Terms of Business
Getting Started
Our Contract
Who We Are
Teal Consulting Ltd t/as ISO Serious (We / Us / ISO Serious) is registered in England with number 15466339 and registered office at The Connections Suite, 7-8 New Road Avenue, Rochester, Kent, UK, ME4 6BB. Our VAT number is GB 459876813.
Our Engagement Letter
We will send you a letter that sets out the Services we will provide to you (our Engagement Letter). You / Your means the business we will provide our Services to, as described in the Engagement Letter.
The Engagement Letter, these Terms of Business, our mutual Collaboration Framework and our Data Processing Agreement (if relevant) (DPA), form our contract with you (our Contract).
When Our Contract Starts
Our Contract starts on: (a) the date of the Engagement Letter; or (b) the date on which you first instruct us to provide Services, whichever is earlier.
Our Services
What Services We Provide
We provide ISO 27001 and data protection consultancy services, work product and related materials and content, which may be more specifically set out in the Engagement Letter (our Services). Any changes or additions to the Services will be agreed with you in writing.
Where We Provide Them
Our Services are usually provided remotely. If you need us to work at your premises, you agree to let us know at the outset, and provide our staff with access to your premises and other facilities as may reasonably be required by us.
How We Will Communicate With You
We will usually communicate with you via email (using our ISO Serious email), telephone, and video conferencing. If you would like us to work with your team using your own company email address or other workplace platforms, please let us know at the outset, so we can confirm whether it is possible for us to work in this way, and if so, agree on any additional onboarding and training required for us to provide our Services in this way.
Information You Need To Provide
Onboarding Call
For us to provide our Services effectively, we usually require an onboarding call between your ISO Serious consultant and a senior member of your team as early as reasonably possible, so that we can obtain sufficient background information about your business, as well as clarify any specific requirements and documentation for any immediate workstreams.
Who We Report To
As your ISO 27001 consultant, we are deemed to be under your supervision and control, and we will report to any person you specify to us. We will be authorised to provide our Services to any of your staff members/consultants unless you tell us otherwise in writing. If your instructions, reporting lines or any other relevant circumstances change, you agree to tell us as soon as practicable.
Communication
You agree to provide us with timely and up-to-date information regarding any particular projects we are working on throughout our engagement, so we are able to provide our Services effectively. You agree that you will promptly:
Keep us informed of any proposals or developments in your business relevant to our engagement, including any time limits which may apply;
Provide us with all future information and documents that appear to be relevant to our work; and
Let us know about any relevant changes (or intended changes) to your business so that the implications of such changes on our Services can be assessed.
We’ve set out what we expect from you and what you can expect from us in our mutual Collaboration Framework which you can find here. It's important that you read this document carefully as it outlines the requirements and expectations that are integral to the success of our relationship. This includes your responsibilities, such as providing correct information in a timely manner, and defines what constitutes a performance failure from both sides.
We might update our Collaboration Framework occasionally to improve our Services, comply with new regulations or make things clearer based on feedback from you and others. We will let you know about any changes and explain why they’re happening. We hope you’ll be okay with these updates, and if we don’t hear from you within a week of this notification, we will assume you have agreed to the updates. If you have a reasonable concern, please tell us within that week. If possible, we’ll keep things going under the current Collaboration Framework, but if we cannot do that, it may be necessary for us to end the agreement. If that happens, we’ll only bill you for the Services provided up to that point and help you smoothly transition your project to a new vendor. This flexible approach helps us ensure that our Services stay effective, protecting both your interests and ours.
Fees and Costs
Adjustments
Any fee estimates we provide or fixed fees we agree upon for our Services are based on the information you give us and our initial assessment of the likely cost to deliver these Services. Please be aware that all fee estimates and fixed fee agreements are subject to adjustment if there are changes in the scope of our Services, whether due to new information you provide, changes in your situation, or details that were not evident at the project's outset. While we will strive to absorb any reasonable additional costs where possible, there are instances where we may need to adjust our fees to reflect the increased scope of work.
If a fee adjustment is necessary, we will provide you with an updated written estimate of fees and reasons for the changes and work together with you to agree on any further fees before we continue with changes to the scope of work. We also encourage you to inform us as soon as possible of any unforeseen complications or developments that might impact the fees. This mutual transparency helps us manage your project effectively and ensures continued fair billing based on the most accurate and current project scope.
Your Fee Rate
You will be billed for our Services in accordance with the fee rates set out in the Engagement Letter. Any changes to our fee rates will be agreed in writing and will take effect from the agreed date.
Expenses
Any expenses that you request us to incur on your behalf will be additionally charged to you at cost (with VAT where applicable).
Bank Fees
Any payments or bank transfers that incur bank charges (including the receiving bank’s charges) are your responsibility. You will review these charges and add them to the amount you transfer.
Payment
How We Invoice
We will invoice you monthly in pounds sterling for any Services we provide in that month, or as otherwise set out in the Engagement Letter. All amounts payable are exclusive of VAT.
When Payment Is Due
As we invoice after our Services have been provided, our invoices are due for payment upon receipt. We reserve the right to charge interest at 4% over the base rate of the Bank of England, or such higher rate as is allowed by law, on all amounts outstanding for more than 30 days from the date of the relevant invoice.
Invoice Queries
All invoice queries must be made in writing within 14 days of the relevant issue date.
Suspension of Services if Invoices Overdue
We reserve the right to suspend and/or terminate our Services should any invoice remain outstanding for over 60 days. We will tell you if we decide to suspend and/or terminate our Services in these circumstances.
Other Obligations
Obligations as Your ISO 27001 Consultant
You may disclose information to us that is confidential (i.e. information that is not already known to us, not publicly available, or not disclosed to us from a third party who is not under an obligation of confidentiality) (Confidential Information). We commit to treating all of your Confidential Information confidentially and to protect it from disclosure to others, except where we need to disclose it as set out below.
We may disclose your Confidential Information:
To our staff so that we can perform our Services;
To third parties, for example to other professional advisers, our accountants, regulators, insurers, and government agencies;
As required by law or court order including under the Data Protection Legislation (see clause 9).
You agree to any disclosures by us for the purposes set out in this clause.
We may use your name and logo(s) to list you as a client on our website, proposals/tender documentation and other marketing materials. In so far as such information is already publicly available, we may also include a brief description of the Services that we have provided to you. Please let us know in writing if you would prefer that we do not do this.
Conflict Of Interest
We will endeavour to establish at the outset that no conflicts of interest exist. If you think one may exist, please let us know. You will tell us in writing as soon as is reasonably practicable. If you or we become aware of a possible conflict, the relevant party agrees to bring it to the other’s attention and we shall confirm whether we are required to stop providing our Services, or whether it is possible for us to continue to act for you whilst the conflict exists, and the process required for us to do so. You agree to pay our fees for the period up to the date on which we stop providing our Services.
Work Based on Current Standards
Our Services are based on the ISO 27001 standard as at the date the specific Services are given. We are not obliged to provide you with any updates to reflect any subsequent changes to this standard unless you and we specifically agree to such updated work.
Complaints Procedure
If you have any concerns relating to our Services, please follow the procedure set out in our Engagement Letter.
What We Are Not
As your ISO 27001 consultant, our role is to guide and advise you on the process necessary to obtain certification for and comply with ISO 27001 requirements. It’s important to understand that our Service focuses on compliance advisory, helping you align your systems and processes with the standards required for certification. Please note that obtaining ISO 27001 certification through our guidance does not equate to guaranteeing the security of your system and infrastructure. The security and integrity of your data and systems remain your responsibility.
Our Services do not cover the implementation of security measures or the ongoing maintenance of your system’s security. It is essential that you ensure all aspects of your infrastructure are secure, as our advisory role is limited to compliance guidance. The distinction is critical for understanding the scope of our Services and your responsibilities.
Intellectual Property Rights
How We May Use Your IP
You agree that we will retain ownership of the intellectual property rights in the materials and content we create for you and which we have created previously and independently of our engagement with you. The materials and content we create for you are not created as “work for hire”.
We may use any materials and content you provide to us only to the extent necessary for the delivery of our Services, and as allowed under clause 6.3.
How You May Use Our Work
We give you a licence to use materials and content we deliver to you for the purpose for which they were delivered. You agree not to resell any such material or content, or offer them or a version of them for review, sale or reuse at any time, unless they are intended by us to be shared with the relevant party or published.
