Applicable Data Protection Laws:
Applicable Laws: all applicable laws, statutes, regulation and codes from time to time in force in any relevant jurisdiction, including data protection laws other than the Applicable Data Protection Laws, and applicable to the Parties in relation to the Services under the Services Agreement (including without limitation export law and those governing the use of networks, scanners, encryption devices, user monitoring and related software).
Business Day: a day, other than a Saturday, Sunday or UK bank holiday.
Business Hours: the period from 9.00 am to 5:30 pm GMT/BST on any Business Day or as set forth in the Order Form.
Commencement Date: the date of the last signature or as first set forth on the Order Form and agreed by the parties as the effective date of the Services Agreement.
Confidential Information: means any information, whether supplied, made available or otherwise accessed or accessible in any form, wholly or in part, and whether or not marked confidential, by either party to the other under or in connection with the Services Agreement, and includes (but is not limited to) information relating to software and hardware products, IT infrastructure, samples, equipment, drawings, specifications, information about a party's clients (including customer characteristics and identities), staff and subcontractors of a party (including their characteristics and identities), trade secrets, technical information and know-how, performance or process data, cost and financial information, market opportunities, business affairs, methods of doing business, strategic marketing, business plans, the operation of any digital platform, and any information, reports or analysis derived from the Confidential Information, but does not include information that is or becomes generally available to the public otherwise than as a result of a breach of this agreement, is already available to a receiving party on a non-confidential basis from a third party, or is independently developed by a party without relying on Confidential Information supplied by the other party.
Customer: means the party referred to as Customer on the Order Form and any persons, third party agents, subcontractors, consultants, employees and those acting on its behalf.
Customer's Equipment: any equipment, including tools, systems, cabling or facilities, provided by Customer, its agents, employees, subcontractors or consultants which is used directly or indirectly in relation to the supply of the Services including any such items specified in the Order Form or Annex.
Customer Materials: all documents, information, items and materials in any form, whether owned by Customer or a third party, which are provided by Customer to Supplier in connection with the Services, including the items provided pursuant to clause 5.6(d) or otherwise specified in the Services Agreement.
Customer Personal Data: any personal data which Supplier processes in connection with the Services Agreement, in the capacity of a processor on behalf of Customer.
Customer’s System: means the system, application and/or network set forth in the Order Form or an Annex which Customer requires to be security tested.
Defense.com Licence: means, where applicable as set forth in the Order Form, a licence granted to Customer for access to and use of the Defense.com Platform and for the provision of the Services and related Deliverables on and via the Defense.com Platform.
Defense.com Platform: means Supplier’s online security information and service web portal and/or any other related Supplier facilities or systems to which Customer has been granted access and use as set forth in the Order Form.
Defense.com Users: means, in respect of a Defense.com Licence, the permitted users who are designated by Customer to use the Defense.com Platform.
Deliverables: any output of the Services to be provided by Supplier to Customer as specified in the Order Form or in the Services Agreement Service-specific Terms.
EU GDPR: means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law.
Fees: the monetary amounts due for the Services as set forth in the Order Form.
Good Industry Practice: means the exercise of that degree of skill, diligence and foresight which would reasonably and ordinarily be expected from a skilled and experienced service provider engaged in the provision of services similar to the Services under the same or similar circumstances as those applicable to the Services Agreement and which are in accordance with any codes of practice published by relevant trade associations.
Initial Term: the first and minimum Services Agreement duration for any Service as set forth in the Order Form.
Intellectual Property Rights or IPRs: patents, utility models, rights to inventions, copyright and neighbouring and related rights, moral rights, trade marks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, data, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
Milestone: a date by which a part or all the Services is to be completed, as set forth in the Order Form.
Monthly Recurring Service Fees: means any monthly recurring fees for the applicable service payable by Customer as detailed on the Order Form.
Order Form(s): shall mean the request on Supplier’s standard Order Form from Customer to Supplier for Services to be provided pursuant to the terms of the Services Agreement which agreement, for the avoidance of doubt, applies in each case to a specific Order Form.
Order Form Services Addendum: has the meaning given in clause 7.1.
Professional Services: means consultant delivered Services, as defined by Supplier including, but not limited to, Penetration Testing and compliance Consultancy.
Service(s): means a Supplier service or multiple Supplier services (which may be packaged) that are ordered by Customer as set forth in the Order Form.
Services Agreement: shall mean these Services Agreement Standard Terms together with, and which shall be read to include, the Service-specific Terms and a specific Order Form pursuant to which Supplier makes the Services available to Customer, any related Annex and/or any related Order Form Services Addendum.
Supplier's Equipment: any equipment, including tools, systems, documentation, cabling or facilities, provided by Supplier to Customer and used directly or indirectly in the supply of the Services, including any such items specified in the Order Form but excluding any such items which are the subject of a separate agreement between the parties under which title passes to Customer.
Supplier Personal Data: any personal data that Supplier processes in connection with the Services Agreement, in the capacity of a controller.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.
VAT: value added tax chargeable in the UK.
The Services Agreement creates a contractual framework between Supplier and Customer under which:
In the event of any conflict or ambiguity, except where otherwise provided, the order of precedence for the Services Agreement shall be as follows:
Supplier will provide, and Customer will receive and have use of the Services and any related Deliverables (where applicable, by grant of a Defense.com Licence) in accordance with the Services Agreement for the Initial or Extension Term, as applicable, set out in the Order Form whereby:
Customer will:
Customer shall not:
Customer shall:
The Fees exclude the following, which shall be payable by Customer monthly in arrears (provided that Supplier has obtained the written consent of Customer, which shall not be unreasonably delayed or withheld), as incurred:
The Fees also exclude services related to non-Supplier delay, cancellation and rescheduling charges, for costs related directly to the administration, system, personnel, facilities, third party and/or other allocated resources associated with scheduled Services. The following charges will apply to any Customer short-term cancellation and rescheduling:
Customer shall pay each invoice submitted to it by Supplier based on the following terms:
Without prejudice to any other right or remedy that it may have, if Customer fails to pay Supplier any sum due under the Services Agreement on the due date:
All amounts payable to Supplier under the Services Agreement:
In relation to the Services and any Deliverables:
In relation to Customer Materials, Customer:
Supplier:
Customer:
If either party (Indemnifying Party) is required to indemnify the other party (Indemnified Party) under this clause 9, the Indemnified Party shall:
Without prejudice to the generality of clause 10.2, Supplier shall, in relation to Customer Personal Data:
Customer provides its prior, general authorisation for Supplier to:
appoint processors to process Customer Personal Data, provided that Supplier:
Each party may disclose Confidential Information:
Liabilities which cannot legally be limited. Nothing in the Services Agreement limits any liability which cannot legally be limited, including but not limited to liability for:
Specific heads of excluded loss. SUBJECT TO CLAUSE 12.2 (NO LIMITATION OF CUSTOMER'S PAYMENT OBLIGATIONS), CLAUSE 12.3 (LIABILITIES WHICH CANNOT LEGALLY BE LIMITED), THIS CLAUSE 12.5 SPECIFIES THE TYPES OF LOSSES THAT ARE EXCLUDED:
Either party may immediately terminate the Services Agreement without payment of compensation or other damages caused to the other solely by such termination by giving notice to the other if any one or more of the following occurs:
Force Majeure Event means any circumstance, except for Customer’s payment obligations, not within a party's reasonable control including, without limitation:
The Affected Party shall:
No amendment or variation of the Services Agreement shall be effective without express written consent signed by the parties (or their authorised representatives) except that Supplier may from time to time update the Services Agreement Standard Terms or Services Agreement Service-specific Terms upon 90 days express written notice to Customer upon which Customer may send express written notice of its intent to terminate the Services Agreement as provided for in clause 13.4.
The rights and remedies provided under the Services Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
Each Party shall, and shall ensure any of its agents, employees, consultants, contractors and subcontractors shall, comply with all applicable laws, statutes, regulation, and codes relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010 and shall establish, maintain and enforce its own policies and procedures to ensure compliance.
Each Party shall, in performing its obligations under the Services Agreement, comply with all applicable anti-slavery and human trafficking laws, statutes and regulations from time to time in force including the Modern Slavery Act 2015; and each party represents and warrants that it has not been convicted of any offence involving slavery and human trafficking or been the subject of any investigation, inquiry or enforcement proceedings regarding any offence or alleged offence of or in connection with such trafficking.
Except as otherwise agreed, the Services Agreement does not give rise to any third-party statutory rights to enforce any of its terms.
The Services Agreement Order Form may be executed and delivered electronically or by hardcopy in any number of counterparts, each of which shall constitute a duplicate original, but all counterparts together constitute the one Services Agreement Order Form. No counterpart shall be effective until each party has executed at least one counterpart.
(incorporated into the Services Agreement Order Form and incorporating the Services Agreement Standard Terms, any Annex and any Order Form Services Addendum, all together the “Services Agreement”)
Alphabetical Order
Supplier will provide Customer the following Service(s) as set forth on the Order Form:
Defense.com is Supplier’s SaaS security management solution, the Defense.com Platform, that integrates into an organisation of any size, providing Customer access to a scalable suite of cyber security tools, each playing a part in protecting Customer’s business from new and existing threats and, as a whole, providing Customer’s Defense.com Users, under a Defense.com Licence, access to a 360° view of Customer’s security profile 24 hours a day.
Supplier will provide access to Customer to define its digital assets profile which assists in defining the attack surface and allows Supplier to automatically align threats to Customer’s unique attack surface. Customer will add assets to ensure the correct threat intelligence feeds align to Customer‘s environment.
Supplier will provide an automated monitoring solution performing surface web, deep web and dark web scans 24 hours a day for Customer’s designated business data which includes Supplier’s comprehensive source feeds -- IRC chatrooms, bin sites, data dumps, social sources and dark web sites, to detect sensitive data efficiently.
Supplier will provide access to an online self-assessment tool that enables Customer to assess its current cyber security and information security posture by answering a series of questions based on modules covering a range of best practice cyber/information security controls, following completion of which Customer will receive an online report of its current status using a RAG (red, amber, green) indication which can be downloaded, and any threats identified will be automatically fed into Customer’s Defense.com Threat Dashboard. For each successfully passed question module, Customer may download a pass certificate. Customer may choose which modules to take and can re-take any of the assessment modules at any time.
Supplier will provide Endpoint Protection software and the SaaS platform to manage the endpoints. Supplier will also provide staff to manage, tune and support the platform. The following are included:
Windows – FileScan; ContentControl; UserControl; Application Blacklisting; DataProtection; TrafficScan; AntiPhishing Firewall; BehavioralScan; MailServers (Exchange - only servers); DeviceControl; AntiExploit.
Mac – FileScan; Update Server; and Content Control with TrafficScan + Antiphishing
Linux – FileScan; and Update Server
Customer will install the software to secure endpoints and/or entry points on Customer’s end-user devices to prevent file-based malware and detect and block malicious activity through automated vulnerability scanning.
Supplier will provide access to the automated Microsoft 365 Monitoring feature which will automatically create threats, escalating the highest risks to Customer and provide remediation advice. Customer will provide support and necessary secure access to Customer’s MS Office 365 account with privileges for the Supplier to ingest data and alert on threats identified.
Supplier will provide a 24x7x365 emergency help button which allows Customer to raise potential security incidents with our trained, experienced team. Supplier provides fast-tracked preliminary incident response advice for all types of security events and cyber incidents including, but not limited to, suspected data breaches, ransomware attacks, insider threat, suspicious network activity and known vulnerability exposure. This service is intended to triage potential security incidents and provide practical advice for resolution, but does not include any remediation work from the Supplier.
Supplier will provide access to the Phishing Simulator feature, which enables Customer to send safe phishing emails to test Customer staff’s vigilance and identify any weaknesses in their security knowledge. Customer will use the platform to schedule and select the appropriate campaign per team, track results and take remediation steps following the outcome of the test. Customer will set up whitelisting of Supplier IP addresses and email domains as defined in Supplier-provided help guides.
Supplier will provide a SaaS-based centralised log management service to aggregate all log data in a single location and into a common format. Supplier will store log data for 12 months in an archive and provide 90 days of logs for immediate searching. Customer will install, with the support of Supplier, the relevant software and virtual hardware to support the delivery of the service.
Provision of a Supplier helpline, including audio and/or messaging, that offers first level response, general guidance and assistance to Customer, within 24 hours of a logged service request (excluding where the response due time falls within a weekend or national holiday), for cyber security questions Supplier deems to be common and frequently asked.
Supplier will provide functionality in a single interface that displays threats across all the features provided in Defense.com. Threats are automatically populated by each feature, such as live threat intelligence tailored to Customer. Once threats have been populated, Defense.com provides features to allow Customer to manage each threat and allocate threats to specific individuals for remediation. The platform will assign risk levels and allow the business to drill down into specific threat information and understand the business impact. Customer will action threats and perform remediations as identified by the platform, or will take action to accept the risk or acknowledge threats as false positives.
Supplier will provide Customer a customised list of cyber threats, continually updated by experts based on the latest intelligence from commercial, open-source and custom-built feeds. Customer will define assets to ensure the correct intelligence is supplied relevant to Customer’s environment.
Supplier will provide access to Threat Recon which presents the attack surface of Customer’s business to highlight risks. Threat Recon will automatically perform predefined tests that are used by attackers to test the exposure of the business. These checks include sub-domain detection, port scanning of top 20 ports, network information gathering, SSL validation, potential risk based on site popularity, email spoofing protection checks, block list lookup, security best practices assessment and other checks as offered by Supplier. Customer will provide all relevant internet facing web domains as the scope for the checks.
Supplier will provide a range of standard training courses covering varied cyber security, information security and compliance topics. These are delivered through Defense.com with a range of videos and associated exams which, along with built in reporting, allow Customer to track adoption.
Supplier will provide a platform to allow Customer to run automated Vulnerability Scans of the most common ports with the option to customise to Customer’s requirements, to assess systems or applications for known security flaws and weaknesses. Supplier will provide threats that can be managed, allocated, assigned and risks accepted via Defense.com in addition to actionable remediation advice. The service will allow Customer to identify assets that are prone to attacks. Customer will define the scope of the automated scans and take measures to patch or remediate the threats as provided by Supplier’s automated process.
Supplier will remotely provide Customer advice and support covering information security topics, including, without limitation, frameworks such as ISO 27001, NIST, CIS, ISO 22301 and General Data Protection Regulation (GDPR) data protection. Where specified, Supplier will assist Customer to work toward improvement of its business performance in terms of operations, management, structure and/or strategy regarding cyber security and/or GDPR compliance. On-site visits may be arranged with Customer in exceptional circumstances.
Supplier will provide an experienced Information Security Consultant to assess the current level of information/cyber security in Customer’s organisation. This will be based on the NIST CSF and ISO 27001/27002 controls and the output will be a report detailing the level of compliance against each of the requirements along with recommendations on how to achieve compliance.
Supplier will provide Customer access to up to 2 hours per month of remote support for queries and questions relating to GDPR and data privacy matters. Customers can contact the DPA service via a centralised mailbox initially and then queries can be dealt with via email, phone or video conferencing.
Supplier will provide an experienced GDPR consultant to audit the current level of compliance to GDPR. The output of the audit will be a report that will outline any non-conformities. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit.
Supplier will provide an experienced GDPR consultant to undertake a gap analysis against the requirements of GDPR. The output of the gap analysis will be a report detailing the current level of compliance to each of the requirements along with a document review (which will include a maximum of 20 GDPR related policies, procedures or documents) with recommendations and an action plan outlining what needs to be done to achieve compliance. During the gap analysis, which will be conducted via a series of online interviews with key stakeholders, Customer will be required to provide documents, e.g., policies and procedures that are currently in place for assessment.
Supplier will provide an experienced GDPR consultant to deliver the GDPR implementation project. The service, which will be delivered remotely, will include preparation of all required documentation along with advice and support on how to ensure current processes are compliant. Customer will be required to play an active part in the implementation through interviews and workshops.
Supplier will provide an experienced ISO 27001 consultant to undertake a Gap Analysis against, as appropriate, the version of the ISO 27001 standard requested by Customer in accordance with the agreed scope. The output of the gap analysis will be a report detailing the current level of compliance to each of the requirements of ISO 27001 with recommendations on what needs to be done to achieve compliance. During the Gap Analysis, which will be conducted via a series of online interviews with key stakeholders, Customer will be required to provide documents, e.g., policies and procedures that are currently in place for assessment.
Supplier will provide an experienced ISO 27001 lead implementer to deliver an ISO 27001 implementation project to enable Customer’s readiness for certification by an external UKAS accredited certification body. The implementation service, which will be delivered remotely, will include training of all staff on the Information Security Management System the consultant is implementing and preparation of all required documentation. Customer will be required to play an active part in the implementation through interviews and workshops.
Supplier will provide an experienced ISO 27001 auditor to conduct an internal audit against the agreed requirements and scope of the Information Security Management System. The output of the internal audit will be a report, written in accordance with the requirements of the ISO 27001 standard that will outline any non-conformities and opportunities for improvement. During the audit, which will be conducted remotely, Customer will need to provide access to key staff, documentation and evidence to support the audit.
Supplier will perform tailored Phishing simulations (campaigns) to test Customer staff’s vigilance and identify any weaknesses in their security knowledge. Supplier will provide a report documenting the results of the Phishing Campaigns through a secure portal. Customer will work closely with Supplier to agree the scope, requirements of the test and schedule, track results and take remediation steps following the outcome of the test. Customer will provide target employee details including, e.g., their email address, role and full name.
Supplier will provide an experienced information security consultant to provide a range of PCI DSS consultancy services to ensure Customer has implemented all the necessary policies, procedures and technical controls to achieve PCI DSS certification. Where available, Customer will be required to provide an asset inventory for systems in scope for PCI along with a network diagram and data flow diagram along with any other relevant supporting policies, procedures and documentation.
Supplier will provide an experienced information security consultant to provide a range of SOC2 consultancy services to assist Customer in the implementation of all necessary policies, procedures and technical controls in preparation for an audit by a Certified Public Accountant (CPA).
Supplier will provide a range of standard training courses covering both cyber security awareness and GDPR awareness. These can be delivered through Defense.com with a range of videos and associated exams which, along with built-in reporting, allow Customer to track that staff have watched the videos and completed their exams. Other delivery methods include on-site training and virtual training using video conferencing tools. Bespoke training courses covering specific cyber security or GDPR topics can also be developed and delivered for Customers in any format, be that video, online training or, where agreed, physically on site. Supplier will provide a copy of any training materials to Customer in PDF format upon completion of the training.
Supplier will assist Customer to achieve certification under the NCSC Cyber Essentials scheme. Support is provided in line with the level of service Customer has contracted for as per the following:
Supplier in addition will provide:
*Cyber Insurance:
Free cyber insurance, provided by a third party insurer, is provided to UK companies as part of the scheme if the basic certification covers the entire organisation.
Customer acknowledges that the Cyber Essentials scheme is intended to reflect that the certificated organisation has established the cyber security profile set out in the Cyber Essentials scheme documents only and that receipt of a scheme certificate does not indicate or certify that the certificate holder is free from cyber security vulnerabilities. Customer acknowledges that Supplier has not warranted or represented the Cyber Essentials scheme or certification under the Cyber Essentials scheme as conferring any additional benefit to Customer.
After purchasing Cyber Essentials, Customer will be required to confirm via email when they are ready to complete their assessment. The Cyber Essentials team will send an email after the initial purchase asking to be informed when Customer is ready to proceed. Customer will not be given access to the assessment until a response is received.
Customer shall complete and submit the self-assessment form within a month of being added to the portal.
Customer shall comply with the Cyber Essentials scheme documentation and all reasonable directions made to Customer by the Authority, a Cyber Essentials Partner or a certification body.
Subject to Customer’s completion of a Cyber Essentials self-assessment (the “Questionnaire”), Supplier will assess the Customer-completed Questionnaire against the Cyber Essentials scheme criteria.
The Questionnaire account will remain open and accessible for six (6) months. If Customer has not submitted the Questionnaire within 6 months, the assessment will expire and no refund will be permitted. If Customer wishes to complete the Questionnaire after expiration, it will be required to order Cyber Essentials again.
If the completed Questionnaire meets the Cyber Essentials scheme criteria (which Supplier shall assess in accordance with the IASME marking scheme), Supplier will notify Customer and, subject to Customer meeting its obligations, Supplier will arrange for the issue of an IASME certificate to Customer.
If a certification only service has been purchased by Customer, no support will be provided by Supplier other than assistance gaining access to the Questionnaire.
If Customer has not submitted its application after a month of being added to the portal, reminders will be sent to Customer as follows:
If none of the above reminders results in a reply with either a proposed date or a submission, Customer will be invoiced either at the point where the Questionnaire account expires (six months after it was added to the portal) or when the contract ends, whichever is sooner.
Where Customer’s order has not been completed within 12 months from the date it was placed, the assessment will be marked as a ‘fail’ and Customer will be invoiced.
Cancellation of orders is not possible due to the systems and third parties involved in providing the service. Therefore, incomplete applications will be marked as a ‘fail’ and Customer will be invoiced.
Where Customer has purchased Cyber Essentials Plus, Customer must complete the Cyber Essentials Plus assessment within 90 days of achieving basic Cyber Essentials certification. Any free retest offerings must be used within that 90-day deadline.
If Customer is unable to pass within that time through no fault of Supplier, the application will be marked as a ‘fail’.
Where Customer fails the Cyber Essentials Plus test, Customer will have 30 days to remediate any issues found and get a retest (within the 90 days).
Where Customer refuses or fails to provide the access required to conduct the test, the test will be marked as a ‘fail’.
If Customer wishes to move their assessment date, Customer must provide Supplier with at least 48 hours’ notice. Failure to provide the requisite notice to Supplier will incur cancellation charges in line with the Services Agreement Standard Terms.
Supplier will respond to an emergency request within three hours via Supplier’s SOC hotline, which is available 24x7x365. The emergency response will consist of an initial assessment and triage by phone to discover and confirm the nature and impact of the incident within Customer’s environment, including the collection and analysis of all relevant information, and to provide advice based on the nature of the incident. Customer will provide all necessary resources and information to ensure the success of the service. If more detailed analysis is required, or the incident has been confirmed as a data breach, the service will provide additional support to investigate the extent of the incident. This may include forensic analysis supported on site (Digital Forensics) where required, at an additional cost as defined in the Services Agreement Standard Terms. Digital Forensics support will be charged, as required, at a day rate of ~£1,500.00, as updated by Supplier from time to time.
During the initial notification call, Customer shall provide Supplier with the information below so that an incident ticket can be created. Customer shall appoint an authorised contact person for every incident raised. The appointed contact person shall be pre-registered with Supplier.
Customer Name
Contact Name
Note: Should Customer consider the nature of the incident to preclude providing the support desk with these details, Customer’s contact may simply state that the incident is a ‘flash priority’, at which point Supplier support personnel will request no further details and will immediately initiate the response procedures.
Supplier will provide a SaaS-based security information and event management platform to deliver real-time analysis of potential cyber security threats. Supplier’s security analysts will analyse Customer logs 24x7x365 to identify security threats and raise events to Customer for investigation. Customer will install, with the support of Supplier, the software and virtual appliances required to support delivery of the Service.
The following additional definitions shall apply to this Service:
“APT” or “Advanced Persistent Threat” means a stealthy and sustained intrusion campaign in which an attacker gains and maintains unauthorised access to a network over an extended period.
“Attack” means the inflow of malicious or illegitimate requests to an infrastructure or web platform with malicious intent, the purpose of which is to gain access to, or to disrupt, the infrastructure.
“Critical” means the classification by Supplier of a Security Event as defined in the Managed Detection & Response Service Level Agreement (MDR SLA) that will receive the highest level of response from Supplier's designated trained security professionals.
“Incident Response Plan” means the overarching framework for both parties’ efficient and professional reactions during a security incident.
“Non-Critical” means a Security Event as defined in the MDR SLA that does not require immediate attention because it is deemed not to be critical.
“Runbook” means a compilation of routine procedures and operations which designated employees will use as a reference.
“Security Event” means a change in the everyday operations of a network or information technology service, which indicates that a security policy may have been violated or a security safeguard may have failed.
“Security Incident” means a situation where an adverse impact has resulted from a Security Event.
“SIEM” means software products and services combining security information management (SIM) and security event management (SEM) that provide real-time analysis of security alerts generated by network hardware and software applications.
“Threat Investigation” means any actions taken by Supplier to validate a Security Event as a real threat and to rule out the possibility of it being a false alert.
“Threat Signatures” means any information provided by Vendors to help identify any threats that could impact Customer’s network or infrastructure.
“Vendors” means third parties who provide Supplier with infrastructure, products, intelligence or expertise to allow us to provide the Services, including but not limited to dedicated hardware appliances, Threat Signatures, and vulnerability scanning services.
“Zero-day” means an attack that exploits a previously unknown vulnerability in a computer application or operating system, one that developers have not had time to address and patch.
Supplier will provide the following in accordance with the Order Form, the MDR SLA and Runbooks.
Active monitoring of all systems in scope for Security Events using a threat intelligence SIEM module.
Correlation of logs from multiple sources to identify any Security Events that may carry a potential threat.
Interpretation of logs and audit trails, focusing on the threats that matter most to Customer.
Incident investigation from triggered alerts and abnormal behaviour in accordance with a well-defined and agreed Runbook.
Customer notification and incident reporting in accordance with the agreed incident response plan.
Provide recommendations for dealing with incidents.
Ongoing management and maintenance of the SIEM appliances, including installation, migration and configuration of the SIEM hardware or software.
All configuration files will be kept and backed-up for a minimum of 30 days with daily restore points covering one week, unless an alternative period is formally requested by Customer and agreed by Supplier.
All logs will be kept and backed up for a minimum period of 30 days with immediate access, and archived for one year.
Incident reports will be generated within 24 hours of the investigation of any Critical Security Event being completed. Upon request, Supplier will provide incident reports for any Critical Security Events that have occurred.
Access to an online portal which will contain up-to-date incident reports and change control information.
Customer agrees to perform the following obligations and acknowledges that Supplier’s ability to perform its own obligations, and Supplier’s liability, are dependent on Customer’s compliance with them:
Customer is required to make appropriate staff available to help Supplier with the following items (if applicable):
In the case of a Security Event occurring, Customer agrees to work in line with agreed Runbooks.
Customer agrees and understands that the effectiveness of the Services depends on the collaboration during the on-boarding phase that will define and assess the processes, escalation points and on-going communication channels.
Customer must inform Supplier of any changes that could affect any individual Runbook or the Incident Response Plan. This also includes the escalation procedures, availability and contact details of personnel, reliability, performance and any other security or compliance related requirements.
Supplier will work in line with the agreed Runbooks.
Supplier will monitor all key components used in the delivery of the Services 24x7x365.
In the event of any issues arising, Supplier will work to identify and resolve any threats or issues as quickly as possible.
Supplier will provide technical staff 24x7x365 to support the Services provided and to assist Customer with any issues that may arise. A 24-hour telephone number will be available for Customers. Email support will also be provided but should not be used for emergencies.
If a Critical event occurs, Supplier will perform an initial Threat Investigation and, where the Security Event has been deemed by Supplier to be Critical, notify Customer within 30 minutes.
If a Security Event occurs of a Non-Critical nature, Supplier will take actions in line with the agreed Runbook.
If a Security Event occurs Supplier will first carry out a Threat Investigation and will then respond to Customer within the timeframes listed in the table below.
For any Security Event which Supplier deems to be Critical prior to the Threat Investigation being completed, Supplier will contact and regularly update Customer.
Security Event severity is typically assigned according to the stage of the attack kill chain at which the event is observed: the further along the kill chain (for example, lateral movement or data exfiltration rather than initial reconnaissance), the more severe the event.
Supplier will not be liable under the following conditions:
A managed service where Customer can purchase a number of days (minimum 0.5 days) per month for DPO services. Where Customer does not use the total amount of time in any given month, that time may be carried over to the subsequent month (but no further).
Supplier will provide virtual consultation to Customer, information, advice and other related services, in accordance with the DPO Service Levels below, to ensure that Customer processes the personal data of its staff, customers, service providers or any other individuals (also referred to as data subjects) in compliance with Applicable Data Protection Laws and best practice.
Supplier will:
Act as the Data Protection Officer (DPO) for Customer in accordance with Applicable Data Protection Laws;
Facilitate Customer compliance with the UK/EU GDPR and other applicable data protection legislation by ensuring effective systems and controls are in place to enable Customer to comply with their legal obligations;
Act as Customer’s intermediary between relevant stakeholders, including supervisory authorities, data subjects, and business units;
Report to the Information Commissioner’s Office (ICO) and any other relevant supervisory authority any notifiable data breach that Customer has identified and notified to Supplier, by the end of the statutory notification period (72 hours from awareness under UK/EU GDPR), unless the requisite notice has already been sent by Customer, or by Supplier at Customer’s instruction; and
Inform and advise Customer’s senior management (where appointed to do so) in accordance with Supplier’s position as DPO of Customer.
Customer will ensure compliance with all Applicable Data Protection Laws and in particular Customer will:
Report all notifiable and potential data breaches to Customer’s assigned DPO at dposupport@bulletproof.co.uk as soon as Customer becomes aware of the breach;
Submit details of data breach(es) to Supplier for reporting to the ICO and any relevant supervisory authority without undue delay; and
Where Customer fails to comply with the reporting obligations above, Supplier shall not be liable, and Customer will indemnify Supplier for any penalties imposed by the ICO or any relevant supervisory authority, and for any third-party claims, arising from a failure or delay in reporting notifiable breaches.
Priority levels will be addressed in line with the following Service Levels.
All Service Levels apply only from 9:00am to 5:30pm GMT Monday to Friday excluding UK bank holidays (“Working Hours”). All DPO Service requests must originate with an email sent to the allocated DPO and copied to dposupport@bulletproof.co.uk and the subject line must contain the priority in accordance with the following:
Supplier will perform penetration testing that evaluates Customer systems to identify, validate and exploit vulnerabilities, assessing critical external and/or internal assets, APIs, web applications, mobile applications, cloud infrastructure and/or wireless infrastructure using experienced penetration testers to determine whether Customer’s organisation is susceptible to attack. Supplier will provide a report in both online and downloadable versions within 5 working days of completion of a test.
“Late Availability Test” means a Penetration Test requested by Customer with five working days’ notice or less.
“Red Team Penetration Test” means the onsite presence of Supplier who will test the System as described in a scope Annex made by Supplier to Customer.
“Test Start Time” means the provisional or definitive date and time listed in the Order Form (or otherwise later expressly agreed by the parties in writing) that determines when the Services will commence.
Customer shall submit, by upload into the Defense.com platform (Penetration Testing dashboard), any necessary further scope details at least five working days prior to the start of the Penetration Tests, to allow efficient scheduling of the necessary resources and time.
Where Customer fails to submit the necessary scope details, Supplier shall reschedule the Penetration Test and Customer shall be liable for any charges.
Customer and Supplier will agree dates promptly after the Commencement Date, or as set forth in the Order Form, for Supplier to deliver the Services within 12 months of the execution of the Order Form. Where Customer fails to agree dates for the Services through no fault of Supplier, Customer will forfeit its right to the Services for the relevant 12-month period and, for the avoidance of doubt, no refund or waiver of Fees or related costs (all of which are owed upon execution of the Order Form) will be issued by Supplier.
Where Customer requests a Late Availability Test and fails to timely provide Supplier with the necessary information to commence the Penetration Test, Supplier shall not be obliged to carry out the relevant Services and Customer will not be entitled to any refunds or waiver of Fees or related costs.
Customer acknowledges that the Service will be provided remotely unless explicitly requested and agreed otherwise. If on-site access is required to facilitate testing, Supplier will offer the option of a customer premises equipment (CPE) device deployed on Customer’s network, allowing testing to be conducted from Supplier’s secure remote location. In-person tests may be provided upon request by Customer or Supplier, subject to approval by Supplier.
Customer acknowledges that a Penetration Test is a snapshot in time and that it is limited to the actions set out on the Order Form (which actions may be agreed in an incorporated scope Annex document).
Customer shall comply with any rules imposed by any third party whose content or services are accessed via the Services.
Customer shall inform Supplier forthwith if any of the Services are subject to interference or malfunction.
Customer, prior to Penetration Tests, must proactively and appropriately backup all critical data from its Systems that will form part of the Penetration Tests.
Where Customer engages Supplier to provide a Red Team Penetration Test, Customer further represents and warrants to Supplier that Customer: a) has the necessary authority to instruct Supplier to provide the Red Team Penetration Test; and b) shall sign a letter of authority (duly signed by an authorised member of the executive board or equivalent) if Supplier requires it.
Supplier will provide a remote managed service that includes an experienced Information Security Consultant to build and implement an information security strategy for Customer. The service may require an initial health check to establish the current security posture of Customer’s organisation and enable Supplier’s Consultant to build a strategy. This Service can also provide support in managing existing security frameworks such as Cyber Essentials and ISO 27001. On-site visits may be arranged with Customer, where agreed, in exceptional circumstances.
Supplier will provide regular updates to Customer where reasonably requested;
Supplier will provide regular updates (at least monthly, with the frequency otherwise at Supplier’s discretion) on the progress of the implementation of the agreed security strategy;
Supplier will only amend any agreed strategy with the written agreement of Customer; and
Supplier will work with third party suppliers of Customer where reasonably requested (e.g., outsourced IT providers).
Customer will notify Supplier’s designated VCISO of changes to Customer’s business including, interpreted broadly:
Customer will notify the VCISO of any security incidents or data breaches of which it becomes aware.
Customer will notify VCISO of any Customer regulatory, legislative and/or contractual requirements.
Customer will, when raising a request for assistance from its VCISO, ensure that vciso@bulletproof.co.uk is copied on all messages.