Cyber Essentials terms and conditions.

1.1In these Terms, the following definitions apply:

“Agreement”

these Terms and Conditions together with any Order Form.

“Assessment”

the Cyber Essentials or Cyber Essentials Plus assessment, audit and/or certification process to be carried out by Fig Compliance Ltd as further described in the applicable Order Form.

“Certification Body”

Fig Compliance Ltd, acting in its capacity as an IASME-licensed Certification Body for the Cyber Essentials scheme.

“Confidential Information”

all information (however recorded or preserved) disclosed by a party or its employees, officers, representatives, advisers or subcontractors (Representatives) to the other party and that party’s Representatives in connection with this Agreement, which is either labelled as such or else which should reasonably be considered as confidential because of its nature and the manner of its disclosure.

“Customer”

the person, firm, company or other entity that purchases or agrees to purchase the Services from Fig Compliance Ltd, as identified in the Order Form.

“Customer Materials”

any information, data, documents, materials, access credentials, software, specifications, policies, records, content, or other materials, in any form or medium, provided by or on behalf of the Customer to Fig Compliance Ltd for the purposes of the Services, or otherwise made available for use, review, or reference in connection with the provision of the Services and/or Deliverables.

“Cyber Essentials”

the UK Government-backed Cyber Essentials certification scheme, as administered by IASME on behalf of the NCSC, comprising both the Cyber Essentials (Basic) self-assessment and the Cyber Essentials Plus technically verified assessment levels.

“IASME”

The IASME Consortium Ltd, the NCSC-appointed delivery partner that owns and administers the Cyber Essentials scheme and licenses Fig Compliance Ltd to deliver Cyber Essentials assessments.

“IASME Terms”

the Cyber Essentials terms and conditions published by IASME at https://iasme.co.uk/cyber-essentials/terms-and-conditions, as updated by IASME from time to time, which apply to the Customer as buyer of a Cyber Essentials certificate under the scheme.

“Scheme Rules”

the rules, requirements, technical control standards, and operational guidelines published by IASME and the NCSC that govern the Cyber Essentials scheme, including the Cyber Essentials Requirements for Infrastructure (the Danzell guide).

“Data Protection Legislation”

all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data.

“Deliverables”

all documents, reports, certificates, written summaries, analyses, remediation guidance, vulnerability scan results, and any other materials (whether in written, electronic, or other tangible form) that are prepared for and/or delivered to the Customer in connection with the provision of the Services.

“Fees”

the fees payable by the Customer to Fig Compliance Ltd for the Services as detailed in the applicable Order Form or quotation.

“Intellectual Property Rights”

patents, rights to inventions, copyright and related rights, trade marks, trade names, domain names, rights in get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered, and including all applications for, and renewals or extensions of, such rights, and all similar or equivalent rights or forms of protection in any part of the world.

“Order Form”

the Customer’s order for Services, which sets out the Fees payable, a description of the Services (including, where applicable, the estimated timetable and the scope of the Assessment), and which incorporates these Terms by reference.

“Services”

the Cyber Essentials and/or Cyber Essentials Plus assessment, audit, certification, and/or related services to be provided by Fig Compliance Ltd, as further described in the applicable Order Form.

“Fig Compliance Ltd”

Fig Compliance Ltd, a company registered in England and Wales under company number 16857592 (VAT number 506692774), whose registered office is at 11 Wandle Bank, London, England, SW19 1DW, and which is part of Fig Group.

“VAT”

value added tax chargeable under English law for the time being and any similar additional tax.

1.2Clause and paragraph headings shall not affect the interpretation of this Agreement. A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality). A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular. A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time. A reference to writing or written includes email but not fax. References to clauses are to the clauses of these Terms. Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

2.1These Terms operate as the contractual terms and conditions under which Fig Compliance Ltd shall supply the Services to the Customer. These Terms shall prevail over any inconsistent terms or conditions contained in, or referred to in, the Customer’s purchase order, the Customer’s confirmation of order, or the Customer’s specification, or implied by law, trade custom, practice or course of dealing.

2.2An Order Form shall commence on the date set out therein and shall continue until the earlier of: (a) the completion of the relevant Services; (b) expiry of any fixed term specified in the Order Form; or (c) termination of the Order Form in accordance with the terms of the Order Form and/or these Terms.

2.3The Customer acknowledges that the Services have not been developed to meet the Customer’s individual requirements and that it is therefore the Customer’s responsibility to ensure that the scope and nature of the Services as described in the Order Form meet the Customer’s requirements.

