These Terms of Service ("Terms") govern your access to and use of the website, consulting services, managed security services, training programmes, and digital products offered by Paragon Cyber Advisory Ltd. By engaging our services, accessing our website, or purchasing a digital product, you agree to be bound by these Terms.
These Terms should be read alongside our Privacy Policy and, where applicable, any Statement of Work, Master Services Agreement, or Order Form entered into between you and Paragon. In the event of conflict, the executed Order Form or MSA shall take precedence.
Definitions
In these Terms, the following definitions apply:
| Term | Meaning |
|---|---|
| "Agreement" | These Terms together with any applicable Order Form, Statement of Work, or MSA. |
| "Client" / "you" | The company, organisation, or individual entering into an Agreement with Paragon. |
| "Paragon" / "we" / "us" | Paragon Cyber Advisory Ltd, registered in England and Wales (Company No. 14729031). |
| "Consulting Services" | Cybersecurity advisory, GRC consulting, AI governance, penetration testing, security auditing, and incident response services. |
| "Managed Services" | Ongoing managed cybersecurity services provided on a subscription or retainer basis. |
| "Digital Products" | Downloadable security kits, documentation templates, frameworks, and toolkits sold via our website. |
| "Deliverable" | Any report, document, code, template, or output produced by Paragon under a Statement of Work. |
| "Intellectual Property Rights" | All patents, copyrights, trademarks, trade secrets, database rights, and other proprietary rights. |
| "Confidential Information" | Any non-public information disclosed by either party in connection with the Agreement. |
| "Fees" | The charges payable by the Client as set out in an Order Form or as listed on our website for Digital Products. |
Acceptance of Terms
By accessing our website, requesting a consultation, signing an Order Form or MSA, or purchasing a Digital Product, you confirm that:
- You have read, understood, and agree to be bound by these Terms;
- You have the legal authority to bind your organisation (if acting on behalf of a company);
- You are at least 18 years of age;
- Your use of our services complies with all applicable laws and regulations.
If you do not agree to these Terms, you must not use our website or services. We reserve the right to update these Terms at any time. Material changes will be communicated with at least 30 days' notice. Continued use of our services following notification constitutes acceptance of the revised Terms.
Our Services
Paragon provides cybersecurity and advisory services to businesses and organisations. The specific scope, timescales, and deliverables for Consulting and Managed Services are defined in a Statement of Work or Order Form agreed with each Client. Our services include but are not limited to:
- Managed Cyber Security: Continuous monitoring, threat detection, and response via our Security Operations Centre.
- AI Governance & Security: Advisory on AI risk management, regulatory readiness (EU AI Act, ISO 42001), and responsible AI deployment.
- Penetration Testing: Authorised security assessments of networks, applications, and infrastructure to identify exploitable vulnerabilities.
- Security Auditing: Independent assessment of your security posture against recognised frameworks including ISO 27001, Cyber Essentials, and NIST.
- GRC Consulting: Governance, Risk and Compliance advisory including policy development, risk registers, and framework implementation.
- Incident Response: Emergency response to active security incidents, forensic investigation, and recovery support.
- Training & Development: Instructor-led, virtual, and bespoke security awareness and technical training programmes.
Any material change to the agreed scope of Consulting or Managed Services must be agreed in writing via a Change Request. Additional work outside the agreed scope will be quoted separately and requires written approval before commencement.
Digital Products & Licences
Digital Products sold via our website are subject to the following terms in addition to these general Terms:
- Licence grant: Upon purchase and receipt of payment in full, Paragon grants you a non-exclusive, non-transferable, perpetual licence to use the Digital Product for your internal business purposes only.
- Permitted use: You may customise, adapt, and implement the templates and documents within your own organisation. You may not resell, sublicense, publish, or otherwise distribute the Digital Products to third parties.
- Updates: Digital Products include 12 months of free updates from the date of purchase. Where a product is updated due to regulatory changes, the updated version will be provided at no additional charge within that period.
- Delivery: Download links are delivered by email within 5 minutes of confirmed payment. Links remain active for 12 months. If you experience delivery issues, contact [email protected].
- Refunds: We offer a 30-day money-back guarantee on Digital Products. If you are not satisfied, email [email protected] within 30 days of purchase with your order reference and reason for return.
- No certification guarantee: Our Digital Products are designed to support compliance and certification journeys. However, they do not guarantee that your organisation will achieve any specific certification or pass any particular audit.
Redistribution, resale, or publishing of Digital Products — in whole or in part — is strictly prohibited and constitutes a breach of these Terms and an infringement of our Intellectual Property Rights. We actively monitor for unauthorised distribution.
Client Obligations
To enable Paragon to deliver services effectively, the Client agrees to:
- Provide access: Grant Paragon reasonable access to systems, networks, personnel, and documentation required to perform the agreed services, including any necessary authorisations for penetration testing activities.
- Provide accurate information: Ensure that all information provided to Paragon is accurate, complete, and up to date. We are not liable for errors or substandard outputs arising from inaccurate information provided by the Client.
- Appoint a contact: Designate a suitably authorised named contact to liaise with Paragon throughout the engagement.
- Obtain third-party consents: Obtain all necessary permissions from third parties (including cloud providers, software vendors, and staff) before authorising Paragon to assess or access systems belonging to or operated by those third parties.
- Comply with applicable law: Ensure that your use of our services complies with all laws applicable to your organisation and industry.
- Pay Fees: Pay all Fees in accordance with the payment terms in your Order Form or as specified on our website for Digital Products.
Failure to meet these obligations may result in delays, reduced scope, or suspension of services. Paragon will not be liable for any consequences arising from the Client's failure to fulfil these obligations.
Fees & Payment
Consulting & Managed Services: Fees are as specified in the applicable Order Form or Statement of Work. Unless otherwise agreed, our standard payment terms are:
| Service Type | Payment Terms | Method |
|---|---|---|
| Consulting (project-based) | 50% on engagement, 50% on delivery | Bank transfer / BACS |
| Managed Services (monthly) | Monthly in advance by the 1st of each month | Direct Debit / BACS |
| Managed Services (annual) | Annual invoice payable within 30 days | Bank transfer / BACS |
| Training (scheduled) | Full payment 14 days before delivery | Bank transfer / card |
| Digital Products | Immediate payment at point of purchase | Card (Stripe) |
- Late payment: Invoices not paid within the agreed terms will accrue interest at 8% per annum above the Bank of England base rate, pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.
- Disputed invoices: If you dispute any invoice, you must notify us in writing within 7 days of receipt, setting out the reasons for the dispute. Undisputed portions remain payable on their due date.
- VAT: All Fees are exclusive of VAT, which will be charged at the prevailing rate where applicable.
- Expenses: Reasonable pre-approved travel and accommodation expenses will be invoiced at cost where on-site delivery is required.
- Price changes: We will provide at least 30 days' written notice of any change to Managed Services pricing.
Intellectual Property
Paragon IP: All methodologies, frameworks, tools, templates, training materials, software, processes, and know-how developed by or belonging to Paragon ("Paragon IP") remain the exclusive property of Paragon. Nothing in these Terms transfers ownership of Paragon IP to the Client.
Deliverables: Subject to full payment of all Fees, Paragon grants the Client a non-exclusive, perpetual licence to use Deliverables produced under a Statement of Work for the Client's internal business purposes. Unless expressly agreed in writing, Paragon retains all underlying Intellectual Property Rights in Deliverables.
Bespoke development: Where a Statement of Work expressly provides for assignment of IP in a specific Deliverable, ownership of that Deliverable will transfer to the Client upon receipt of full payment. Any Paragon background IP incorporated into such Deliverables remains licensed (not assigned) to the Client.
Client IP: The Client retains all Intellectual Property Rights in materials, data, systems, and information provided to Paragon. The Client grants Paragon a limited licence to use such materials solely for the purpose of delivering the agreed services.
Feedback: If you provide feedback, suggestions, or ideas about our services or Digital Products, you grant Paragon a royalty-free, irrevocable licence to use that feedback without any obligation to you.
Confidentiality
Both parties acknowledge that they may receive Confidential Information from the other in connection with the Agreement. Each party agrees to:
- Hold Confidential Information in strict confidence and not disclose it to any third party without prior written consent;
- Use Confidential Information solely for the purpose of performing obligations or exercising rights under the Agreement;
- Apply at least the same degree of care as it applies to its own confidential information (and in any event no less than reasonable care);
- Limit access to Confidential Information to employees and contractors with a need to know, who are bound by equivalent confidentiality obligations.
These obligations do not apply to information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was known to the receiving party prior to disclosure; (c) is independently developed by the receiving party without reference to the Confidential Information; or (d) is required to be disclosed by law or regulatory authority, provided the receiving party gives prompt written notice and reasonably cooperates with any protective measures.
Confidentiality obligations shall survive termination of the Agreement for a period of five years, except in respect of trade secrets which shall remain confidential indefinitely.
Where a separate Non-Disclosure Agreement (NDA) has been executed between the parties, the NDA shall govern confidentiality obligations and shall prevail over this clause in the event of conflict.
Data Protection
Both parties shall comply with all applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Paragon as Data Controller: Where Paragon processes personal data about the Client's contact persons (such as names and email addresses) for the purpose of managing the commercial relationship, Paragon acts as a data controller. Such processing is governed by our Privacy Policy.
Paragon as Data Processor: Where the delivery of services requires Paragon to process personal data on behalf of the Client (for example, accessing systems containing employee data during a penetration test or incident response engagement), Paragon acts as a data processor. In these circumstances:
- A Data Processing Agreement (DPA) will be executed prior to any such processing commencing;
- Paragon will process personal data only on the Client's documented instructions;
- Paragon will implement appropriate technical and organisational security measures;
- Paragon will assist the Client in meeting its obligations regarding data subject rights and breach notification;
- Sub-processors will only be appointed with the Client's prior consent.
To request a Data Processing Agreement or for any data protection queries, contact [email protected].
Limitation of Liability
Paragon's aggregate liability to the Client in respect of any and all claims arising under or in connection with the Agreement (whether in contract, tort, negligence, or otherwise) shall not exceed the greater of:
- The total Fees paid by the Client to Paragon in the 12 months immediately preceding the claim; or
- £10,000.
Excluded losses: Neither party shall be liable to the other for any:
- Loss of profits, revenue, or business;
- Loss of anticipated savings;
- Loss of data or information (except where caused by Paragon's gross negligence or wilful misconduct);
- Loss of goodwill or reputation;
- Indirect, special, or consequential losses;
whether or not such losses were foreseeable or the party had been advised of their possibility.
Nothing in these Terms limits or excludes liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any other liability that cannot be limited or excluded by law.
Penetration testing: Paragon shall not be liable for any disruption, data loss, or damage arising from authorised penetration testing activities carried out within the agreed scope. The Client acknowledges that testing activities carry inherent risks and must ensure appropriate backups and change-freeze procedures are in place prior to testing.
Third-party products: Where we recommend or integrate third-party security products or services, our liability is limited to the quality of our advice and implementation. We are not liable for defects, failures, or security incidents arising from those third-party products.
Indemnification
The Client agrees to indemnify, defend, and hold harmless Paragon and its officers, directors, employees, and contractors from and against any claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from:
- The Client's breach of these Terms;
- The Client's negligence or wilful misconduct;
- Any claim by a third party arising from the Client's use of our services in a manner not authorised by these Terms;
- The Client's failure to obtain necessary third-party consents before granting Paragon access to systems or data;
- Infringement of any third party's Intellectual Property Rights caused by materials or instructions provided by the Client.
Paragon will promptly notify the Client of any such claim, cooperate in the defence at the Client's reasonable expense, and allow the Client to control the defence subject to Paragon's right to participate with counsel of its own choosing at its own cost.
Term & Termination
Term: The Agreement commences on the date of the Order Form or (for Digital Products) on the date of purchase, and continues until the services are completed or until terminated in accordance with this clause.
Managed Services subscriptions have a minimum initial term as specified in the Order Form (typically 12 months), after which they continue on a rolling monthly basis unless terminated by either party giving not less than 30 days' written notice prior to the end of any monthly period.
Termination for cause: Either party may terminate the Agreement immediately by written notice if:
- The other party commits a material breach that is incapable of remedy, or fails to remedy a remediable breach within 14 days of written notice;
- The other party is subject to an insolvency event (including administration, liquidation, or appointment of a receiver);
- The other party commits fraud or acts dishonestly in connection with the Agreement.
Termination for convenience: Either party may terminate Consulting engagements with 14 days' written notice, subject to payment of all Fees for work completed to the date of termination plus any non-cancellable third-party costs committed by Paragon.
Consequences of termination: Upon termination: (a) the Client shall pay all outstanding Fees within 14 days; (b) each party shall promptly return or destroy the other's Confidential Information on request; (c) Paragon will provide the Client with any completed Deliverables in exchange for payment of all outstanding sums; (d) licences granted to use Digital Products survive termination.
Clauses 7 (Intellectual Property), 8 (Confidentiality), 9 (Data Protection), 10 (Liability), 11 (Indemnification), and 15 (Governing Law) survive termination.
Warranties & Disclaimers
Paragon warrants that:
- It has the right, power, and authority to enter into the Agreement and perform its obligations;
- Services will be performed with reasonable skill and care by suitably qualified personnel;
- Deliverables will conform in all material respects to the agreed specifications at the time of delivery.
Disclaimer: Except as expressly set out in these Terms, all warranties, representations, conditions, and terms (whether express, implied, statutory, or otherwise) are excluded to the fullest extent permitted by law. In particular, Paragon does not warrant that:
- Our services will identify every vulnerability in your systems or guarantee that your systems will be secure following our engagement;
- Our Digital Products will be error-free or meet your specific compliance requirements without customisation;
- Penetration testing will not cause any disruption to your systems or services;
- Following our recommendations will prevent any security incident or guarantee regulatory compliance.
Cybersecurity is an inherently imperfect discipline. Our services reduce risk; they do not eliminate it. Clients should maintain appropriate insurance, incident response capabilities, and business continuity arrangements regardless of their engagement with Paragon.
Acceptable Use
You must not use our website, services, or Digital Products to:
- Conduct or facilitate any unlawful activity, including unauthorised access to computer systems (which constitutes an offence under the Computer Misuse Act 1990);
- Conduct offensive security activities (including penetration testing) against any system, network, or infrastructure without the express written consent of the system owner;
- Circumvent or attempt to circumvent any security measures protecting our website or systems;
- Transmit malware, spyware, ransomware, or any other malicious code;
- Collect, harvest, or process personal data in violation of applicable data protection law;
- Infringe the Intellectual Property Rights of Paragon or any third party;
- Make false or misleading representations about your identity, authority, or the intended use of our services;
- Engage in any conduct that brings Paragon into disrepute.
Before any penetration test or offensive security engagement commences, a signed Rules of Engagement document must be in place. Testing without written authorisation may constitute a criminal offence. Paragon will not conduct any security testing outside of the agreed scope under any circumstances.
Paragon reserves the right to immediately suspend or terminate services where we reasonably believe a breach of this clause has occurred or is imminent.
Governing Law & Disputes
These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes and claims) shall be governed by and construed in accordance with the law of England and Wales.
The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms or their subject matter or formation.
Dispute resolution: Before commencing formal legal proceedings, both parties agree to attempt to resolve any dispute through good-faith negotiations. If a dispute cannot be resolved through negotiation within 30 days of written notice, either party may refer the matter to mediation under the CEDR Model Mediation Procedure. The cost of mediation shall be shared equally unless otherwise agreed.
Nothing in this clause prevents either party from seeking urgent injunctive or other equitable relief from a court of competent jurisdiction where necessary to protect Confidential Information or Intellectual Property Rights.
General Provisions
- Entire agreement: These Terms, together with any Order Form, MSA, or Statement of Work, constitute the entire agreement between the parties regarding their subject matter and supersede all prior agreements, representations, and understandings.
- Severability: If any provision of these Terms is found to be unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, or severed if modification is not possible, without affecting the remaining provisions.
- Waiver: Failure by either party to enforce any provision of these Terms does not constitute a waiver of that party's right to enforce it at a later date.
- Assignment: Neither party may assign its rights or obligations under these Terms without the prior written consent of the other party, except that Paragon may assign its rights in connection with a merger, acquisition, or sale of all or substantially all of its assets.
- Third-party rights: These Terms do not confer any rights on any third party under the Contracts (Rights of Third Parties) Act 1999.
- Force majeure: Neither party will be liable for delays or failures in performance caused by circumstances beyond its reasonable control (including acts of God, government action, cyberattacks on critical national infrastructure, or industrial disputes), provided the affected party promptly notifies the other and takes reasonable steps to mitigate the impact.
- Notices: Formal notices under these Terms must be in writing and sent by email to the addresses specified in the Order Form (with read receipt) or by recorded post to the registered office address.
- Relationship: The parties are independent contractors. Nothing in these Terms creates an employment, partnership, or joint venture relationship.
Contact Us
For legal queries, contractual questions, or if you wish to raise a formal dispute under these Terms, please contact us: