Terms & Conditions
1.1 These Terms and Conditions a contract between you and STORM Guidance Limited, company number 08954537 and registered office at The Old Crown, 153 High Road, Loughton, Essex IG10 4LG (referred to as we, us or our).
1.2 References to you or your are to the Customer who has subscribed to access and use the CyberCare Service (as defined below). By subscribing to the CyberCare Service, you confirm your legal agreement to be bound by these Terms and Conditions and that you have authority to bind the subscribing organisation that you represent to these Terms and Conditions. We may amend these Terms and Conditions on written notice at any time.
1.3 The CyberCare Service provided by us shall be on these Terms and Conditions to the exclusion of all other terms and conditions of business, including any that you may send to us, and all terms otherwise implied by law, custom or previous course of dealing to the maximum extent permitted by law. We expressly reject any terms and conditions you may send to us at any time.
1.4 Some organisations may engage us directly to access the CyberCare Service. Other organisations may have engaged us through an authorised Reseller of the CyberCare Service. These Terms and Conditions apply to any organisation that accesses Services, and we are not responsible for any act or omission of our authorised Resellers.
2. Definitions and Interpretation
2.1 In these Terms and Conditions, the following words have the following meaning:
Customer: a company or organisation who purchases the CyberCare Service from a Reseller or STORM;
Reseller: a company or organisation who is licensed by STORM as a Reseller and has purchased the CyberCare Service from STORM and is offering the CyberCare Service to the Customer;
Customer Data: all information that we require and receive from you in order to provide the CyberCare Service including any data that we access through the Customer System;
Customer Personal Data: any personal data which STORM Guidance may process in the course of providing the CyberCare Service to you;
Customer System: the day to day computer system(s) of the company or organisation that has agreed to these Terms and Conditions;
Confidential Information: has the meaning given to it in Condition 6;
Data Protection Legislation: any laws and regulations of the UK relating to the processing of personal data including but not limited to the Data Protection Act 2018, the General Data Protection Regulation 2016/679 (GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 each as may be amended from time to time. The terms controller, data subject, processor, process, processed, and processing, personal data shall have the meaning given to them in the Data Protection Legislation.
Subscription Fee: the hotline and helpline access fee due from you or your Reseller in accordance with Condition 4;
IR Fee: the once per incident fee of £295 + VAT due from you in accordance with Condition 5;
IT Representative: the individual responsible for your IT support;
Incident: any breach of the security of the Customer System through (a) a failure to protect against or prevent the transmission of a computer virus or malware; and/or (b) the unauthorised access and/or modification of the Customer System and/or any data stored or processed by the Customer System; and
CyberCare Service: our advice and information relating to your Incident more particularly described in the Schedule.
2.2 Words in the singular include the plural and in the plural include the singular.
2.3 The headings shall not affect the interpretation of these Terms and Conditions.
2.4 References to Conditions are references to the numbered provisions of these Terms and Conditions.
2.5 Unless a right or remedy of a party is expressed to be an exclusive right or remedy, the exercise of it by a party is without prejudice to that party's other rights and remedies.
2.6 Any phrase introduced by the words including shall be construed as illustrative and shall not limit the generality of the related general words.
2.7 A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension or re-enactment and includes any subordinate legislation for the time being in force made under it.
3. Relationship of the parties
3.1 The parties are operating as independent contracting parties. Nothing in these Terms and Conditions shall create or imply an agency, partnership or joint venture between the parties.
3.2 Neither party shall act or describe itself as the agent of the other party nor shall either party have or represent that it has any authority to make commitments on behalf of the other.
4. Subscription Fee
4.1 The Subscription Fee is a regular payment made monthly or annually. The Subscription Fee may be paid by you as the Customer or by third party contracted with STORM Guidance as a Reseller of the CyberCare service. The fee is non-refundable and may be increased for subsequent years on written notice to the party paying the Fee.
4.2 If you or your Reseller fails to pay the Subscription Fee by the due date, without limiting any other rights and remedies available to us, we may:
(a) suspend your access to the CyberCare Service;
(b) charge costs and interest on any outstanding amount accruing in accordance with the Late Payment of Commercial Debts (Interest) Act 1998 from the due date until the outstanding amount is paid in full.
4.3 You have no right to set off any amounts that you or your Reseller owes to us against any Subscription Fees.
4.4 All Subscription Fees are exclusive of VAT and you or your Reseller will pay any and all tax duties and other government charges payable in respect of the CyberCare Service in accordance with UK legislation in force at the tax point and all other taxes and duties payable in connection with the supply of the CyberCare Service to you.
5. Using the CyberCare Service
5.1 To report an Incident, you should call us on the hotline number advertised on our website (). We will immediately answer your call and begin to identify you as a subscriber and then to progress identification of your reported issue as an incident. Your IT Representative must attend incident calls upon our or your request, be a party to all follow up communications and available to us on request throughout the provision of the CyberCare Service.
You should give us all available information relating to the Incident, and if we agree that the Incident may be resolved by the CyberCare Service, we will provide you with a unique Hotline Reference Number and One-Time Password. You should visit our website and input the unique Hotline Reference Number and One-Time Password when prompted, and then pay the IR Fee. You are under no obligation to pay the IR Fee under this Condition 5.1, but if you do not do so, we will not be able to continue to provide the CyberCare Service in relation to your Incident.
If, for any reason, and prior to your payment of the IR Fee, we cannot be reasonably sure that an incident has occurred we will explain the apparent reason why we cannot make such a determination and will not continue to provide the CyberCare Service in relation to your incident. An example might be where you think you have an incident, but we are able to analyse and explain your concerns as a false positive.
We reserve the right in all circumstances to decide whether a cyber incident has occurred and cannot be held liable for any losses resulting from such a diagnosis. If we have mis-diagnosed the incident we will of course immediately remedy the situation as far as we are able, through the delivery our Services to respond to the incident once it is confirmed and the IR Fee is paid.
5.2 Whilst we endeavour to resolve all Incidents, we cannot do so in the following circumstances, and so we will not provide you with a unique reference number in respect of:
(a) any hardware fault;
(b) any legitimate systems misconfiguration;
(c) third party network, issues or suspensions including public network issues or suspensions;
5.3 Once we have received the fee due under Condition 5.1, we shall telephone you on the number provided and continue to provide the CyberCare Service.
5.4 In order to provide the CyberCare Service, you grant to us a non-exclusive right and licence to use the Customer System. You warrant and represent that you have the right to grant us access to the Customer System, you have administrative control over the Customer Systems, and you are the controller of access to any personal data involved in the Incident. You shall indemnify and keep us indemnified from and against any costs, claims, liabilities, expenses, damages and losses that we may suffer as a result of a breach of the warranties contained in this Condition 5.4.
6. Confidential Information
6.1 Confidential Information shall mean all information that is marked confidential or is manifestly by its nature confidential and whether written or oral and in whatever medium and relates to the business, products, financial and management affairs, customers, employees or authorised agents, plans, proposals, strategies or trade secrets disclosed by one party (the Disclosing Party) to the other party (the Receiving Party). We acknowledge and agree that the Customer System and the Customer Data is your Confidential Information.
6.2 The Receiving Party shall not, and shall ensure that its employees shall not, use copy or disclose any of the Confidential Information of the Disclosing Party except to carry out its obligations and exercise its rights under these Terms and Conditions.
6.3 The Receiving Party shall only disclose the Disclosing Party’s Confidential Information to those of its employees to the extent that they need to know the same in order to carry out its obligations under the Conditions and where those employees are bound by written obligations of confidentiality and non-use and such obligations apply to the Confidential Information disclosed to them.
6.4 The provisions of Conditions 6.1, 6.2 and 6.3 shall not apply to any Confidential Information which:
(a) is or becomes generally available to the public other than as a result of any act or omission of the Receiving Party;
(b) is already in or comes into the possession of the Receiving Party from a person lawfully in possession of the information and owing no obligation of confidentiality to the Disclosing Party in respect of the information;
(c) is already known to the Receiving Party; or
(d) is required to be disclosed by any court, government or administrative authority competent to require disclosure.
7. Warranties, Liability
7.1 Each of the parties warrants that it has:
(a) full power and authority to enter into these Terms and Conditions and that the performance of these Terms and Conditions shall not breach any other agreement entered into by it; and
(b) not been induced to enter into these Terms and Conditions by any representation or by any warranty (whether oral, or in writing, or in any other form) except those expressly made part of these Terms and Conditions. To the extent permitted by law, no representations, warranties or conditions are given or assumed by us in relation to the CyberCare Service.
7.2 You warrant and represent on a continuing basis that the Customer has:
(a) fewer than 20 (twenty) employees and freelancers and/or consultants working for the Customer; and
(b) less than £5,000,000 (five million pounds) annual turnover; and
(c) either in-house or outsourced IT Representative and/or IT specialist service providers.
You shall immediately notify us if any of these warranties is breached. If you do so, or if we otherwise establish such a breach, we shall then be entitled to terminate these Terms and Conditions immediately without any refund or other compensation payable to you.
7.2 We warrant that we shall provide the CyberCare Service with reasonable skill and care. However, you acknowledge and agree that the CyberCare Service is an assessment and analysis service and accordingly specific results or outcomes are not guaranteed or warranted. The results or outcomes of the CyberCare Service are in any event dependent on your ability to implement them properly and continue to do so as necessary. In addition, you acknowledge and agree that the CyberCare Service is an investigation service and is not, and should not, replace IT support services.
7.3 We are not liable for any loss you may suffer as a result of any delay in your failure to pay the Fee due under Condition 5.1, or any failure by you to make available to us your IT Representative on request.
7.4 We shall not be liable to you for:
(a) loss of profits;
(b) loss of business;
(c) loss or corruption of data or information;
(d) business interruption;
(e) loss of goodwill or reputation;
(f) loss of or wasted expenditure and/or staff or management time; and/or
(g) any kind of special, indirect, consequential loss or pure economic loss whether or not advised of the possibility of the same.
The parties agree that the provisions of this Condition 7.4 are severable.
7.5 Our total liability to you for all claims or series of claims under these Terms and Conditions whether in contract, negligence or otherwise for any damages, losses or expenses shall be limited to the Fees paid by you to us during the previous 12 months.
7.6 Nothing in these Terms and Conditions limits or excludes our liability for death or personal injury resulting from our negligence, fraud or fraudulent misrepresentation, and/or any other liability that cannot lawfully be excluded under English law.
8. Data Processing
8.1 The parties acknowledge that during the provision of the CyberCare Service, STORM Guidance may access names, email addresses and other personal data included within the Customer System. For the purposes of the Data Protection Legislation, STORM Guidance is the processor of the Customer Personal Data, and you are the controller of the Customer Personal Data.
8.2 The parties shall both comply at all times with the Data Protection Legislation and shall not do anything (or fail to do anything) to cause the other party to breach any of its obligations under the Data Protection Legislation. Each party shall promptly notify the other party if it becomes aware of any breach of the Data Protection Legislation by it in connection with the CyberCare Service.
8.3 You warrant that you have the right to engage STORM Guidance to process the Customer Personal Data under the Data Protection Legislation.
8.4 You agree that STORM Guidance shall be entitled to sub-contract processing of the Customer Personal Data provided that it shall be fully responsible for the acts and omissions of all sub-processor as if they were STORM Guidance’s acts and omissions.
8.5 In processing the Customer Personal Data on your behalf, STORM Guidance shall:
(a) process the Customer Personal Data only as necessary to provide the CyberCare Service;
(b) co-operate with you, and promptly provide such information and assistance as you may reasonably require, to enable you to comply with your obligations under the Data Protection Legislation taking into account the nature of the processing and the information available to us;
(c) comply with any request from you requiring us to amend, transfer or delete Customer Personal Data (to the extent STORM Guidance stores the Customer Personal Data on its systems) or to restrict processing and STORM Guidance shall confirm that such request has been implemented;
(d) take and implement all such technical and organisational security procedures and measures necessary and appropriate which ensure a level of security to preserve the security and confidentiality of any Customer Personal Data processed by us having regard to the types of personal data being processed ()and to the extent STORM Guidance stores the Customer Personal Data on its systems;
(e) upon termination of the CyberCare Service or as may be requested in writing at any time by you, cease to use the Customer Personal Data and at your discretion return the Customer Personal Data and delete all copies of it to the extent commercially possible (to the extent STORM Guidance stores the Customer Personal Data on its systems); and
(f) notify you if STORM Guidance becomes aware of any security breach affecting the Customer Personal Data;
(g) permit you and/or your auditor to inspect and audit STORM Guidance’s activities under this Agreement during working hours and on reasonable notice; and
(h) co-operate and assist you or any regulator where you are required to deal or comply with any assessment, enquiry, notice or investigation by a relevant regulator so as to enable you to comply with all of your obligations as a controller which arise as a result of such an assessment, enquiry, notice or investigation.
8.5 You agree that STORM Guidance may process Customer Personal Data outside the European Economic Area, including through its sub-contractors, provided that STORM Guidance shall ensure that any processing that does take place, complies with the Data Protection Legislation or to a country, a territory or sector to the extent that the European Commission has decided that the country, territory or sector ensures an adequate level of protection for Personal Data. In particular, STORM Guidance may transfer the Customer Personal Data internally to its own employees, offices and forensics laboratory facilities in Mauritius (or permit such employees to process the Customer Personal Data remotely), provided it complies with Mauritian data protection law; which is fully compliant and based on Protection Legislation, using zero-knowledge data encryption in storage and access controlled on individual level to fully UK-trained, qualified and experienced specialists only.
8.6 Notwithstanding any other provision of this Agreement, STORM Guidance may process the Customer Personal Data if and to the extent that the STORM Guidance is required to do so by applicable law. In such a case, STORM Guidance shall inform you of the legal requirement before processing, unless that law prohibits such information.
8.7 STORM Guidance may elect to apply an exemption as provided for under Data Protection Legislation in the interests of lawful investigation of data breaches and other incidents where the confidentiality of personal information is required in order to protect the integrity of the investigation or to protect your or data subjects from further losses. STORM Guidance will always act under your instruction and authorisation before any applicable exemptions are enacted.
9.1 During the term of these Terms and Conditions, and for a period of 12 (twelve) months after termination or expiry, neither party shall solicit for hire or hire as an employee, or engage as an independent contractor, any member of the other party’s staff.
9.2 If a party breaches the provisions of Condition 9.1, without prejudice to any other right or remedy available to the other party, the party engaging the member of staff shall pay to the other party an amount equal to the salary payable to the member of staff in question during its contractual notice period or such equivalent amount where the member of the staff is not an employee.
9.3 The provisions of this Condition 9 shall not stop a party from hiring any individual who responds to a public advertisement in relation to a vacancy.
10. Duration and termination
10.1 These Terms and Conditions shall come into effect on the date of receipt of the initial Subscription Fee and we shall begin to provide the Service 30 (thirty) days after that date and shall continue to provide the Service 30 (thirty) days after the final Subscription payment. These Terms and Conditions shall continue in force in accordance with this Condition 10.
10.2 On each renewal of Subscription Fee described in Condition 10.1, these Terms and Conditions shall roll over automatically for further renewal period, unless either party gives to the other written notice at least 30 (thirty) days before the next renewal date.
10.3 To maintain continuity of service, STORM Guidance shall be responsible for requesting either renewal or notice from you or your Reseller between 90 (ninety) and 60 (sixty) days before the next renewal date. Such request will be made by email to your registered email address. Failure to respond by you or your Reseller will be considered as notice to terminate the CyberCare Service.
10.4 Either party may terminate these Terms and Conditions immediately by written notice to the other if the other party:
(a) commits any material breach of any of the provisions of this Agreement and, in the case of a breach capable of remedy, fails to remedy that breach within 30 (thirty) days after receipt of a written notice giving particulars of the breach and requiring it to be remedied;
(b) has a receiver, administrative receiver or administrator appointed over all or any of its assets or undertaking or, except for the purposes of a solvent amalgamation or reconstruction, enters into liquidation, enters into any composition or arrangement with or for the benefit of its creditors or enters into any similar or analogous arrangement existing under the law of any country or ceases to carry on business.
10.5 If at any time either party is prevented or hindered from carrying out its obligations under these Terms and Conditions for reasons beyond its control, including war, invasion, armed conflict, terrorism, strike, lock-out, labour dispute, (but excluding strikes, lockouts and labour disputes involving employees of the party affected) riot, civil commotion, accident, act of God, fire, flood and STORM, it shall notify the other party accordingly, and its obligations under this Agreement shall be suspended. If such suspension continues for 1 (one) month or more, either party may terminate these Terms and Conditions on 30 (thirty) days’ notice.
