North Infosec Testing Ltd T/A North IT (NIT). Company No. 08088728 and VAT No. 238 5160 07. The company is registered in England & Wales with its registered address at: 16-26 Albert Road, Middlesbrough, TS1 1PR.
Services
NIT will provide services as agreed in a Quotation, so far as is reasonably practicable and aimed to complete within any agreed timescale.
NIT is responsible for maintaining reasonable continuity in personnel providing Services on its behalf, but reserves the right in its sole discretion to make changes from time to time; no additional charge will be made for any handover period, and NIT remains responsible for Services performed by any individual on its behalf.
Penetration Testing & Vulnerability Assessment Services
You must identify and disclose to us any third parties that may conceivably be affected by our testing activities, and any damages and/or loss of service caused by your failure to identify and/or disclose such third parties will remain your sole responsibility, and you therefore indemnify us against all and any costs or damages howsoever arising from such activities. Your authorisation to commence testing activities is deemed to include confirmation that any relevant internal or external parties have been appropriately notified, and that all necessary permissions from such parties for us to commence testing have been provided to us.
We can only aim to identify vulnerabilities that are already known at the date on which any tests are carried out, and which are capable of being exposed by the range of testing tools we deploy. You accept that it is in the nature of technical security testing that there may be flaws that will be uncovered in the future or by the use of alternative tools and attack methodologies, which may not have been identified or ranked at a lower severity at the time of testing, and you therefore agree that you will not, now or in the future, hold us to account for any such matters.
We can only identify vulnerabilities where the service is made available to us. Any web-application firewall, network firewall or other technology or protection which blocks our attempts to access any element of the test, including but not limited to networks, devices, ports, application functionality, or any other service or element of the test, may prevent appropriate security evaluation or vulnerability discovery. These technologies may hide vulnerabilities, and it is your responsibility to make NIT aware of any technology implemented which may impede the test and to agree a strategy to test those elements if required. We will accept no liability for failing to test any element which is unavailable to us.
Any limitation on testing, including but not limited to bandwidth, request limits, time-limited or non-invasive testing, the exclusion of networks, devices, services or social engineering, or any other constraint, may result in vulnerabilities not being identified or not being ranked with the correct severity.
Application tests are not code reviews and will not identify all issues, including any backdoor or any vulnerability which requires additional knowledge of the source code. For additional assurance consider a full security code review.
DDoS and large brute-force attacks will not be tested. DDoS attack simulations can impact network services and therefore are not part of our penetration testing or audit services. Brute force attacks have a similar effect and may lock users out. Therefore, application testing of these is limited to 10 logins. For domain, network, and infrastructure testing, please make us aware during the project scoping that this is required, and we will seek to set up limited testing accounts to confirm brute force protection is in place. For red-teaming exercises we may use brute force attacks as part of our audit as a real-world simulation.
We will accept no liability for damages caused to you by any automated or non-automated attacks on your Internet-facing infrastructure or its applications, irrespective of whether our security testing activity carried out under this agreement did, did not, or could have but did not identify any vulnerability exploited, or which might in future be exploited by any such attack.
We will aim to identify vulnerabilities that our testing has exposed and, wherever possible, we will identify by reference to commonly available and published information the appropriate patches and fixes that are recommended to deal with the identified vulnerability, but it will be entirely your responsibility to formally identify and deploy an appropriate solution to the vulnerabilities identified by our security testing.
Code Review & Due Diligence Services
All code review and due-diligence reports are opinion-based assessments. The reviews undertaken are made based on code, documentation, or other evidence provided and conversations with personnel. All reports should be considered as situational in nature and not be regarded as a business or operational plan.
Limitation of Liability
Our total liability under or in respect of any contract will not exceed the amounts paid by you under that contract. We will also not be liable for consequential, indirect or special losses of any sort. Each party expressly excludes liability for consequential loss or damage, loss of profit, business, revenue, goodwill or anticipated savings.
Project Changes
All quotes and estimates are based on the requirements from the client. If the scope of the project increases, or the customer requirements change during the project which then extends the work required to deliver the project, then our standard daily rate of 975 GBP will apply.
NIT’s projects are planned and timed appropriately. Where there is an increase in workload due to customer requirement change, any further work will be scheduled around, or performed after other current commitments and projects. This is to minimise disruption and delays for all our customers. This will significantly extend the timeline of the project and therefore clients are requested to stick to the scope of the project which was agreed, or be upfront with the full scope of the project during the scoping and quotation stage.
NIT may bill the customer on a monthly basis for the time used in that month, rather than at the end of the project, if the project is delayed or requires additional time. NIT charges on a time and materials basis for projects which are on-site. The client is expected to pay for travel, accommodation, and any reasonable expenses, which will be agreed with the client prior to the engagement.
Charges & Payment
All sums due shall be invoiced and paid as specified in the Quotation. The Client will pay NIT’s invoices within 14 days, unless otherwise specified. If payment is on a time and materials basis, or if the project has been delayed, NIT will invoice monthly for the time and materials used in that month.
If any of the invoices become overdue, NIT will suspend provision of any services, and any agreed timescale will be extended. NIT may also terminate an engagement at any time when any payment is more than 14 days overdue.
Any invoice which is 14 days or more overdue will be subject to the Late Payment of Commercial Debts (Interest) Act 1998, and compensation, interest and reasonable costs associated with recovering the debt will also be payable.
Invoices will generally be issued on delivery of the report. For larger projects a deposit of up to 50% may be required, or invoices may be issued per project milestone.
Non-poaching of staff
Neither party will engage, employ or otherwise solicit for employment any person who during the previous 3 years was an employee, partner, or sub-contractor of the other and with whom such party had material contact in connection with any engagement, until 3 years after the end of that engagement.
Confidentiality
Unless the parties have signed a separate agreement containing more specific provisions in relation to confidentiality (in which case the provisions of such agreement will continue to apply in lieu of this clause), each party will keep any confidential information disclosed by the other secret. Neither party may use or take advantage of any such confidential information without the discloser’s consent, even after the end of an engagement. This obligation does not apply to (i) information known to the receiver before disclosure by the other party, or (ii) information which becomes public knowledge without fault on the part of the receiver, or (iii) disclosures made to the extent required by some applicable legal or regulatory requirement.
General
If any of these terms is at any time held in any jurisdiction to be void, invalid or unenforceable, then it will be treated as changed or reduced only to the extent minimally necessary to bring it within the laws of that jurisdiction and to prevent it from being void, and it will be binding in that changed or reduced form.
Subject to that, each provision will be interpreted as severable and will not in any way affect any other of these terms. No waiver by us in exercising any right, power or provision hereunder will operate as a waiver of any other right or of that same right at a future time; nor will any delay in exercise of any power or right be interpreted as a waiver.
These terms will be governed by and construed in accordance with the laws of England and Wales and you explicitly accept that only the law courts of England have jurisdiction to deal with any matter arising from or in any way, whether directly or indirectly, related to the use of this website and, accordingly, you explicitly waive all and any rights to bring any action of any sort in relation to this website, or to any transaction carried out with it, or any data stored on it or provided to it in any court anywhere else in the world.