply unless and to the extent only that they shall have been expressly accepted by the Certification Body in writing.The Terms and Conditions constitute the entire agreement between the parties hereto in relation to the Services and supersedes all prior agreements, understandings, representations and commitments, whether oral or in writing, between the parties concerning such subject matter. No charges, alterations or modifications to the Terms and Conditions shall be binding on either party unless in writing and signed by the authorised representative of such party.Any provisions hereof that are deemed to be illegal or unenforceable in a court of competent jurisdiction, the enforceability of effectiveness of the remainder of the Terms and Conditions shall not be affected and shall be enforceable without reference to the unenforceable provision.The section headings contained hereto are for reference purposes only and shall not in any way affect the meaning or interpretation of the Terms and Conditions.
AGREED TERMS
- INTERPRETATION
The definitions and rules of interpretation in this clause apply in this agreement (unless the context requires otherwise).
| the Certification Body | means Indelible Data Ltd and its authorised employees, Company Number 07097244 registered office, Studio 3, Maryport Business Centre, Main Road, Maryport Cumbria CA15 8NG | |
| | |
| the Trusted Partner the Certifying Company | means the person, firm or company (Including its authorised employees) identified in the Trusted Partner field at purchase means the person, firm or company (Including its authorised employees) identified as the Company’s Client at purchase | |
| | |
| the Contract | which is deemed to have been accepted and executed by the Company upon receipt by the Certification Body of an instruction to proceed with the supply of goods and/or services, means these terms and conditions, the scope of supply as identified in the Contract and any attachments or supplemental terms and conditions herein referred to. | |
| | |
| the Contract Price | means the Delivery Payment exclusive of VAT plus any Subscription Fee which may be due under the Contract exclusive of VAT. | |
| Assessor | A representative of Indelible Data that is authorised to conduct Cyber Essentials Plus Assessments. | |
| Capacity | as agent, consultant, director, employee, owner, partner, shareholder or in any other capacity. | |
| Commencement Date | Commencement date of Cyber Essentials Plus assessment to be agreed via email. | |
| | | |
| Company Property | all documents, books, manuals, materials, records, correspondence, papers and information (on whatever media and wherever located) relating to the Business or affairs of the Company or its customers and business contacts, and any equipment, keys, hardware or software provided for the Certification Body or the Individual's use by the Company during the Engagement, and any data or documents (including copies) produced, maintained or stored by the Certification Body or the Individual on the computer systems or other electronic equipment of the Company, the Certification Body or the Individual during the Engagement. | |
| Confidential Information | information in whatever form (including, without limitation, in written, oral, visual or electronic form or on any magnetic or optical disk or memory and wherever located) relating to the business, customers, products, affairs and finances of the Company for the time being confidential to the Company and trade secrets including, without limitation, technical data and know-how relating to the Business of the Company or any of its suppliers, customers, agents, distributors, shareholders, management or business contacts and including (but not limited to) information that the Certification Body or the Individual creates, develops, receives or obtains in connection with this Engagement, whether or not such information (if in anything other than oral form) is marked confidential. | |
| | | |
| Engagement | the engagement of the Certification Body by the Company on the terms of this Contract. | |
| Individual | A representative of Indelible Data Ltd | |
| Insurance Policies | Professional Indemnity Insurance cover and Public Liability Insurance cover | |
| | | |
| Intellectual Property Rights | patents, rights to Inventions, copyright and related rights, trademarks, trade names and domain names, rights in get-up, rights in goodwill or to sue for passing off, rights in designs, rights in computer software, database rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications (or rights to apply) for, and renewals or extensions of, such rights and all similar or equivalent rights or forms of protection which may now or in the future subsist in any part of the world. | |
| Pre-Contractual Statement | any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Contract or not) relating to the Engagement other than as expressly set out in this Contract [or any documents referred to in it]. | |
| Representative | An individual from The Company who has the authority to approve the Cyber Essentials Plus Vulnerability Assessment. | |
| Services | the services described in the Schedule | |
| Termination Date | the date of termination of this Contract. |
| Works | all records, reports, documents, papers, drawings, designs, transparencies, photos, graphics, logos, typographical arrangements, software programs, inventions, ideas, discoveries, developments, improvements or innovations and all materials embodying them in whatever form, including but not limited to hard copy and electronic form, prepared by the Certification Body or the Individual in connection with the provision of the Services. |
| | |
| | | |
- DUTIES
2.1 During the Engagement the Certification Body shall, and (where appropriate) shall procure that the Individual shall:
- provide the Services with reasonable care, skill and ability; and
- provide such information and reports as the Company may reasonably require in connection with matters relating to the provision of the Services or the Business of the Company.
