1. Definitions
In this Agreement, the following terms will have the following meanings:
“Exosec”, “We” or “Us” – Our company’s name is Exosec Ltd, registered in Wales under company number 11700006, with its registered office at M-Sparc Parc Gwyddoniaeth Menai, Menai Science Park, Gaerwen, Anglesey, Wales, LL60 6AG.
“Client” or “You” – The Client is a company or individual who contracted Us to deliver security penetration testing services of their IT systems as agreed in the Statement of Work (SOW) and the signed Authorisation Form.
“Security Consultant”, “Consultant” – Security consultant is an individual with ethical hacking skills, appropriate education and experience who will perform security penetration testing on behalf of Exosec.
“Statement of Work”, “SOW” – Statement of Work is a document where We list the scope of the penetration test, necessary prerequisites, detailed delivery dates for each element of testing, names and contact details of assigned consultants, deliverables, and the cost of penetration testing.
“Authorisation Form” – The Authorisation Form is a document where We list the confirmed scope, delivery dates (including start and end dates of testing), report distribution list, and emergency contacts from both the Client’s and Exosec’s side. The Authorisation Form must be signed by every Client.
“Contract” – These Terms and Conditions (T&Cs), together with the agreed SOW and the signed Authorisation Form, constitute a Contract between the Client and Exosec.
“Security Penetration Testing” or “Testing” – Security Penetration Testing is a service We provide to our Clients for a fee. It is a method of providing cyber security assurance of the Client’s IT systems within the agreed scope stated in the SOW and the Authorisation Form, by having our Consultant test and compromise these systems in order to identify existing vulnerabilities.
“IT System” or “System” – IT System means the part of the Client’s information technology that the Client requested to undergo testing and that was agreed in the scope.
“Delivery Dates” or “Testing Window” – Delivery Dates are the dates agreed between Exosec and the Client (including the Client’s third-party suppliers) for each element of the testing, including the start and end dates of testing and the reporting time.
“Business Day” – A Business Day is any working day from Monday to Friday, from 09:00 to 17:00. Any other day or time is considered Out of Hours (OoH), and additional charges might apply.
“Security Testing Report” or “Report” – The Security Testing Report is a confidential document compiled by the Exosec consultant that contains the detailed results of the penetration testing. It contains all vulnerabilities identified during testing, references, and recommendations for the remediation of these flaws.
“Confidential Information” – Confidential Information is all information, in any form or on any medium, shared between Exosec, the Client and any appropriate third-party that is not publicly available. This includes but is not limited to details of the Client’s IT systems and networks, private encryption keys, software; commercial, financial, marketing, or technical information; customer, sales, or supplier information; and methods, processes, and know-how.
“Third-party” – A Third-party is an Internet Service Provider (ISP) hosting services on behalf of the Client, or any other relevant third-party supplier of the System, in each case only where that supplier is hosting services on behalf of the Client.
2. Exosec's Responsibilities
2.1. Exosec shall perform security penetration testing using a security consultant with reasonable skills to deliver the service at the best quality, while complying with guidelines and cyber-security best practice, during the agreed testing window.
2.2. We shall only conduct testing on the systems within the scope agreed and detailed in the Authorisation Form. The testing will be conducted in a manner that aims to ensure minimal impact on the system being tested. Testing activity known to have destructive or adverse consequences will not be performed unless specifically requested.
2.3. We contract to deliver the report to the individuals listed in the distribution list in the Authorisation Form within 10 days from the last day of the testing window.
2.4. The Exosec consultant shall comply with reasonable site rules and procedures that are notified to Us by the Client prior to testing on the Client’s site.
2.5. In case the consultant identifies a high-risk issue that could result in a breach during the testing, they will raise it with the Client immediately or as soon as practicable.
3. Client's Responsibilities
3.1. The Client agrees to the performance of security penetration testing by signing the Authorisation Form and shall provide access to the systems to be tested.
3.2. The Client owns the IT System being tested or has all necessary permissions, authorisations, and consents from their Internet Service Provider (ISP) or other applicable third-party for the whole testing window.
3.3. The Client shall agree to dates that are mutually convenient for Us, the Client and the appropriate third-party.
3.4. The Client shall provide Us with at least one technical point of contact who has substantial knowledge of the Client’s systems, network, and other vital details required for the testing. The Client also agrees to co-operate with Exosec and shall provide Us with any necessary information about the systems that are subject to testing in a timely manner.
3.5. It is recommended that, where possible, the Client creates back-ups of the systems tested prior to the commencement of testing.
3.6. When testing is performed on the Client’s site, the Client contracts to provide a secure, safe, and appropriately equipped environment or an allocated office for the Exosec consultant.
3.7. The Client agrees to pay the fees agreed in the SOW (including VAT), and the expenses arising from testing onsite (where applicable), as per the section “Payment Terms” below.
4. Intellectual Property
4.1. Exosec is the owner of all intellectual property rights in our website and the content published on it, or holds a licence for them.
4.2. All documentation (such as the SOW, Authorisation Form, methodologies, reports or these Terms and Conditions), software and designs created by our employees are considered the intellectual property of Exosec.
4.3. The security testing report is the intellectual property of Exosec; however, the Client is granted a licence to use the report for their own purposes.
4.4. Intellectual property rights are not transferable between the Client and Us.
4.5. Intellectual property rights in the tested IT Systems are owned by the Client and/or by their ISP or by another relevant third-party.
5. Data Protection and Privacy
5.1. Exosec may obtain personal data and other sensitive information from the Client during security penetration testing. The Client affirms that they have received all consents required from data subjects to allow this data to be disclosed to Us. The Client also confirms that they have made all required registrations and notifications that comply with the applicable Data Protection Laws to enable Us to perform the testing.
5.2. We confirm that all data gained during testing will be treated as Confidential Information. We will not share, rent, or sell any personal data gained during testing to any third-party without the Client’s written permission. We will not use the Client’s email addresses for any purpose other than as a communication and connection tool necessary for the provision of the agreed services.
5.3. We shall not be in breach of this section when We act on the Client’s instructions.
5.4. Exosec and our services are governed by, and comply with, the laws of England and Wales. We comply with the following regulations:
- Data Protection Act 2018 (DPA) – the DPA regulates how organisations process personal data.
- UK General Data Protection Regulation (UK-GDPR) – an additional regulation complementing the DPA; it regulates how organisations collect, store, use and process personal data and is very similar to the previous EU-GDPR.
- Network and Information Security Regulations 2018 (NIS) – this regulation helps to detect and manage threats to the security of network and information systems in an acceptable and proportionate manner.
- Computer Misuse Act 1990 – regulates and criminalises unauthorised access to a computer owned by another person, and making changes to files, properties, and other details of the computer without the consent of the owner.
6. Payment Terms
6.1. The fees for the service You contracted Us to conduct will be based on the number of days allocated for testing multiplied by Exosec’s fixed day rate (either for a Business Day or OoH), and will be clearly stated in the SOW.
We reserve the right to charge additional fees for work delivered on the Client’s site, such as travel, accommodation, and subsistence expenses incurred by the Consultant.
6.2. All prices are exclusive of VAT, unless stated otherwise. VAT shall be paid in addition to the total value of the invoice at the rate prescribed by law at the time of invoice payment.
6.3. Invoices will be issued after delivery of the report, via email to the selected individuals or the appropriate department as instructed by the Client. It is the Client’s responsibility to provide up-to-date contacts for processing invoices.
6.4. Invoices must be paid within 30 calendar days from the invoice date stated on the invoice. The Client shall pay the invoice in full without any set-off, counterclaim, deduction or withholding (except for any deduction or withholding required by law).
6.5. If the invoice amount (including VAT) is not paid within 30 calendar days from the invoice date, We reserve the right to:
- suspend the Client’s access to Exosec services.
- charge the Client interest for each day the payment is overdue at the rate of 4.25% above the interest rate set by the Bank of England.
7. Cancellation Policy
7.1. Upon written confirmation from the Client, Exosec reserves dates and allocates appropriately skilled resources to fulfil its contractual commitments.
7.2. Should You wish to re-schedule the testing, You must notify Us at least 5 Business Days before the confirmed start date. If You notify Us in less than 5 Business Days and We are not able to replace the work, cancellation charges might apply.
7.3. Should You wish to cancel the testing, You must notify Us at least 5 Business Days before the confirmed start date; otherwise cancellation charges of up to 100% of the total value payable will apply. These are charged proportionally, at 20% of the total value for each day We are not able to replace.
8. Liability
8.1. Exosec shall not be responsible for any damage, loss, or financial claims for compensation resulting from material or information provided by the Client that was incomplete, incorrect, inaccurate, or otherwise defective.
8.2. The Client understands that security penetration testing should help to reduce the vulnerability of their systems by identifying vulnerabilities and providing recommendations for their remediation. However, as Internet security is a constantly and continuously evolving area, testing never fully eliminates potential vulnerabilities, and therefore We are not liable for any breaches or cyber attacks that may happen in the future.
8.3. Testing undertaken by Exosec will be conducted in a manner that ensures the impact on the system being tested is kept as minimal as possible. The Client shall not hold Exosec liable for any system instability or crashes. Should it become apparent that the availability of the system being tested is being affected, testing will be immediately halted.
8.4. Nothing in these Terms and Conditions excludes or limits the liability of Exosec, the Client, or any involved third-party for:
- personal injury or death caused by their negligence or by incorrect or incomplete information,
- any damage or loss which was reasonably foreseeable by all parties involved,
- breach of any section of this document.
9. Force Majeure
Force Majeure means an event outside the control of either party to this contract that affects the fulfilment of their contractual obligations. Force Majeure events include:
- Act of God - natural disasters (flood, fire, earthquake, …).
- Act of War, Act of Terrorism, revolutions, strikes.
- Act of Government (compliance with over-ruling law, regulation, or direction).
- Failure of supplies - power, fuel, transport, equipment or other goods or services vital for fulfilment of the contract.
- Theft, malicious damage, or cyber attack (beyond their reasonable control).
Neither party shall be in breach of these Terms and Conditions in the event of Force Majeure. If an event of Force Majeure persists for longer than 30 working days, either party has the right to terminate the contract.