Terms and Conditions for buying goods and services on our website
Version: 4.0 Issue date: 01/04/22
These terms and conditions apply to all transactions made on any UK-based website or platform owned and/or operated by a GRC International Group PLC company. A full list of our companies and websites is available on www.grci.group/privacy-notice. Transactions may be initiated by you interacting directly with the website or by you instructing us (through email, live chat, telephone or any other medium) to process a transaction on your behalf. These terms and conditions also apply to all transactions completed offline that involve products or services described online on any GRC International Group PLC company website.
‘You’: the individual or entity visiting this website and/or purchasing products or services from us, whether on this website or offline.
‘Us’: the GRC International Group PLC company that operates this website, any GRC International Group PLC company whose products or services you purchase, as well as GRC International Group PLC itself.
‘Contract’: a formal contractual relationship in respect of any transaction only exists between you and us from the point at which we accept your order. This acceptance may be automated, where fulfilment is automated, or it may be manual and occur only when manual fulfilment is initiated.
Our Terms and Conditions
These terms and conditions together with our Privacy Notice, our Acceptable Use Policy and our Terms and Conditions of Website Use (together, the ‘Terms’) provide you with information about us and apply to any contract between you and us. Please read these Terms carefully and make sure you understand them before ordering anything from our website or from us directly. We will also notify you at the point of purchase if there are any additional terms and conditions that may apply to any specific contract made between us.
- Our prices are as set out on our website, do not include packaging, shipping, insurance or travel costs, and are subject to the addition of applicable VAT or other state or national tax in line with any relevant regulations.
- We may vary our prices from time to time, which we will do by updating our website. Price changes will not be retrospective.
- The law says that, if you are a consumer, you have a legal right to cancel a contract during the period set out below; the law does not extend to business buyers, so in law the clauses below do not apply to transactions with organisations.
- Your legal right to cancel a contract starts from the date we confirm our acceptance of your order.
- During the relevant period, if you change your mind or decide for any other reason that you do not want to receive or keep a product, you can notify us of your decision to cancel the contract and receive a refund. Advice about your legal right to cancel the contract is available from your local Citizens Advice or Trading Standards office.
- This cancellation right does not apply in the case of:
  - digital contents (software, e-books, audiobooks, PDFs, or other electronic templates, books or reports) once a download has started;
  - any products that become mixed inseparably with other items after their delivery; or
  - any products that are made to your specifications or are clearly personalised.
- Under this right to cancel, and where the first day for delivery of any service falls within 14 days from the day on which the contract was established, you must make the cancellation at least one clear day before the planned first day of delivery; in other words, your right of cancellation does not apply on or after the last business day preceding the first day for delivery of that service.
- Under this right to cancel, where you do not specify a date on which you wish to attend a training course or on which consultancy delivery should start, your right to cancel does not apply after 14 days from the date of the contract and you have no right to a refund if you subsequently decide not to proceed with the service.
- There are further terms, set out below, that apply specifically to the purchase of training courses, Cyber Essentials, e-learning, self-paced online training courses (distance learning), toolkits and other products through our sites.
- Your deadline for cancelling the contract depends on what you have ordered and how it is delivered, as set out in the table below:
| | End of cancellation period |
|---|---|
| Your contract is for a single product (which is not delivered in instalments on separate days). | The end date is 14 days after the day on which you receive the product. For example, if we provide you with an order confirmation on 1 January and you receive the product on 10 January, you may cancel at any time between 1 January and the end of the day on 24 January. |
| Your contract is for either of the following: one product delivered in instalments on separate days; or multiple products delivered on separate days. | The end date is 14 days after the day on which you receive the last instalment of the product or the last of the separate products ordered. For example, if we provide you with an order confirmation on 1 January and you receive the first instalment of your product or the first of your separate products on 10 January and the last instalment or last separate product on 15 January, you may cancel in respect of all instalments and any or all of the separate products at any time between 1 January and the end of the day on 29 January. |
| Your contract is for the regular delivery of a product over a set period. | The end date is 14 days after the day on which you receive the first delivery of the products. For example, if we provide you with an order confirmation on 1 January in respect of products to be delivered at regular intervals over a year and you receive the first delivery of your product on 10 January, you may cancel at any time between 1 January and the end of the day on 24 January. 24 January is the last day of the cancellation period in respect of all products to arrive during the year. |
To cancel a contract, you need to let us know that you have decided to cancel. The easiest way to do this is to email firstname.lastname@example.org, identifying the website from which you purchased and quoting the electronic purchase sale number, the date of the transaction and the items purchased. This email must contain a categorical statement that goods that have been delivered have not been copied, duplicated or used in any way. If there are physical goods to return, please also obtain a returns number at the time of notifying us of your decision to cancel, and we will at that time also notify you of our returns address.
If you cancel your contract, we will:
- Refund you the price you paid for the products. However, please note that we are permitted by law to reduce your refund to reflect any reduction in the value of the goods if this has been caused by your handling them in a way that would not be permitted in a shop. If we refund you the price paid before we are able to inspect the goods and later discover you have handled them in an unacceptable way, you must pay us an appropriate amount.
- Refund any return delivery costs you have paid, although, as permitted by law, the maximum refund will be the costs of delivery by the least expensive delivery method we offer (provided this is a common and generally acceptable method). For example, if we offer delivery of a product within 3–5 days at one cost but you choose to have the product returned within 24 hours at a higher cost, we will only refund what you would have paid for the cheaper delivery option.
- Make any refunds due to you as soon as possible and in any event within the deadlines indicated below:
  - If you have received the product and we have not offered to collect it from you, you must return it to us within 14 days of the date on which you notify us of the cancellation and we will make any refund due 28 days after the day on which we receive the product back from you or, if earlier, the day on which you provide us with legal evidence that you have sent the product back to us.
  - If you have not received the product, or you have received it and we have offered to collect it from you: 28 days after you inform us of your decision to cancel the contract.
  - If you have returned the product to us because it is faulty or not as described, we will refund the price of the product in full, together with any applicable delivery charges, and any reasonable costs you incur in returning the item to us. We will make any refund due 28 days after the day on which we receive the product back from you.
- Refund you on the credit or debit card you used to pay. If you used vouchers to pay for the product, we may refund you in vouchers. If you paid via PayPal or a similar payment processor, or via bank transfer, we will make the refund by the same route.
The legal rights of consumers are not affected by the rights of return and refund outlined above or anything else in these terms; advice about the legal rights of consumers is available from your local Citizens Advice or Trading Standards office.
Recurring payment authority (subscription products)
- A number of our products are sold on subscription, and our deliverables are provided on a recurring or cyclical basis. These products are clearly identified on our websites as subscription products and include, but are not limited to, staff awareness (e-learning) training, Cyber Essentials, Cyber Essentials Plus, scanning services, software and toolkits.
- Subscription periods (monthly or annual) are set out on individual product pages on our websites.
- Where your initial subscription is made online by means of a payment card, you enter into a Recurring Payment Authority (‘RPA’) that authorises us to collect recurring payments from you until you formally cancel the RPA.
- The RPA can be cancelled in your My Account area of our website at any time; cancelling the RPA will cancel all access to the relevant service at the end of the billing period for which we have received payment.
- Unless and until you cancel your contract for a recurring or cyclical deliverable, we will automatically invoice and/or collect payment in line with the subscription period you selected when entering the contract.
- You agree to keep your payment card details current and valid throughout the subscription period and agree to meet any and all additional costs we may incur as a result of your failure to keep these details current.
- Where you are purchasing on behalf of an organisation, and there is any change in organisational contact details, but you fail to notify us in the My Account area of that change, then your organisation will still be liable to pay subscription charges as they fall due.
- Where your initial subscription is made by means of a purchase order, you agree that subsequent invoices for the recurring deliverables will be paid on your standard agreed credit terms until you formally cancel the contract.
- You cannot cancel subscriptions in arrears. Once a subscription renewal date has passed, you can only cancel the subscription with effect from its next renewal date.
- We will notify you at least 28 days before the applicable renewal date of your subscription services of any changes in price so that you can decide whether you wish to give notice and cancel the RPA at its next renewal date. It is your responsibility to ensure that our email address is whitelisted or otherwise authorised so that you can receive our notification emails.
- On cancellation of an RPA, we will cancel access to the subscription services and remove any related registrations and benefits with effect from the end of the subscription period for which you have paid.
Online credit purchasing agreements
- If you have applied for and been granted an approved credit account, you are authorised to place orders through our websites using a purchase order, as documented in that authorisation. Any purchases made by means of a purchase order will be invoiced in line with your specific agreement with us, with payment due in full 28 days from the invoice date. Title in goods purchased by means of a purchase order does not pass to you until you have paid the invoice in full.
- Time of payment is of the essence and, where sums due under a contract are not paid by the due date, we may charge interest at 8% above the HSBC base rate (with interest accruing on a daily basis from the date the payment became due until the payment is made in full) as well as recovering from you all the costs, including legal and court costs, we incur to obtain payment.
- You agree that you will undertake best efforts (including, as appropriate, deploying relevant security measures) to ensure that only your authorised personnel place orders through our websites, and you agree that you will be responsible for paying all invoices generated as a result of any transaction on your account with us.
