
Defence Cyber Certification Terms & Conditions.

The terms governing engagements for Fig Compliance Ltd’s IASME-licensed Defence Cyber Certification Level 0 services.

Last updated

2026-05-01

These Terms and Conditions (the Terms) govern the supply by Fig Compliance Ltd of Defence Cyber Certification Level 0 (DCC L0) services to the Customer. By placing an order, the Customer agrees to be bound by these Terms together with the applicable Order Form.

Clause 01

Definitions and Interpretation

In these Terms, capitalised terms have the meanings given below:

Agreement
these Terms and Conditions together with any Order Form.
Annual Attestation
the structured questionnaire issued by Fig Compliance Ltd at the end of Year 1 and Year 2 of the Certificate validity period, requiring the Customer to confirm that the Controls in scope at the original Assessment remain in place, signed by the same authorised representative who signed the Order Form.
Assessment
the IASME-licensed Defence Cyber Certification Level 0 (DCC L0) assessment to be carried out by Fig Compliance Ltd, comprising a documentation review of three controls drawn from Def Stan 05-138 issue 4, conducted by review of evidence supplied by the Customer (no on-site or remote technical inspection).
Certificate
the Defence Cyber Certification Level 0 certificate issued to the Customer following a favourable Assessment outcome, valid for three (3) years from the issue date subject to Annual Attestation.
Certification Body
Fig Compliance Ltd, acting in its capacity as an IASME-licensed Certification Body for the Defence Cyber Certification (DCC) scheme, licensed for Levels 0 and 1.
Confidential Information
all information (however recorded or preserved) disclosed by a party or its employees, officers, representatives, advisers or subcontractors (Representatives) to the other party and that party's Representatives in connection with this Agreement, which is either labelled as such or which should reasonably be considered as confidential because of its nature and the manner of its disclosure.
Customer
the person, firm, company or other entity that purchases or agrees to purchase the Services from Fig Compliance Ltd, as identified in the Order Form.
Customer Materials
any information, data, documents, materials, access credentials, software, specifications, policies, records, content, or other materials provided by or on behalf of the Customer to Fig Compliance Ltd for the purposes of the Services, or otherwise made available for use, review, or reference in connection with the provision of the Services and Deliverables.
Cyber Essentials
the UK Government-backed Cyber Essentials certification scheme, as administered by IASME on behalf of the NCSC, which is a prerequisite for DCC L0.
Cyber Risk Profile (CRP)
the Cyber Risk Profile assigned to a UK Ministry of Defence (MOD) contract by the contracting authority, which determines the required Defence Cyber Certification level for that contract.
Data Protection Legislation
all applicable data protection and privacy legislation in force from time to time in the UK including the UK GDPR; the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
DCC Scheme
the Defence Cyber Certification scheme administered by IASME on behalf of the UK Ministry of Defence, built on Defence Standard 05-138 issue 4, used to certify suppliers in the MOD supply chain.
Def Stan 05-138 issue 4
the UK Ministry of Defence Defence Standard issue 4 of 05-138 on which the DCC Scheme is built.
Deliverables
all documents, reports, certificates, written summaries, gap descriptions, remediation guidance, evidence-mapping outputs and any other materials prepared for or delivered to the Customer in connection with the provision of the Services.
Fees
the fees payable by the Customer to Fig Compliance Ltd for the Services as detailed in the applicable Order Form.
Fig Technology Platform
the compliance automation platform operated by Fig Technology Ltd to which the Customer is granted limited, read-only access for evidence pre-mapping during the Assessment.
Intellectual Property Rights
patents, rights to inventions, copyright and related rights, trade marks, trade names, domain names, rights in get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered.
Order Form
the Customer's order for Services, which sets out the Fees payable, a description of the Services (including, where applicable, the estimated timetable, the in-scope estate, and the Cyber Risk Profile under which the Customer is engaging), and which incorporates these Terms by reference.
Services
the IASME-licensed DCC L0 assessment, certification, Annual Attestation support and related services to be provided by Fig Compliance Ltd, as further described in the applicable Order Form.
Fig Compliance Ltd
Fig Compliance Ltd, a company registered in England and Wales under company number 16857592 (VAT number 506692774), whose registered office is at 11 Wandle Bank, London, England, SW19 1DW, and which is part of Fig Group.
VAT
value added tax chargeable under English law for the time being and any similar additional tax.

1.1 References to clauses are to clauses of these Terms unless otherwise stated.

1.2 Words importing the singular include the plural and vice versa, and references to persons include companies, partnerships and other legal entities.

1.3 The headings in these Terms are for convenience only and do not affect their interpretation.

Clause 02

Agreement and Order Forms

2.1 Each Order Form constitutes an offer by the Customer to purchase the Services on these Terms. An Order Form is accepted when Fig Compliance Ltd issues written acceptance, at which point the Agreement comes into existence between the parties.

2.2 The Order Form sets out the Services to be provided, the Fees payable, the in-scope estate (including sites, suppliers and the legal entity to be certified), and the Cyber Risk Profile under which the Customer is engaging.

2.3 These Terms apply to the exclusion of any other terms that the Customer seeks to impose or incorporate, or which are implied by trade, custom, practice or course of dealing.

2.4 Fig Compliance Ltd may amend these Terms from time to time. Changes apply to Order Forms placed after the amendment is published; existing engagements continue to be governed by the Terms in force when the Order Form was accepted.

Clause 03

Fig Compliance Ltd Obligations

3.1 Fig Compliance Ltd shall provide the Services with reasonable skill and care, in accordance with the standards required of an IASME-licensed Certification Body for the DCC Scheme.

3.2 Fig Compliance Ltd shall conduct the Assessment as a documentation review against the three controls drawn from Def Stan 05-138 issue 4. The Assessment does not include any on-site visit, remote technical inspection, vulnerability scanning or penetration testing.

3.3 Fig Compliance Ltd is licensed by IASME for DCC Level 0 and Level 1 only. Where the Customer’s engagement requires DCC Level 2 or Level 3 (or where the contracting authority subsequently re-assigns the Cyber Risk Profile to a level Fig Compliance Ltd is not licensed for), Fig Compliance Ltd shall refer the Customer to other IASME-licensed Certification Bodies that hold the required scope. Fig Compliance Ltd accepts no liability arising from its inability to conduct Level 2 or Level 3 assessments.

3.4 Fig Compliance Ltd shall use reasonable endeavours to meet the indicative timeline set out in the Order Form (typically 2-3 weeks for a prepared organisation), but time is not of the essence. Timeline variability is materially driven by the Customer’s evidence-readiness and response time.

Clause 04

Cyber Essentials Prerequisite

4.1 The Customer must hold a current Cyber Essentials certificate as a prerequisite for the DCC L0 Assessment.

4.2 Where the Customer does not hold a current Cyber Essentials certificate at the date of the Order Form, Fig Compliance Ltd shall issue Cyber Essentials within the engagement at no additional charge. The Cyber Essentials certificate must be issued before formal DCC L0 Assessment work begins.

4.3 Where the Customer does hold a current Cyber Essentials certificate, the Customer shall provide a copy of the certificate to Fig Compliance Ltd and confirm that it covers the same scope as the DCC L0 engagement.

4.4 Delays to the Cyber Essentials prerequisite are the responsibility of the Customer and shall extend the indicative timeline accordingly. No re-booking fee is charged for Fig Compliance Ltd to re-sequence the engagement.

Clause 05

Cyber Risk Profile (CRP) Verification

5.1 The Customer represents and warrants that the contracting authority for the relevant MOD contract has assigned, or has confirmed in writing as adequate, a Very Low Cyber Risk Profile for the scope declared in the Order Form. DCC Level 0 applies only to Very Low CRP contracts.

5.2 Where Fig Compliance Ltd identifies, during scoping or during the Assessment, that the contracting authority’s CRP assignment is Low, Moderate or High, Fig Compliance Ltd may pause the Assessment and recommend escalation to a higher DCC level.

5.3 Where escalation is recommended, the Customer may elect to (i) proceed to a separate DCC L1 engagement (where Fig Compliance Ltd is licensed and quoted accordingly), (ii) accept referral to another IASME-licensed Certification Body for L2 or L3, or (iii) withdraw. No refund is due in respect of Assessment work already performed under L0; where the Customer proceeds to L1 with Fig Compliance Ltd, the Fees paid for L0 are credited against the L1 engagement fees.

Clause 06

Customer Obligations

6.1 The Customer shall provide Fig Compliance Ltd with all Customer Materials reasonably required for the Assessment, in the form requested, within the timescales set out in the Order Form or otherwise agreed with the Fig Compliance Ltd consultant assigned to the engagement.

6.2 The Customer warrants that all Customer Materials are accurate, complete and not misleading at the date of submission, and shall promptly notify Fig Compliance Ltd of any subsequent material changes affecting the in-scope estate.

6.3 The Customer shall confirm at scoping the in-scope sites, in-scope suppliers, the legal entity being certified, and the Cyber Risk Profile assigned by the contracting authority. The Customer shall provide a list of direct suppliers in scope of the MOD contract together with documented flow-down clauses or DPA materials where contractually required.

6.4 The Customer shall complete the Annual Attestation questionnaire issued by Fig Compliance Ltd at the end of Year 1 and Year 2 of the Certificate validity period within thirty (30) calendar days of issue. Failure to attest within ninety (90) calendar days of issue may, at Fig Compliance Ltd’s discretion, result in (i) suspension of Certificate validity until attestation is completed, or (ii) requirement for a chargeable re-assessment to restore validity.

6.5 Where the Customer chooses to use the Fig Technology Platform during the engagement, the Customer grants Fig Compliance Ltd and its subcontractor Fig Technology Ltd limited, read-only access to the systems necessary for evidence pre-mapping. Platform access for engagement purposes terminates ninety (90) calendar days after Certificate issue unless extended by separate agreement.

Clause 07

Assessment Services

7.1 The Assessment is a documentation review. The IASME-licensed assessor reviews the evidence supplied by the Customer against the three controls drawn from Def Stan 05-138 issue 4 and decides whether to recommend issue of the Certificate.

7.2 Fig Compliance Ltd does not warrant that the Assessment will result in the issue of a Certificate. The Certificate is issued only where the assessor is satisfied that the evidence demonstrates compliance with the three controls in scope.

7.3 Where the Customer’s scope materially changes after the Order Form is accepted (including the addition of new sites, change of legal entity, expansion of supplier scope, or re-classification of the Cyber Risk Profile by the contracting authority), Fig Compliance Ltd may pause the Assessment, re-scope the engagement and adjust the Fees. Material scope change shall be notified by the Customer to Fig Compliance Ltd in writing without delay.

Clause 08

Charges and Payment

8.1 The Fees for the Services are set out in the Order Form and are payable in full on acceptance unless otherwise agreed in writing. Fees are exclusive of VAT.

8.2 The Fees include the IASME-licensed L0 Assessment, the Cyber Essentials prerequisite where required (clause 4), Annual Attestation support at the end of Year 1 and Year 2, and limited consultant access during evidence preparation.

8.3 Re-assessment at Year 3 (if required) is not included in the Fees and shall be separately quoted at the prevailing published price.

8.4 Without prejudice to any other right or remedy, Fig Compliance Ltd reserves the right to charge interest on overdue amounts at the rate of 4% per annum above the Bank of England base rate from time to time, accruing on a daily basis from the due date until the date of actual payment.

Clause 09

Cancellation, Refunds and Rescheduling

9.1 The Customer may cancel an Order Form at any time before formal Assessment work has commenced. Where cancellation occurs before any chargeable work has commenced, Fig Compliance Ltd shall refund the Fees in full.

9.2 Where cancellation occurs after Assessment work has commenced (including scoping, Cyber Essentials issuance under clause 4, evidence pre-mapping, or formal assessor review), Fig Compliance Ltd shall refund the Fees on a pro-rated basis reflecting the proportion of the engagement not yet performed. Where the Cyber Essentials prerequisite has been issued, the value of the Cyber Essentials certificate is deducted from any refund.

9.3 The Customer may reschedule the Assessment in writing on reasonable notice. Fig Compliance Ltd shall use reasonable endeavours to accommodate the new date but does not warrant any specific scheduling outcome.

9.4 Where the Customer fails to provide Customer Materials within thirty (30) calendar days of the date set out in the Order Form, Fig Compliance Ltd may elect to (i) pause the engagement until materials are provided, or (ii) treat the engagement as cancelled by the Customer, with refund calculated on a pro-rated basis under clause 9.2.

Clause 10

Gap Handling and Service Pause

10.1 Where the Assessment identifies gaps against the three controls in scope, Fig Compliance Ltd shall describe the gaps in writing and provide remediation guidance. The Customer may remediate the gaps and the Assessment shall continue, without separate re-engagement fees for a single retry round.

10.2 Where Fig Compliance Ltd reasonably determines that the gaps identified during Assessment are pervasive or indicate that the Customer’s posture is materially below the L0 baseline, Fig Compliance Ltd may pause the Assessment and discuss the options under clause 10.3 before invoicing any extension.

10.3 Where the Assessment is paused under clause 10.2, the Customer may elect to (i) undertake a remediation programme of an agreed duration before re-entering Assessment (which may incur additional Fees, scoped transparently before any charges are incurred), (ii) consider escalation to a higher DCC level under clause 5.3, or (iii) withdraw, with refund calculated on a pro-rated basis under clause 9.2.

10.4 Fig Compliance Ltd will not push a Customer through formal Assessment where, in its reasonable opinion, the Assessment is unlikely to result in the issue of a Certificate.

Clause 11

Certificate Validity and Annual Attestation

11.1 The Certificate is valid for three (3) years from the date of issue, subject to Annual Attestation in accordance with clause 6.4.

11.2 Fig Compliance Ltd shall send the Annual Attestation questionnaire to the Customer approximately thirty (30) calendar days before the anniversary of Certificate issue in Year 1 and again in Year 2.

11.3 Where the Customer notifies a material change to the in-scope estate during the Certificate validity period, Fig Compliance Ltd may require a re-scoped attestation or, where the change is material to the controls in scope, recommend a re-assessment (which shall be separately quoted).

11.4 At the end of the three (3) year validity period, the Customer must obtain a new Certificate by way of full re-assessment. Re-assessment shall be quoted at the prevailing published price; the Customer is under no obligation to engage Fig Compliance Ltd for re-assessment.

Clause 12

Subcontracting

12.1 Fig Compliance Ltd may subcontract any of its obligations under this Agreement to Fig Technology Ltd or to other suitably qualified subcontractors, but shall remain liable to the Customer for the performance of the Services.

12.2 Where Fig Technology Ltd is engaged for evidence pre-mapping, Fig Compliance Ltd shall ensure that Fig Technology Ltd is bound by confidentiality and data protection obligations no less stringent than those in these Terms.

Clause 13

Intellectual Property Rights

13.1 As between the parties, the Customer owns the Customer Materials and any pre-existing Intellectual Property Rights of the Customer.

13.2 As between the parties, Fig Compliance Ltd owns all Intellectual Property Rights in the Deliverables (other than the Customer Materials) and in any methodology, templates, intake forms, software, platform configuration or know-how used in providing the Services.

13.3 Fig Compliance Ltd grants the Customer a non-exclusive, royalty-free, non-transferable licence to use the Deliverables solely for the Customer’s internal business purposes connected with the relevant MOD contract for which the Certificate was obtained.

13.4 The Customer grants Fig Compliance Ltd a non-exclusive, royalty-free licence to use the Customer Materials to the extent reasonably necessary to provide the Services.

13.5 The Certificate is issued by Fig Compliance Ltd in its capacity as an IASME-licensed Certification Body. The DCC Scheme is administered by IASME on behalf of the UK Ministry of Defence; nothing in this Agreement transfers any rights in the DCC Scheme, the IASME licence, Def Stan 05-138 issue 4, or any related trade marks or Intellectual Property Rights of IASME, the NCSC or the MOD.

Clause 14

Confidentiality

14.1 Each party undertakes to keep the Confidential Information of the other party confidential and not to disclose it to any third party without the prior written consent of the disclosing party, except where disclosure is required by law, regulation, IASME audit, or any competent authority.

14.2 Each party may share Confidential Information with its Representatives on a need-to-know basis, provided those Representatives are bound by confidentiality obligations no less stringent than those in this clause.

14.3 The obligations in this clause shall survive termination of this Agreement for a period of five (5) years.

Clause 15

Data Protection

15.1 Each party shall comply with its respective obligations under the Data Protection Legislation in respect of personal data processed in connection with this Agreement.

15.2 The parties acknowledge that, in providing the Services, Fig Compliance Ltd may process limited personal data on behalf of the Customer (for example contact details of the Customer’s authorised representative). Where Fig Compliance Ltd acts as a processor, it shall do so only on documented instructions from the Customer.

15.3 Each party shall implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

15.4 Fig Compliance Ltd’s privacy notice, which describes its processing of personal data, is available at /privacy-policy.

Clause 16

Limitation of Liability

16.1 Nothing in this Agreement excludes or limits either party’s liability for (i) death or personal injury caused by negligence, (ii) fraud or fraudulent misrepresentation, or (iii) any other liability that cannot be excluded or limited by applicable law.

16.2 Subject to clause 16.1, Fig Compliance Ltd shall not be liable to the Customer, whether in contract, tort (including negligence), breach of statutory duty or otherwise, for any (i) loss of profits, (ii) loss of revenue, (iii) loss of business, (iv) loss of opportunity, (v) loss of contract, (vi) loss of anticipated savings, (vii) loss of goodwill or reputation, (viii) loss or corruption of data, or (ix) indirect or consequential loss.

16.3 Subject to clauses 16.1 and 16.2, Fig Compliance Ltd’s total liability to the Customer arising under or in connection with this Agreement, whether in contract, tort (including negligence), breach of statutory duty or otherwise, shall be limited to the Fees paid by the Customer under the relevant Order Form in the twelve (12) months immediately preceding the event giving rise to the claim.

16.4 Fig Compliance Ltd is not liable for any failure of the Customer to win, retain or deliver any MOD contract, regardless of whether the Certificate was issued, refused or pending at the relevant time.

Clause 17

Termination

17.1 Either party may terminate this Agreement immediately by written notice to the other party if (i) the other party commits a material breach which is irremediable or, if remediable, is not remedied within thirty (30) calendar days of written notice, or (ii) the other party becomes insolvent, enters administration, suffers a receiver to be appointed, or ceases to carry on business.

17.2 On termination, (i) any Fees due and payable up to the date of termination shall become immediately due, (ii) each party shall return or destroy the Confidential Information of the other party (subject to retention required by law), and (iii) clauses that by their nature should survive termination shall continue in force.

Clause 18

Force Majeure

18.1 Neither party shall be liable for any failure or delay in performing its obligations under this Agreement to the extent such failure or delay is caused by an event beyond its reasonable control (including acts of God, strikes, lockouts, government action, pandemic, war, terrorist activity, and significant infrastructure or telecommunications failure).

18.2 The affected party shall promptly notify the other party of the force majeure event and shall use reasonable endeavours to mitigate its effects.

Clause 19

Non-Solicitation

19.1 During the term of this Agreement and for a period of twelve (12) months after its termination, neither party shall solicit for employment any employee of the other party who has been directly engaged in the provision or receipt of the Services, without the prior written consent of the other party. This clause does not apply to general recruitment advertising not specifically targeted at the other party’s employees.

Clause 20

General

20.1 Entire agreement. This Agreement constitutes the entire agreement between the parties in respect of its subject matter and supersedes all prior agreements, understandings and representations.

20.2 Variation. No variation of this Agreement is effective unless in writing and signed by an authorised representative of each party.

20.3 Assignment. The Customer shall not assign or transfer this Agreement without the prior written consent of Fig Compliance Ltd. Fig Compliance Ltd may assign or transfer this Agreement to any company within Fig Group on written notice.

20.4 Notices. Notices under this Agreement shall be in writing and delivered by email to the address set out in the Order Form (or such other address as the receiving party notifies in writing).

20.5 Severance. If any provision of this Agreement is held to be unenforceable, the remaining provisions shall continue in full force.

20.6 Third party rights. Nothing in this Agreement is intended to confer rights on any third party under the Contracts (Rights of Third Parties) Act 1999, save that Fig Technology Ltd may enforce clauses 6.5 and 12.2 directly.

20.7 Governing law and jurisdiction. This Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales.