Terms of Service

Last updated: 10 June 2026

1. Who these terms are between

These terms govern the application security services provided by JustAppSec Limited, a company registered in England and Wales (Company No. 16602827), referred to here as “we”, “us”, or “our”. They apply to the Application Security Health Check and any related security assessment, review, or consultancy work we agree to carry out for you (the “Services”).

An engagement is formed when (a) we send you a written engagement confirmation by email or other electronic means setting out the agreed scope, fee, and any engagement-specific terms, and (b) you accept it in writing, by commissioning the Services, or by providing access to materials for the agreed scope. By doing any of those things, you confirm on behalf of the organisation engaging us (the “Client”, “you”) that you have read, understood, and agreed to these terms and that you have authority to do so.

If a separate signed agreement covers a particular engagement, that agreement takes precedence where it conflicts with these terms.

2. What the Services are

The Application Security Health Check is a fixed, three-day, point-in-time security assessment of the application, code, environments, and materials agreed with you in writing before work begins. The deliverable is a written report setting out our findings and prioritised recommendations and, where included, a discussion to talk them through.

Those three days are typically used approximately as follows: around half a day to set up and scope the work, around two days to test and review, and around half a day to prepare the report. This breakdown is indicative only. We apply our professional judgement to how the time is used on your Health Check.

The three-day shape and the breakdown above are specific to the Health Check. Larger or bespoke engagements are scoped, priced, and agreed separately, and may be covered by their own written agreement; where they are, that agreement governs (see section 1).

The Services are not a penetration test, not a comprehensive line-by-line source code audit, and not an assurance, audit, or certification engagement. We do not attempt to chain exploits, demonstrate persistence, or otherwise act as a live attacker against your systems. The Services are a senior-led, AI-assisted review designed to surface the application security weaknesses most likely to matter in your context within the time available, drawing on our professional judgement about where to look and what to prioritise.

The fee is fixed and is payable for the deliverable. The three days represent the level of effort we allow for the Health Check; they are not billed or accounted for by the hour. We determine the methodology, tooling, and allocation of that effort using our professional judgement. Delivery of the agreed report constitutes performance of the Services.

The scope of each engagement is what we confirm with you in writing. Anything not expressly agreed is out of scope.

We deliver the report to you in writing, typically by email or a secure file share we agree. The report is deemed accepted if you do not raise a specific written objection within 14 days of delivery. Acceptance, or deemed acceptance, completes our performance for that engagement and starts time running for the purposes of any time-limited claim.

3. Scheduling and delivery

Once a Health Check is agreed and the deposit invoice has been paid, we will deliver the report within 60 days of the date we receive the deposit. The three days of work need not be carried out consecutively, and we schedule them at our discretion within that period. The 60-day period is extended by any period during which we are waiting on you for access, materials, information, or responses we have reasonably requested, and by any period of delay caused by third-party dependencies or events outside our reasonable control. We are not responsible for any consequence of delay arising from these causes.

We may decline a prospective engagement, or pause or reschedule an engagement that has not yet begun, at our discretion and without giving reasons. Where we decline an engagement, or reschedule it and you do not wish to accept the new date, we will refund any fees paid for work we have not yet started.

4. Your responsibilities and authorisation

You confirm and warrant that you own, or are fully authorised to permit the security testing and code review of, every system, application, environment, repository, account, and dataset you give us access to or ask us to assess, and that you have obtained all consents and authorisations required from any third party, including hosting, cloud, and platform providers.

You are responsible for providing timely, accurate, and complete access and information, for taking your own backups, and for assessing the impact of testing on any production system. Where practical, you should provide a non-production environment. You will not represent to any third party that we have tested or assured anything outside the agreed scope.

You will indemnify us against any claim, loss, liability, cost, or expense we incur arising from your breach of this section, including any claim that testing was carried out without proper authorisation or affected systems or data you did not own or control.

5. Nature of the assessment and no guarantee

A security assessment is a time-boxed, best-efforts exercise that reflects the application as it existed at the time of the work. It cannot, and does not, identify every vulnerability, weakness, misconfiguration, or risk. The absence of a finding is not a statement, assurance, or guarantee that a system is secure or free of vulnerabilities.

No software can be made completely secure. The Services are intended to help you identify, understand, and manage security risk. They do not eliminate it and do not transfer it to us. We give no warranty, express or implied, that any application is or will be secure, that all vulnerabilities have been or will be found, or that any vulnerability will not be exploited.

Our findings and recommendations relate only to the agreed scope at the time of assessment. Changes made after delivery, and anything outside the agreed scope, are not covered. The report is not a certification, accreditation, audit opinion, or guarantee of compliance with any law, standard, or framework, and is not legal advice. Decisions you take in reliance on the report, including whether and how to remediate, are yours.

In carrying out the Services, we will not knowingly perform denial-of-service testing, attempt to pivot to systems outside the agreed scope, or take actions designed to disrupt your services. We will use reasonable care to avoid unintended impact, but you remain responsible for the production consequences of granting us access (see section 4).

If during an engagement we discover what we reasonably believe to be an active compromise, an imminently exploitable issue, or evidence of unauthorised activity affecting your systems, we will notify you promptly and as confidentially as practicable. We are not obliged to investigate beyond the agreed scope, to perform incident response, or to take remediation action ourselves. Onward disclosure to your customers, regulators, or other third parties is your responsibility as controller.

6. Tools and third-party providers

We use commercial and open-source security tooling and reputable third-party service providers, including automated analysis and AI-assisted tooling, to deliver the Services. AI-assisted analysis is a core part of our standard assessment methodology, not an optional add-on.

We currently use, and may use, AI tools and services provided by Anthropic (Claude) and OpenAI (including OpenAI Codex) for code and configuration analysis during assessments. Both are reputable US-based companies operating under data processing agreements and applicable international transfer safeguards. We may also use any other AI, large language model, or analysis services we consider suitable for the engagement, including providers not specifically named in these terms, provided their use is consistent with our confidentiality and data handling obligations to you.

AI tools are used to widen what we can examine in the time available and to surface candidate findings. The final findings, prioritisation, and recommendations in the report represent our professional judgement, not the raw output of any tool.

If the use of any specific provider or category of tooling is unacceptable to you, please tell us before engaging. We will tell you whether we can accommodate your requirements or whether, in our view, we are unable to deliver the Services without them. By engaging us, you consent to the materials you provide being processed using such tools and providers for the sole purpose of delivering the Services.

7. Data protection

JustAppSec Limited is registered as a data controller with the UK Information Commissioner's Office (ICO registration reference ZC068280).

You remain the data controller for any personal data contained in the code, environments, configurations, logs, or other materials you give us access to or ask us to assess. You confirm and warrant that you have a lawful basis under the UK General Data Protection Regulation and the Data Protection Act 2018 to share that data with us for the purposes of the Services, and that doing so does not breach any other agreement or duty you owe.

Where you give us access to materials containing personal data, we process that data only to deliver the Services and in accordance with these terms. We treat all such data as confidential. We apply reasonable technical and organisational measures to protect the materials you provide.

Materials you provide are processed by us in the United Kingdom. Where we use third-party tools, providers, or sub-contractors to deliver the Services, those parties may process materials outside the United Kingdom, including in the United States or the European Economic Area. Reputable providers we use operate under data processing agreements and applicable international transfer safeguards (such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or equivalent). On reasonable written request, we will describe the categories of tools, providers, and sub-contractors used for your engagement. We do not publish a sub-processor list but will engage with reasonable due diligence requests.

Where reasonably practical, you should redact, mask, or pseudonymise personal data, or provide a non-production environment with representative test data, rather than sharing live personal data with us. Responsibility for any international transfer of personal data resulting from you sharing materials with us, including transfer to providers used to deliver the Services under section 6, sits with you as the controller.

