Terms of Service

Cyber Essentials Services Contract - General Terms and Conditions

1. Definitions and Interpretations

1.1 Definitions

'Services' means Remote Cyber Essentials Basic (Self Assessment) and/or Remote Cyber Essentials Plus assessment and certification services as specified in the applicable Order Form.
'Fee(s)' means the sum to be paid for the Services as set out in the Order Form or as otherwise agreed in writing.
'Parties' means Net Sec Group Limited (the "Service Provider") and the Client, and 'Party' shall mean either one of them.
'Output' means reports, advice, analyses, methodologies, code or any other deliverable produced as part of the Services.
'Facilities' means working space, computer equipment, access to the internet and the Client's computer network, telecommunications system etc., and shall include not only access to such resources but also use of them to the extent required by the Service Provider in order to perform the Services.
'Authorised Targets' means the systems, applications, networks and data that the Client identifies in writing as in scope for Cyber Essentials or Cyber Essentials Plus certification.
'Security Testing' means non-destructive security testing limited to vulnerability scanning, configuration assessment and related verification activities required for Cyber Essentials and Cyber Essentials Plus certification.

1.2 Interpretations

Words importing the singular only shall also include the plural and vice versa.
Words importing persons include companies and vice versa.
Reference to any Act of Parliament shall include any modification, re-enactment, amendment or extension thereof.
Any reference to the necessary consent or approval of the Client or Service Provider shall mean consent or approval in writing.

2. Specification of Services

The Services to be provided are:

Cyber Essentials Basic (Self Assessment) - Remote assessment and certification
Cyber Essentials Plus - Remote assessment and certification including technical verification

The Service Provider shall:

Provide the Services in consideration for the Client paying the Fee.
Perform the Services by such employees or agents as the Service Provider may choose as most appropriate.
Provide the Client with a report as to time spent on request.
Carry out the Services as agreed in discussions between the parties.
Confirm that no data scraping will be carried out as part of the Services.

3. Client's Obligations

3.1 General Obligations

During performance of the Services the Client undertakes to:

Pay the Fees and any other costs without any retention, deduction or set-off save as permitted under this Agreement.
Co-operate with the Service Provider as reasonably required.
Provide the information and documentation that the Service Provider reasonably requires.
Ensure that the Client's staff and agents co-operate with and assist the Service Provider.
Complete the Cyber Essentials questionnaire within 1 month of the Commencement Date.
Achieve Cyber Essentials Plus certification within 3 months of Cyber Essentials Basic certification (where applicable).
Respond to all reasonable requests from the Service Provider within 5 Working Days. Where the Client's failure to respond causes delay to the Services, any delivery timelines shall extend accordingly and the invoice trigger in clause 4 (Invoice Backstop) shall not be delayed.

3.2 Authorisation for Security Testing

IMPORTANT: Computer Misuse Act 1990 Compliance

The Client hereby expressly authorises Net Sec Group Limited to perform Security Testing strictly in accordance with the current Cyber Essentials methodology and scheme requirements against the Authorised Targets.

The Client confirms that:

It owns or lawfully controls the Authorised Targets and has full authority to permit the Security Testing.
All necessary permissions and consents have been obtained from any relevant third parties (including hosting, cloud and telecommunications providers).
Appropriate backup, disaster recovery and business continuity arrangements have been implemented and verified.
All internal and external parties who reasonably need to be aware of the Security Testing have been notified.
All actions undertaken by Net Sec Group Limited in carrying out the Security Testing shall, for the purposes of the Computer Misuse Act 1990, be treated as fully authorised.

3.3 Acknowledgement of Testing Risks

The Client acknowledges that Security Testing for Cyber Essentials and Cyber Essentials Plus is designed to identify vulnerabilities and control weaknesses and that, although Net Sec Group Limited will exercise reasonable skill and care:

Such testing may in limited cases result in reduced performance, system errors, data corruption or temporary loss of availability.
Testing cannot guarantee identification of all vulnerabilities, misconfigurations or security weaknesses.
If Net Sec Group Limited reasonably believes that an active compromise or intruder is present on any Authorised Target, it will notify the Client as soon as reasonably practicable and may suspend or modify the Security Testing.

