These conditions shall form part of every contract of sale entered into by Connectus Business Solutions Ltd (“the Company”) to the exclusion of all other terms and conditions including any which the Customer may propose. These conditions may not be varied except in writing signed by an officer of the Company.
This Document relates only to our Cyber Essentials, IASME and DPO services; it does not relate to any other product or service supplied by Connectus Business Solutions Ltd unless specified herein.
Definitions and Interpretation
“The Company” means Connectus the company providing and operating these services and products.
“Services and Products” means the services and products described and offered on our website.
“Customer” means the business or businesses, person or persons who are registered with Connectus.
“Website” means our presence on the world wide web under https://Connectus.com which is available to the public.
“Account” means the record of transactions applicable to a user or users associated with Connectus.
“Legislation” means laws or regulations governing the provision of goods or services between Connectus and registered users.
“Registered Partners or Affiliates” refer to associated persons or businesses appointed by Connectus to distribute our goods or services to end users.
“Acceptable Use Policy” means the guidelines provided by Connectus for acceptable use. These guidelines are shown separately on the Connectus website but may change from time to time. It is also available on request.
Where a Customer orders Cyber Essentials, the provisions of these Cyber Essentials Terms and Conditions shall apply.
The Cyber Essentials Scheme is owned by HM Government (the Authority) and IASME Consortium Limited is the Accreditation Body (AB).
HMG and IASME own respectively all the intellectual property rights in the Cyber Essentials mark (as appears on the website) and the IASME Governance Standard mark (as appears on the website).
This agreement is intended to govern the relationship between the Company (a Certification Body appointed by the AB) and the Customer under which the Customer wishes to apply for certification under the scheme. The assessment for certification will be carried out only on the basis that the Customer has paid the fees and that the Customer accepts the terms and conditions of this agreement in full.
If the Customer does not accept all of the terms of this agreement the Customer must not download, copy or use the marks or claim to be certified under the scheme. The Customer must also destroy any unlicensed copies of the marks or other materials under the scheme which might be in the Customer’s possession.
A “pass” under the GDPR assessment does not mean that the Customer is assessed as being legally compliant. It indicates only that the Customer is starting on the pathway to compliance and is committed to ensuring ‘privacy by design’.
The Customer should ensure that they obtain specialist legal advice on the GDPR as on any other data protection issue. This GDPR assessment is not legal advice and must not be relied upon as such and the Company accepts no liability for loss or damage suffered because of reliance on views expressed here.
The assessment addresses key elements and is intended to help organisations demonstrate progress towards meeting the policy objectives that underpin the GDPR.
1. The Company’s Obligations
1.1. The Company will, upon receipt of the Fees, allow the Customer to complete a Scheme Self-Assessment Questionnaire and will, subject to the Customer meeting its obligations under this Agreement, assess the Customer’s completed Questionnaire against the Scheme’s criteria.
1.2. The Company will perform the assessment using reasonable skill and care.
1.3. In the event that the Customer’s Questionnaire meets the Scheme criteria (which the Company shall assess at its sole and absolute discretion) the Company will notify the Customer in writing and, subject to the Customer meeting their obligations under clause 2, will arrange for the issue of a Scheme Certificate to the Customer.
1.4. If the Customer is unsuccessful in their first assessment attempt, the Company will consider and reassess against the Scheme profile any changes to the Customer’s profile that the Customer notifies to the Company or which otherwise come to the Company’s attention over the following two (2) working days. The Company will not conduct this reassessment more than one time within the price quoted.
2. The Customer’s Obligations
2.1. The Customer will complete the Self-Assessment Questionnaire accurately, fully, and honestly within 6 months of application. After these 6 months the Customer’s account may be closed, and no refund will be due.
2.2. The Customer will not use the Marks or claim to be certified unless the Customer is in receipt of a current, valid Scheme Certificate duly issued by the Company.
2.3. The Customer acknowledges that any Scheme Certificate will be issued to the Customer only upon acceptance of a signed agreement governing the terms and conditions of use including constraints on the use of the Marks.
2.4. The Customer will not make any derogatory statements about the Scheme or behave in any manner that would damage the reputation of the Scheme.
2.5. The Customer acknowledges that the Scheme is intended to reflect that certificated organisations have themselves established the cyber security profile set out in the Scheme documents only and that receipt of a Scheme Certificate does not indicate or certify that the certificate holder is free from cyber security vulnerabilities.
2.6. The Customer acknowledges that the Company has not warranted or represented the Scheme or certification under the Scheme as conferring any additional benefit to the Customer.
2.7. The Customer will comply with the Scheme documentation and all reasonable directions made to the Customer by the Authority, the AB or the Company.
3.1. The Customer agrees to pay the Charges for the Service.
3.2. For the avoidance of doubt, Connectus shall be entitled to charge Additional Charges if any Services or work are requested by the Customer which fall outside the scope of the agreed Service or which are to be completed by the Company outside Working Hours. Any Additional Charges shall become due and be invoiced on completion of the additional work.