Your Confidentiality Obligations
You agree you will not disclose our Confidential Information, including our fee rates, for any purpose, other than as required under our Contract. This obligation will not apply:
To employees, officers, contractors or advisers on a strictly need-to-know basis, or
As may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
Data Protection Obligations
We Collect and Process Your Personal Data
In this Contract, Data Protection Legislation means the Data Protection Act 2018 and the UK retained version of the General Data Protection Regulation (EU) 2016/679 or its successor or equivalent.
Data Protection Legislation requires us to inform you that we collect and process personal data relating to your staff, customers and others related to your business. How we handle your personal data is subject to the Data Protection Legislation. Your personal data may also be confidential and, if so, we will treat it as such. Unless otherwise defined herein, definitions used in this clause will have the same meanings as those used in the Data Protection Legislation.
Your Rights
You have rights in relation to your personal data and these are set out in our Privacy Policy.
Our Obligations As a Data Controller
You acknowledge that we may collect and process personal data provided by you to provide our Services. Information regarding our collection, use and storage of your personal data when we are acting as a Data Controller and your rights are set out in our Privacy Policy and Cookie Policy, which are incorporated herein.
We implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of personal data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of such data. If you would like information about these measures, please contact us.
Acting As Your Data Processor
In some cases, we may act as your Data Processor. This is the case if you decide on the purpose and means of the processing of personal data and we process it under your instructions. You confirm that you have all necessary consents and notices in place to enable the lawful transfers of such data to us and agree that where we process your personal data as a Data Processor, the provisions of our DPA will apply. If we act as your Data Processor, you agree that the processing itself and compliance with the requirements related to the processing may incur costs beyond our usual operating costs which we may ask you to pay.
Sharing Your Personal Data
You agree that we may share your data with others in order to provide our Services or run our business effectively. This includes our staff, our IT service providers, those who manage our data, our advisers and marketing partners. We require others to respect the personal data we share with them, and to only use it in ways the law allows. We only allow others to use such information for the specific purposes we set out, subject to our instructions and not for any other purposes. When we engage processors to process information on our behalf, we ensure a contract is in place with the processor that sets out the details of the processing and the provisions required by the Data Protection Legislation. We remain liable for any breach of the Contract that is caused by an act, error or omission of any of the processors we share your personal data with.
Our Retention of Data
You understand and agree that, when acting in our capacity as a controller, we may retain your personal data after termination of our Contract until you ask in writing for it to be deleted or removed, in which case we will do so to the extent reasonably practicable unless we are required to keep it by law or have a legitimate interest to keep it, for example, for liability and/or insurance purposes.
Ending Our Contract
Termination Due to Breach
Either party may, by written notice, terminate our Services with immediate effect if the other party commits a serious breach of, or persistently breaches, any of their obligations under our Contract.
Termination Due to Notice
If you choose to terminate our Services for convenience, you are obligated to compensate us for the portion of the Services we have already provided.
For Certification Services: Upon receiving your notice of termination, we will calculate our cost of providing our Services to you up to the date of termination based on the amount of Services provided up to the time of termination multiplied by the hourly rate for our standard services as set out in our Engagement Letter. Any initial payment you made upon signing the Engagement Letter will be adjusted accordingly. This calculation will ensure fair compensation for the work we have undertaken and for making our resources available for your project, which prevented their deployment elsewhere.
For Maintenance Services: You must give one (1) month’s notice. Upon receiving your notice of termination, we will calculate our cost of providing our Services to you from the date of notice up to the date of termination on a pro-rata basis.
Immediate Payment of Fees and Expenses
Upon termination of the Services for any reason, we will invoice you all fees and expenses incurred up to the date of termination, and all unpaid fees and expenses will be immediately due and payable.
Survival of Clauses
Any provisions of the Contract which expressly or by implication are intended to continue in force after termination of the Contract, will remain in full force and effect.
No Poaching
Our staff engage with you to provide our Services on the understanding that, unless agreed otherwise in writing, you will not employ or work with them independently of us during the term of the Contract or within 12 months following the end of our engagement. If you do employ or work with such person within such period, we reserve the right to charge you a fee of 25% of such person’s annual salary/earnings (plus benefits) plus VAT.
