Penetration Testing Agreement
This agreement covers the provision of Penetration Testing Services. These terms and conditions, together with the Order Form, form the contract governing the terms of supply.
2 Definition of Terms
In these terms and conditions (“Terms”), the following definitions are used:
2.1 ‘Client’ means the organisation or individual that will be procuring the penetration testing services and upon whose computer systems the Penetration Testing Services will be undertaken.
2.2 ‘Contract’ means together the Order Form and these Terms.
2.3 ‘Deliverables’ means the results of the Services documented in a written report.
2.4 ‘Fee’ means the agreed fee that will be charged by the Service Provider for carrying out the Services.
2.5 ‘Order Form’ means the online test authorisation & order form.
2.6 ‘Parties’ means the Client and the Service Provider, along with any other person or company that is directly involved or has an interest in the Services covered by this Contract.
2.7 ‘Penetration Testing Services’ means any manual or automated testing, reviews or audits that will attempt to identify security vulnerabilities and/or software and system configuration errors on one or more computer systems. Tests may be run remotely over a network or on-site as specified in the scope of the Services.
2.8 ‘Service Provider’ means the organisation that will be providing the penetration testing services.
2.9 ‘Services’ means the agreed services to be supplied to the Client as defined in the agreed scope of the Penetration Testing Services, which shall include as a minimum the following:
2.9.1 a scan of 65,000 ports available on your IP address to see if there are any services sitting behind them that a hacker could expose;
2.9.2 we will also return any banners from any port which is open, which allows us to understand what software may be running on your open ports;
2.9.3 we will also use a library of over 55,000 known exploits to see which software you have that may be vulnerable;
2.9.4 your IP addresses will be searched using cyber search engines just to see what the darker side of the internet knows about your network; and
2.9.5 we will look over your report and write a personal appraisal of what we have found during the test.
3 Provision of Services
3.1 The Service Provider hereby agrees to provide the Services to the Client for the agreed Fee in accordance with the terms of this Contract. This Agreement becomes binding when the Client approves these terms and conditions by checking “I agree to these terms and conditions” or provides formal written confirmation to the Service Provider authorising the initiation of the Services.
3.2 The activities undertaken to perform the Services are used on many networks all over the world for this type of testing exercise and the Service Provider warrants that the Services should not adversely affect the Client’s computer systems in any way. But it is also understood by the Client that any local configuration to the Client’s computer system is not known by the Service Provider, so the Service Provider cannot give any form of indemnification for any IT issues the Client may experience in or around the time of the testing exercise.
3.3 The Service Provider shall perform the Services:
3.3.1 in accordance with the Contract;
3.3.2 with reasonable care, diligence and skill;
3.3.3 within the times and dates agreed with the Client (although time shall not be of the essence); and
3.3.4 in accordance with any specific terms that appear in the Scope section of this Contract and the Order Form.
4 Client’s Obligations
The Client shall provide the Service Provider with all necessary specific and detailed information concerning, and reasonable access to, the Client’s computer systems and networks as agreed in the scope of the Services. As part of the online sign-up, the Client’s external IP address that will be used as part of this testing exercise will be confirmed by the Client.
5 Governing Law and Jurisdiction
5.1 This Contract shall be governed by the laws of England and Wales and the Parties agree to submit to the exclusive jurisdiction of the English Courts.
5.2 The Client accepts that by carrying out the Services, the Service Provider will be undertaking activities which will, unless the Service Provider has specific consent from the Client, be unlawful.
5.3 The relevant laws include, but are not limited to:
5.3.1 The Computer Misuse Act 1990.
5.3.2 The Copyright, Designs and Patents Act 1988.
5.3.3 The Data Protection Act 2018.
5.3.4 The Human Rights Act 1998.
5.3.5 The Police and Justice Act 2006.
5.3.6 The Regulation of Investigatory Powers Act 2000.
5.4 By signing these Terms and Conditions, the Client accepts and acknowledges that it consents to the Service Provider undertaking the Services.
5.5 The Client indemnifies the Service Provider against any and all claims, losses and expenses arising from any breach or alleged breach of the laws pertaining to the provision of the Service.
6 Intellectual Property
6.1 The copyright and any other relevant intellectual property rights in the Services and all Deliverables shall belong to and remain vested in the Service Provider.
7 Data Protection
7.1 In the course of providing the Services, the Service Provider may obtain personal data from the Client in which case it may be acting either as a data processor or data controller as defined in the Data Protection Act 2018.
7.2 The Client warrants that it has obtained all consents required from data subjects in relation to whom it is a data controller to enable such personal data to be disclosed to the Service Provider and to enable the Service Provider to carry out the Services. The Client shall indemnify the Service Provider against any claims, losses or expenses arising from data subjects in relation to such personal data.
7.3 When acting as data controller, the Service Provider confirms that it complies fully with the terms of the Data Protection Act. When acting as a data processor, the Service Provider confirms that it has in place all technical and organisational measures required to ensure compliance with the Data Protection Act and will process all such personal data in accordance with the instructions of the Client to undertake the Services.
8.1 Where Services have multiple agreed Deliverables and Fee payments scheduled sequentially, the Service Provider reserves the right to suspend the Services or any part of them in the event of non-payment of issued invoices.
8.2 All Fees are exclusive of any applicable value added or any other sales tax, for which the Client shall be additionally liable.
9.1 Except in respect of death or personal injury caused by that party’s negligence, one party shall not be liable to the other party by reason of any representation (unless fraudulent), or any implied warranty, condition or other term, or any duty at common law, or under the express terms of this Contract, for any indirect, special or consequential loss or damage which arises out of or in connection with the performance of this Contract including but not limited to any indirect, special or consequential loss or damage which arises out of late delivery and/or non-delivery of goods and/or services.
9.2 Neither party shall be liable to the other for any:
9.2.1 loss of documentation;
9.2.2 loss or corruption of data;
9.2.3 remedial costs;
9.2.4 loss of operation or staff time;
9.2.5 costs of obtaining substitute goods or services;
9.2.6 loss of goodwill or anticipated savings;
9.2.7 loss of business;
9.2.8 loss of anticipated profit or savings; or
9.2.9 pure economic loss.
9.3 Subject to the terms of clause 9.1, any claim against the Service Provider shall be limited to the value of the Fee.
9.4 The express warranties given in this Contract are in lieu of all warranties, conditions, terms, representations, undertakings and obligations imposed by statute, common law or otherwise all of which are hereby excluded to the maximum extent permitted by law.
9.5 The Service Provider will take all reasonable steps to provide accurate and comprehensive test results within the agreed scope of the Services but cannot be held liable if the testing undertaken fails to discover certain security vulnerabilities or configuration issues on the systems under test.
10.1 Each Party undertakes that it will not at any time hereafter use, divulge or communicate to any person, except to its professional representatives or advisers or as may be required by law, or any legal, law enforcement or regulatory authority, any confidential information concerning the business or affairs of the other Party, or of any member of the group of companies to which the other Party belongs which may have or may through the course of undertaking the Services come to its knowledge. “Confidential Information” includes, but is not limited to, details of the Client’s computer systems, procedures, network configuration and topology, all and any passwords and private encryption keys and details of the Service Provider’s methodologies. However, some data taken from this exercise may be used for anonymous statistics which will be available in the public domain but will include no client network detail whatsoever.
11 Whole Agreement
11.1 Subject to Clause 19.3 below, this Agreement (including the documents and instruments referred to in it) supersedes all prior representations, arrangements, understandings and agreements between the Parties relating to its subject matter and is the entire, complete and exclusive agreement and understanding between the Parties relating to its subject matter.
11.2 Each Party acknowledges that it has not relied on any representation, arrangement, understanding or agreement (whether written or oral) not expressly set out or referred to in this Agreement.
11.3 Clauses 19.1 and 19.2 above shall not apply to the extent that they relate to any warranty, representation or undertaking made fraudulently in which case the other Parties shall be entitled to all the remedies available under English law.
12.1 Any notice given under this Agreement shall be in writing and shall be delivered or sent by pre-paid registered post or by fax to the address of the relevant party. In the case of post, the notice shall be deemed to have been received three working days after it was posted, and in the case of fax, as soon as it has finished being sent, provided that the sending machine confirms that the receiving machine has received the notice error-free.
13 Rights of Third Parties
13.1 This Agreement is not intended to convey a benefit on any person not a party to it and accordingly the provisions of the Contracts (Rights of Third Parties) Act 1999 are excluded.