TERMS & CONDITIONS

2.1 Periculo provides cybersecurity, compliance, and risk management services ("Services") tailored to organisations operating in regulated environments, including but not limited to the digital health, MedTech, and defence sectors.

2.2 These Services may include: Penetration testing and vulnerability assessments (CREST-accredited); Regulatory and security auditing, including but not limited to: ISO27001 Internal Auditing, Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance, NHS DSPT, Defence Cyber Certification; Advisory services relating to international compliance and risk frameworks, including but not limited to: ISO/IEC 27001, SOC 2, EU MDR, US FDA cybersecurity guidance, NIST Cybersecurity Framework, HIPAA, ISO 13485, MDCG Guidance.

2.3 Where relevant, Periculo may provide Digital Services to support or enhance delivery of the Services. Access to such Digital Services is provided on a non-exclusive, revocable basis and may be subject to additional terms.

2.4 The specific services to be delivered under each engagement will be set out in a corresponding Statement of Work, quotation, or proposal agreed between Periculo and the Client.

3.1 Prior to the commencement of Services, the following steps must be completed: (a) Acceptance of a formal quotation or proposal issued by Periculo, detailing the scope, deliverables, timelines, and fees. (b) Execution of a non-disclosure agreement (NDA), where necessary, to govern the exchange and protection of confidential information. (c) Issuance of an invoice by Periculo, with the understanding that work will begin once this invoice is raised, regardless of payment status at that point.

3.2 Project-specific terms, including any technical requirements, scheduling considerations, or client dependencies, may be outlined in a separate Statement of Work (SoW).

3.3 Any changes to the agreed scope must be documented and approved by both parties in writing. Such changes may impact timelines, fees, or deliverables.

4.1 Provide Periculo with reasonable access to personnel, infrastructure, facilities, documentation, and systems necessary to perform the Services.

4.2 Designate a primary point of contact with decision-making authority and ensure their timely availability for status reviews or clarifications.

4.3 Respond to requests for approvals, feedback, or information within a reasonable timeframe as mutually agreed at the start of the engagement.

4.4 Ensure all internal permissions and authorisations are secured to allow Periculo to conduct agreed activities such as penetration testing, data access, or documentation review.

4.5 Notify Periculo promptly of any material changes to the Client's operating environment, system configurations, third-party dependencies, or regulatory position that may impact the Services.

4.6 Engage third parties as necessary, where services depend on third-party systems (e.g. hosting providers, software vendors), to ensure cooperation and continuity.

4.7 Where Digital Services are provided, ensure authorised users maintain secure access credentials and use such services in accordance with any applicable instructions or acceptable use requirements.

5.1 Periculo will provide the Client with deliverables as specified in the quotation, proposal, or Statement of Work for each engagement.

5.2 Deliverables may include, but are not limited to: Penetration testing reports; Security assessments and gap analyses; Remediation plans and risk registers; Regulatory certification documents (e.g. Cyber Essentials, Cyber Essentials Plus); Audit preparation reports; Compliance documentation (e.g. ISO27001 mappings, SOC 2 readiness reports, EU MDR/US FDA cybersecurity files).

5.3 Deliverables are developed in good faith based on the scope of the engagement and the information provided by the Client. Periculo will deliver these in industry-standard formats (e.g. PDF, Excel, platform export) unless otherwise agreed in writing.

5.4 Unless otherwise agreed, deliverables may not be altered, resold, or rebranded by the Client.

5.5 Where reports are intended to be shared with third parties, the Client must not modify the content or presentation without written consent from Periculo.

5.6 All deliverables are provided "as is" based on the conditions observed during the testing or assessment window. The validity of findings, recommendations, or attestations may degrade over time as systems or risk environments change.

5.7 Periculo retains intellectual property rights in its methodologies, templates, and report structures. The Client receives a licence to use deliverables for internal business purposes.

6.1 Periculo adheres to the principles of the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR) in all aspects of service delivery, regardless of client type.

6.2 In the course of delivering short-term or project-based services (such as penetration testing, documentation audits, or compliance assessments), Periculo may be granted access to a range of client data. This may include: Security and compliance documentation (e.g. policies, procedures, audit logs); Network or system configurations; Access logs or authentication records; Architecture diagrams or infrastructure documentation.

6.3 Where possible, Periculo prefers to perform technical testing in non-production environments (e.g. test or staging systems). If production or sensitive data must be accessed, this will be explicitly agreed in advance.

6.4 All client-provided data is stored securely, typically on Google Workspace under Periculo's enterprise account with access controls.

6.5 Data access is limited to Periculo personnel directly involved in the delivery of the Services and is retained only for the duration necessary to fulfil the engagement, unless otherwise agreed in writing.

6.6 Periculo may act as either a data controller or a data processor depending on the nature of the Services. Where Periculo acts as a processor, a Data Processing Agreement (DPA) will apply.

7.1 Invoices are issued at the commencement of each engagement, based on the agreed quotation or proposal.

7.2 All invoices are payable within thirty (30) calendar days from the invoice date, unless otherwise agreed in writing.

7.3 In the event of late payment, Periculo reserves the right to: (a) Charge interest at a rate of 5% above the Bank of England base rate, calculated daily from the due date until payment is received in full. (b) Suspend ongoing services or withhold deliverables until outstanding invoices are settled.

7.4 Clients may cancel an engagement with reasonable notice. If work has commenced prior to cancellation, Periculo reserves the right to charge a proportional fee based on time and materials expended up to the cancellation date.

7.5 In cases where project-specific resources have been procured or allocated, any non-recoverable costs may also be invoiced.

7.6 Fees for Digital Services or ongoing/managed services, where applicable, will be set out in the relevant proposal or Statement of Work.

8.1 Either party may terminate this Agreement by providing written notice. The notice period and any associated termination charges will be defined in the relevant proposal or Statement of Work.

8.2 Periculo may suspend or terminate the Agreement immediately if the Client is in material breach of its obligations, including but not limited to non-payment, misuse of deliverables, breach of confidentiality, or unlawful use of any Digital Services.

8.3 Upon termination: (a) Periculo will invoice for all Services performed up to the effective termination date. (b) The Client must settle any outstanding fees within the agreed payment terms. (c) Any access to Digital Services provided as part of the engagement may be withdrawn. (d) All confidential materials and client data in Periculo's possession will be securely deleted or returned, unless retention is required by law or agreed otherwise.

8.4 Any service-specific termination terms, including minimum commitment periods for managed services or Digital Services, will be set out in the applicable proposal or Statement of Work and shall take precedence over this clause.

9.1 Periculo warrants that it will perform Services using reasonable skill, care, and diligence in accordance with industry standards. However, Periculo does not guarantee specific outcomes, including but not limited to successful regulatory approvals, audit passes, or the absolute security of any client system.

9.2 Under no circumstances shall Periculo be liable for indirect, incidental, or consequential losses, including but not limited to loss of revenue, profits, business opportunity, or reputation.

9.3 Periculo's total liability for any claim arising out of or in connection with the Services shall not exceed the total fees paid by the Client for the specific Services giving rise to the claim.

10.1 This Agreement shall be governed by and construed in accordance with the laws of England and Wales.

10.2 In the event of any dispute arising out of or in connection with this Agreement, the parties agree to: (a) First attempt to resolve the dispute through good faith negotiation. (b) If unsuccessful, escalate the matter to senior representatives from each party. (c) If resolution is still not achieved, submit the dispute to arbitration in London or proceed through the courts of England and Wales, depending on the preference of the initiating party.

11.1 Periculo maintains and operates its services in accordance with industry-leading certifications and frameworks, including: ISO/IEC 27001 - Information Security Management; ISO 9001 - Quality Management; CREST - Penetration Testing Accreditation; IASME Consortium - Cyber Essentials and Cyber Essentials Plus Certification Body.

11.2 All work undertaken is aligned with GDPR principles and Periculo's internal security, quality, and data handling policies.

11.3 Where applicable, Periculo provides advisory and assessment support for compliance with international frameworks, including SOC 2, HIPAA, EU MDR, US FDA cybersecurity guidance, and NIST.