Terms & conditions
These Conditions apply to and govern the supply of cyber risk assessment, analysis and cyber incident response advisory services by STORM Guidance Limited, a company incorporated in England and Wales under number 08954537, whose registered office is at The Old Crown, 153 High Rd, Loughton, Essex IG10 4LG, United Kingdom.
1.1 In these Conditions the following words have the following meanings:
the Conditions: means these terms and conditions;
the Contract: an agreement for the purchase of the Services by the Customer from STG;
the Customer: means the person, company or organisation ordering the Services from STG under the Contract;
the Data Results: information and data extracted and generated by STG from the assessments and analyses forming part of the Services;
an Estimated Completion Date: an estimated date for delivery of the Data Results as set out in a Project Plan as part of the Contract;
the Fees: means the fees specified in the Quotation for the Services;
Intellectual Property Rights: means patents, copyright, registered and unregistered design rights, utility models, trade marks (whether or not registered), database rights, rights in know-how and confidential information and all other intellectual and industrial property rights and similar or analogous rights existing under the laws of any country and all pending applications for and rights to apply for or register such rights;
STG: means STORM Guidance Limited;
STG Affiliate: means STORM Guidance Limited and any other subsidiary for the time being of STORM Guidance Limited;
a Project Plan: a suitably detailed assessment, analysis and/or training & exercise or incident response plan agreed in writing between STG and the Customer specifying the Services to be performed by STG and referencing the relevant Quotation;
the QC Criteria: quality and delivery criteria of the assessment process, support, in the form of facilitation by the Customer and specification of presentation of Data Results required for STG to carry out the Services as set out in a Project Plan;
the Quotation: a written quotation issued by STG specifying the cost of the Services and incorporating these terms by reference;
the Assessment Criteria: information and evidence provided by the Customer to STG for the purposes of assessment and analysis of risk and capability as specified in a Quotation or in the Project Plan; and
the Services: the qualitative or quantitative assessment and analysis of cyber risk or capability and training/exercising of cyber incident response functions of the customer to be supplied by STG under the Contract as specified in a Project Plan.
1.2 Any reference in these conditions to a statute or regulation is to be construed as a reference to that statute or regulation as amended or reenacted from time to time.
1.3 The Interpretation Act 1978 applies to these Conditions as if these Conditions were an enactment.
1.4 The definitions set out in the Data Protection Act 2018 apply to words and expressions with an initial capital letter appearing in condition 9 of these Conditions.
1.5 The headings in these Conditions are for ease of reference only; they do not affect the interpretation or construction of these Conditions.
1.6 Any typographical, clerical or other error or omission in any sales literature, price list, Quotation, acceptance of offer, invoice or other document or information issued by STG shall be subject to correction without any liability on the part of STG.
2. Contract Formation
2.1 These Conditions will govern the provision of the Services to the exclusion of all other terms and conditions (including any terms or conditions which the Customer purports to apply under any purchase order, confirmation order, specification or other document) except where any special terms and conditions are included in a Quotation, a Project Plan or agreed in writing by STG.
2.2 Following a request from a prospective Customer to provide the Services, STG will usually issue a Quotation to that Customer and agree a Project Plan for those Services with the Customer. That Quotation is open to acceptance by the prospective Customer for 90 days after its date.
2.3 If the Customer accepts the Quotation within that 90 day period, the Contract between the Customer and STG will be formed for the supply of the Services and that Contract will be subject to these Conditions.
2.4 If the Customer asks STG to proceed to supply any of the Services listed in a Quotation or in any Project Plan; gives STG instructions for any Services; or issues any purchase order for any services, the Customer will be deemed to have accepted STG’s Quotation.
2.5 If a prospective Customer does not accept STG’s quotation within that 90 day period, but later purports to accept it, the purported acceptance will be an offer to treat. If a prospective Customer places an order with STG without STG first having issued a Quotation, that order will be an offer to treat. In either of those circumstances a contract will only come into existence if and when STG accepts the Customer’s offer. STG may decline the Customer’s offer as STG sees fit.
2.6 STG may revise these Conditions at any time by publishing new or revised Conditions on its website. If a Quotation is accepted by the Customer after the new or revised Conditions have been published on STG’s website, those new or revised Conditions will apply to the supply of those services.
2.7 If there is any conflict or inconsistency between these Conditions and any Quotation or Project Plan, the Quotation and Project Plan will prevail. If there is any inconsistency between these Conditions and any content on STG’s website, these Conditions will prevail.
3. Delivery Acceptance and use of the Assessment Criteria
3.1 The Customer will provide STG with the Assessment Criteria to STG’s advisors and where this may need to be transported or transmitted this will be at the Customer’s own risk and cost.
3.2 The Customer will provide with the Assessment Criteria all associated information and documentary evidence (including, without limitation, certificates of non-contamination and patient and ethical consents as appropriate) in relation to the Assessment Criteria as STG may reasonably require in order to perform the Services.
3.3 The Customer will ensure that all transmission methods used to communicate the Assessment Criteria ensure the confidentiality of the Assessment Criteria during transmission.
3.4 After delivery of the Assessment Criteria, STG will carry out quality control checks on the Assessment Criteria in order to ensure that the quality and quantity of the Assessment Criteria meet the QC Criteria. If STG in its sole discretion determines that the quality or quantity of the Assessment Criteria does not meet the QC Criteria, STG will notify the Customer of this by email within 14 days after receipt of the Assessment Criteria by STG.
3.5 If the Customer does not supply STG with Assessment Criteria that meets the QC Criteria within 30 days after the date of STG’s notification under clause 3.4, STG will be under no obligation to carry out the Services in respect of that aspect of the Service.
3.6 STG may use the Assessment Criteria for the purposes of performing the Services, but all right, title and interest in the Assessment Criteria will at all times remain the sole property of the Customer. STG will not use the Assessment Criteria for any purpose except to provide the Services to the Customer and will handle and store the Assessment Criteria in accordance with any instructions specified by the Customer and agreed by STG in writing.
3.7 STG will, at the Customer’s option, either destroy or return to the Customer all Assessment Criteria supplied to STG once the Services have been completed or on termination of the Contract under condition 11.1 or where STG is unable to perform the Services in accordance with condition 3.5 or condition 10.3. STG will maintain records of the use and disposal of the Assessment Criteria for three months after delivery of the Data Results to the Customer.
3.8 If the Customer wishes STG to retain the Assessment Criteria and/or Data Results after completion of the Services, the retention of the Assessment Criteria and Data Results will be at the Customer’s own cost and risk.
4. The Services and Data Results
4.1 STG will use reasonable endeavours to carry out the Services with reasonable skill and care. STG will endeavour to complete the Services and to deliver the Data Results by any Estimated Completion Date, but any such Estimated Completion Date is an estimate only, and STG will not be liable for any delay or failure to deliver or perform in accordance with an Estimated Completion Date.
4.2 The Services are provided as security and risk assessment, analysis and training services only and the Customer acknowledges that the Services and Data Results are not provided by STG to the Customer for any specific use (including, without limitation, risk management, controls implementation, for placing assurance or trust) without further analysis and assessment by the Customer.
4.3 Any delay by the Customer in providing Assessment Criteria, or in complying with clause 3.2, or in paying any of the Fees to STG will give STG the right to delay performance of the Services by a reasonable amount of time taking into account the delay by the Customer and the availability of STG’s consultancy, advice or facilities.
4.4 Once the Services have been completed STG will deliver the Data Results to the Customer through or on an accessible electronic medium.
4.5 STG will store a copy of the Data Results for three months after delivery of the Data Results to the Customer, but will be entitled to destroy its files of the Data Results after that three month period.
5.1 The Customer will pay the Fees. Unless otherwise agreed in writing, payment of all invoices will be made by the Customer to STG in full in Pounds Sterling as invoiced, no later than thirty (30) days from the date of an invoice.
5.2 All prices are exclusive of VAT unless otherwise stated and the Customer will pay any and all tax duties and other government charges payable in respect of the Products in accordance with UK legislation in force at the tax point and all other taxes and duties payable in connection with the supply of the Services to the Customer and its export and import into any territory.
5.3 In the event of late payment by the Customer STG will be entitled, without limiting any other rights and remedies it may have:
5.3.1 to suspend the Services and/or cancel any of its outstanding obligations under the Contract;
5.3.2 to levy a service charge to cover administrative and other associated costs in relation to overdue accounts at the rate of 3% per month on all unpaid accounts; and
5.3.3 to charge interest on any outstanding amount accruing from time to time at the rate of 8% per annum above the base rate from time to time of Lloyds Bank plc or the amount prescribed in the Late Payment of Commercial Debts (Interest) Act 1998 (whichever is greater) from the due date until the outstanding amount is paid in full.
5.4 The Customer will have no right to set off any amounts owing to it by STG against unpaid invoices due to STG.
5.5 STG shall have the right for reasonable cause to withdraw or refuse credit facilities or to require from the Customer cash on or before delivery or security for payment and to withhold delivery until such requirement is complied with.
5.6 Any claim or query by the Customer in respect of the invoiced price of the Services must be notified to STG by the Customer within the period referred to in condition 5.1.
6. Intellectual Property Rights
6.1 Nothing in these Conditions grants the Customer any licence to or any other rights under any Intellectual Property Rights of or used by STG existing at the date of the Contract other than those rights specifically set out in this clause 6.
6.2 The Intellectual Property Rights in the Data Results will be the property of the Customer and STG will assign to the Customer all Intellectual Property Rights in the Data Results. At the request and cost of the Customer STG will execute documents and take all necessary actions to assign to the Customer the Intellectual Property Rights in the Data Results.
6.3 Subject to Condition 6.2, the Customer will have no interest in any Intellectual Property Rights of or used by STG relating to methods of analysing cyber risk, methods of responding to cyber breaches or other types of incident or cyber risk analysis tools.
7. Warranties and Indemnities
7.1 The Customer warrants that:
7.1.1 it has obtained all contractual or ethical consents from any internal or third parties in scope of the services in respect of the Assessment Criteria necessary to allow the Customer to submit or otherwise provide the Assessment Criteria to STG and for STG to comply with its obligations under the Contract;
7.1.2 STG’s possession or use of the Assessment Criteria to provide the Services or its holding of the Data Results in accordance with the Contract complies with all applicable laws and regulations and will not infringe the Intellectual Property Rights of any third party; and
7.1.3 it has provided STG with all necessary information concerning the safe transmission, handling and storage of the Assessment Criteria.
7.2 The Customer warrants that it has not been induced to enter into the Contract by any representation or by any warranty (whether oral, or in writing, or in any other form) except those expressly made part of the Contract. The Customer waives all claims for breach of any warranty and all claims for any misrepresentation, (negligent or of any other kind, unless made by STG fraudulently) which is not specifically set out in the Contract as a warranty.
7.3 The Customer acknowledges and agrees that the Services are assessment, analysis and training services and accordingly specific results or outcomes are not guaranteed or warranted.
7.4 The Data Results are supplied without any express or implied warranties, conditions or representations and all warranties, conditions, terms, undertakings and obligations on the part of STG implied by statute, common law, custom, trade usage, course of dealing or in any other way are, to the extent permitted by law, excluded.
8. Limitation of Liability
8.1 Nothing in these Conditions limits STG’s liability for fraud, or death, or personal injury arising as a result of STG’s negligence or any other liability which may not, by law, be excluded.
8.2 Subject to clause 8.1, the maximum liability of STG under or in connection with the Services whether caused by the negligence of STG, its servants, agents, sub-contractors or otherwise will not exceed the amounts which have been paid or which have become payable by the Customer. In the event of an error by STG in providing the Services which renders the Data Results unusable by the Customer, the Customer’s only remedy will be either:
8.2.1 the return of the amounts which have been paid to STG by the Customer under the Contract; or
8.2.2 to require STG to repeat the whole or part of the Services at STG’s own cost.
8.3 Subject to clause 8.1, the Customer accepts the risk of using the Data Results and STG will have no responsibility or liability for any use which may be made of the Data Results by the Customer or any other person or for any loss arising from that use, whether caused by the negligence of STG, its servants, agents, sub-contractors or otherwise.
8.4 Subject to clause 8.1, STG will not be liable to the Customer for any of the following: loss of profit, loss of revenue, loss of savings, loss of opportunity, loss of business and loss of goodwill (in each case whether direct or indirect) or for any indirect loss, damage, costs, expenses and other claims (whether caused by the negligence of STG, its servants, agents, sub-contractors or otherwise) which arise out of or in connection with the Services or the Contract.
9. Confidentiality and Data Protection
9.1 Subject to the remaining provisions of this Condition 9, neither party will use (except for exercising its rights and performing its obligations under the Contract), will keep confidential and not divulge to any third party any and all confidential information of the other party (whether oral, written or recorded or disclosed in any other form, and whether disclosed on, before or after the date of the Contract) concerning any of the following: the business, affairs, plans, technology, know-how, products and services of the other party and, in particular, any Assessment Criteria, information and material disclosed to them by the other party for purposes of the Contract without the other party’s prior written consent.
9.2 For the purposes of this Condition 9, the Data Results are confidential information of the Customer disclosed to STG. STG will keep confidential and not divulge to any third party the Data Results and may not publish or otherwise disseminate the Data Results without the prior written consent of the Customer.
9.3 The restriction contained in Condition 9.1 will not apply to any information which:
9.3.1 was already in the receiving party’s possession or at its free disposal before its disclosure by the disclosing party;
9.3.2 is disclosed after the date of the Contract to the receiving party without any obligations of confidence by a third party who has not derived it directly or indirectly from the disclosing party;
9.3.3 is or becomes generally known anywhere in the world through no act or default on the part of the receiving party; or
9.3.4 is independently developed or discovered by the receiving party’s personnel without use of or reliance upon information provided by the disclosing party.
9.4 Nothing in this Condition 9 will prevent:
9.4.1 STG from disclosing in confidence to any STG Affiliate any confidential information disclosed to it by the Customer and the Data Results in order to meet STG’s obligations under the Contract; or
9.4.2 the Customer from disclosing in confidence to any of its own Affiliates any confidential information disclosed to it by STG and the Data Results in order to meet the Customer’s obligations under the Contract; or
9.4.3 either party from making any disclosure required by law, or by the order of any court of competent jurisdiction or any regulatory authority.
9.5 If STG processes any Personal Data on the Customer’s behalf when providing the Services, the parties intend that the Customer will be the Data Controller and STG will be a Data Processor in relation to those Personal Data and agree that:
9.5.1 the Customer will ensure that it is entitled to transfer those Personal Data to STG so that STG may lawfully use, process and transfer those Personal Data in accordance with the Contract on the Customer's behalf;
9.5.2 the Customer will ensure that all Data Subjects have been informed of, and have given their consent to, such use, processing, and transfer as required by the Data Protection Act 2018;
9.5.3 STG will process those Personal Data only in accordance with the Contract and any lawful and reasonable instructions given by the Customer from time to time; and
9.5.4 STG will take appropriate technical and organisational measures against unauthorised or unlawful processing of those Personal Data or their accidental loss, destruction or damage, having regard to the state of technological development, the cost of implementing any measures, the harm which might result from such unauthorised or unlawful processing or accidental loss, destruction or damage, and the nature of the data to be protected.
10. Force Majeure
10.1 STG will not be liable for any failure to fulfil the Contract or any term or condition of the Contract if fulfilment has been delayed, hindered or prevented by circumstances beyond its reasonable control including but not limited to fire, explosion, flood, tempest, unusually adverse weather conditions, failure or shortage of power supplies, fault or failure of plant or machinery, war, hostilities, riot, acts of terrorism, strikes, lock-outs or other industrial action or trade dispute (“a Force Majeure Event”).
10.2 STG will promptly notify the Customer if a Force Majeure Event arises and during the period in which STG is prevented from performing the Contract the Customer will be entitled after giving STG written notice of its intention to do so to purchase products elsewhere at its own cost and risk and STG shall not be obliged to make up deficiencies which arise as a result.
10.3 If a Force Majeure Event exceeds one month STG may cancel the Contract without liability.
11.1 Either party may terminate the Contract immediately by written notice to the other at any time giving written notice using a timescale defined in an accepted proposal or statement of work or if the other party:
11.1.1 commits any material breach of any of the provisions of this Agreement and, in the case of a breach capable of remedy, fails to remedy that breach within 30 days after receipt of a written notice giving particulars of the breach and requiring it to be remedied;
11.1.2 has a receiver, administrative receiver or administrator appointed over all or any of its assets or undertaking or, except for the purposes of a solvent amalgamation or reconstruction, enters into liquidation, enters into any composition or arrangement with or for the benefit of its creditors or enters into any similar or analogous arrangement existing under the law of any country or ceases to carry on business.
11.2 The termination of the Contract, by either party in accordance with this clause 11 will be without prejudice to any other rights or remedies of that party accrued prior to termination.
11.3 On termination of the Contract for any reason the Customer will immediately pay to STG any Fees or other amounts due under the Contract.
11.4 Clauses 1, 3.7, 4.4, 5.4, 6.2, 6.3, 7, 8, 9, 11.2, 11.3, 11.4 and 12 will survive the expiry or termination of this Agreement and will continue indefinitely.
12.1 No Partnership etc. - Nothing in these Conditions creates, implies or evidences any partnership or joint venture between STG and the Customer, or the relationship between them of principal and agent.
12.2 Third Party Rights - No third party is entitled to the benefit of this Agreement under the Contracts (Rights of Third Parties) Act 1999 or otherwise.
12.3 Assignment and Subcontracting - The Customer may not assign or otherwise deal with the Contract or any part of it without obtaining the prior written consent of STG. STG may perform any of its obligations or exercise any of its rights under the Contract by itself or through an STG Affiliate, provided that any act or omission of any STG Affiliate shall be deemed to be the act or omission of STG.
12.4 Non-Solicitation - During the provision of the Services and for a period of one year after delivery of the Services or any termination of this agreement, the Customer will not directly or indirectly, on the Customer's own behalf or in the service or on behalf of others, in any capacity induce or attempt to induce any officer, director, or employee to leave STG.
12.5 Severability - If any provision of these Conditions is held by any competent authority to be invalid or unenforceable in whole or part the validity of the other provisions of these Conditions and the remainder of the provision in question shall not be affected.
12.6 Notices - Any notice permitted or required under the Contract will be in writing and will be sent to the contact address, or e-mail address of the other party set out in the Quotation or any other address or e-mail address which that party may designate by notice given to the other party in accordance with this condition 12. Any notice may be delivered personally, or by first class pre-paid letter or by e-mail and will be deemed to have been served: if by hand, when delivered; if by first class post, 48 hours after posting; and if by e-mail, on that e-mail being accessible by the intended recipient.
12.7 Waiver - No waiver or delay by STG in enforcing its rights will prejudice or restrict those rights and no waiver of any right will operate as a waiver of any later right or breach.
12.8 Governing Law and Jurisdiction - The Contract shall be governed and construed in accordance with the laws of England. The English Courts will have exclusive jurisdiction to deal with any dispute which may arise out of or in connection with the Contract.