- If you are purchasing either the GRCI Law EU Representative Service or the GRCI Law UK Representative Service, and you are purchasing by purchase order, then you agree that you will pay for these services annually in advance by direct debit and that you will provide us with a duly authorised, valid and accurate annual direct debit form before the commencement of the subscription period.
Cyber Essentials and Cyber Essentials Plus
The following terms apply to all purchases of Cyber Essentials and Cyber Essentials Plus (both of which are annual subscription products and so auto-renew) (the ‘Cyber Services’):
- You must complete and submit the completed Cyber Essentials self-assessment questionnaire (‘SAQ’) on the IT Governance-branded IASME Consortium (IASME) portal (‘Cyber Essentials Portal’) within six months of purchase. Any applications not completed within that period will be marked as void and your application will automatically be archived; in these circumstances, we cannot issue a refund and you agree that you will not be entitled to any refund of or reduction in the fee.
- If you require certification by a certain date, or before the expiry of an existing certificate, it is your responsibility to start the application in time to ensure it is completed before your deadline. In particular, you must provide an asset inventory and ensure that all assets, systems and applications that are within scope of a proposed certification are supported and meet the requirements of the Cyber Essentials scheme.
- We provide these services in accordance with the requirements of the IASME, which is the National Cyber Security Centre’s (‘NCSC’) Cyber Essentials Partner for the delivery of the Cyber Essentials scheme, and we shall have no liability to you outside the scope of those requirements. From time to time, due to the ever-evolving nature of the cyber security sector, changes may be implemented by IASME or the NCSC. Such changes may cause price increases, which shall be passed on to you.
- If you are not successful on your first submission for Cyber Essentials, you will receive a ‘More Information’ or ‘Fail’ outcome. You then have two working days to submit a further attempt for certification. If you are not successful on your second submission, or if you fail to re-submit your second attempt within the two days, you will be required to purchase a new Cyber Essentials package and reapply.
- Before applying for Cyber Essentials Plus certification, you must confirm that you hold Cyber Essentials certification achieved through an IASME-licensed certification body within three months of applying.
- You will need to complete the Cyber Essentials Plus certification within three months of achieving your most recent basic-level Cyber Essentials certification. If your Cyber Essentials Plus application is unsuccessful, your Cyber Essentials certification may be revoked.
- For Cyber Essentials Plus applications, all scans including the internal and external vulnerability scans and the workstation assessment/technical audit must be completed and passed (including time to allow review by us in our capacity as the certification body) within a period of one month or within three months of the Cyber Essentials certificate, whichever date is earliest.
- If FOR ANY REASON you do not meet the deadlines outlined in the terms and conditions, then we will be under no obligation to provide the Cyber Services nor to refund any part of the agreed fee. Conversely, if we are required to do any additional work to help you complete your application, we may charge you separately for that work.
- For Cyber Essentials Plus applications, your explicit authorisation is required, as well as that from any additional parties involved in hosting any infrastructure or application that is in scope, before the start of any tests; this should be submitted in writing alongside the list of scan targets/IPs.
- Any limitations on the testing, such as a requirement for out-of-hours testing or weekend testing, or restrictions such as testing only during office hours, should be stipulated at the time of submitting the testing request. Any surcharges incurred for any out-of-hours testing will be agreed in advance and billed separately.
- If you fail any of the Cyber Essentials Plus testing performed as part of the overall engagement, we will provide you with details of further tests required. The delay between the original assessment and retest should not exceed one month including completion of the application and including time to allow review by us (in our capacity as the certification body). These tests will be billed separately.
- Where we are required to provide on-site consultancy or testing at a customer site within or outside of the mainland United Kingdom, travel time and costs, accommodation and subsistence expenses may be chargeable. These expenses will be billed separately.
- Unless otherwise agreed, we reserve the right to list your name and/or logo on our website as evidence that certification has been achieved.
- Cancellations – we reserve the right to charge in full for booked days where you cancel with less than five business days’ notice, and to charge 50% of the contracted rate where the day is cancelled between five and ten days in advance. In each case, we may waive the right to charge for a specific cancellation if we are able to deploy the consultant’s time with an alternative client. We also reserve the right to charge (at cost) for any non-refundable expenses incurred in respect of travel and accommodation arrangements made in line with this agreement.
- If you are UK-domiciled, with a turnover under £20 million, and you achieve self-assessed certification covering your whole organisation to the basic level of Cyber Essentials, you are entitled to Cyber Liability Insurance (terms apply). The cover is underwritten by AXA XL, a division of AXA, and administered via Sutcliffe & Co. Insurance Brokers. This Cyber Liability Insurance does not form part of the agreement. Please visit https://iasme.co.uk/cyberessentials/cyberliabilityinsurance/.
- Your subscription product cannot be downgraded to an alternative package and, should you decide not to complete your application, you will not be entitled to a refund.
Penetration testing, including for Cyber Essentials Plus certification and vulnerability scanning
- You must identify and disclose to us any third parties that may conceivably be affected by our testing activities, and any damages and/or loss of service caused by your failure to identify and/or disclose such third parties will remain your sole responsibility, and you therefore indemnify us against all and any costs or damages howsoever arising from such activities. Your authorisation to commence testing activities is deemed to include confirmation that any relevant internal or external parties have been appropriately notified, and that all necessary permissions from such parties for us to commence testing have been provided to us.
- We will only identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools we deploy. You accept that it is in the nature of technical security testing that there may be flaws that will be uncovered in the future or by the use of alternative tools and attack methodologies, none of which could normally be identified at the time of testing, and you therefore agree that you will not, now or in the future, hold us to account for any such matters.
- We will accept no liability for damages caused to you by any automated or non-automated attacks on your Internet-facing infrastructure or its applications, irrespective of whether our security testing activity carried out under this agreement did, did not, or could have but did not identify any vulnerability exploited, or which might in future be exploited by any such attack.
- We will identify vulnerabilities that our testing has exposed and, wherever possible, we will identify by reference to commonly available and published information the appropriate patches and fixes that are recommended to deal with the identified vulnerability, but it will be entirely your responsibility to formally identify and deploy an appropriate solution to the vulnerabilities identified by our security testing.
Training courses
- All our training courses, including all those for which we act as booking agents for third-party training providers, are subject to the terms and conditions set out below. By booking a training course or a third-party training course through us, you accept these terms and conditions.
- Prices for individual courses are as advertised on our website and exclude VAT. Where required, VAT will be added to the advertised price to arrive at the final total cost. The course price includes trainers’ time, provision of training rooms and necessary facilities, all necessary training materials and, as appropriate, morning, lunch and/or afternoon refreshments. It does not include travel or other subsistence costs.
- Exam costs are either included in the course cost or are an extra charge; we set out which option applies on our product pages.
- Bookings are in all cases subject to the availability of places on courses and, for third-party courses, to confirmation to us by the training provider that the course will actually run. Once we have accepted a booking, the rights and responsibilities in respect of cancellation apply from the date on which the booking is accepted by us.
- We reserve the right to refuse admittance to any course unless:
  - The full purchase price has been paid for the course;
  - A valid purchase order has been received by us from a UK local authority, other UK public-sector organisation or a company that has an approved credit account with us; or
  - The full purchase price has been received by us before the course start date.
- Delegates will not be permitted to enter the classroom if payment has not been made as set out above. The cancellation terms below will also apply.
- Once we have accepted your booking, the below cancellation terms apply:
  - There is no cancellation fee providing we receive written notice more than 20 days before the start of the relevant training course.
  - No refunds will be given for written cancellations received 20 days or less before the start of the training course.
  - No refunds will be given if you fail to attend a course for which you have made a booking.
- Delegates can be transferred from one course to another, or alternative delegates can be substituted for those already booked on a course, and in-house course dates can be rescheduled. For this to happen, the following fees apply:
  - There is no fee where we receive written notification more than 21 days before the start of the relevant training course.
  - Where the written request is received between 21 and 15 days before the start of the training course, there is a 15% transfer fee.
  - Where the written request is received between 14 and 8 days before the start of the training course, there is a 25% transfer fee.
  - Where a transfer request is received 7 days or less before the start of the training course, there will be a 50% transfer fee.
- Where the course booking is for multiple delegates, or you are not yourself the delegate, we need to know the names of delegates five working days before the start of the course so that we can ensure that exams are correctly organised, as well as to provide attendance certificates at the end of the training course. If you do not provide the names of the delegates before the five-working-day window described in this clause, the cancellation clauses above will apply to those delegates and a 100% cancellation fee will apply.
- We (and our selected training partners) reserve the right to cancel training courses but will endeavour not to do so within ten working days of the start of the course. If a training course is cancelled, our only obligation to you will be, at our discretion, either to reschedule the cancelled course within four months or to refund in full the fees paid by you for the training course. To the fullest extent permitted by law, we will not be liable to you in contract, tort, negligence or otherwise for any loss, damage, costs or expenses of any nature whatsoever, whether of a direct, indirect, special or consequential nature, incurred or suffered by you arising from such a cancellation.
- Delegates from outside the UK may require visas to attend a training course in the UK. We will endeavour to provide you with reasonable support to obtain a visa, but the actual issue of a visa is beyond our control and we have no liability to you in respect of the issue of such a visa. We will only issue appropriate invitation letters once you have booked and paid for the course(s) you wish to attend, and our visa invitation letters will only be in respect of such course(s). If your visa is not issued in time for you to travel to the UK to attend your chosen course, we will, at your discretion, arrange for you to attend an alternative course at a later date or we will, without deduction, refund any course fees paid. We will not under any circumstances be responsible for travel costs you may have incurred. If your visa is issued in sufficient time for you to attend your course but you do not attend, then our standard cancellation clauses will apply, including your liability to make payment in full.