10.6 The termination of these Terms and Conditions, by either party is without prejudice to any other rights or remedies of that party accrued prior to termination. Conditions 1, 6, 7, 8, 10.5, 11 and 12 will survive the expiry or termination of this Agreement and will continue indefinitely.
11. Dispute Resolution
11.1 If a dispute arises between the parties in respect of the provision of these Terms and Conditions, then within 7 (seven) days of the dispute arising, the dispute shall be escalated to a director or such other person of equivalent seniority as agreed between the parties. Within 7 (seven) days of escalation such nominated persons shall meet in a good faith effort to resolve the dispute.
11.2 If no resolution to the dispute so referred has been agreed within a further 21 (twenty-one) days, then the parties will attempt to settle it by mediation in accordance with the Dispute Resolution (CEDR) Model Mediation Procedure. To initiate the mediation a party must give notice in writing to the other party to the dispute requesting mediation. Unless agreed between the parties, the mediator will be nominated by CEDR. The mediation will start no later than 7 (seven) days after the date of the notice. The commencement of mediation will not prevent the parties commencing or continuing court proceedings.
12.1 You shall not assign or delegate your rights and/or obligations under these Terms and Conditions, in whole or in part, to any third party by operation of law or otherwise, without our prior written consent. We may assign or delegate our rights and/or obligations under these Terms and Conditions at our discretion.
12.2 If any provision of these Terms and Conditions is found to be unenforceable, the remainder shall be enforced as fully as possible and the unenforceable provision shall be deemed modified to the limited extent required to permit its enforcement in a manner most closely approximating the intention of the parties.
12.3 Nothing in these Terms and Conditions shall confer or purport to confer on any other third party any benefit or the right to enforce any provision of these Terms and Conditions, whether under the Contracts (Rights of Third Parties) Act 1999 or otherwise.
12.4 No waiver or delay by a party in enforcing its rights will prejudice or restrict those rights and no waiver of any right will operate as a waiver of any later right or breach.
12.5 These Terms and Conditions is governed by and will be construed in accordance with the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales in relation to any legal actions or proceedings arising out of or in connection with these Terms and Conditions.
CyberCare Service Schedule
Initial Response Call Handing
Initial review of the circumstantial and technical details of the Incident.
Technical Incident Response Services
- Initial technical triage with remote access;
Determining the severity of the Incident based on the details presented by your company;
Provision of support and guidance to your company’s IT support incl. response checklists;
Security testing to determine your company’s network vulnerabilities (external and internal);
Computer Forensic investigation, where required, to determine the scope of a breach;
Recommending any need for legal advice about regulatory notifications and the provision of customer support/credit monitoring services to your affected customers;
Recommending remediation services that should be offered to impacted parties, including the level of service to be provided based on the specific facts of each cyber incident;
Recommendation on the potential need for public relations response;
Provide advice to your company and any 3rd party service providers with how to replace, restore or re-collect data which has been encrypted/corrupted or destroyed as a result of a network security failure or privacy breach.
Advice on the recovery of funds stolen through fraudulent electronic transfer.
- Assist in the determination of the extent, method, containment/eradication and recovery of your company data, e.g. the existence of any data backups or other sources of data recovery.
- Technical Support with remote access;
Analysing your computer system to determine the variant of the ransomware used in the attack and the method by which it invaded your computer systems;
To the extent reasonably possible, advising you on options to decrypt the data on affected computer systems, remove any ransomware, and restore access to files and system functionality;
If decrypting the data is not possible, advising you to erase and rebuild the computer system from a previously made restoration backup copy. If such a backup copy is not available, then offer advice as to other options for data recovery;
A summary analysis of your company’s network security and recommendations on necessary remediation in relation to the incident you have experienced.
Activities Not Provided Under the Standard CyberCare Service Subscription
- Onsite attendance;
BEC: Deep mailbox analysis;
Ransomware: Decryption services;
Credit Monitoring Services;
Public Relation services.
General IT/cyber security assessment
We regularly work with Legal, Public Relations, Credit Monitoring and Decryption service providers, whose services we can provide to you for additional fees. An example of where you may need such services would be if the circumstances of your incident mean you should notify affected parties and/ or regulators.
Last updated: November 2019