Where the Services involve us processing personal data on your behalf such that you are the controller and we are the processor for the purposes of the UK GDPR, these terms also serve as the data processing agreement required by Article 28. The subject matter, duration, nature, and purpose of processing, the type of personal data, and the categories of data subjects are determined by the scope and content of the engagement as agreed with you in writing. In addition to the other obligations in this section, in such a case:

  • we process personal data only to deliver the Services and only on your documented instructions, except where required by law;
  • persons authorised by us to process personal data are bound by confidentiality;
  • we apply appropriate technical and organisational measures to the personal data;
  • we will inform you without undue delay of any personal data breach affecting personal data we are processing for you;
  • we will assist you, taking into account the nature of processing and the information available to us, in responding to data subject requests and in carrying out reasonable data protection impact assessments;
  • on completion of the Services we will return or delete personal data as set out in this section;
  • you authorise us to engage the categories of tools, providers, and sub-contractors described in section 6 and elsewhere in these terms, and we will inform you of any material change to our use of sub-processors; and
  • we make available information reasonably necessary to demonstrate compliance with this section. Audits or inspections, where reasonably required, will be agreed in advance, conducted at your cost, and arranged so as not to unduly disrupt our operations or breach our obligations to other clients.

We do not seek and do not need to receive special category personal data, such as health, biometric, or political opinion data, to deliver the Services. You should not share such data with us unless we have agreed in writing that you may. If during an assessment we incidentally encounter such data, for example in code, test data, configurations, or logs falling within the agreed scope, we will not extract, copy, or further process that data beyond what is necessary to complete the assessment, and our incidental encounter is not a breach of these terms.

Within 90 days of completion of an engagement, we will delete (or, on your written request and where reasonably practical, return) the materials you provided to us for the purposes of the assessment, including source code, environment access details, datasets, configurations, and any other materials supplied by you, from systems under our direct control. Where those materials have been processed using third-party tools, providers, or sub-contractors, the deletion of any data those parties may have retained is subject to their own retention and deletion policies. We will request deletion in line with their standard process where applicable.

We retain our own work product, which includes the report we delivered to you, our working notes, our internal records of the engagement, and our communications with you. We keep this work product so that we can respond to any subsequent issue or claim arising from the engagement, support you if you return to us as a client, and meet our own internal record-keeping needs. We may keep our work product for so long as we consider appropriate for those purposes. Copies in routine backups will not be accessed in the normal course and will be overwritten by our standard backup retention cycle.

You will indemnify us against any claim, loss, liability, cost, or expense we incur arising from your breach of this section, including any claim by a data subject, customer, or regulator relating to materials you shared with us in breach of these terms.

8. Confidentiality

We treat your code, data, and the findings we produce for you as confidential, and use them only to deliver the Services and as set out in these terms. You treat our reports, methods, templates, and materials as confidential, and use the report only for your own internal business purposes.

These obligations do not apply to information that is or becomes public through no breach of these terms, was already lawfully known to the receiving party, is independently developed, or is required to be disclosed by law or a regulator, in which case reasonable notice will be given where lawful.

9. Intellectual property

Once the relevant fees have been paid in full, you may use the report internally for your own business purposes. We retain all intellectual property rights in our methodologies, know-how, tooling, and templates, and in any general knowledge and experience gained.

You may share the report with third parties who have a legitimate need to see it, provided you do so under appropriate confidentiality obligations. You may not publish the report publicly, or represent it to any third party as a certification, endorsement, or assurance of security by us.

10. Marketing references

We may reference the existence of an engagement, including by your name or logo, on a “worked with” style list or in anonymised case study material, only with your prior written consent. Consent may be given for a specific use and may be withdrawn by you on reasonable written notice, in which case we will remove the reference from prospective marketing within a reasonable period.

We will not publish your report, your findings, or any technical detail of the engagement without your prior written consent.

11. Fees and payment

The Application Security Health Check is provided for a fixed fee, confirmed in writing for each engagement. Unless agreed otherwise, the fee is invoiced in two instalments: a 50% deposit invoiced on agreement of the engagement, payable before work begins; and the balance invoiced on delivery of the report, payable within 7 days of the invoice date.

All sums payable to us are payable in full without set-off, counterclaim, deduction, or withholding, other than any deduction or withholding required by law.

We may charge interest and reasonable recovery costs on overdue amounts under the Late Payment of Commercial Debts (Interest) Act 1998. If an engagement is cancelled or rescheduled by you after it has been agreed, we may charge for work already carried out and for committed time we are unable to reallocate.

12. Liability

Nothing in these terms limits or excludes liability that cannot lawfully be limited or excluded, including liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation.

Subject to that, and to the fullest extent permitted by law: we are not liable for any indirect, consequential, or special loss, or for loss of profit, revenue, business, contracts, goodwill, anticipated savings, or data; and we are not liable for any security incident, breach, intrusion, loss, or damage arising from a vulnerability or issue not identified, from your systems, code, or environments, from third parties, or from your acts or omissions.

Our total aggregate liability arising out of or in connection with an engagement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, is limited to the total fees paid by you for that engagement. We will perform the Services with reasonable skill and care. Beyond that, and to the fullest extent permitted by law, all warranties, conditions, and terms implied by statute or common law are excluded.

We maintain professional indemnity, public liability, and employers' liability insurance appropriate to the Services, and details of our current cover are available on request. The existence of this insurance does not increase, extend, or vary the limitation of liability set out in this section, and no particular level of cover forms part of our agreement with you unless we have expressly agreed it in writing for a specific engagement. The limitation of liability set out in this section represents the agreed allocation of risk between the parties and is reflected in the fee.

13. Force majeure

Neither party is in breach of these terms, or liable to the other, for any failure or delay in performance caused by events beyond its reasonable control, including acts of God, war, terrorism, civil unrest, government action, epidemics, fire, flood, power or internet outage, third-party service failure, industrial action, or material illness or incapacity of personnel.

The affected party will notify the other promptly, take reasonable steps to mitigate, and resume performance as soon as reasonably practicable. If the event continues for more than 60 days, either party may terminate the affected engagement by written notice. No fees are payable for work not carried out as a result of a force majeure event, and we will refund any fees paid in advance for such work.

14. Termination

Either party may end an engagement before work begins by written notice. If an engagement ends after work has started, you remain liable for the fees properly due for work carried out up to that point. The sections of these terms that by their nature should survive termination will continue to apply.

15. Compliance with laws

Each party will comply with all applicable laws and regulations in performing its obligations under these terms.

Each party will comply with the Bribery Act 2010 and will not give, offer, promise, request, agree to receive, or accept any financial or other advantage that would breach that Act in connection with these terms or the Services.

Each party will comply with all applicable laws relating to slavery and human trafficking, including the Modern Slavery Act 2015 to the extent applicable.

16. Governing law and jurisdiction

These terms and any dispute or claim arising out of or in connection with them or the Services, including non-contractual disputes or claims, are governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction.

17. Changes to these terms

We may update these terms from time to time. The version that applies to an engagement is the version in force when that engagement is agreed. The “last updated” date above reflects the most recent revision.

18. General provisions

Entire agreement. These terms, together with any written engagement confirmation we send you for a specific engagement, constitute the entire agreement between the parties relating to the Services and supersede any prior discussions, proposals, or understandings, whether oral or written. Neither party has relied on any statement or representation not expressly set out in these terms or that engagement confirmation, save that nothing limits liability for fraud or fraudulent misrepresentation.

No waiver. A failure or delay by either party to exercise any right under these terms is not a waiver of that right. A waiver of any breach is not a waiver of any subsequent breach.

Severability. If any provision of these terms is held to be invalid, illegal, or unenforceable, the remaining provisions continue in full force. The parties will negotiate in good faith to replace the affected provision with a valid provision that achieves, as nearly as possible, the original commercial intent.

Assignment and subcontracting. You may not assign, transfer, or sub-contract any of your rights or obligations under these terms without our prior written consent. We may sub-contract the performance of all or part of the Services to a reputable third party, provided we remain responsible to you for that performance. We may assign these terms in connection with a reorganisation, merger, or sale of all or substantially all of our business.

Notices. Notices under these terms must be in writing and may be sent by email to the addresses set out in section 19, or by post to our registered office address. A notice sent by email is deemed received on the next working day after sending, provided no delivery failure is received.

No partnership or agency. Nothing in these terms creates a partnership, joint venture, agency, employment, or fiduciary relationship between the parties. Neither party may bind the other.

Third-party rights. A person who is not a party to these terms has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of their provisions. This does not affect any right or remedy of a third party which exists or is available apart from that Act.

Electronic communications. These terms may be agreed by email or other electronic means, which the parties confirm is binding.

19. Contact

Questions about these terms, and notices under section 18, can be sent to [email protected], or via the contact page.

Want a professional to look at it?Get an AppSec Health Check.