1. Agreement to Terms
These Terms of Service ("Terms") constitute a legally binding agreement between you ("Client," "you," or "your") and CyBEARSec Ltd (Company Registration No. 15531581) ("Company," "we," "our," or "us") regarding your use of our cybersecurity services and website.
By engaging our services or using our website, you acknowledge that you have read, understood, and agree to be bound by these Terms and our Privacy Policy.
1.1 Definitions
- "Direct Client" means an organisation that contracts directly with CyBEARSec for Services
- "Partner" means a third-party organisation that contracts with CyBEARSec to provide Services to their End-Clients
- "End-Client" means the ultimate recipient of Services when provided through a Partner arrangement
- "Services" means penetration testing, vulnerability assessment, security consulting, and related cybersecurity services
- "Report" means the written documentation of findings, recommendations, and technical details resulting from Services
2. Services Description
CyBEARSec Ltd provides professional cybersecurity services including but not limited to:
- Penetration Testing: Authorised security testing of networks, applications, and systems to identify vulnerabilities and security weaknesses
- Vulnerability Assessment: Comprehensive security scanning and evaluation of IT infrastructure and applications
- Red Team Operations: Advanced simulated attack scenarios designed to test detection and response capabilities
- Security Consulting: Expert advice and strategic security guidance including policy development and compliance
- Compliance Assessment: Evaluation against industry standards and regulations including PCI-DSS, ISO 27001, and GDPR
- Wireless Security Testing: Assessment of wireless networks and infrastructure security
2.1 Service Delivery Models
Services may be delivered through:
- Direct Engagement: Services contracted and delivered directly to the Client
- Partner Channel: Services delivered to End-Clients through approved Partners who contract with CyBEARSec on behalf of their clients
3. Service Authorisation and Scope
3.1 Written Authorisation Required
All security testing activities require explicit written authorisation from the Client before commencement. This includes:
- Signed statement of work (SOW) or service agreement
- Detailed scope definition and target specifications
- Approved testing methodologies and timeframes
- Emergency contact information and escalation procedures
3.2 Scope Limitations
Testing activities are strictly limited to:
- Systems, networks, and applications explicitly authorised in writing
- IP addresses and domains owned or legally controlled by the Client
- Testing methods and techniques approved in the engagement scope
- Agreed timeframes and business hours restrictions
3.3 Third-Party Systems
Testing of third-party hosted services, cloud platforms, or shared infrastructure requires:
- Client confirmation of ownership or legal authority
- Written permission from relevant third-party providers
- Compliance with third-party terms of service
4. Client Responsibilities
4.1 Information Provision
The Client agrees to:
- Provide accurate and complete information about systems to be tested
- Identify critical systems and business-sensitive periods
- Ensure proper authorisation from system owners
- Maintain up-to-date emergency contact information
4.2 System Preparation
Prior to testing, the Client should:
- Ensure adequate backups of critical systems and data
- Notify relevant IT staff and system administrators
- Implement monitoring to detect potential issues
- Plan for potential service disruptions
4.3 Legal Compliance
The Client warrants that:
- They have legal authority to authorise the requested testing
- All necessary internal approvals have been obtained
- Testing activities comply with applicable laws and regulations
- Third-party permissions have been secured where required
5. Service Standards and Methodology
5.1 Professional Standards
Our services are conducted in accordance with:
- Industry-standard testing methodologies (OWASP, NIST, PTES)
- Professional certification requirements (OSCP, CREST)
- Ethical hacking principles and best practices
- Applicable legal and regulatory frameworks
5.2 Reporting and Documentation
We provide comprehensive reporting including:
- Executive summary with risk assessment
- Technical findings with evidence and impact analysis
- Prioritised recommendations for remediation
- Supporting documentation and proof-of-concept code
6. Limitations and Disclaimers
6.1 Service Limitations
Our services are subject to the following limitations:
- Point-in-Time Assessment: Testing results reflect security posture at the time of testing
- Scope Restrictions: Only authorised systems and methods are tested
- False Negatives: Some vulnerabilities may not be detected
- Environmental Factors: Network conditions and system states may affect results
6.2 No Guarantee of Security
While we strive for comprehensive testing, we cannot guarantee:
- Detection of all possible vulnerabilities
- Prevention of future security incidents
- Compliance with all regulatory requirements
- Absolute security of tested systems
7. Confidentiality and Data Protection
7.1 Confidentiality Obligations
We maintain strict confidentiality regarding:
- Client information and business operations
- Technical findings and vulnerability details
- System configurations and network topology
- Any sensitive data encountered during testing
7.2 Data Handling
We commit to:
- Minimising data collection to what is necessary for testing
- Secure storage and transmission of all information
- Prompt deletion of sensitive data after project completion
- Compliance with applicable data protection regulations
8. Liability and Risk Allocation
8.1 Limitation of Liability
To the maximum extent permitted by law, CyBEARSec's liability is limited to:
- The total amount paid by the Client for the specific engagement
- Direct damages only (excluding consequential, indirect, or punitive damages)
- Claims brought within 12 months of service completion
8.2 Client Assumption of Risk
The Client acknowledges that security testing involves inherent risks including:
- Potential system downtime or performance degradation
- Triggering of security alerts or monitoring systems
- Unintended disclosure of vulnerabilities to third parties
- Risk of exploitation by malicious actors
8.3 Indemnification
The Client (or Partner in Partner arrangements) agrees to indemnify CyBEARSec against claims arising from:
- Unauthorised or improper use of testing results
- Client's failure to implement recommended security measures
- Testing of systems without proper authorisation
- Violation of third-party rights or terms of service
- End-Client actions or omissions in Partner arrangements
- Breach of End-Client obligations by Partner or End-Client
8.4 Partner Liability
In Partner arrangements:
- Partner assumes full liability for End-Client compliance with these Terms
- Partner is responsible for obtaining necessary authorisations from End-Client
- Partner indemnifies CyBEARSec against all End-Client-related claims and liabilities
- Partner ensures End-Client adherence to confidentiality and usage restrictions
9. Payment Terms
9.1 Fees and Billing
- Fees are as specified in the signed statement of work or service agreement
- Payment terms are typically net 30 days from invoice date
- Additional work outside the original scope requires written approval
- Travel and expense costs are billed separately unless included in the engagement
9.2 No Delay on Account of End-Client Payment
Where Services are provided through a Partner arrangement:
- Partner payment obligations to CyBEARSec are independent of End-Client payment to Partner
- Partner remains fully liable for payment regardless of End-Client payment status
- No delay in Partner payment to CyBEARSec is permitted due to End-Client non-payment
- Partner waives any right to withhold payment pending End-Client resolution
9.3 Late Payment
In accordance with the Late Payment of Commercial Debts (Interest) Act 1998, late payments may result in:
- Statutory Interest: Bank of England base rate plus 8% per annum on overdue amounts
- Fixed Compensation:
  - £40 for debts up to £999.99
  - £70 for debts between £1,000 and £9,999.99
  - £100 for debts of £10,000 or more
- Reasonable Recovery Costs: Additional costs incurred in recovering the debt
- Suspension of ongoing services until payment is received
- Withholding of final reports and deliverables
Payment terms are net 30 days from invoice date. Interest and compensation charges apply immediately when payment becomes overdue (31 days after invoice date), unless otherwise agreed in writing.
10. Intellectual Property
10.1 Ownership of Materials
- Client Data: All Client data and information remains the property of the Client
- Reports: Ownership of Reports transfers to Client upon full payment of all fees. Until payment is received in full, CyBEARSec retains ownership rights
- Methodologies: Testing methodologies, tools, and proprietary techniques remain the exclusive property of CyBEARSec
- General Knowledge: General security knowledge and techniques may be retained and reused
- Work Product: All work product created during Services (excluding Client-specific data) remains the property of CyBEARSec until payment is received in full
10.2 Partner Arrangements
In Partner arrangements:
- Report ownership transfers to the Partner upon full payment; the Partner may then transfer it to the End-Client under the terms of their own agreement
- Partner is responsible for ensuring End-Client compliance with intellectual property restrictions
- CyBEARSec retains the right to withhold deliverables from Partner until payment is received in full
11. Termination
11.1 Termination Rights
Either party may terminate the engagement:
- For material breach, with 10 days' written notice to cure
- For convenience, with 30 days' written notice
- Immediately for illegal activities or safety concerns
11.2 Effect of Termination
Upon termination:
- All testing activities cease immediately
- Client remains liable for services performed to date
- Confidentiality obligations continue indefinitely
- Both parties return or destroy confidential information
12. Force Majeure
Neither party shall be liable for delays or failures in performance resulting from circumstances beyond their reasonable control, including natural disasters, government actions, cyber attacks, or pandemic-related restrictions.
13. Dispute Resolution
13.1 Governing Law
These Terms are governed by the laws of England and Wales, without regard to conflict of law principles.
13.2 Dispute Resolution Process
- Direct Negotiation: Parties will attempt to resolve disputes through good faith negotiation for a period of 30 days
- Mediation: If negotiation fails, disputes will be submitted to mediation through a mutually agreed mediator
- Court Proceedings: Unresolved disputes will be subject to the exclusive jurisdiction of the courts of England and Wales
- Expedited Procedures: Payment disputes may be subject to expedited court procedures for debt recovery
14. General Provisions
14.1 Entire Agreement
These Terms, together with any signed statement of work and privacy policy, constitute the entire agreement between the parties.
14.2 Modifications
These Terms may only be modified by written agreement signed by both parties. Updates to general terms will be posted on our website with reasonable notice.
14.3 Severability
If any provision of these Terms is deemed unenforceable, the remaining provisions will continue in full force and effect.
14.4 Assignment
These Terms may not be assigned by the Client without our written consent. We may assign these Terms in connection with a business transfer or merger.
15. Emergency Procedures
15.1 Incident Response
In the event of system issues during testing:
- Testing activities will be immediately suspended
- Client emergency contacts will be notified promptly
- We will cooperate fully in incident investigation and resolution
- Detailed logs and evidence will be preserved for analysis
15.2 Critical Findings
Critical security vulnerabilities will be:
- Reported to the Client immediately upon discovery
- Communicated through secure channels only
- Documented with appropriate remediation guidance
- Handled with the highest level of confidentiality
16. Contact Information
For questions regarding these Terms or our services, please contact:
Important: These terms are for general reference. Specific engagements are governed by individually negotiated statements of work that may contain additional or modified terms.