2.2 If the Individual is unable to provide the Services due to illness or injury, the Certification Body shall advise the Company of that fact as soon as reasonably practicable. For the avoidance of doubt, no fee shall be chargeable in respect of any period during which the Services are not provided.2.3 The Certification Body shall use its reasonable endeavours to ensure that the Individual is available on reasonable notice to provide such assistance or information as the Company may require.2.4 Unless it or he has been specifically authorised to do so by the Company in writing:
- neither the Certification Body nor the Individual shall have any authority to incur any expenditure in the name of or for the account of the Company; and
- the Certification Body shall not, and shall procure that the Individual shall not, hold itself out as having authority to bind the Company.
2.5 The Certification Body may use a third party to perform any administrative, clerical or secretarial functions which are reasonably incidental to the provision of the Services provided that the Company will not be liable to bear the cost of such functions.
- OTHER ACTIVITIES
Nothing in this Contract shall prevent the Certification Body or the Individual from being engaged, concerned or having any financial interest in any Capacity in any other business, trade, profession or occupation during the Engagement.
- CONFIDENTIAL INFORMATION AND COMPANY PROPERTY
4.1 The Certification Body acknowledges that in the course of the Engagement it and the Individual will have access to Confidential Information. The Certification Body has therefore agreed to accept the restrictions in this
clause 4.4.2 The Certification Body shall not, and shall procure that the Individual shall not (except in the proper course of its or his duties), either during the Engagement or at any time after the Termination Date, use or disclose to any third party any Confidential Information. This restriction does not apply to:
- any use or disclosure authorised by the Company, required by or which is properly disclosable pursuant to law or regulating authorities;
- any information which is already in, or comes into, the public domain otherwise than through the Certification Body's or the Individual's unauthorised disclosure.
4.3 At any stage during the Engagement, the Certification Body will promptly on request return to the Company all and any Company Property in its or the Individual's possession.
- DATA PROTECTION
5.1 The Certification Body may collect personal information about the Company’s personnel for the purpose of the Individual providing the Services.5.2 The Certification Body will not pass this information to third parties without the Company’s consent unless:
- disclosure is necessary to provide the Services; or
- disclosure is required by law.
- INTELLECTUAL PROPERTY
6.1 All Intellectual Property rights and all other rights in the Works created by the Individual shall be owned by the Certification Body.6.2 The Certification Body hereby licenses all such rights to the Company free of charge and on a non-exclusive world-wide basis to such extent as is necessary to enable the Company to make reasonable use of the Services as is envisaged by the parties.
- INSURANCE AND LIABILITY
7.1 The following provisions set out the entire financial liability of the Certification Body (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Company in respect of:
- any breach of the Contract howsoever arising;
- any use made by the Company of the Services; and
- any representation, misrepresentation (whether innocent or negligent), statement or tortious act or omission (including negligence) arising under or in connection with the Contract.
7.2 All warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from the Contract.7.3 Nothing in these conditions excludes the liability of the Certification Body:
- for death or personal injury caused by the Certification Body's negligence; or
- for fraud or fraudulent misrepresentation.
7.4 Subject to
condition 7.2 and
condition 7.3:
- the Certification Body shall not in any circumstances be liable, whether in tort (including for negligence or breach of statutory duty howsoever arising), contract, misrepresentation (whether innocent or negligent) or otherwise for:
- loss of profits; or
- loss of business; or
- depletion of goodwill or similar losses; or
- loss of anticipated savings; or
- loss of goods; or
- loss of contract; or
- loss of use; or
- loss or corruption of data or information; or
- any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.
- the Certification Body's total liability in contract, tort (including negligence or breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of the Contract shall be limited to the price paid for the Services.
- TERMINATION
8.1 This Contract shall terminate automatically on completion of the Services.8.2 Without prejudice to any other rights or remedies which the parties may have, either party may terminate this Contract without liability to the other immediately on giving notice to the other if:
- the other party fails to pay any amount due under this agreement on the due date for payment and remains in default not less than 30 days after being notified in writing to make such payment; or
- the other party suspends, or threatens to suspend, payment of its debts, is unable to pay its debts as they fall due, admits inability to pay its debts or (being a company) is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986; or
- the other party commences negotiations with all, or any class of, its creditors with a view to rescheduling any of its debts, or makes a proposal for, or enters into any compromise or arrangement with, its creditors; or
- a petition is filed, a notice is given, a resolution is passed, or an order is made, for or on connection with the winding up of that other party; or
- an application is made to court, or an order is made, for the appointment of an administrator, a notice of intention to appoint an administrator is given, or an administrator is appointed over the other party; or
- a floating charge holder over the assets of that other party has become entitled to appoint, or has appointed, an administrative receiver; or
- a person becomes entitled to appoint a receiver over the assets of the other party, or a receiver is appointed over the assets of the other party; or
- a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of its assets and such attachment or process is not discharged within 14 days; or
- any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 8.2(d) to clause 8.2(j) (inclusive); or
- the other party suspends or ceases, or threatens to suspend or cease, to carry on all or a substantial part of its business.
8.3 The Certification Body may terminate this Contract without liability to the Company immediately on giving notice to the Company if the Company:
- fails to provide, within reasonable time, any information and/or documentation reasonably required by the Certification Body for the delivery of the Services; or
- commits a material or repeated breach of any of the terms of this Contract and (if such a breach is remediable) fails to remedy that breach within 30 days of being notified in writing of the breach.
- OBLIGATIONS ON TERMINATION
On termination of this Contract or any reason:
- the Company shall immediately pay to the Certification Body all of the Certification Body's outstanding unpaid invoices and interest and, in respect of Services provided but for which no invoice has been submitted, the Certification Body may submit an invoice, which shall be payable immediately on receipt;
- the accrued rights, remedies, obligations and liabilities of the parties as at termination shall not be affected, including the right to claim damages in respect of any breach of the Contract which existed at or before the date of termination;
- clauses which expressly or by implication have effect after termination shall continue in full force and effect, including the following clauses: clause 6 (Intellectual property rights), clause 4 (Confidentiality), clause 7 (Limitation of liability) and clause 16 (Governing law and Jurisdiction).
- STATUS
The relationship of the Certification Body (and the Individual) to the Company will be that of independent contractor and nothing in this a Contract shall render it (nor the Individual) an employee, worker, agent or partner of the Company and the Certification Body shall not hold itself out as such and shall procure that the Individual shall not hold himself out as such.
- NOTICES
11.1 Any notice given under this Contract shall be in writing and signed by or on behalf of the party giving it and shall be served by delivering it personally or sending it by pre-paid recorded delivery or registered post to the relevant party at its registered office for the time being. Any such notice shall be deemed to have been received:
- if delivered personally, at the time of delivery.
- in the case of pre-paid recorded delivery or registered post, 48 hours from the date of posting; and
- in the case of fax, at the time of transmission.
11.2 In proving such service it shall be sufficient to prove that the envelope containing such notice was addressed to the address of the relevant party and delivered either to that address or into the custody of the postal authorities as a pre-paid recorded delivery or registered post (or that the notice was transmitted by fax to the fax number of the relevant party).
- ENTIRE AGREEMENT
Each party on behalf of itself acknowledges and agrees with the other party that:
- this Contract together with any documents referred to in it constitute the entire agreement and understanding between the Certification Body and the Company and supersedes any previous agreement between them relating to the Engagement (which shall be deemed to have been terminated by mutual consent);
- in entering into this Contract neither party has relied on any Pre-Contractual Statement; and
- the only remedy available to it or arising out of or in connection with any Pre-Contractual Statement shall be for breach of contract. Nothing in this Contract shall, however, operate to limit or exclude any liability for fraud.
- VARIATION
No variation of this Contract or of any of the documents referred to in it shall be valid unless it is in writing and signed by or on behalf of each of the parties.
- COUNTERPARTS
This Contract may be executed in any number of counterparts, each of which, when executed, shall be an original, and all the counterparts together shall constitute one and the same instrument.
- THIRD PARTY RIGHTS
A person who is not a party to this Contract shall not have any rights under or in connection with it.
- GOVERNING LAW AND JURISDICTION
16.1 This Contract and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law.16.2 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Contract or its subject matter or formation (including non-contractual disputes or claims).This document has been executed as a deed and is delivered and takes effect on the date stated at the beginning as the Effective Date.
- DELIVERY
Whilst the Certification Body will do its best to meet the delivery date requested by the Company, if for any unforeseen reasons, delivery is delayed, the Certification Body will keep the Company duly informed, but will not be liable for any loss, costs damages or expenses (direct, indirect or consequential) suffered by the Company as a result of delayed delivery, unless specific terms are agreed for a specific project, duly agreed and signed by both parties.
- DATA
All data will be archived for 18 months in line with our Data Retention policies and duties as a Cyber Essentials Certification Body.
- INSTALMENT CONTRACT
Where goods and/or services are to be delivered in instalments in accordance with the Contract, failure to pay any invoice raised in respect of the instalments and the goods and/or services delivered, shall (without prejudice to the Certification Body’s rights under section 3), entitle the Certification Body to withhold further supplies and/or services, until such a time as the Company’s breach of contract is resolved.
- FORCE MAJEURE
The Certification Body shall have the right without incurring the liability of the Company, to terminate the Contract or reduce the volume of goods delivered, if it is prevented or hindered in delivering the goods as a result of any circumstances beyond its control including (but not limited to) industrial action, war, fire, or prohibition or enactment of any kind.
- SUB-CONTRACTING
The Certification Body shall be entitled to sub-contract any of its obligations under the contract, however the Certification Body shall remain liable for their actions.
VULNERABILITY ASSESSMENT AUTHORISATION
In order to assess and certify the Company against the Cyber Essentials Plus scheme, a representative of Indelible Data Limited will conduct a vulnerability assessment in line with the Cyber Essentials Plus Common Test Specification v3.1.A copy of the specification may be downloaded from:
Cyber Essentials Plus: Illustrative Test SpecificationThe aim of the testing is to identify vulnerabilities within an organisation’s Internet-facing infrastructure and user workstations that provide a high level of exposure to potential attackers with a low level of skill.This level of testing assumes no specific threats against an organisation need to be addressed and that the likely level of attack is the broad, untargeted style of unsophisticated attacks. This level of testing is not suitable for organisations that may be the target of Advanced Persistent Threat (APT) style attacks.The scope of the vulnerability assessment reflects the scope defined in the self-assessment questionnaire, which must be returned by the company to Indelible Data Limited for pre-assessment.The assessment activity involves scanning servers and other connected devices.By accepting these Terms and Conditions, the Trusted Partner as an authorised representative of the Certifying Company attests to the following taking place:
- A manual inspection of certain BYOD devices may be carried out by the Assessor/tester and all appropriate personnel have been informed.
- The Assessor, representing Indelible Data Limited has permission to connect their device to the Certifying Company’s network or install cloud agents on the Certifying Company’s network and scan the organisation's computer equipment to find vulnerabilities in line with the Common Test Specification v3.1.
- If the Assessor is not granted permission to connect their device to the Certifying Company’s network, the Company must have approved scanning software already installed on their equipment that can be used by the Assessor.
- The Representative of the Company has the authority to grant this permission for testing the organisation's Information Technology assets.
- An audit of a company’s internet-connected infrastructure should not be construed as a definitive review of the organisation’s security.
- Please grant permission for vulnerability assessment by accepting these Terms and Conditions. Dates for the assessment will be subsequently agreed via email.
All vulnerability scanning has a degree of risk. Though our scans do not seek to exploit vulnerabilities (they only highlight them) they can, never-the-less, cause unforeseen issues and potential damage.Indelible Data Limited cannot be held liable for any loss of service, date or technical or performance issues that may occur during or after the audit.The Company must ensure the Certifying Company has a full system back-up is in place and that all devices can be recovered in the event of an unforeseen issue.Intentionally providing false or incorrect IP addresses is contrary to the Computer Misuse Act 1990.
AUTHORISATION
By accepting these Terms and Conditions:
- I confirm I accept the quote
- I confirm I have read and understood the Contract of Engagement
- I authorise that a Representative of the Certifying Company has granted permission for testing to take place. Should the Assessor not be granted access to connect their device to the network, then an approved scanning tool will be supplied by the Company.
CYBER ESSENTIALS PRIVACY NOTICE
Indelible Data Ltd collects your name, address, telephone number and email address so that we can contact you to enable us to enter into a contract in order to achieve Cyber Essentials Certification for the Certifying Company.If you are a sole trader, or have an office at home, the IP address you mention in this document may be classed as personal information and may also be kept along with the responses for a period of 18 months.The data controller is Indelible Data Limited, Studio 3, Maryport Business Centre, Main Road, Maryport. CA15 8NGOur Data and privacy manager is Tony Wilson, and you can contact him by emailing
info@indelibledata.co.uk, or telephoning 01900 818000.We are required to retain information collected to achieve Cyber Essentials for 18 months to meet our regulatory requirements, after which it will be securely deleted.In order to complete your certification and issue you with your certificate we will need to share your details with the IASME Consortium. Their privacy policy can be found here (
https://iasme.co.uk/privacy-statement/)We store our data within the European Economic Area. We take all reasonable steps to ensure that we have technical and organisational controls in place to safeguard your data.As a Data Subject you are entitled to exercise your rights to access your data, request rectification of any data that is inaccurate, or request erasure of your data. You also have the right to restrict processing if you feel data is inaccurate, processing is unlawful, or you want to oppose the erasure of your data, or if you wish your data to be retained beyond our retention period for the establishment, exercise or defence of a legal claim. You also have the right to receive your personal data in a commonly used machine-readable form, to transmit it to another controller. You also have the right to object to the processing of your personal data. Please contact Tony Wilson to assist you with exercising your rights or if you have any questions or comments regarding this privacy notice at
info@indelibledata.co.uk or Indelible Data Limited, Studio 3, Maryport Business Centre, Main Road , Maryport. CA15 8NGYou have a right to lodge a complaint with the supervisory authority, which is the ICO, details can be found here
www.ico.org.uk.
/-3.5042587517567103,%2054.70635734010168,15.5/300X450@2X?access_token=pk.eyJ1Ijoid29tYmF0Y2hyaXMiLCJhIjoiY2pqaGEyd2lzMDQ3ZDN2bWQ4OTBsa2pmayJ9.ksVq6arM13qYhr76pco33w)