Standard Terms and Conditions
(Updated: 6th March 2024)
OnSecurity Technology Limited
UK Company Number: 14184026
Registered Address: Runway East, 101 Victoria Street, Bristol, England, BS1 6PU
1. The Service and OnSecurity’s Obligations
1.1. Service Provision
OnSecurity shall provide the agreed Services with reasonable skill and care.
1.2. Portal Availability
OnSecurity shall use commercially reasonable endeavours to make the Portal available to the Client 24 hours a day, seven days a week. However, the Client acknowledges that OnSecurity cannot guarantee continuous availability.
1.3. Penetration Testing
OnSecurity shall:
- Conduct manual Penetration Testing during Normal Testing Hours (09:00 – 18:00 GMT, Monday to Friday, excluding public holidays) unless otherwise agreed in writing. Testing outside Normal Testing Hours may incur additional charges.
- Conduct vulnerability scanning and automated Penetration Testing at any time (00:00 – 23:59, 7 days a week), aligning with the Client’s subscription interval.
- Retest Penetration Testing issues without additional charge during the testing round and for the duration of the Aftercare Period (7 days unless otherwise agreed in writing).
- Provide the Client with an estimate of any reasonable expenses before commencing on-site testing or any other testing likely to incur expenses.
- Store all Client Data securely, in accordance with ISO 9001, ISO 27001, and ISO 27018, with encryption at rest.
1.4. Restrictions on Testing
OnSecurity shall not:
- Test any Targets without prior authorization via the Portal or an appropriate communication medium.
- Conduct Denial of Service (DoS) testing at any time.
1.5. Liability & Risk Awareness
The Client acknowledges that:
- Testing can only identify vulnerabilities that are known and detectable at the time of testing; later testing with different tools or methods may uncover additional vulnerabilities.
- The Client shall not hold OnSecurity liable for vulnerabilities discovered after testing.
2. Scan by OnSecurity
2.1. Vulnerability Scanning Services
OnSecurity provides Scan as an asset discovery, vulnerability management, and vulnerability scanning service, under the following terms:
- The Client grants OnSecurity the right to perform vulnerability scanning against any Target enabled via the Target Management interface.
- Scanning may occur at any time, 7 days a week, following the subscription interval (daily, weekly, quarterly).
- The Client assumes full responsibility for the accuracy of the Targets provided for scanning, and must ensure that it owns each Target or holds written consent from the owner to scan it.
- The Client accepts liability for any scanning of Targets it does not own or is not authorized to scan.
3. Radar by OnSecurity
3.1. Service Overview
Radar is an open source intelligence (OSINT) gathering service, with active and passive scanning, provided “as-is” by OnSecurity to the Client.
3.2. Data Searches & Threat Identification
- Radar searches various databases of Open Source data and conducts passive checks on Client assets to identify potential threats.
- A “threat” is defined as any piece of information that, in OnSecurity’s expert opinion, could be used to cause harm or form the basis of an attack against the Client’s organization.
3.3. Target Identification & Limitations
- Radar conducts searches on Targets enabled by the Client. The initial Target is inferred from the domain suffix of the Client User’s email address.
- OnSecurity has no control over third-party data stores and cannot remove Client credentials or other sensitive information from those stores.
3.4. Client Responsibilities
- The Client acknowledges that Radar may present information (such as historical passwords) already known to the Client.
- OnSecurity provides recommendations based on Radar findings, but these are guidance only, and the Client should apply them with caution.
- The Client assumes full responsibility for any actions taken based on Radar findings.
- The Client grants OnSecurity permission to perform active scanning against any enabled Target in the Target Management interface.
4. Client Obligations
4.1. Authorization for Security Assessments
The Client grants OnSecurity the right to conduct the following against enabled Targets:
- IT penetration testing
- Vulnerability scanning
- Other security assessment activities
OnSecurity is not liable for incorrectly entered Target information.
4.2. Cooperation & Responsibilities
The Client must:
- Provide all information necessary for OnSecurity to perform the Services, including credentials and other access details for the Targets.
- Fulfill all responsibilities outlined in this Agreement in a timely and efficient manner.
- Procure and maintain secure network connections and telecommunications links to OnSecurity’s data centers.
4.3. Security & Incident Notification
The Client must:
- Prevent unauthorized access to the Services and notify OnSecurity immediately if any unauthorized use occurs.
- Notify OnSecurity immediately if its systems are compromised (e.g., ransomware, denial-of-service attacks).
- Identify and disclose third parties that may be affected by OnSecurity’s Services. The Client indemnifies OnSecurity against costs or damages arising from undisclosed third-party impacts.
- Ensure Targets are owned by the Client or obtain written consent before authorizing them for testing.
- Immediately notify OnSecurity of unexpected events that may affect service delivery.
- Ensure that each User maintains a secure password, changing it at least every 90 days.
4.4. Consequences of Non-Compliance
Failure to notify OnSecurity of any of the events listed in Clause 4.3 shall be considered a material breach of this Agreement.
4.5. Suspension of Services
If OnSecurity is notified of a security concern, it may temporarily suspend Services until it has confirmed that:
- Unauthorized access is no longer a risk; and
- Its own network and systems remain uncompromised.
4.6. Client’s Sole Responsibilities
The Client assumes full responsibility for:
- Maintaining its own network connections and telecommunications links.
- Data backup and protection—OnSecurity is not liable for lost data, re-run time, inaccurate output, or work delays.
- Ensuring the legality, reliability, integrity, accuracy, and quality of Client Data (except for Personal Data).
5. Service Fees and Payment
5.1. Fee Changes
- OnSecurity may adjust its hourly rate for Penetration Testing or Services, but must provide 30 days’ advance notice.
- If the Client does not agree to the new rate, either party may terminate the Agreement.
5.2. Hourly Rate Protection
- The hourly rate is fixed at the time of booking and will remain unchanged for that testing round.
- Any subsequent rate changes will not affect booked testing or retesting outside the Aftercare Period.
5.3. Invoicing & Payment Terms
- Invoices will be issued on the dates stated in the Portal.
- The Client must pay invoices:
  - Immediately for Split Billing purchases.
  - Immediately for direct debit or payment card purchases (non-Split Billing).
  - Within 14 days for BACS purchases (non-Split Billing).
5.4. Penetration Testing Estimates
- OnSecurity may provide an estimated duration for Penetration Testing, but these estimates are not guaranteed delivery times.
- Additional hours may be required, which the Client must purchase at the standard hourly rate.
5.5. Late Payments & Service Suspension
- If payment is overdue, OnSecurity reserves the right to suspend Services until payment is received.
- Interest may be charged at 4% above the Bank of England’s base rate from the due date until payment is made.
- OnSecurity may disable the Client’s accounts, passwords, and service access for unpaid invoices.
5.6. Proprietary Software & Platform Fees
- Some Penetration Tests or services may be partially delivered using proprietary software.
- Where platform fees apply, they replace the corresponding manual testing charges and are not charged in addition to them.
5.7. VAT & Cash Balances
- Unless otherwise specified, prices are exclusive of VAT.
- Unused testing hours remain as a Cash Balance in the Portal for 12 months.
- Cash Balances are non-refundable and expire 12 months after purchase.
6. Scan and Radar Fees and Payment
6.1. Subscription Fees
- Subscription fees for services such as Scan and Radar will be stated in the Portal.
- The Client’s first payment is required before the subscription starts.
6.2. Subscription Period & Payment Terms
- The Subscription Period starts immediately upon payment.
- The Client must pay invoices:
  - Immediately for direct debit or payment card purchases.
  - Within 14 days for BACS purchases.
6.3. Subscription Rate Adjustments
- OnSecurity may change its subscription rate with 30 days’ advance notice.
- If the Client does not agree to the new rate, either party may terminate the Agreement.
- Subscription rates may be changed immediately upon written agreement.
6.4. Subscription Modifications & Cancellations
- OnSecurity reserves the right to modify subscriptions with 30 days’ notice.
- Subscription fees are billed before each renewal period, continuing until the Client cancels via the Portal.
- Upon cancellation, services will continue until the end of the Subscription Period.
- Subscription fees for the remaining period are non-refundable.
7. Split Billing (Optional)
7.1. Overview
- Split Billing allows the Client to divide the purchase price into multiple payments over time (normally 12 months—“Split Billing Purchase Period”).
- The option for Split Billing is entirely voluntary, and the Client must positively select it within the Portal before completing a purchase.
7.2. Split Billing Purchase
- A Split Billing Purchase occurs when the Client authorizes a purchase using Split Billing within the Portal.
- Upon purchase, the Client’s Cash Balance is immediately credited with the total Split Billing Purchase Amount.
7.3. Payment Terms
- Payments are made at regular intervals (normally monthly—“Split Billing Payment Interval”).
- Payments must be collected via an electronic, automatable method, such as direct debit or payment card (“Split Billing Payment Method”).
- The Client must ensure their Split Billing Payment Method is up-to-date.
7.4. Instalments & Liability
- The Split Billing Purchase Instalment is calculated by dividing the total Split Billing Purchase Amount by the number of Split Billing Payment Dates.
- Example: A £12,000 Split Billing Purchase paid monthly results in 12 instalments of £1,000 each.
- The Split Billing Purchase Liability is defined as the total unpaid balance of the purchase.
- The liability decreases over the Split Billing Purchase Period as payments are made.
7.5. Additional Fees & Modifications
- OnSecurity may include a setup fee, added to the first Split Billing Purchase Instalment, which will be clearly communicated before purchase.
- The Client may modify renewal terms at any time before the Split Billing Purchase Renewal occurs.
7.6. Renewal & Opt-Out Options
- The Split Billing Purchase automatically renews at the end of the Split Billing Purchase Period.
- Renewal credits the Client’s Cash Balance with the same purchase amount as the previous Split Billing Purchase.
- The Client can opt-out of automatic renewal at any time before the end of the Split Billing Purchase Period.
7.7. Managing Multiple Split Billing Purchases
- The Client may have multiple Split Billing Purchases running concurrently.
- All Split Billing Purchases collectively form the “Split Billing Subscription”, which is considered active while either:
  - Any Split Billing Purchase Instalment is due in the future; or
  - Any Split Billing Purchase Renewal has not been opted out of.
- For efficiency, all Instalment Payment Dates are aligned whenever possible and combined into fewer payments (typically a single payment).
7.8. Subscription Cancellation & Immediate Payment
- The Client may cancel their Split Billing Subscription anytime and pay the full Split Billing Subscription Liability.
- When cancelled, the entire remaining liability becomes immediately due.
- If the Client fails to pay within 24 hours of the due date, OnSecurity may cancel the subscription, immediately revoking access to the Portal and Services.
7.9. Refunds & Cash Balance Usage
- OnSecurity does not refund amounts already received for Split Billing Purchase Instalments.
- If Split Billing Purchases are no longer needed, the unused balance will be returned to the Client’s Cash Balance.
- The Split Billing Purchase Amount can be used toward other OnSecurity services or products, deducted accordingly from the Cash Balance.
7.10. Agreement to Terms
- By selecting Split Billing during any purchase, the Client agrees to all Split Billing terms outlined in this section.
8. Intellectual Property Rights
8.1. Ownership of Intellectual Property
- The Client acknowledges that OnSecurity and/or its licensors own all intellectual property rights in the Services and Documents.
- This Agreement does not grant the Client any rights to:
  - Patents
  - Copyrights
  - Database rights
  - Trade secrets
  - Trade names
  - Trademarks (registered or unregistered)
  - Any other intellectual property or licenses related to the Services or Documents.
8.2. Rights Assurance
OnSecurity confirms that it holds all the necessary rights to grant the permissions outlined in this Agreement.
8.3. Client Intellectual Property
- OnSecurity acknowledges that the Client and/or its licensors own all intellectual property rights in the Client Data.
- This Agreement does not grant OnSecurity rights to the Client’s patents, copyrights, database rights, trade secrets, trade names, or trademarks.
8.4. Trademark Usage Permission
The Client grants OnSecurity permission to use its trade name or trademark on OnSecurity’s website and marketing materials.
8.5. Restrictions on Use
Except where explicitly allowed by law or this Agreement, the Client shall not:
- Copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute any portion of the Portal or Services.
- Reverse engineer, disassemble, or attempt to decompile the Portal.
- Access the Portal to create a competing product or service.
- Use the Portal to provide services to third parties.
- Sell, rent, lease, transfer, assign, distribute, disclose, or commercially exploit the Portal.
- Obtain or assist others in obtaining unauthorized access to the Portal.
9. Data Protection
9.1. Compliance with Data Protection Laws
Both parties agree to comply with their obligations under all applicable Data Protection Laws. This includes but is not limited to:
- UK GDPR (as derived from Section 3 of the European Union (Withdrawal) Act 2018)
- EU General Data Protection Regulation ((EU) 2016/679) (GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426) (as amended)
- Guidance and codes of practice issued by the Information Commissioner’s Office (ICO) or any other relevant authority.
9.2. Continuing Compliance
The obligations under Data Protection Laws remain in force at all times and do not replace any other obligations under this Agreement.
10. Confidentiality
10.1. Protection of Confidential Information
Each party agrees not to disclose any Confidential Information belonging to the other party except as permitted under Clause 10.4.
10.2. OnSecurity’s Confidential Information
The Client acknowledges that details of the Services are Confidential Information belonging to OnSecurity.
10.3. Client’s Confidential Information
OnSecurity acknowledges that Client Data is Confidential Information belonging to the Client.
10.4. Permitted Disclosures
Each party may disclose Confidential Information:
- To employees, officers, representatives, or advisers who need access to perform their obligations under this Agreement, provided such individuals are made aware of their confidentiality obligations.
- If required by law, a court of competent jurisdiction, or a governmental authority.
10.5. Restrictions on Use
Neither party may use Confidential Information except for the purpose of fulfilling its rights and obligations under this Agreement.
10.6. Equitable Relief for Breach
If confidentiality obligations are breached:
- Damages alone may be inadequate compensation.
- The affected party is entitled to remedies including:
  - Injunctions
  - Specific performance
  - Other equitable relief for any threatened or actual breach.
11. Indemnities
11.1. Client’s Indemnification Responsibilities
The Client shall defend, indemnify, and hold harmless OnSecurity (including its officers, directors, and employees) against all claims, actions, proceedings, losses, damages, expenses, and costs (including court costs and professional fees) that arise from:
- The Client’s use of the Services.
- The Client’s breach of obligations, representations, or warranties under this Agreement.
- Any Intellectual Property Right or confidentiality infringement arising from OnSecurity’s provision of the Services.
11.2. Conditions for Indemnification
The Client’s indemnity obligations apply provided that:
- The Client is given prompt notice of any claim.
- OnSecurity cooperates reasonably in the claim’s defense and settlement, at the Client’s expense.
- The Client is given sole authority to defend or settle the claim.
12. Limitation of Liability and Indemnity
12.1. Scope of Liability
Except as expressly provided in this Agreement:
- The Client assumes sole responsibility for results obtained from the Services and for conclusions drawn from their use.
- OnSecurity is not liable for errors or omissions in Client-provided information, instructions, or scripts, or for actions taken at the Client’s direction.
- All implied warranties, representations, and conditions are excluded to the fullest extent permitted by applicable law.
- The Services are provided “as is”, without guarantees.
12.2. Exclusions of Liability for Infringement Claims
OnSecurity, its employees, agents, and subcontractors are not liable if an alleged infringement is based on:
- A modification of the Services or Documents by anyone other than OnSecurity.
- The Client’s use of Services or Documents in a manner contrary to OnSecurity’s instructions.
- The Client’s continued use of Services or Documents after receiving notice of infringement.
12.3. Third-Party Service Failures
OnSecurity shall have no liability if it is unable to perform its obligations due to:
- Failures, outages, or interruptions in third-party services required for Service delivery (provided OnSecurity exercised reasonable due diligence in procuring such services).
- Any breach of this Agreement caused by third-party service providers, which are outside OnSecurity’s control.
12.4. Non-Excludable Liabilities
Neither party excludes or limits liability for:
- Personal injury, sickness, or death resulting from negligence or willful default.
- Fraud or fraudulent misrepresentation.
- Any liability that cannot legally be excluded or limited.
12.5. Exclusions of Liability for Losses
OnSecurity shall not be liable for any:
- Special, indirect, or consequential losses, costs, damages, or expenses.
- Loss of profits, business, goodwill, or similar commercial losses.
- Loss or corruption of data or information.
- Pure economic losses or anticipated savings.
12.6. Aggregate Liability Limit
OnSecurity’s total aggregate liability under contract, tort (including negligence or breach of statutory duty), misrepresentation, or restitution shall be limited to the total Fees paid or payable by the Client to OnSecurity in the 12 months immediately preceding the claim.
13. General Terms
13.1. Force Majeure
OnSecurity shall not be liable to the Client for any delays or inability to perform its obligations due to events beyond its reasonable control, including but not limited to:
- Industrial disputes (strikes, lockouts).
- Failures of utility services or telecommunications networks.
- Acts of God (natural disasters, extreme weather).
- War, riots, civil commotion, or malicious damage.
- Compliance with government orders, regulations, or laws.
- Machinery breakdowns, fires, floods, and supplier defaults.
OnSecurity shall notify the Client of any such event and its expected duration.
13.2. Costs
Each party shall bear its own legal and other costs in relation to the preparation and execution of this Agreement.
13.3. Relationship Between Parties
The parties are independent businesses and are not in a relationship of partnership, principal-agent, employer-employee, or any other fiduciary capacity.
13.4. Third-Party Rights
This Agreement does not grant any rights to third parties under the Contracts (Rights of Third Parties) Act 1999, except as otherwise provided by applicable law.
13.5. Assignment
- The Client may not assign, transfer, charge, or subcontract any rights or obligations under this Agreement without prior written consent from OnSecurity.