3.3. The Charges are exclusive of Value Added Tax which shall be payable by the Customer at the applicable rate.
3.4. The Installation Charges will be invoiced on acceptance of order.
3.4.1. The Service Charges will be invoiced monthly in advance.
3.4.2. Payment of invoices will be made in full by Direct Debit. If no Direct Debit mandate is signed, a £75 per quarter service charge will be applied.
3.5. The Customer shall pay the Charges without off-set or deduction in pounds sterling by the due date specified herein. The Customer shall pay all Charges for the Service whether or not the Service is used by the Customer.
3.6. If the Customer fails to pay the Charges in accordance with these conditions, the Company may suspend the Service until payment is received in full and the Company may charge interest at the rate of 2% per annum above the base rate of Barclays Bank plc on any amounts outstanding from the due date until payment is made in full. Service will continue to be billed during suspension of Services.
The Customer must pay the Renewal Fee and be reassessed at each anniversary of the issue of the Customer’s original certificate. Non-payment of the Renewal Fee or noncompliance at the reassessment will result in the certificate becoming invalid.
The Scheme Profile details and methodology are confidential, and the Customer agrees to keep them confidential, save where disclosure is required by an order of the courts or tribunal or as required by HMRC and only in accordance with the terms of that order or requirement.
6.1. The Customer warrants that the Scheme Questionnaire has been completed by an authorised and suitably competent person.
6.2. The Customer warrants that they will maintain the Security Profile indicated in their completed Questionnaire.
6.3. The Customer warrants that the Scheme Questionnaire the Customer submits is complete and accurate in all material respects.
7. Limitation of Liability
7.1. The Company does not accept any liability to the Customer resulting from any security breach or vulnerability in the Customer’s systems or processes.
Registered in England No. 07738099. VAT Registration No. 129013922. Registered Office: Meteor House, First Avenue, Finningley, Doncaster, DN9 3GA
7.2. The Company does not accept any liability to the Customer resulting from any security breach or vulnerability in the systems or processes that have been applied.
7.3. Without prejudice to the generality of clause 7.1 and subject to clause 7.5, the Company shall not be liable to the Customer, whether in contract, tort (including negligence), for breach of statutory duty or otherwise, arising under or in connection with this agreement for:
(a) loss of profits;
(b) loss of sales or business;
(c) loss of agreements or contracts;
(d) loss of anticipated savings;
(e) loss of or damage to goodwill;
(f) loss of use or corruption of software, data or information;
(g) any indirect or consequential loss.
7.4. The terms implied by sections 3 to 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from this agreement.
7.5. The limitations and exclusions on liability in this section will not apply to any liability for death or personal injury caused by our negligence, for fraud or fraudulent misrepresentation or for any other liability that cannot lawfully be excluded or limited.
7.6. Subject to clause 7.5, the total limit of the Company’s liability to the Customer whether in contract or tort is the sum equivalent to the Fees that the Customer has paid to the Company in the 12 months preceding the date of the Customer’s claim against the Company.
7.7. Neither the Company nor the Customer shall be liable for any delay in performing its obligations as a result of any circumstances beyond its reasonable control – “Force Majeure”; such as but without limitation to lightning, flood, exceptionally severe weather, fire, act of God, explosion, war, terrorism, civil disorder, strike, industrial dispute (whether or not involving employees of either party), malicious damage (including virus/hacking attacks or other intentional malicious acts of third parties), compliance with a law or governmental order, rule, regulation, direction, accident, third party interference, actions or omissions of 3rd party providers.
Connectus may terminate the Customer’s subscription at any time, immediately upon written notice via post, email or SMS message if you:
8.1. Breach any term of the Terms and Conditions or Acceptable Use Policy.
8.2. Are subject to Insolvency Proceedings.
8.3. If Connectus consider your behavior or interaction with any member of Connectus staff to be inappropriate or abusive. In such an event, the final decision shall rest with Connectus without burden of proof.
8.4. Refuse to comply with any of Connectus’s prescribed methods of interacting with Connectus, which may change from time to time to account for Connectus working practices, for example submitting support via support ticket.
8.5. On termination or suspension of Services Connectus shall be entitled to immediately block any website or Service provided to you or hosted for you by Connectus as part of the Services and to remove all data located on it. Connectus shall be entitled to delete all such data but Connectus may, at its discretion, hold such data for such period as Connectus may decide, to allow you to collect it at your expense, subject to payment in full of any amount outstanding payable to Connectus. Connectus shall further be entitled to post such notice in respect of the non-availability of such website as Connectus thinks fit.
8.6. The Customer is entitled to terminate their service once the contracted period stated on the order form has been reached providing 30 days’ notice. Otherwise Connectus will automatically invoice and/or collect payment at each anniversary period.
9. Data Protection and use of data.
9.1. The provisions of this Condition shall apply only to the extent that Personal Data (as defined below) is provided by the Customer to the Company or otherwise acquired by the Company in relation to the Contract.