- You are responsible for ensuring that the backgrounds of you or your delegates are suitable for the training course(s) that they are attending. We will not be liable for any refund if delegates decide that the course material is inappropriate for them or where they are unable to participate fully for any reason. In no circumstances will we be liable to refund any amount in excess of the agreed and paid price for any training course. This applies in particular (but is not limited) to any travel, subsistence or consequential expenses of any sort incurred by delegates.
- All copyright and other intellectual property rights in or relating to any course materials provided or made available in connection with the course are and remain our sole property and/or that of our third-party providers. Course materials may not be used, copied, reproduced, stored in a retrieval system, distributed or transmitted in whole or in part, or in any form or by any means, whether electronically, mechanically or otherwise, or translated into any language, without the prior written permission of us and/or our third-party providers.
- Exam vouchers are only valid for 12 months from the date of the transaction.
Standards
- Any standards you purchase from us are for your internal business use.
- Your end users are permitted to print a single copy of the publication.
- Neither you nor your end users may remove any proprietary markings or electronic watermarks, including original publisher copyrights and trademarks.
- Your end users may not copy, transfer, sell, license, lease, give, download, modify, publish, assign, transmit or otherwise reproduce, disclose or make available to others or create derivative works from the standards or any portion thereof.
Staff awareness e-learning
- We license you and, as set out in your sales receipt, the maximum number of your users to access on our e-learning portal the specific e-learning course(s) you have selected for the length of time you have purchased.
- If we have agreed to it, we will provide a single session of training for one or more administrators nominated by you to enable you to administer the e-learning portal for your users.
- Where you have purchased a corporate e-learning licence, your identified administrator may personalise your e-learning portal with your corporate branding (including colours and logos) as well as relevant corporate content such as procedure and contact information.
- Self-paced courses are only valid for 12 months from the date of purchase.
- Extensions to the 12 months can be arranged for the following fees:
  - Foundation courses: £50 +VAT for 3 months, £100 +VAT for 6 months.
  - Advanced courses: £100 +VAT for 3 months, £200 +VAT for 6 months.
- No extension can be applied after the valid period has expired.
- Exam vouchers are only valid for 12 months from the date of the transaction.
- Our e-learning courses have been designed to work on the following browsers and mobile apps:
  - Windows: Microsoft Edge, Google Chrome and Firefox.
  - Mac: Safari, Google Chrome and Firefox.
  - Mobile: Safari in Apple iOS 12 or later, Google Chrome in Apple iOS 12 or later and Google Chrome in Android OS 6 or later.
Note that older browsers may encounter playback issues related to browser feature releases, so we strongly recommend using the latest browser version for the best experience.
- You agree to:
  - Ensure that each of your users accesses the e-learning portal using one of the following:
    - Microsoft Internet Explorer versions 9 or later
    - Apple Safari v6 or later
    - Mozilla Firefox v25 or later
    - Google Chrome v30 or later
  - Permit us to place cookies on your users’ computers to facilitate provision of our e-learning staff awareness training courses;
  - Establish connectivity to the e-learning portal; and
  - Ensure that your users are instructed in the proper use of our e-learning portal and any e-learning staff awareness courses.
- In relation to the e-learning portal, we agree that:
  - With the exception of Internet outages and scheduled downtime, the e-learning portal will be available for 99.5% of each calendar month;
  - We will provide you with at least 72 hours’ email notification of scheduled downtime (that is, any planned or scheduled interruption of services from the e-learning portal, for the purposes of e-learning portal or infrastructure upgrades, software patching, software improvement, or for the replacement of any hardware or software); and
  - We will make regular backups of all data on the e-learning portal and will retain them for 60 days.
- We reserve the right to deny access to the e-learning portal by any of your users who are, or we reasonably suspect may be, engaged in any illegal activity or which may in any way affect the performance of the e-learning portal or its continued use by any of our users.
- You also agree that, unless otherwise identified, we own the copyright in all the content material (whether text, graphics, designs, guidance notes, or information of any kind) (‘Courseware’), as well as in any upgrades or updates of any sort that may, from time to time, be made available to you on our e-learning portal.
DPO as a Service/Privacy as a Service: specific terms
Scope of work
- You agree that you will be solely responsible for obtaining appropriate legal advice on any matters on which you need legal advice, and that you will be solely responsible for agreeing and settling any legal fees arising in respect of that advice.