- OnSecurity reserves the right to transfer or subcontract its rights or obligations at any time without requiring prior consent.
- This Agreement remains binding upon the parties and their successors or permitted assigns.
13.6. Entire Agreement
This Agreement supersedes all prior agreements, representations, or understandings, unless expressly incorporated by reference.
- No party may rely on any statements not explicitly included in this Agreement.
- Liability for fraud or fraudulent misrepresentation is not excluded.
13.7. Severability
If any clause (or part of a clause) is found to be illegal, invalid, or unenforceable, it shall be:
- Modified or removed to the extent necessary to make it valid and enforceable.
- Replaced by a provision consistent with the original intent of the Agreement.
13.8. Waiver
Failure to enforce any right or remedy shall not constitute a waiver of such rights or any future rights.
13.9. Notices
Notices must be in writing and addressed as specified in the Terms Agreed Between the Parties.
13.10. No Partnership or Agency
This Agreement does not create a partnership between the parties, nor does it authorize:
- Either party to act on behalf of or bind the other.
- Either party to assume obligations or liabilities on behalf of the other.
13.11. Termination
Either party may terminate this Agreement if:
- The other party breaches a material term and fails to remedy it within 30 days of written notice.
- The other party becomes insolvent, files for bankruptcy, or undergoes a change in control.
Upon termination, the Client must pay for all Services performed by OnSecurity up to the termination date.
13.12. Governing Law & Jurisdiction
- This Agreement is governed by the laws of England and Wales.
- All disputes arising under this Agreement shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Definitions and Interpretation
14.1. Agreement
The OnSecurity Terms and Conditions.
14.2. Aftercare Period
A 7-day period, unless otherwise agreed by the Parties in writing.
14.3. Business Day
A day when banks in London are open for business, excluding Saturdays, Sundays, and public holidays in England.
14.4. Confidential Information
All technical, commercial, financial, or other data acquired under or related to this Agreement, including but not limited to:
- OnSecurity’s products, services, operations, processes, methods, strategy, and know-how.
- Trade secrets, design rights, market opportunities, client lists, and commercial relationships.
- Marketing, sales materials, and general business affairs, which remain confidential to OnSecurity.
14.5. Client
The entity or person accepting this Agreement.
14.6. Client Data
Data input by the Client (including its affiliates, employees, and directors) into the Portal or provided to OnSecurity in connection with the Services.
14.7. Client Personal Data
Personal data processed by OnSecurity on behalf of the Client.
14.8. Data Protection Laws
All applicable data protection and privacy legislation in the UK, including:
- UK GDPR (derived from the European Union (Withdrawal) Act 2018).
- General Data Protection Regulation (EU 2016/679) (GDPR).
- Data Protection Act 2018.
- Privacy and Electronic Communications Regulations 2003 (SI 2003 No. 2426), as amended.
- Relevant guidance and codes of practice issued by the UK Information Commissioner or other supervisory authority.
14.9. Documents
The document(s) provided to the Client by OnSecurity via https://app.onsecurity.io, or any updated web address, detailing Service descriptions and user instructions.
14.10. Fees
The fees listed in the Portal.
14.11. Finding Retest
A retest booked via the Portal for a specific security issue previously identified in a Penetration Test.
14.12. Intellectual Property Rights
All intellectual property rights, including:
- Copyright, patents, confidential information, know-how, trade secrets.
- Trademarks, trade names, design rights, database rights, domain names, software rights, and similar protections.
- Registered or unregistered, including applications, renewals, extensions, and future rights.
14.13. Normal Testing Hours
09:00 to 18:00 GMT, each Business Day.
14.14. Penetration Testing
Security testing and consultancy services provided by OnSecurity to the Client, including:
- Infrastructure Penetration Testing (External & Internal).
- Web Application Penetration Testing.
- Mobile Application Penetration Testing.
- Cloud Audits and Penetration Testing.
- Social Engineering and Physical Penetration Testing.
- Phishing Simulations.
14.15. Personal Data Breach
A security breach leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Client Personal Data.
14.16. Portal
The secure online interface at https://app.onsecurity.io, through which the Client manages Services and related applications.
14.17. Services
Security testing and consultancy services agreed between OnSecurity and the Client, either in writing or through the Portal.
14.18. Subscription Period
The duration of a paid subscription, typically monthly or annually (e.g., for Scan).
14.19. Services Start Date
The start date of Services as agreed in writing or via the Portal.
14.20. Target
An element of the Client’s IT infrastructure, approved by a Portal User for security testing.
14.21. User
An individual authorized to use the Portal.