2.4In the event of any conflict or inconsistency between these Terms and the provisions of an Order Form, the provisions of the Order Form shall prevail.

2.5Precedence between these Terms and the IASME Terms. These Terms apply to the commercial relationship between Fig Compliance Ltd and the Customer. The IASME Terms apply to the Customer’s relationship with IASME as scheme owner. Where the two documents conflict on a matter relating to the technical assessment, the scheme certification process, the validity or use of the Cyber Essentials certificate, or the use of the IASME mark, the IASME Terms shall prevail. Where they conflict on commercial matters (including but not limited to Fees, payment, refunds, delivery timelines, and the Customer’s access to the Fig platform), these Terms shall prevail. The Scheme Rules govern the technical conduct of the Assessment and the certification standards Fig Compliance Ltd is obliged to apply.

3.1Fig Compliance Ltd shall provide the Services with reasonable care and skill, and shall deliver the Deliverables to the Customer, in accordance with all material aspects of the applicable Order Form and in compliance with the prevailing Cyber Essentials scheme requirements as published by IASME and the NCSC.

3.2Fig Compliance Ltd shall use reasonable endeavours to meet any performance dates specified in the Order Form, but any such dates shall be estimates only and time shall not be of the essence of this Agreement.

3.3Fig Compliance Ltd: (a) does not warrant that the Customer’s use of the Services will be uninterrupted or error-free, nor that the Services, Deliverables and/or the information obtained by the Customer through the Services will meet the Customer’s requirements; and (b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities.

3.4If Fig Compliance Ltd is prevented or delayed from performing any of its obligations under this Agreement or any Order Form by any act or omission of the Customer or its agents, sub-contractors or personnel, then, without prejudice to any other right or remedy it may have, Fig Compliance Ltd shall: (a) not be liable for any delay, loss or failure in performing its obligations to the extent so prevented or delayed; (b) be entitled to an extension of time to perform those obligations equal to the period of the Customer’s delay (or otherwise as may be reasonable in the circumstances); and (c) be entitled to recover from the Customer any additional costs or expenses which are reasonably incurred by Fig Compliance Ltd as a result of such act or omission by the Customer.

3.5Whilst Fig Compliance Ltd will use reasonable endeavours to ensure continuity of personnel, it reserves the right to replace its staff, agents or representatives at its sole discretion by notifying the Customer.

3.6Where Fig Compliance Ltd advertises a 6-hour Cyber Essentials turnaround guarantee, that guarantee applies only to Cyber Essentials (Basic) submissions that are complete, compliant, and submitted through the prescribed assessment process before 12:00 midday UK time on a Business Day. The guarantee does not apply to Cyber Essentials Plus, incomplete or non-compliant submissions, submissions requiring Customer clarification or remediation, delays caused by the Customer or any third party, or any event outside Fig Compliance Ltd’s reasonable control.

4.1Fig Compliance Ltd may at any time, without the prior consent of the Customer, subcontract, delegate or assign the performance of all or any part of the Services (including the Assessment) to any third party, including but not limited to other IASME-licensed assessors, consultants, or technical specialists.

4.2Any such subcontracting shall not relieve Fig Compliance Ltd of its obligations under this Agreement, and Fig Compliance Ltd shall remain the principal point of contact for the Customer in respect of the Services.

4.3Fig Compliance Ltd shall ensure that any subcontractor engaged under this clause is bound by obligations of confidentiality no less onerous than those set out in this Agreement.

4.4The Customer acknowledges and agrees that Fig Compliance Ltd shall not be liable for any act, omission, default, negligence, breach of duty (whether statutory or otherwise), error, or failure of any subcontractor, agent, representative, assessor, or other person engaged by or on behalf of Fig Compliance Ltd in connection with the Services, to the fullest extent permitted by law.

5.1The Customer shall: (a) co-operate with Fig Compliance Ltd in all matters relating to the Services and appoint a suitably qualified point of contact who shall have the authority to contractually bind the Customer on matters relating to the Services; (b) provide in a timely manner such access to the Customer’s premises, systems, network environments, documentation, information, personnel, and data as is requested by Fig Compliance Ltd in connection with the Services; (c) provide in a timely manner such documents, information and data as Fig Compliance Ltd may request in connection with the Services, and ensure that such documents, information and data are accurate, complete and up to date in all material respects; (d) be responsible (at its own cost) for preparing the relevant premises, systems, and networks for the supply of the Services; (e) have sole responsibility for all adequate protection and backup of materials, documents, data and/or equipment used in connection with or having any connection with the Services and confirm that it has protected and backed up all applicable infrastructure; (f) comply with all applicable laws, regulations and codes of practice in relation to the subject matter of the Services; (g) comply with any additional requirements or obligations set out in the applicable Order Form; (h) be responsible for making all decisions and obtaining all authorisations, licences, consents or approvals necessary for the receipt, use and implementation of the Services and Deliverables; and (i) select the service level (Cyber Essentials or Cyber Essentials Plus) that best meets its needs and requirements.

5.2The Customer represents and warrants that it has all necessary rights, power and authority to provide the Customer Materials to Fig Compliance Ltd and to permit their use for the purposes of this Agreement.

6.1Cyber Essentials (Basic). Where the Services comprise a Cyber Essentials (Basic) assessment, the Customer shall: (a) complete the self-assessment questionnaire accurately and honestly, providing true and correct information about its IT infrastructure, controls and security posture; (b) ensure that the scope declared in the self-assessment accurately reflects the Customer’s IT infrastructure; and (c) acknowledge that the assessment is based solely on the information provided by the Customer and that Fig Compliance Ltd accepts no responsibility for the accuracy or completeness of such information.

6.2Cyber Essentials Plus. Where the Services comprise a Cyber Essentials Plus assessment, the Customer shall, in addition to the obligations in clause 6.1: (a) operate best practice and implement appropriate security precautions in connection with its use and receipt of the Services, including maintaining effective firewalls, virus checks, and suitable data backup and security arrangements, and ensuring that all necessary backups of relevant data, systems and networks are taken prior to the commencement of testing; (b) provide advance notice of any business-critical periods or scheduled downtime during which testing should not be carried out; (c) procure and maintain its own network connections, telecommunications links, and internet connectivity, and acknowledges that all problems, conditions, delays, delivery failures, and all other loss or damage arising from or relating to those connections or caused by the internet are the Customer’s responsibility; (d) procure, where applicable, all required consents and authorisations from relevant third parties (including, without limitation, any ISP or hosting or infrastructure providers) to permit the testing to be performed, and, when reasonably requested by Fig Compliance Ltd, provide evidence of such consents; (e) notify any relevant employees, agents, or third-party suppliers of the scheduled testing and that their activities or communications may be monitored, where appropriate; (f) arrange a mutually convenient time with Fig Compliance Ltd for the performance of the Assessment, inform its ISP or third-party host of the agreed date, and promptly advise of any periods during testing when work should stop to protect critical business processes; (g) provide at least one employee with substantial knowledge of the Customer’s systems, networks, and IT environment to act as a principal liaison between the Customer and Fig Compliance Ltd; (h) ensure that all necessary preparations are made and that Fig Compliance Ltd is provided with all specific external Internet Protocol (IP) addresses, domains, access credentials and all necessary access to premises, systems, and assets in scope, including on-site access if required and advance written notice of any site-specific restrictions; (i) ensure a suitably qualified person is available at all times during the provision of the Services to restore, as soon as possible, any service or server that becomes unavailable; (j) take all reasonable steps to mitigate the risks inherent in the provision and receipt of the Services, including data loss or disruption to systems; and (k) promptly implement any recommendations or remedial actions identified in the Deliverables, unless otherwise agreed in writing.

6.3In respect of any Assessment, the Customer: (a) recognises and agrees that Fig Compliance Ltd provides no warranty or guarantee as to the outcome of its testing or assessment methods, that all such methods have reliability limitations, and that such methods cannot guarantee discovery of all weaknesses, non-compliance issues, or vulnerabilities; (b) agrees that it has knowledgeably accepted these limitations and the risks attendant thereon; (c) understands that Fig Compliance Ltd may use various methods and software tools to probe network resources for security-related information and to detect actual or potential security flaws and vulnerabilities; (d) acknowledges that the Services could possibly result in service interruptions or degradation regarding the Customer’s systems and accepts those risks and consequences; and (e) further acknowledges it is the Customer’s responsibility to restore network computer systems to a secure configuration after provision of the Services.

6.4The Customer acknowledges and agrees that: (a) Fig Compliance Ltd provides assessment and certification services in accordance with the Cyber Essentials scheme requirements but does not warrant or guarantee that any particular certification will be achieved, as the outcome depends on the Customer’s compliance posture and the accuracy of information provided; (b) certification standards, requirements and methodologies may be updated or revised by IASME or the NCSC at any time, and Fig Compliance Ltd has no responsibility for changes to certification criteria occurring after the delivery of the Services or for ongoing compliance beyond the agreed scope; (c) a Cyber Essentials or Cyber Essentials Plus certificate reflects the Customer’s security posture at a point in time only and does not constitute an ongoing guarantee of security; and (d) the responsibility for maintaining ongoing compliance with Cyber Essentials requirements rests solely with the Customer.

6.5By engaging Fig Compliance Ltd in the Services, the Customer confirms that: (a) they are the lawful owner of every system, network, device and asset within the agreed scope of the Assessment, or hold written permission and delegated authority from each owner to authorise the testing described in these Terms; (b) they authorise Fig Compliance Ltd, and any subcontractor appointed under Clause 4, to perform vulnerability scans, penetration tests and any other technical assessment activity reasonably necessary to deliver the Services against those assets; (c) there are no legal, contractual or regulatory restrictions that would prevent, limit or qualify the authorisation given under this clause; and (d) they accept that the laws of England and Wales apply to the delivery of the Services, including the Computer Misuse Act 1990, the Human Rights Act 1998 (in particular Article 8), the UK General Data Protection Regulation and the Data Protection Act 2018, and grant consent for the Services to be provided notwithstanding the provisions of those Acts.

7.1The Customer shall pay each invoice submitted to it by Fig Compliance Ltd in full, and in cleared funds, within 14 days of the date of invoice, unless otherwise stated in the Order Form.

7.2Unless otherwise agreed in the Order Form, Fig Compliance Ltd shall be entitled to invoice the Fees in full in advance of the provision of the Services.

7.3Without prejudice to any other right or remedy that Fig Compliance Ltd may have, if the Customer fails to pay Fig Compliance Ltd on the due date, Fig Compliance Ltd may: (a) charge interest on such sum from the due date for payment at the annual rate of 8% above the base lending rate from time to time of the Bank of England, accruing on a daily basis until payment is made, whether before or after any judgment; and (b) suspend, without liability, all Services until payment has been made in full; and (c) charge, in addition to any other sums due, a fixed late payment fee of £40 in respect of each overdue invoice.

7.4Fig Compliance Ltd shall be entitled to recover from the Customer any reasonable expenses, disbursements or costs (including travel, accommodation, third-party tool costs, or subsistence) that are properly and necessarily incurred in connection with the provision of the Services, provided always that such expenses shall be agreed with the Customer in advance.

7.5All payments payable to Fig Compliance Ltd under this Agreement shall become due immediately on termination of this Agreement, despite any other provision. This clause is without prejudice to any right to claim for interest under the law, or any such right under the Agreement.

7.6All Fees are exclusive of VAT, which shall be payable by the Customer at the prevailing rate.

8.1The Customer may cancel or reschedule a confirmed Assessment subject to the following charges: (a) cancellation or rescheduling with more than 10 Business Days’ notice - no charge; (b) cancellation or rescheduling with 5 to 10 Business Days’ notice - 50% of the applicable Fees; (c) cancellation or rescheduling with less than 5 Business Days’ notice - 100% of the applicable Fees.

8.2Where the Customer fails to attend, fails to provide access, or is otherwise unable to proceed with a scheduled Assessment on the agreed date through no fault of Fig Compliance Ltd, the full Fees for that Assessment shall be payable and a rebooking fee equivalent to 50% of the original Fees may be charged for any rescheduled date.

8.3Fig Compliance Ltd reserves the right to reschedule an Assessment by providing the Customer with reasonable notice, and shall use reasonable endeavours to agree an alternative date that is convenient for the Customer. No cancellation or rebooking fee shall apply where the rescheduling is initiated by Fig Compliance Ltd.

8.4For the purposes of this clause, a “Business Day” means any day other than a Saturday, Sunday or public holiday in England.

9.1Where the Customer fails a Cyber Essentials Plus Assessment, Fig Compliance Ltd shall provide the Customer with a remediation report detailing the areas of non-compliance. The Customer shall be responsible for implementing any necessary remedial actions at its own cost.

9.2Unless otherwise stated in the Order Form, one retest within 30 days of the initial Assessment is included in the Fees. Any further retests beyond this shall be charged at Fig Compliance Ltd’s prevailing rate.

9.3Retests must be completed within the timescales prescribed by the Cyber Essentials scheme. The Fig Compliance Ltd accepts no responsibility for any failure to achieve certification resulting from the Customer’s delay in implementing remedial actions or scheduling a retest.

10.1All Intellectual Property Rights in and to the Services, Deliverables and any materials created, developed or provided by Fig Compliance Ltd in connection with this Agreement shall, as between the parties, be owned exclusively by Fig Compliance Ltd. Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from Fig Compliance Ltd to the Customer. Any pre-existing materials, tools, templates, scanning software, assessment methodologies or processes of Fig Compliance Ltd used in the provision of the Services and Deliverables shall remain the exclusive property of Fig Compliance Ltd.

10.2The Customer owns all right, title and interest in and to: (a) Customer Materials; (b) all Intellectual Property Rights of the Customer that may be made available in the course of providing the Services; and (c) all Confidential Information of the Customer.

10.3Fig Compliance Ltd hereby grants to the Customer a non-exclusive, non-sublicensable, non-transferable and worldwide licence to use the Deliverables to such extent as is necessary to enable the Customer to make reasonable internal use of the Deliverables for the purpose they were created. The Customer shall not copy, modify, distribute, sublicense, or use any Deliverables or part thereof for any purposes other than as expressly permitted in this Agreement.

10.4The Customer hereby grants to Fig Compliance Ltd a non-exclusive, sublicensable, transferable worldwide licence to use, modify, distribute and copy the Customer Materials to the extent necessary for the performance of the Services and the creation and/or delivery of the Deliverables.

10.5The Customer may, for its legitimate business purposes, disclose or provide copies of the Deliverables to third parties (including, but not limited to, regulators, certification bodies, clients, or professional advisers), provided always that: (a) such sharing is on a strictly “as is” basis and subject to the disclaimers and exclusions contained in this Agreement; (b) Fig Compliance Ltd shall have no liability of any kind to any third party to whom the Deliverables are disclosed, whether by the Customer or otherwise; (c) the Customer shall not remove any copyright, proprietary or disclaimer notices contained in or on the Deliverables; and (d) the Customer remains responsible for ensuring that any third party recipients are made aware of, and agree to, the limitations and exclusions of liability set out in this Agreement.

11.1Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party’s Confidential Information shall not be deemed to include information that: (a) is or becomes publicly known other than through any act or omission of the receiving party; (b) was in the other party’s lawful possession before the disclosure; (c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or (d) is independently developed by the receiving party, which independent development can be shown by written evidence.

11.2Each party shall hold the other’s Confidential Information in strict confidence, not use the other’s Confidential Information for any purpose other than the performance of its obligations hereunder and, subject to the exceptions in this clause, not make the other’s Confidential Information available to any third party.

11.3Each party shall take all reasonable steps to ensure that the other party’s Confidential Information to which it has access is not disclosed or distributed by its Representatives in violation of the terms of this Agreement.

11.4A party may disclose the Confidential Information of the other party to such of its Representatives as need to know it for the purpose of discharging the disclosing party’s obligations under this Agreement, provided that such Representatives are subject to obligations of confidentiality corresponding to those which bind the disclosing party.

11.5A party may disclose Confidential Information of the other party to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction. To the extent it is legally permitted to do so, the disclosing party shall give the other party as much notice of such disclosure as possible.

11.6The parties acknowledge that the Deliverables and any other information gathered by Fig Compliance Ltd in the provision of Services shall constitute the Customer’s Confidential Information.

11.7The provisions of this clause 11 shall survive for a period of 3 years following termination of the Agreement, however arising.

12.1The following provisions set out the entire liability of Fig Compliance Ltd (including any liability for the acts or omissions of its employees, officers, agents, representatives, assessors, subcontractors and any other person engaged by or on behalf of Fig Compliance Ltd) to the Customer arising out of or in connection with this Agreement. A reference to liability or liable in this Agreement shall mean any liability, whether in contract, tort (including negligence), misrepresentation, for breach of statutory duty or otherwise.

12.2Except as expressly and specifically provided in this Agreement: (a) Fig Compliance Ltd shall have no liability for any loss, damage or liability caused by the Customer Materials, or any actions taken by Fig Compliance Ltd at the Customer’s direction; (b) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, disclaimed and excluded from this Agreement including, without limitation, any warranties of title, merchantability, or fitness for a particular use or purpose; and (c) the Services and the Deliverables are provided to the Customer on an “as is” basis.

12.3Nothing in this Agreement excludes the liability of either party: (a) for death or personal injury caused by negligence; or (b) for fraud or fraudulent misrepresentation.

12.4Subject to clauses 12.2 and 12.3: (a) to the maximum extent permitted by law, Fig Compliance Ltd shall not be liable for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect, punitive, exemplary or consequential loss, costs, damages, charges or expenses however arising under or relating to this Agreement, even if Fig Compliance Ltd has been advised of the possibility thereof, and regardless of the legal or equitable theory upon which the claim is based; and (b) Fig Compliance Ltd’s total aggregate liability arising out of or in connection with the performance or contemplated performance of an Order Form shall be limited to the total amount of Fees paid by the Customer to Fig Compliance Ltd for the Services under the applicable Order Form; and (c) in respect of any other liability under this Agreement which does not fall under clause 12.4(b), Fig Compliance Ltd’s total aggregate liability shall be limited to the greater of: (i) total Fees paid by the Customer to Fig Compliance Ltd in the 12 months immediately preceding the date on which the liability arose; and (ii) £1,000.

12.5Under no circumstances shall Fig Compliance Ltd be responsible or liable for: (a) any harm caused by the transmission, through the Services, of a computer virus, malicious actor or other computer code or programming device that might be used to access, modify, delete, damage, corrupt, deactivate, disable, disrupt, or otherwise impede in any manner the operation of any of the Customer’s software, hardware, networks, systems, data or property; (b) any inaccuracy, error or delay in, or omission of, any data or information entered into the Services by the Customer or any third party; (c) any error or delay in the transmission of such data or information; or (d) any interruption in any such data or information.

12.6In view of the fact that the Cyber Essentials Plus Assessment may involve technical testing and vulnerability scanning, the Customer agrees not to take any action against Fig Compliance Ltd for conducting the Services. Fig Compliance Ltd shall not be responsible or liable for any losses incurred by the Customer as a result of such tests or audits, including any losses or damage caused to the Customer’s systems, documents, data, information, networks or business, or any third party claims brought against the Customer relating to or arising out of such tests or audits, except to the extent that it would be unlawful for Fig Compliance Ltd not to be responsible or liable.

12.7Exclusion of liability for staff, agents and representatives. To the fullest extent permitted by law, Fig Compliance Ltd shall have no liability whatsoever for any act, omission, default, negligence, error, failure, breach of duty (whether statutory, contractual, or otherwise), or misconduct of any of its employees, officers, agents, representatives, assessors, subcontractors, or any other person engaged by or on behalf of Fig Compliance Ltd in connection with the Services, howsoever arising. The Customer’s sole and exclusive remedy in respect of the Services shall be against Fig Compliance Ltd in its corporate capacity, subject always to the limitations set out in this clause 12.

12.8The Customer shall defend, indemnify and hold harmless Fig Compliance Ltd and its employees, officers, agents, representatives, assessors and subcontractors against any and all claims, actions, liabilities, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with: (a) any allegation or claim that Fig Compliance Ltd’s use of the Customer Materials infringes any Intellectual Property Rights or other rights of any third party; (b) any breach by the Customer of the licence granted under clause 10.3, including any misuse of the Deliverables or any unauthorised or unlawful provision of Deliverables, Services or information to third parties; (c) actual or threatened prosecution, regulatory enforcement, investigation, civil claim, or similar proceedings arising from the conduct of the Assessment authorised by the Customer and performed by Fig Compliance Ltd as part of the Services, including any failure by the Customer to obtain all necessary third party consents or authorisations; (d) any false or misleading statements or submissions made to a certification body or authority, or failure to comply with applicable standards, requirements or audit processes; and (e) any third-party claim arising from the Customer’s reliance, implementation or use of any advice, recommendations or Deliverables provided under the Services.

13.1Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate the Agreement, including all active Order Forms, immediately on written notice to the other party without liability if the other party: (a) fails to pay any amount due under this Agreement on the due date for payment and remains in default seven days after being notified in writing to make such payment; (b) commits a material breach of any other term of this Agreement and (if such breach is remediable) fails to remedy that breach within a period of 14 days after being notified in writing to do so; (c) suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986; or (d) commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes an order for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation.

13.2Any provision of this Agreement that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this Agreement shall remain in full force and effect.

13.3Termination of this Agreement shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination.

13.4Upon termination or expiry of this Agreement for any reason: (a) all rights and licences granted to the Customer under this Agreement shall immediately cease, except as expressly stated otherwise; (b) the Customer shall promptly pay all outstanding amounts due to Fig Compliance Ltd, including any accrued Fees for Services performed and reasonable costs and expenses incurred up to and including the date of termination; (c) each party shall, upon written request and at its own cost, promptly return or permanently delete (as instructed) all Confidential Information and any materials belonging to the other party in its possession, custody or control, except to the extent a party is required to retain such materials by law or for regulatory purposes; and (d) the Customer shall cease all use of the Deliverables and Services except to the extent permitted under this Agreement.

14.1Fig Compliance Ltd shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes, failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, epidemic or pandemic, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of Fig Compliance Ltd’s subcontractors, for so long as said cause persists, provided that the Customer is notified of such an event and its expected duration.

15.1Each party agrees to comply with the Data Protection Legislation.

15.2The parties acknowledge that for the purposes of the Data Protection Legislation, from time to time, the Customer will be the data controller and Fig Compliance Ltd is the data processor in connection with personal data relating to this Agreement.

15.3Where Fig Compliance Ltd is a processor and the Customer is a controller, the applicable Order Form will set out the scope, nature and purpose of the processing by Fig Compliance Ltd, the duration of the processing and the types of personal data (as defined in the Data Protection Legislation (“Personal Data”)) and categories of data subject.

15.4Fig Compliance Ltd shall, in relation to any Personal Data processed in connection with the provision of the Services: (a) process that Personal Data only on written instructions of the Customer; (b) keep the Personal Data confidential; (c) comply with the Customer’s reasonable instructions with respect to processing Personal Data; (d) not transfer any Personal Data outside of the UK unless the Customer provides its prior written consent; (e) provide commercially reasonable assistance to the Customer in responding to any data subject access request relating to the Services or with supervisory authorities or regulators; (f) notify the Customer without undue delay, and in any event within 72 hours, on becoming aware of a Personal Data breach or communication which relates to the Customer’s or Fig Compliance Ltd’s compliance with the Data Protection Legislation; (g) at the written request of the Customer, delete or return Personal Data (and any copies of the same) to the Customer on termination of the applicable Services unless required by the Data Protection Legislation to store the Personal Data; and (h) maintain complete and accurate records and information to demonstrate compliance with this clause 15.

15.5Fig Compliance Ltd shall ensure that it has in place appropriate technical or organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.

15.6Fig Compliance Ltd shall be permitted to appoint third-party processors of Personal Data in connection with the performance of this Agreement without the prior consent of the Customer, provided that: (a) any such appointment is subject to a written agreement imposing on the third-party processor data protection obligations that are no less onerous than those set out in this Agreement; and (b) Fig Compliance Ltd shall inform the Customer of any intended changes concerning the addition or replacement of such processors, giving the Customer the opportunity to object to such changes.

16.1The Customer agrees that, during the term of each Order Form and for a period of 12 months after completion, expiry or termination of that Order Form, it will not, nor attempt to, solicit away from Fig Compliance Ltd any employees or personnel of Fig Compliance Ltd (or its subcontractors) which it met or was introduced to through its relationship under that Order Form without the prior written consent of Fig Compliance Ltd.

17.1No variation or modification of this Agreement shall be effective unless it is in writing and signed by both parties (or their authorised representatives).

17.2No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

17.3Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

17.4If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

17.5This Agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover. Each of the parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement.

17.6The Customer shall not, without the prior written consent of Fig Compliance Ltd, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. Fig Compliance Ltd may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.

17.7Nothing in this Agreement is intended to or shall operate to create a partnership, joint venture, agency, franchise or employment relationship between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).

17.8This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns).

17.9Any notice required to be given under this Agreement shall be in writing and may be delivered by hand, sent by pre-paid first-class post or recorded delivery, or sent by e-mail to the other party at its address or e-mail address set out in the applicable Order Form, or such other address or e-mail address as may have been notified by that party in accordance with this clause. A notice delivered by hand shall be deemed received when delivered (or, if not in business hours, at 9 am on the first business day following delivery); a correctly addressed notice sent by pre-paid first-class post or recorded delivery shall be deemed to have been received at the time at which it would have been delivered in the normal course of post; and a notice sent by e-mail shall be deemed received at 9 am on the first day following delivery.

17.10This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of England and Wales. The parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).