9.2. In this Condition, the following terms shall have the following meanings: “Data Controller”, “Data Subject”, “Personal Data”, “Data Processor” and “processing” shall have the meanings ascribed to them in Regulation (EU) 2016/679 or any subsequent legislation in relation thereto (“The Regulation”) and derivative expressions shall be construed accordingly;
9.3. “Data Protection Legislation” shall mean collectively the Regulation and applicable local legislation, which includes in respect of Personal Data originating in the UK, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Computer Misuse Act 1990 and the Regulation of Investigatory Powers Act 2000; and
9.4. The Parties acknowledge that the Customer is the Data Controller and the Company is the Data Processor in respect of all Personal Data processed by the Company for the Contract and the Customer alone as Data Controller shall determine the purposes for which and the way such Personal Data will be processed by the Company.
9.5. Without prejudice to any other right of audit that the Customer may have, the Company shall, upon the Customer giving reasonable notice, allow the Customer or its nominated representatives such access to its (and its agents’, subsidiaries’ and subcontractors’) premises, facilities, equipment, information and records as may be reasonably required by the Customer from time to time to assess the Company’s and/or Company’s personnel compliance with this condition.
9.6. Unless the Customer requests otherwise, the Company may arrange for the Customer’s telephone numbers and details to be published in a telephone directory and made available from directory enquiries services.
9.7. The Company may use or disclose information relating to the Customer that it receives or collates if it is required to do so by its telecommunications operators, law, regulation or rules of a securities exchange or other regulatory authority, but only to the extent of the relevant requirement.
9.8. The use of any information, including call line identification, may be subject to (and therefore the Customer shall comply with) the Data Protection Act 1998, EU Data Protection directives, the Telecommunications (Data Protection and Privacy) Regulations 1999 or any other related law or regulation. The Company reserves the right to withhold calling line identification if it believes that the Customer has failed to comply with this condition or the Company receives a complaint from its telecommunications operators or any relevant authority.
9.9. The Company shall:
9.9.1. take all reasonable precautions to protect the Data Controller’s Personal Data and help them in meeting their legal obligations under prevailing Data Protection Legislation;
9.9.2. submit to audits and inspections providing the Data Controller with whatever information it needs to ensure both the Data Controller and the Data Processor are meeting their obligations under Article 28 of The Regulation and the relevant sections of Data Protection Legislation;
9.9.3. process the Personal Data only on and in accordance with the written instructions of the Customer and to the extent necessary for the proper performance of the Contract and shall not process the Personal Data for any other purpose;
9.9.4. maintain records of all processing requested by the Customer;
9.9.5. not modify, amend or alter the contents of the Personal Data except as required or permitted by the Contract or with the Customer’s prior written consent;
9.9.6. implement the appropriate technical and organisational measures (including, where relevant, those prescribed elsewhere in the Contract) to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing;
9.9.7. ensure that it takes reasonable steps to ensure the reliability of any of the Company personnel who have access to the Personal Data; that only those Company personnel who need to have access to the Personal Data are granted access to it; that such access is granted only for the purposes of the proper performance of the Contract; and that the Company personnel are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Condition;
9.9.8. notify the Customer forthwith, and in any event, no later than 12 hours from the time it comes to the Company’s attention, that any Personal Data has been the subject of accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, or any other unlawful form of processing;
9.9.9. co-operate fully with the Customer in the event of a Data Breach in providing all relevant information necessary for the Breach Report to the Information Commissioner’s Office;
9.9.10. notify the Customer within 7 days of receipt by it of a request or notice from any Data Subject to have access to that person’s Personal Data held by it; and provide the Customer with full co-operation and assistance in relation to any complaint or request, including providing the Customer with any relevant Personal Data it holds, within the timescales provided by the request or notice or as otherwise required by the Customer;
9.9.11. not retain the Personal Data for longer than is necessary to properly perform the Contract and upon expiry of the Contract for whatever reason, or at any other time at the Customer’s request, securely destroy or immediately return to the Customer all the Personal Data and certify that no copies have been made or retained by the Company or any third party acting on its behalf, provided that such secure destruction or return does not prevent the Company from fulfilling its obligations under the Contract; and comply with all Data Protection Legislation.
10. Dispute Resolution
Any dispute regarding this agreement shall first be discussed between the parties with a view to resolving it promptly. If it cannot be resolved within 28 days then the parties hereby agree that the dispute will be referred for alternative dispute resolution by an appropriate mediation practitioner who is a member of and subject to the rules of the Chartered Institute of Arbitrators.
11. Law and Jurisdiction
The relationship between the parties will be governed by English law and will be subject to the exclusive jurisdiction of the English courts. However, the Company may bring legal proceedings in any other jurisdiction, including the jurisdiction where the Customer is domiciled or based, to recover fees or other sums payable to the Company.
The Customer also agrees to the publication of the name of the Customer’s company and, if relevant, the scope of the assessment if the Customer is awarded certification. The Customer also agrees to the UK Government publishing the following details on their website:
-Date of certification