Limitations on Liability
Who Is Liable
ISO Serious is responsible to you for the provision of the Services. You agree that you won’t bring any claim against any individual member of our staff.
Aggregate Liability
The aggregate liability of ISO Serious, its directors, partners, consultants, agents, subcontractors and employees for all losses, including without limitation for negligence, breach of contract, misrepresentation or otherwise on its or their part in relation to any Services we perform under the Contract will not exceed the amount paid by ISO Serious’ professional indemnity insurance.
Excluded Liability
We are not responsible for any loss or damage resulting from inadequate, incomplete or erroneous information supplied by you or on your behalf, or any commercial decisions made by you, which do not reasonably take into account any advice we have provided.
Unless we agree otherwise in writing, our Services are only provided to you, and we are under no liability to any third party in respect of such Services. All information we provide to you is for your sole use and must not be communicated, reused or resold to any third party, unless it is intended by us to be shared with the relevant party or published.
We are not responsible for any loss, damage or delay arising out of our compliance with any statutory or regulatory requirement.
You agree that communication by email or other business communication/workplace platforms may not be secure or error-free. We are not responsible for any loss or claim arising out of any such communications whether by you, us or any third party in connection with our engagement, except to the extent these are caused by our negligence or wilful default.
Except as set out in these Terms of Business, all warranties, representations, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from our Contract.
All liability for the following is excluded:
Any loss or damage which does not arise as a direct and natural consequence of the default in question, including indirect, special, exemplary, punitive or consequential loss or damage;
Loss of profits, anticipated savings, revenue or business, in each case whether arising from negligence, breach of contract or otherwise, even if we have been advised of the possibility of such loss or damage arising.
Force Majeure
In this Contract, Force Majeure Event means any event beyond our reasonable control. If we are prevented or delayed in carrying out any of our obligations by a Force Majeure Event, we will use all reasonable endeavours to mitigate the effects of such a Force Majeure Event, but we are not liable to you for any losses howsoever caused by such a Force Majeure Event.
Other Terms
Order of Precedence
In the event of any inconsistencies between the documents which make up this Contract, the following order of precedence shall apply: first, the Engagement Letter, second, the Terms of Business, and third, the Collaboration Framework.
Acceptance of Terms
You agree that you accept the terms of the Contract by signing the Engagement Letter or by otherwise instructing us to provide any Services to you, and the terms of the Contract apply to all work that has already been performed before the Engagement Letter was signed.
Assignment
Neither party may assign, transfer or subcontract all or any of their rights or obligations under our Contract, without the prior written consent of the other party, which will not be unreasonably withheld.
Third Parties
A person who is not a party to our Contract will have no rights (whether under the Contracts (Rights of Third Parties) Act 1999 or otherwise) to enforce any of its terms.
Entire Agreement
Our Contract sets out the entire agreement between you and us and supersedes all prior agreements, understandings or arrangements relating to our engagement with the exception of the Context Of The Organisation document you completed for us in order for us to assess the scope of services required to be provided to you under this Contract. Neither party can rely on any prior agreement, understanding or arrangement that is not expressly incorporated into our Contract.
Independent Contractors
The parties to our Contract are independent contractors. Nothing in our Contract is intended to, or will be deemed to, constitute a partnership, joint venture, employment or agent relationship of any kind between you and us, or any other party. No party will have authority to act as employee or agent for the other in any way, unless otherwise agreed in writing.
Waiver
A waiver of any right or remedy under our Contract or by law is only effective if given in writing and will not be deemed a waiver of any subsequent right or remedy. A failure or delay to exercise any right or remedy under the Contract or by law will not constitute a waiver of that or any other right or remedy.
Severability
If any provision or part of a provision of our Contract is invalid, illegal or unenforceable, the parties will try to agree a change to the provision(s). The other provisions will stay the same.
Notices
All notices must be in writing. Notices to us must be sent to tom@isoserious.com or our registered office address (with a copy to our email address). Notices to you will be sent to the email or postal address in our Engagement Letter, or the address provided by written notice stating your intention to change your notice address.
Governing Law and Jurisdiction
Our Engagement Letter and these Terms of Business will be governed by English Law and the parties agree to submit to the exclusive jurisdiction of the English Courts.