- We rely on you to ensure that all your directors and authorised officers fully understand these terms and that any instructions or questions on the terms from such directors, officers or any other individuals are authorised by you.
- You agree to provide us with appropriate resources and access to relevant data and processes in order for us to provide the services.
- You will make available a board member to whom we can report in respect of the services.
- You agree that you alone are responsible for your compliance with the General Data Protection Regulation (GDPR) and any other relevant laws and regulations, including, but not limited to, those relating to personal data.
- You agree that the services are provided by us, and not by any employees of ours, and that our liability in respect of the services is limited to us. You agree that you will under no circumstances seek to bring any form of action, legal or otherwise, against any employee of ours in relation to the services.
- We will not be liable for any delay in providing advice or guidance within the scope of the services where this is caused by circumstances beyond our reasonable control.
- We will not be liable for failure or delay in performance by you in respect of advice, guidance or instructions given within the scope of the services where this is due to causes beyond our reasonable control. Where the services require us to deal with third parties on behalf of you, we do not accept any liability in relation to such third parties.
- If there are other advisers or third parties involved in any matter on which we are also engaged, the extent to which any loss or damage will be recoverable by you from us will be limited, without prejudice, in proportion to the overall fault for such loss or damage or as agreed in advance with the other parties. If our ability to claim a contribution to our costs under these circumstances from a third party is prejudiced by any limitation of liability agreed by you with that third party, we will not be liable to you for any amount that we would have been able to recover from that third party but for that limitation of liability.
- In respect of obtaining advice on any issue that is within scope of the services, it is your responsibility to engage with us in a timely manner. We will not be held liable for any delay in you engaging the services and any associated delay in us delivering the services.
- It is your responsibility to follow the advice provided by us within the scope of the services. Should you not follow the advice provided by us, we will not be held liable for any consequences, financial or otherwise, experienced by you as a result. If you fail to follow any advice provided by us within the scope of the services, we will be entitled to terminate this agreement with immediate effect and without any obligation to make any refund of any fees already paid under the agreement.
- Unless otherwise agreed in writing, we are not responsible for reminding you of key dates or other time-sensitive actions or information.
People responsible for delivering on behalf of GRCI Law
- We undertake to ensure that those of our employees who are deployed to provide the services have the necessary skills, knowledge and experience. You agree that we alone will determine what skills, knowledge and experience are necessary in relation to the services.
- The services will be carried out by a team of our employees and the contact details for the team will be provided in the agreement.
- We will identify a lead manager within the team who has ultimate responsibility for delivery of our services to you. If we change the lead manager for any reason, we will notify you as quickly as possible.
Processes and procedures
GDPR and UK Data Protection Act (DPA) 2018 advice and guidance, including helpline
- We will provide email and telephone advice only to nominated contacts of yours, such nominations to be made in writing.
- We will record and track all requests for advice or guidance or other types of calls received from you. A quarterly report will be generated by us and sent to the nominated contacts. This report will also record the trends in terms of the categories of requests, highlighting root causes of issues raised and potential organisational issues.
Review of GDPR and UK DPA 2018 policies
- You will provide us with copies of all your policies and procedures that relate to data protection and compliance with EU data protection legislation.
- We will review all documents provided in relation to their compliance with applicable laws and regulations. We will provide written feedback to you, highlighting areas for improvement, as soon as possible.
GDPR and UK DPA 2018 audit
- We will allocate an appropriate consultant(s) to carry out privacy audits as may be required for the services.
- Such audits will be scoped and planned in consultation with you. For the avoidance of doubt, audits will not be conducted by the lead manager.
- Audit reports, with recommendations for improvement or otherwise, will be provided to you after completing the data gathering phase of the audit and after undergoing any necessary further review.
GDPR and UK DPA 2018 updates
- We will provide your nominated contacts with regular updates on issues critical to data protection compliance.
- The copyright in all the updates (whether text, graphics, designs, guidance notes, or information of any kind) may belong to us or to other third parties.
- You may distribute internally any update material to which we own the copyright, but you are hereby notified that any third-party material may have different copyright restrictions and that you are solely responsible for complying with any restrictions in respect of such third-party material.
Availability of services
- Unless otherwise agreed between us, we will provide the services between the hours of 9:00 am and 5:00 pm in the United Kingdom, on a day, other than a Saturday, Sunday or bank holiday, on which clearing banks are open for non-automated commercial business in the City of London.
- Calls received outside of the standard hours of service will go through to an answerphone service and will not be accessed by us until the next working day.
- Emails received outside of the standard hours of service will be received by our server, but no action will be taken by us until the next working day.
Cyber Security as a Service (CSaaS): specific terms
The following terms apply to all purchases of Cyber Security Advice Service and Cyber Security as a Service (both of which are annual subscription products that you will be billed for monthly).
Cyber Security Advice Service
- With the exception of bank holidays, our unlimited Cyber Security Advice Service is available 9:00 am – 5:00 pm Monday to Friday (BST/GMT).
- The Cyber Security Advice Service is limited to providing advice on how to address cyber risks within your organisation. This advice will be provided by our cyber security experts. It covers common cyber security concerns and best practices. Wherever possible, recommendations to control and reduce cyber risk will be appropriate to your organisation.
- The Cyber Security Advice Service is available to your nominated point of contact and can be delivered by email, phone or Microsoft Teams during our usual business hours.
- Where additional support is needed to implement advice, you are entitled to a discounted rate on pre-paid blocks of consultancy hours. The level of this discount will depend on the level of services purchased in accordance with the size of your organisation. Such consultancy will be billed separately.
- We will provide you, insofar as we are reasonably able, with information about the latest cyber threats and risks. This will be delivered via email as a monthly newsletter.
Cyber Security as a Service
- You will be provided with a dedicated point of contact. Your specific cyber security expert will be available via phone, email and Microsoft Teams during office hours on weekdays.
- You should nominate a project coordinator or a single point of contact in a senior role to coordinate delivery of this service with us.
- Our Cyber Security as a Service includes all the elements of the above Cyber Security Advice Service. Depending on the level of services purchased in accordance with the size of your organisation, we will provide you with the following additional services:
Cyber Security Assessment
- Our Cyber Security Assessment is designed to establish whether your organisation has basic security controls in place to protect you against commonly occurring cyber threats. The output of the assessment indicates where you might need to increase your defences to reduce the risk of suffering a cyber incident.
Data breach and incident response planning support
- Depending on the level of services purchased, we will provide you with access to an incident response expert as part of these services; the level of support provided will depend on the services purchased. The scope of this service will be:
- Year 1: help you develop an effective incident response process.
- Year 2 onwards: help test your incident response capability and provide advice on improving and maintaining it.
Staff awareness training – additional terms and conditions apply. See “Staff awareness e-learning”
- We will provide you with licences for three staff awareness e-learning courses: Information Security and Cyber Security, GDPR: Email Misuse, and Phishing. The number of licences will depend on the level of services purchased. Additional licences are available to purchase at additional cost.
- If the number of additional licences purchased is more than the number of employees stated for the organisation size you have purchased the services for, you may be charged for the higher organisation package. You should select the services appropriate to the number of employees as classified.
Policies and procedures
- Template document policies and procedures are provided that can be tailored to your organisation or used as the basis for developing your own cyber security documentation.
Internal network vulnerability scans and external vulnerability scanning
- We will provide you with access to our external vulnerability scanning service. This service will allow unlimited access to automated scans for your external infrastructure. Access will be provided for up to four IP addresses. Scans for additional IP addresses can be provided at an additional cost.
- Depending on the level of services purchased, this service includes an annual internal vulnerability scan of your internal infrastructure and endpoint devices. Under some circumstances, this service can be provided remotely.
- Where we are required to provide on-site consultancy or testing at a customer site within or outside of the mainland United Kingdom, travel time and costs, accommodation and subsistence expenses may be chargeable. These expenses will be billed separately.
- All our testing services are subject to the conditions set out further above in respect of penetration testing and vulnerability scanning.
Emergency Cyber Incident Response and Digital Forensic Services: specific terms
- The Terms in this section apply only to Agreements that cover the provision of emergency cyber incident response and digital forensic services.
- The Client acknowledges and agrees that in providing these Services, the Company may modify its approach as appropriate to assist the Client in investigating a cyber security incident.
- The Company will work with the Client at the outset to identify appropriate incident response aims and objectives that are realistic and achievable by the cyber incident response team.
- Throughout the engagement, logs are kept of the actions taken by the cyber incident response team, and in line with the Company’s data retention procedure, these are retained, along with all other Client files, for six years and are then destroyed.
- Client files will be encrypted and classified as appropriate.
- Access to Client artefacts and documentation is restricted to the cyber incident response consultants and senior management of the Company.
- Should the delivery of these Services require specific hardware, software or specialised products, the Client may be provided with a quotation for the equipment and any additional services.
- The Client authorises the Company to perform any off-site analysis of Client data necessary for the delivery of this Service.
- The Client acknowledges and agrees that the Company may be required to connect its computers or equipment directly into the Client’s computer network or assets. The Client assumes all risk and liability in this regard and the Company shall have no liability in this regard whatsoever.
- The Company will carry out all emergency cyber incident response and digital forensic services using reasonable care and skill and in a professional manner.
- The Client acknowledges and agrees that while delivering this Service, the Company may find evidence of issues such as a data breach, malware infection or network intrusion, which may require regulatory reporting in one or more territories in which the Client operates. The Client remains solely responsible for all such reporting requirements and the Company shall have no liability in this regard whatsoever.
- While delivering this Service, the Company reserves the right to assign any suitably skilled resource(s) available to provide this Service. The Company is not obligated to provide a specific resource or third party.
- The emergency cyber incident response triage will not exceed the length of time as set out in the Letter of Engagement. Where the triage will require more time than as set out in the Letter of Engagement, the Company reserves the right to charge additional fees. The Company will not exceed the agreed time without the Client’s consent.
- The Company will require explicit authorisation to proceed from the Client and from any additional parties that are in scope before the start of any emergency cyber incident response or digital forensic activities.
The Company will not:
- disclose information regarding ongoing or closed cyber security incidents to third parties without the Client’s prior permission, unless otherwise required by law;
- allow anyone, other than those with a need to know, access to information regarding the Client’s cyber security incident; or
- exchange information in relation to a cyber security incident over an unencrypted or insecure medium.
- The Client will provide appropriate personnel who have the necessary technical, operational and business knowledge and authority to make decisions concerning the emergency cyber incident response service.
- The Client will provide the Company with all necessary cooperation, information and support that may reasonably be required by the Company to deliver this Service.
- The Client will provide the Company with escalation/contact details that can be used as required.
- The Client will make any decisions required promptly and without delay, and the Company shall be entitled to rely on such decisions and approvals.
- The Client will identify and disclose to the Company any third parties that may conceivably be affected by the Company’s cyber incident response or digital forensic services in relation to the investigation, and damage and/or loss of service/delays caused by the Client’s failure to identify and/or disclose such third parties shall remain the sole responsibility of the Client and the Client therefore indemnifies the Company against all and any costs or damages howsoever arising from such activities. The Client’s authorisation to commence cyber incident response or digital forensic activities is deemed to include confirmation that any relevant Client-internal or external parties have been appropriately notified and that all necessary permissions from such parties for the Company to commence work have been provided to the Company in writing.
- The Client is responsible for notifying the Company of any applicable legal, regulatory or export control requirements related to the Client’s assets. If necessary, the Client will obtain any necessary licences with respect to the Service.
- If emergency cyber incident response services are to be conducted on the Client’s premises, the Client agrees to provide the cyber incident response team with a suitable working space.
Processing as a data controller
- We process personal data in line with the requirements of the UK GDPR and the UK DPA 2018. The GRC International Group Privacy Notice (www.grci.group/privacy-notice) sets out the specific bases on which, as a data controller, we process personal data.
- In respect of personal data that you upload to our e-learning portal, or to any other facility that we offer as part of our services to you, we require only the personal data that enables us to deliver to you the service that you have purchased and we therefore act as a data controller in respect of that data. We process all data securely, in line with our obligations under the UK GDPR and the UK DPA 2018.
- Taking account of the nature of the processing, and the risks to the rights and freedoms of natural persons, we apply appropriate measures of security to protect the confidentiality, integrity and availability of all personal data that we process.
- You acknowledge that we own the intellectual property (including copyright) in our websites or in any/all products or services purchased from us. In some cases, where the product is provided by a third party, you acknowledge that the intellectual property in that product is owned by the third party.
- You also acknowledge that use of our website, or purchase of products or services from our website, does not provide any licence for the use and/or modification of our intellectual property (including trademarks and other copyrights) other than in circumstances specifically identified and provided for in relation to a specific product. You therefore agree that, if you do use any of our intellectual property without our prior explicit permission, we may require you to cease and desist from such use and/or pay us an appropriate fee for that use and/or pay us a penalty fee for that use.
Limitation of liability
- Our total liability under or in respect of any contract will not exceed the amounts paid by you under that contract.
- We will also not be liable for consequential, indirect or special losses of any sort.
- If any of these terms is at any time held in any jurisdiction to be void, invalid or unenforceable, then it will be treated as changed or reduced only to the extent minimally necessary to bring it within the laws of that jurisdiction and to prevent it from being void, and it will be binding in that changed or reduced form.
- Subject to that, each provision will be interpreted as severable and will not in any way affect any other of these terms.
- No waiver by us in exercising any right, power or provision hereunder will operate as a waiver of any other right or of that same right at a future time; nor will any delay in exercise of any power or right be interpreted as a waiver.
- These terms will be governed by and construed in accordance with the laws of England and Wales and you explicitly accept that only the law courts of England have jurisdiction to deal with any matter arising from or in any way, whether directly or indirectly, related to the use of this website and, accordingly, you explicitly waive all and any rights to bring any action of any sort in relation to this website, or to any transaction carried out with it, or any data stored on it or provided to it in any court anywhere else in the world.