Terms of Service
Effective Date: 6 March 2026
These Terms of Service (“Agreement”) govern the provision of cybersecurity services by CHMS Cyber Security Limited (“Supplier”, “we”, “us”, “our”) to you (“Customer”, “you”, “your”). By engaging our services, you agree to be bound by these terms.
Contents
Part A: Standard Terms
Part B: Service-Specific Terms
Part A: Standard Terms
1. Parties and Background
1.1 Supplier
CHMS Cyber Security Limited
85 Great Portland Street, First Floor, London, England, W1W 7LT
Company Number: 15650214
Email: contact@chmscybersec.net
1.2 Customer
The party engaging our services as identified in the Order Form or service agreement.
1.3 Background
CHMS Cyber Security is in the business of providing professional cybersecurity services including penetration testing, vulnerability assessments, red teaming, adversary simulation, training and awareness, monitoring and detection, incident response, and security consultancy. The Customer wishes to receive, and CHMS Cyber Security wishes to provide, the Services on the terms set out in this Agreement.
2. Interpretation and Definitions
The following definitions apply in this Agreement:
| Term | Definition |
|---|---|
| Applicable Data Protection Laws | The UK GDPR, EU GDPR (where applicable), and the Data Protection Act 2018. |
| Applicable Laws | All applicable laws, statutes, regulations and codes in force, including those governing networks, scanners, encryption devices, user monitoring and related software. |
| Business Day | A day other than Saturday, Sunday, or UK bank holiday. |
| Business Hours | 9:00 am to 5:30 pm GMT/BST on any Business Day, or as specified in the Order Form. |
| Commencement Date | The date of the last signature or as set forth in the Order Form. |
| Confidential Information | Any information supplied by either party relating to software, hardware, IT infrastructure, trade secrets, technical know-how, business affairs, client information, and any reports or analysis derived therefrom. |
| Customer's System | The system, application and/or network set forth in the Order Form which requires security testing. |
| Customer Personal Data | Any personal data which CHMS Cyber Security processes in connection with this Agreement as a processor on behalf of Customer. |
| Deliverables | Any output of the Services including reports, assessments, and recommendations. |
| Fees | The monetary amounts due for the Services as set forth in the Order Form. |
| Good Industry Practice | The degree of skill, diligence and foresight reasonably expected from a skilled and experienced cybersecurity service provider. |
| Initial Term | The first and minimum Agreement duration as set forth in the Order Form. |
| Intellectual Property Rights (IPRs) | Patents, copyrights, trademarks, trade secrets, database rights, know-how, and all other intellectual property rights. |
| Order Form | The request from Customer to CHMS Cyber Security for Services to be provided pursuant to this Agreement. |
| Professional Services | Consultant-delivered Services including information security consultancy, penetration testing, and related assessments. |
3. Structure and Scope of Agreement
3.1 Framework
This Agreement creates a contractual framework under which:
- Customer requests Services pursuant to this Agreement; and
- CHMS Cyber Security agrees to provide the Services pursuant to this Agreement.
3.2 Order of Precedence
In the event of any conflict or ambiguity, the order of precedence shall be:
- The applicable Order Form
- The applicable Annex or Order Form Services Addendum
- These Standard Terms
- The Service-Specific Terms
3.3 Validity
For this Agreement to be valid and effective, the Order Form must be confirmed in writing and signed by an authorised representative of each party. Upon signature, the Agreement shall be binding and the Fees shall become due as set forth.
3.4 Warranties
Each party warrants that it:
- Has full capacity and authority to enter into and perform this Agreement
- Is the owner, or has relevant consent from the owner, of all systems, applications, networks, and premises set out in the Order Form
- Will comply with all Applicable Laws
4. Commencement and Duration
4.1 Term
This Agreement shall commence on the Commencement Date and continue for the Initial Term unless terminated earlier in accordance with Clause 14. Following the Initial Term, the Agreement shall extend automatically for additional terms of the same duration (each an “Extension Term”) unless terminated on at least 60 days' prior written notice.
4.2 Incomplete Services
Any incomplete Service under the Order Form shall be completed and/or paid for prior to any termination of the Agreement.
5. Provision of Services
5.1 Service Delivery
CHMS Cyber Security will provide Services whereby:
- Each Service and/or Deliverable will be provided in accordance with the Order Form and any applicable Annex
- Services will be delivered in accordance with Good Industry Practice, with skill and care, and in a timely manner
5.2 Contact Person
CHMS Cyber Security shall, where appropriate, appoint a contact person in respect of the Services to be performed.
5.3 Health and Safety
Where applicable, CHMS Cyber Security shall observe all health and safety and security requirements at Customer's premises that have been communicated in writing.
5.4 Subcontractors
CHMS Cyber Security may use subcontractors to assist with delivery of Services and will carry out appropriate due diligence to ensure any such subcontractor has the required qualifications and experience.
6. Use of Services
6.1 Customer Obligations
Customer will:
- Provide all necessary co-operation and access to information required for the Services
- Carry out all customer obligations in a timely and efficient manner
- Ensure Customer's equipment and systems comply with relevant specifications
- Maintain adequate internet connectivity to receive and enable use of Services
- Assign a contact person for the Services
- Provide access to premises, data, and facilities as reasonably required
- Inform CHMS Cyber Security of all health and safety requirements at premises
- Obtain and maintain all necessary licences and consents
6.2 Customer Restrictions
Customer shall not:
- Infringe any Intellectual Property Rights belonging to CHMS Cyber Security
- Upload any malicious code, viruses, or malware into the Services or Deliverables
- Copy, reverse engineer, decompile, or modify any Service or Deliverable
- Withhold information affecting our ability to provide Services
- Use Services to impersonate any person
- Engage in abusive or excessive usage of Services
- Make Services available to third parties without express consent
- Sell, resell, license, or sublicense any Service or Deliverable
- Access Services to build a competitive solution or benchmark against competitors
6.3 Indemnity
Customer agrees to indemnify CHMS Cyber Security from any losses suffered or liabilities incurred because of Customer's breach of Clause 6.2.
6.4 Business Continuity
Both parties shall maintain business continuity and disaster recovery plans to ensure continuity of the Services in the event of unforeseen interruption.
7. Non-Solicitation and Employment
Each party shall not, without prior express written consent, until the expiry of 24 months after completion of Services, solicit or entice away from the other party, or directly attempt to employ, any person engaged as an employee, consultant, or subcontractor of the other party.
8. Amendments to Services
8.1 Change Process
Either party may propose changes to the scope or execution of Services, but no proposed changes shall come into effect until a relevant Order Form Services Addendum has been formally agreed by both parties.
8.2 Addendum Content
The Order Form Services Addendum shall set out the proposed changes and their effect on Services, Fees, timetable, and any other Order Form terms.
9. Fees and Payment
9.1 Payment Obligation
Customer shall pay the Fees upon invoice, including where Services cannot be delivered due to Customer's failure to meet obligations under this Agreement.
9.2 Invoicing
CHMS Cyber Security will invoice Customer in accordance with the Order Form or, where not specified, immediately following the Commencement Date on 30-day payment terms.
9.3 Unused Services
Any Services unused during the Initial Term or Extension Term will expire and shall not be credited or refunded unless otherwise expressly agreed in writing.
9.4 Additional Costs
The Fees exclude:
- Hotel, subsistence, travelling, and ancillary expenses reasonably incurred
- Third-party materials or services procured with Customer's advance approval
9.5 Cancellation Charges
The following charges apply to short-term cancellation and rescheduling:
- 7-14 days before scheduled start: 50% of scheduled Service Fees
- Within 7 days of scheduled start: 100% of scheduled Service Fees
9.6 Fee Increases
CHMS Cyber Security may increase Fees annually in line with the higher of 5% or the CPI percentage increase in the preceding 12-month period.
9.7 Late Payment
If Customer fails to pay on the due date:
- All sums payable under the Agreement become immediately due
- Interest accrues at 4% per year above the Bank of England base rate
- CHMS Cyber Security may suspend or cancel Services if payment is not received within 10 days of the due date
9.8 VAT
All amounts are exclusive of VAT. Customer shall pay applicable VAT on receipt of a VAT invoice.
10. Intellectual Property Rights
10.1 Ownership
CHMS Cyber Security and its licensors retain ownership of all IPRs in the Services and Deliverables, excluding Customer Materials.
10.2 Licence to Customer
CHMS Cyber Security grants Customer a fully paid, worldwide, non-exclusive, royalty-free, revocable licence during the term to copy and modify Deliverables for the purpose of receiving and using the Services in Customer's business.
10.3 Customer Materials
Customer and its licensors retain ownership of all IPRs in Customer Materials. Customer grants CHMS Cyber Security a licence to copy and modify Customer Materials for the purpose of providing the Services.
10.4 IPR Indemnity
CHMS Cyber Security shall indemnify Customer against claims for infringement of third-party IPRs arising from the receipt or use of Services and Deliverables, subject to the limitations in Clause 13.
11. Data Protection
11.1 Compliance
Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause is in addition to, and does not replace, obligations under such laws.
11.2 Processing Obligations
CHMS Cyber Security shall, in relation to Customer Personal Data:
- Process data only on documented instructions of Customer unless required by law
- Implement appropriate technical and organisational security measures
- Ensure personnel are committed to confidentiality
- Assist Customer in responding to data subject requests
- Notify Customer without undue delay of any personal data breach
- Delete or return Customer Personal Data on termination unless required by law to retain
- Maintain records demonstrating compliance
11.3 Sub-processors
Customer provides general authorisation for CHMS Cyber Security to appoint processors to process Customer Personal Data, provided such processors comply with Applicable Data Protection Laws.
11.4 International Transfers
Any transfers of Customer Personal Data outside the UK shall be made in accordance with Applicable Data Protection Laws using appropriate safeguards.
12. Confidentiality
12.1 Obligation
Each party undertakes not to use or disclose Confidential Information of the other party except as permitted by this clause.
12.2 Permitted Disclosure
Each party may disclose Confidential Information:
- To employees, officers, contractors, or advisers who need to know for the purposes of this Agreement
- As required by law, court, or regulatory authority
12.3 Purpose Limitation
No party shall use the other party's Confidential Information for any purpose other than to exercise its rights and perform its obligations under this Agreement.
13. Limitation of Liability
13.1 Unlimited Liability
Nothing in this Agreement limits liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Proven breach of applicable criminal law
13.2 Cap on Liability
SUBJECT TO CLAUSE 13.1, THE LIABILITY OF EACH PARTY SHALL NOT EXCEED THE FEES PAID IN THE 12-MONTH PERIOD PRECEDING THE CLAIM, OR WHERE LESS THAN 12 MONTHS HAVE PASSED, THE EQUIVALENT OF 12 MONTHS' WORTH OF FEES, PER CLAIM AND IN AGGREGATE.
13.3 Excluded Losses
The following types of losses are excluded:
- Loss of profits, revenues, or goodwill
- Loss of business opportunity
- Pure economic loss
- Indirect or consequential loss
13.4 Data Loss Risk
Customer acknowledges that Services may lead to loss or corruption of data, and this is an inherent risk even when performed with Good Industry Practice. Customer agrees to back up data prior to delivery of any Service.
13.5 Computer Misuse Act
Customer warrants that it has full authority to instruct CHMS Cyber Security to deliver the Services and will not hold CHMS Cyber Security liable for any violation of the Computer Misuse Act 1990 or other applicable laws.
14. Termination
14.1 Grounds for Termination
Either party may immediately terminate this Agreement if the other party:
- Commits a material breach and fails to remedy it within 30 days of written notice
- Is unable to pay its debts as they fall due
- Enters into negotiations with creditors regarding debt rescheduling
- Has a petition filed for winding up
- Has an administrator appointed
- Has a receiver appointed over any assets
- Suspends or ceases carrying on business
14.2 Material Breach
“Material breach” means a breach having a serious effect on the benefit the terminating party would otherwise derive from a substantial portion of this Agreement.
14.3 Payment Default
CHMS Cyber Security may terminate immediately if Customer fails to pay any amount due and remains in default more than 30 days after notification.
15. Consequences of Termination
15.1 Upon Termination
Upon termination or expiry:
- All licences, access, and rights to Services terminate
- Customer shall return any Supplier equipment and destroy Confidential Information
- Customer shall immediately pay all outstanding invoices and related interest
15.2 Survival
Any provision intended to continue after termination shall remain in full force and effect. Termination shall not affect any accrued rights or liabilities.
16. Force Majeure
16.1 Force Majeure Events
Force Majeure Events include (except for payment obligations):
- Acts of God, flood, drought, earthquake, or natural disaster
- Epidemic, pandemic, or government-mandated lockdowns
- Terrorist or cyber-attack, war, civil commotion, or sanctions
- Nuclear, chemical, or biological contamination
- Government action or failure to grant necessary licences
- Collapse of buildings, fire, explosion, or accident
- Labour disputes, strikes, or industrial action
- Interruption or failure of utility services
16.2 Effect
If a party is prevented from performing due to a Force Majeure Event, it shall not be in breach provided it notifies the other party within 10 days and uses reasonable endeavours to mitigate the effect.
16.3 Extended Duration
If the Force Majeure Event continues for more than six weeks, either party may terminate on 21 days' written notice.
17. General Provisions
17.1 Assignment
Customer shall not assign or transfer any rights or obligations without prior written consent from CHMS Cyber Security. CHMS Cyber Security may assign or transfer its rights with prior notice to Customer.
17.2 Amendment
No amendment shall be effective without express written consent signed by both parties, except that CHMS Cyber Security may update these Terms upon 90 days' written notice.
17.3 Waiver
A waiver of any right is only effective if given in writing and shall not constitute a waiver of any subsequent right.
17.4 Severance
If any provision is found invalid or unenforceable, it shall be deemed deleted without affecting the validity of the remaining provisions.
17.5 Entire Agreement
This Agreement constitutes the entire agreement between the parties and supersedes all previous agreements, warranties, and representations.
17.6 No Partnership
Nothing in this Agreement establishes a partnership or joint venture, or authorises either party to act as agent for the other.
17.7 Anti-Bribery and Anti-Corruption
Each party shall comply with all applicable anti-bribery and anti-corruption laws including the Bribery Act 2010.
17.8 Anti-Slavery
Each party shall comply with applicable anti-slavery and human trafficking laws including the Modern Slavery Act 2015.
17.9 Third Party Rights
This Agreement does not give rise to any third-party rights to enforce any of its terms.
17.10 Notices
Any notice shall be in writing and delivered by email, hand, or tracked post. Notices are deemed received at time of transmission (email), delivery (hand), or confirmed delivery (courier).
18. Governing Law and Dispute Resolution
18.1 Governing Law
This Agreement shall be governed and construed in accordance with English law.
18.2 Jurisdiction
The courts of England and Wales shall have exclusive jurisdiction to settle any dispute arising out of or in connection with this Agreement.
Part B: Service-Specific Terms
B1. Penetration Testing
B1.1 Service Description
CHMS Cyber Security will perform penetration testing that evaluates Customer systems to validate and exploit known vulnerabilities by assessing critical external and/or internal assets, APIs, web applications, mobile applications, cloud infrastructure, and/or wireless infrastructure using experienced penetration testers.
B1.2 Deliverables
CHMS Cyber Security will provide a report in both online and downloadable versions within 5 working days of completion of a test.
B1.3 Customer Obligations
- Submit necessary scope details at least five working days prior to the start of testing
- Agree dates within 12 months of Order Form execution; failure to do so forfeits the right to Services for that period
- Acknowledge that a penetration test is a snapshot in time limited to actions set out in the Order Form
- Back up all critical data prior to testing
- For Red Team tests, sign a letter of authority from an authorised board member if required
B1.4 Service Delivery
Services will be provided remotely unless otherwise agreed. On-site or in-person tests may be provided upon request, subject to approval.
B2. Vulnerability Assessments
B2.1 Service Description
CHMS Cyber Security will provide automated vulnerability scans to assess systems or applications for known security flaws and weaknesses. The service identifies assets prone to attacks and provides actionable remediation advice.
B2.2 Customer Obligations
- Define the scope of automated scans
- Take measures to patch or remediate threats as provided
- Add assets to ensure correct scanning coverage
B3. Red Teaming & Adversary Simulation
B3.1 Service Description
CHMS Cyber Security will provide advanced adversary simulation exercises that test Customer's defensive capabilities against realistic threat scenarios.
B3.2 Letter of Authority
Customer warrants that it has necessary authority to instruct CHMS Cyber Security to provide Red Team services and shall sign a letter of authority (from an authorised executive) if required.
B3.3 Scope
Testing scope shall be defined in the Order Form or a separate scope Annex document.
B4. Incident Response
B4.1 Service Description
CHMS Cyber Security will provide Customer assistance via a 24x7x365 emergency hotline. The service consists of initial assessment and triage to discover and confirm the nature and impact of security incidents.
B4.2 Response Process
During the initial notification call, Customer shall provide:
- Customer name and affected locations
- Priority of the incident
- How the incident was identified
- Contact name and number
- Details of incident and when first identified
B4.3 Digital Forensics
If more detailed analysis or forensic investigation is required, support will be provided at additional cost as defined in the Order Form.
B4.4 Customer Obligations
- Maintain accurate network diagrams
- Maintain process maps detailing systems involved with sensitive information
- Provide updated list of personnel authorised to discuss incident details
- Coordinate access to systems being investigated
B5. Training & Awareness
B5.1 Training Services
CHMS Cyber Security will provide training courses covering cyber security awareness and related topics. Delivery methods include online training, virtual training via video conferencing, or on-site training where agreed.
B5.2 Training Materials
CHMS Cyber Security will provide a copy of training materials to Customer in PDF format upon completion of training.
B5.3 Phishing Simulations
CHMS Cyber Security will perform tailored phishing simulations to test Customer staff's vigilance. Customer will provide target employee details including email addresses, roles, and names.
B6. Monitoring, Detection & Response
B6.1 Service Description
CHMS Cyber Security will provide monitoring and detection services including dark web monitoring, threat intelligence, and security event monitoring.
B6.2 Dark Web Monitoring
Automated monitoring performs surface web, deep web, and dark web scans 24 hours a day for Customer's designated business data to detect sensitive data efficiently.
B6.3 Service Exclusions
CHMS Cyber Security will not be liable where:
- Scheduled maintenance was being carried out
- Customer's acts or omissions caused the issue
- Security breaches were caused by Customer changes not communicated to CHMS Cyber Security
- Threat signatures were not available from vendors
B7. Consultancy Services
B7.1 Service Description
CHMS Cyber Security will remotely provide advice and support covering information security topics, including frameworks such as ISO 27001, NIST, CIS, and data protection regulations. On-site visits may be arranged in exceptional circumstances.
B7.2 Assessment Services
Consultancy services may include:
- Cyber Security Assessments based on NIST CSF and ISO 27001/27002 controls
- Gap Analysis against ISO 27001 or other frameworks
- Implementation support for security frameworks
- Internal audits against agreed requirements
B7.3 Customer Participation
Customer will be required to play an active part in consultancy engagements through interviews, workshops, and provision of relevant documentation.
B8. Contact Information
For questions about these Terms of Service or to discuss Services, please contact us:
CHMS Cyber Security Limited
85 Great Portland Street, First Floor
London, England, W1W 7LT
Company Number: 15650214
Email: contact@chmscybersec.net
