Terms & Conditions

Introduction & Acceptance of Terms

These Terms and Conditions ("Terms") govern the relationship between Custodian Consulting Ltd ("Custodian Consulting", "we", "us", "our") and any individual or organisation ("Client", "you", "your") that engages our services or uses our website at custodianconsulting.co.uk.

By submitting a purchase order, signing a statement of work, or otherwise instructing us to proceed with an engagement, you confirm that you have the authority to enter into a binding agreement on behalf of your organisation and that you accept these Terms in full.

Where a separate written contract or master service agreement exists between you and Custodian Consulting, the terms of that agreement shall take precedence over these Terms to the extent of any conflict.

Services

Custodian Consulting provides offensive security and cybersecurity consulting services, including but not limited to:

• Infrastructure penetration testing — internal and external network assessments to identify vulnerabilities in servers, endpoints, network devices, and cloud environments
• Web application testing — security assessment of web applications, APIs, and associated back-end systems against OWASP and industry-recognised methodologies
• Mobile and wireless testing — security evaluation of mobile applications and wireless network configurations
• Social engineering — simulated phishing campaigns, vishing, physical intrusion assessments, and other human-factor testing designed to evaluate organisational resilience
• Incident response and ransomware recovery — containment, investigation, forensic analysis, and remediation support following a security incident
• Security consultancy — policy reviews, architecture assessments, compliance gap analysis, and strategic advisory services

The specific services to be delivered for each engagement will be detailed in a written statement of work, proposal, or scoping document agreed between both parties prior to commencement.

Scope of Work & Authorisation

All penetration testing and offensive security activities carried out by Custodian Consulting are performed strictly within the scope defined and agreed in writing prior to the engagement. We will not test systems, networks, or applications that fall outside the agreed scope without obtaining explicit written authorisation.

The Client warrants that:

• They are the legal owner of, or have the legal authority to authorise testing against, all systems, applications, and infrastructure listed in the scope
• They have obtained any necessary permissions from third-party service providers (e.g. cloud hosting providers, managed service providers) prior to the engagement commencing
• The authorisation is provided by a person with the appropriate seniority and legal authority to grant such permission on behalf of the organisation

We require signed authorisation (a "Rules of Engagement" document or equivalent) before any active testing begins. Custodian Consulting shall not be held liable for any disruption, data loss, or damage that occurs during testing carried out within the agreed scope and in accordance with industry best practice.

Client Obligations

To enable us to deliver our services effectively and safely, the Client agrees to:

• Provide accurate and complete information about the systems, networks, and applications in scope
• Designate a primary point of contact who is available during the testing window and authorised to make decisions regarding the engagement
• Notify relevant internal teams (e.g. IT operations, security operations centre) of the testing schedule to avoid unnecessary incident escalation
• Provide timely access to environments, credentials, documentation, or other resources required under the statement of work
• Promptly inform Custodian Consulting of any changes to the environment or scope that may affect the engagement

Delays or additional costs arising from the Client's failure to meet these obligations may result in the rescheduling of the engagement or additional charges at our standard day rate.

Confidentiality & Data Handling

We treat all information obtained during an engagement as strictly confidential. This includes, but is not limited to, vulnerability findings, network architecture details, credentials, business data, and any other information disclosed to us in the course of delivering our services.

Our commitments:

• All engagement data is handled in accordance with UK GDPR and the Data Protection Act 2018
• Test data, reports, and findings are stored on encrypted systems with access restricted to authorised Custodian Consulting personnel assigned to the engagement
• Reports and associated evidence are securely deleted within 90 days of delivery unless the Client requests a longer retention period or regulatory obligations require otherwise
• We will not disclose the Client's identity, engagement details, or findings to any third party without the Client's prior written consent, unless compelled by law
• Where sub-contractors are engaged, they are bound by equivalent confidentiality obligations

The Client may request early deletion of all engagement data at any time by contacting us in writing. We will confirm deletion within 10 business days.

For full details of how we handle personal data, please refer to our Privacy Policy.

Limitation of Liability

Penetration testing, by its nature, involves the deliberate probing of systems for security weaknesses. While we take every reasonable precaution to minimise disruption and operate within agreed parameters, the Client acknowledges that some inherent risk exists.

Subject to the limitations below:

• Custodian Consulting's total aggregate liability under or in connection with any engagement shall not exceed the total fees paid by the Client for that specific engagement
• We shall not be liable for any indirect, consequential, incidental, or special damages, including but not limited to loss of profit, loss of revenue, loss of data, or business interruption, howsoever caused
• We shall not be liable for any damage, disruption, or data loss caused by testing carried out within the agreed scope and in accordance with the statement of work, except where such damage results from our gross negligence or wilful misconduct
• We shall not be liable for any security breaches that occur after the delivery of our report, whether or not the Client has implemented our recommendations

Nothing in these Terms excludes or limits our liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be lawfully excluded or limited under the laws of England and Wales.

Intellectual Property

Report ownership: Upon receipt of full payment, the Client is granted a non-exclusive, non-transferable licence to use the deliverables (reports, executive summaries, remediation guidance) produced during the engagement for their own internal business purposes.

Our IP: All methodologies, tools, techniques, frameworks, scripts, and proprietary processes used by Custodian Consulting in the delivery of services remain the intellectual property of Custodian Consulting. No rights to our underlying intellectual property are transferred to the Client.

Client IP: All Client data, source code, and proprietary information provided to us during the engagement remains the property of the Client. We claim no rights over Client intellectual property.

Neither party shall use the other party's trademarks, logos, or trade names in marketing materials without prior written consent. Custodian Consulting may reference the Client as a customer in general terms (e.g. "a UK financial services organisation") without naming the Client, unless the Client requests otherwise.

Payment Terms

Unless otherwise agreed in writing, the following payment terms apply:

• All fees are quoted in British Pounds (GBP) and are exclusive of VAT, which will be charged at the applicable rate where due
• A deposit of 50% of the total engagement fee is required before testing commences, unless otherwise agreed in the statement of work
• The remaining balance is invoiced upon delivery of the final report and is payable within 30 days of invoice date
• For engagements exceeding 10 working days, we may invoice on a monthly basis for work completed
• Late payments will incur interest at the rate of 4% above the Bank of England base rate per annum, calculated daily from the due date until payment is received, in accordance with the Late Payment of Commercial Debts (Interest) Act 1998

We reserve the right to suspend work on any engagement where invoices remain unpaid beyond 14 days past the due date, without liability for any resulting delays.

Cancellation & Rescheduling

We understand that plans change. The following cancellation and rescheduling terms apply to confirmed engagements:

• More than 10 working days' notice — the engagement may be cancelled or rescheduled at no charge. Any deposit paid will be refunded in full or applied to the rescheduled dates.
• 5 to 10 working days' notice — a cancellation fee of 25% of the total engagement fee applies. Rescheduling is subject to consultant availability and may incur an administrative fee.
• Fewer than 5 working days' notice — a cancellation fee of 50% of the total engagement fee applies to cover reserved capacity and preparation costs.
• No-show or cancellation after testing has commenced — the full engagement fee is payable.

Custodian Consulting may reschedule an engagement due to illness, force majeure, or circumstances beyond our reasonable control. In such cases, we will offer alternative dates at no additional charge, or a full refund if alternative dates cannot be agreed.

Warranties & Disclaimers

Custodian Consulting warrants that:

• All services will be performed with reasonable skill and care, in accordance with generally accepted industry standards and methodologies
• Our consultants hold relevant professional qualifications and certifications appropriate to the services being delivered
• We maintain appropriate professional indemnity insurance for the services we provide

Important disclaimers:

• A penetration test is a point-in-time assessment. We do not warrant that all vulnerabilities will be identified, nor that systems will be secure following the engagement
• Our reports and recommendations are based on the information available at the time of testing. Changes to systems, configurations, or threat landscapes after the engagement may affect the validity of our findings
• This website and its content are provided on an "as is" basis. While we make reasonable efforts to ensure accuracy, we do not warrant that the website content is complete, current, or free from error

Termination

Either party may terminate an engagement by giving written notice if:

• The other party commits a material breach of these Terms and fails to remedy the breach within 14 days of receiving written notice specifying the breach
• The other party becomes insolvent, enters administration, or has a receiver appointed over its assets

Custodian Consulting may terminate or suspend an engagement immediately if:

• We reasonably believe that continuing the engagement would involve unlawful activity or pose a significant risk to our personnel, reputation, or third parties
• The Client's authorisation to test is withdrawn or is found to have been provided without proper authority

Upon termination, the Client shall pay for all services delivered up to the date of termination. Clauses relating to confidentiality, limitation of liability, and intellectual property shall survive termination.

Governing Law & Jurisdiction

These Terms, and any dispute or claim arising out of or in connection with them (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of England and Wales.

Both parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms or their subject matter.

If any provision of these Terms is found to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

Contact Us

If you have any questions about these Terms, or wish to discuss any aspect of a proposed or existing engagement, please contact us.