3.4 Data Protection Compliance

In performing the Security Testing, Net Sec Group Limited may access information, including personal data, for which the Client is the controller. The Client confirms that:

It has a lawful basis for such processing.
It has provided any notices required to data subjects.
It has obtained all necessary consents and authorisations to permit Net Sec Group Limited to access and process such data.

Net Sec Group Limited will process any personal data obtained in the course of Security Testing only as necessary to perform, validate and report on the Security Testing, and will handle such data in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and its internal information security and data retention policies.

4. Fees and Payments

The Fee for the Services is as specified at the time of purchase.
Payment is required in full at the time of booking via our secure online payment system (Stripe).
Services will commence upon receipt of payment confirmation.
The Service Provider is permitted to charge for all reasonable and necessary costs and expenses incurred in performing the Services, including but not limited to travelling, accommodation and courier services, subject to prior written notification to the Client together with a reasonable estimate of the costs to be incurred.
All amounts stated are exclusive of VAT and any other applicable taxes unless expressly stated otherwise. VAT at the prevailing rate will be added at checkout.

No Refunds

All Fees paid under this Agreement are non-refundable. The Client acknowledges that the Fee represents the Service Provider's commitment of dedicated resources, expertise, and the opportunity cost of declining other engagements. No refund, credit, or reduction of Fees shall be available under any circumstances, including but not limited to: cancellation by the Client, failure to achieve certification, failure to complete the assessment questionnaire, delay by the Client, or dissatisfaction with the assessment outcome.

Late Payment

Charge interest on the outstanding amount at the rate of 4% per year above the Bank of England base rate, accruing on a daily basis from the due date until payment is made in full, pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.
Require advance payment for any unperformed Services where any amount remains outstanding.
Withhold further Services until all outstanding payments have been received in full.
Claim a fixed statutory debt recovery charge pursuant to the Late Payment of Commercial Debts Regulations 2013, being £40 for invoices up to £999.99, £70 for invoices between £1,000 and £9,999.99, and £100 for invoices of £10,000 or more.
Recover all reasonable costs of debt recovery, including solicitors' fees and collection agency costs.

Invoice Backstop

The Service Provider shall be entitled to invoice the Client on the earlier of: (i) the date the Client is certified under Cyber Essentials (and/or Cyber Essentials Plus, where applicable); or (ii) the date falling 1 month after the Commencement Date, irrespective of progress, delay, or certification outcome.

Payment shall be due within 30 days of the date the invoice is issued by the Service Provider. The 30-day period runs from the date of issue and is not affected by whether the invoice was opened, read, or filtered by the Client's email systems, provided that the invoice has been sent to the email address specified in the Agreement or such other address as the Client may notify in writing.

Cyber Essentials Plus Re-Assessment

Where the Client is pursuing Cyber Essentials Plus (CE+) certification:

The CE+ assessment process involves an initial assessment of a random sample of in-scope devices. If vulnerabilities are found during the initial assessment, a second assessment of a new random sample will be automatically triggered in accordance with the IASME scheme rules. The Service Provider does not control whether a second assessment is triggered.
The Client's self-assessment questionnaire responses will be locked by the Service Provider once testing commences and may not be amended. Any inaccuracies in the Client's self-assessment responses prior to testing are the Client's sole responsibility.
Where a second assessment is triggered due to vulnerabilities found on the Client's systems, the Service Provider reserves the right to charge for the time required to conduct and administer the second assessment at the Standard Day Rate, in addition to any fees levied by the certification body.
Failure of the second CE+ assessment will result in revocation of the Client's Cyber Essentials (Basic) certificate in accordance with the IASME scheme rules. The Client's Cyber Essentials Plus certificate will not be issued. The Service Provider accepts no liability for such revocation arising from the Client's failure to remediate vulnerabilities identified during the assessment process.
The Service Provider does not guarantee that the Client will achieve Cyber Essentials Plus certification. The IASME scheme rules govern assessment criteria, pass/fail thresholds, and certificate revocation. Compliance with those rules is the Client's sole responsibility.

5. Ownership and Intellectual Property

In connection with the provision of the Services the Service Provider may generate, create, write or produce Output as required by the provisions of this Agreement.

Unless otherwise agreed by the Parties:

The Client will be granted a license to use the Services and/or any Output for their own internal purposes only.
The Client will not be entitled to publish, sell, make available to third parties, or allow any other person to do so, the Services or Output.
The copyright and database right (and all other intellectual property rights) in the Services or any Output shall belong to the Service Provider.

6. Confidentiality

Each Party ('Receiving Party') shall keep the confidential information of the other Party ('Supplying Party') confidential and secret, whether disclosed to or received by the Receiving Party. The Receiving Party shall only use the confidential information for the purpose of performing obligations under the Agreement.

'Confidential Information' means:

Information of whatever nature obtained from the other Party or its advisers, or by observations during visits, or by demonstrations.
Information relating to the business activities, practices and finances of either Party.
Any evaluation material, design work, strategic plans and ideas, innovations, creative plans, concepts and ideas.
Any information derived from the above.

Exceptions:

Confidential Information does not include information which is:

Publicly available (other than as a result of breach of this Agreement).
Lawfully available from a third party free from any confidentiality restriction.
Marked 'Non Confidential' by the Supplying Party.
Required by law or regulation to be disclosed (to the absolute minimum necessary).

This clause shall survive termination of this Agreement.

7. Competition

The Parties (and/or their employees, agents, representatives) shall be free to provide services or engage in any form of activity (including, but not limited to, any business, investment or financial activities) whether for themselves or on behalf of or to other organisations, companies or individuals who are or are potentially direct or indirect competitors of the other Party.

8. Sub-Contractors

The Service Provider is permitted to use sub-contractors to provide some or all of the Services, subject to providing prior written notice to the Client of the intended sub-contractor.
The Service Provider shall remain fully responsible to the Client for the acts and omissions of any sub-contractor as if they were the acts and omissions of the Service Provider itself. The use of sub-contractors does not limit or transfer any of the Service Provider's obligations under this Agreement.
Where the terms and conditions of a sub-contractor are more restrictive than the provisions of this Agreement, the Parties agree that work provided by a sub-contractor will be governed by the terms and conditions of the sub-contractor.

9. Warranties and Liability

THE CLIENT'S ATTENTION IS PARTICULARLY DRAWN TO THIS CLAUSE.

9.1 Warranty

The Service Provider warrants that it will use reasonable care and skill in performing the Services.

9.2 Excluded Losses

No Party shall be liable to the other for:

Loss of profit, market, business, or contract
Damage to goodwill
Loss of projected or anticipated savings
Loss of revenue
Any other consequential or indirect loss howsoever caused

9.3 Unlimited Liability

Nothing in this Agreement shall limit or exclude the liability of either Party for:

Death or personal injury caused as a result of its negligence
Fraud or fraudulent misrepresentation
Loss or damage to property caused by any negligent act
Any matters where it is illegal to exclude or limit liability

9.4 Liability Cap

Except in the case of death or personal injury caused by the Service Provider's negligence, the liability of the Service Provider under or in connection with this Agreement shall not exceed the Fee paid by the Client to the Service Provider under this Agreement.

10. Time for Performance

Time shall not be of the essence for the performance by the Service Provider of its obligations under this Agreement. Any dates, periods or times specified by the Service Provider in this Agreement or otherwise shall be estimates only.

11. Termination

11(A) Completion

Without prejudice to the other remedies or rights a Party may have, this Agreement will terminate following completion of the Services, and payment of the Fees.

11(B) Bad Faith

The Service Provider reserves the right to terminate this Agreement immediately by written notice if the Client has entered into this Agreement in bad faith, including but not limited to misrepresenting the nature, scope, or requirements of the work to be performed.

11(C) Scope Misrepresentation

Where a quotation, proposal, or contract price has been provided based on information supplied by the Client (including but not limited to organisation size, number of employees, number of IP addresses, devices, or other assets within scope), and such information is subsequently found to be materially inaccurate or incomplete, the Service Provider reserves the right to:

Revise the Fees to reflect the accurate scope of work; or
Terminate this Agreement by written notice.

The Client shall be liable for any Fees incurred for work already performed up to the date of termination or amendment.

11(D) Non-Payment

The Service Provider may terminate this Agreement immediately by written notice if any invoice issued under this Agreement remains unpaid for more than 14 days after its due date. Termination under this clause does not affect the Client's liability for all outstanding Fees and accrued interest.

11(E) No Cancellation by Client

The Client has no right to cancel this Agreement. The Client acknowledges that the Fee represents the Service Provider's commitment of dedicated resources and expertise, including the opportunity cost of declining other engagements, and that the full Fee payable on cancellation represents a genuine pre-estimate of the Service Provider's loss. If the Client cancels or purports to cancel this Agreement for any reason, the full Fee as set out in this Agreement shall become immediately due and payable. The Service Provider is not obligated to accept cancellation and may elect to continue performance of the Services.

11(F) Scope Variation

Where the scope of Services increases materially during the engagement (including but not limited to an increase in the number of devices, users, sites, or legal entities), the Service Provider may issue a written variation notice setting out revised Fees. If the Client does not serve written objection within 5 Working Days of receipt of the variation notice, the revised Fees shall be deemed accepted.

11(G) Accrued Rights

Termination of this Agreement under clauses 11(B), 11(C), or 11(D) shall not affect the accrued rights and obligations of either Party. Any sums due to the Service Provider for work performed prior to termination shall remain payable.

12. General Provisions

12.1 Force Majeure

The Service Provider shall not be liable for any delay or failure in performance of this Agreement resulting from circumstances beyond its reasonable control, including but not limited to acts of God, pandemic, government action, or infrastructure failure. The Service Provider shall notify the Client promptly of any such circumstances and shall resume performance as soon as reasonably practicable.

The Client's obligation to pay the Fees shall not be suspended, reduced, or extinguished by any force majeure event, whether affecting the Client or otherwise.

Where such circumstances prevent the Service Provider from performing for a continuous period of more than 60 days, the Service Provider may terminate this Agreement by written notice, in which case all Fees for work performed to the date of termination shall remain immediately payable.

12.2 Amendments

This Agreement may only be amended in writing signed by duly authorised representatives of the Parties.

12.3 Assignment

Neither Party may assign, delegate, sub-contract, mortgage, charge or otherwise transfer any or all of its rights and obligations under this Agreement without the prior written agreement of the other Party. A Party may, however, assign and transfer all its rights and obligations to any person to which it transfers all of its business, provided that the assignee undertakes in writing to the other Party to be bound by the obligations.

12.4 Entire Agreement

This Agreement contains the whole agreement between the Parties in respect of the provision of the specified Services and supersedes and replaces any prior written or oral agreements, representations or understandings between them. Nothing in this Agreement excludes liability for fraud.

12.5 Waiver

No failure or delay by the Service Provider in exercising any right, power or privilege under this Agreement shall impair the same or operate as a waiver of the same nor shall any single or partial exercise of any right, power or privilege preclude any further exercise of the same or the exercise of any other right, power or privilege. The rights and remedies provided in this Agreement are cumulative and not exclusive of any rights and remedies provided by law.

12.6 Agency, Partnership etc

This Agreement shall not constitute or imply any partnership, joint venture, agency, fiduciary relationship or other relationship between the Parties other than the contractual relationship expressly provided for in this Agreement.

12.7 Announcements

No Party shall issue or make any public announcement or disclose any information regarding this Agreement unless it obtains the approval of the other Party, or it is necessary to comply with applicable law or stock exchange regulations.

12.8 Notices

Any notice to be given under this Agreement shall be in writing and shall be sent by first class mail, air mail, or email (confirmed by first class mail or air mail). Notices shall be deemed to have been received:

Three working days after posting (inland first class mail)
Seven working days after posting (air mail)
The next working day after sending (email)

13. Severance

If any provision of this Agreement is prohibited by law or judged by a court to be unlawful, void or unenforceable, the provision shall, to the extent required, be severed from this Agreement and rendered ineffective as far as possible without modifying the remaining provisions of this Agreement.

14. Law and Jurisdiction

The validity, construction and performance of this Agreement shall be governed by the laws of England and Wales and shall be subject to the exclusive jurisdiction of the courts of England and Wales to which the Parties submit.

15. Third Parties

For the purposes of the Contracts (Rights of Third Parties) Act 1999 and notwithstanding any other provision of this Agreement, this Agreement is not intended to, and does not, give any person who is not a Party to it any right to enforce any of its provisions.

Contact Information

Net Sec Group Limited
Company Registration: 12960489
Bletchley Business Campus, Barton Road, Bletchley, MK2 3HU | 85 Great Portland Street, London, W1W 7LT
Email: [email protected]

Last Updated: April 2026. These terms govern all Cyber Essentials and Cyber Essentials Plus services provided by Net Sec Group Limited.