JustAppSec

Terms of Service

Last updated: 19 May 2026

1. Who these terms are between

These terms govern the application security services provided by JustAppSec Limited, a company registered in England and Wales (Company No. 16602827), referred to here as “we”, “us”, or “our”. They apply to the Application Security Health Check and any related security assessment, review, or consultancy work we agree to carry out for you (the “Services”).

An engagement is formed when (a) we send you a written engagement confirmation by email or other electronic means setting out the agreed scope, fee, and any engagement-specific terms, and (b) you accept it in writing, by commissioning the Services, or by providing access to materials for the agreed scope. By doing any of those things, you confirm on behalf of the organisation engaging us (the “Client”, “you”) that you have read, understood, and agreed to these terms and that you have authority to do so.

If a separate signed agreement covers a particular engagement, that agreement takes precedence where it conflicts with these terms.

2. What the Services are

The Services are a time-boxed, point-in-time security assessment of the application, code, environments, and materials agreed with you in writing before work begins. The deliverable is a written report setting out our findings and prioritised recommendations and, where included, a discussion to talk them through.

The Services are not a penetration test, not a comprehensive line-by-line source code audit, and not an assurance, audit, or certification engagement. We do not attempt to chain exploits, demonstrate persistence, or otherwise act as a live attacker against your systems. The Services are a senior-led, AI-assisted review designed to surface the application security weaknesses most likely to matter in your context within the time available, drawing on our professional judgement about where to look and what to prioritise.

The fee is payable for the deliverable, not for a number of hours or days. We determine the methodology, tooling, and level of effort we apply, using our professional judgement, and we do not commit to a minimum amount of time spent on any engagement. Delivery of the agreed report constitutes performance of the Services.

The scope of each engagement is what we confirm with you in writing. Anything not expressly agreed is out of scope. Remediation, retesting, implementation of fixes, and ongoing monitoring are not included unless we agree them separately in writing.

We deliver the report to you in writing, typically by email or a secure file share we agree. The report is deemed accepted if you do not raise a specific written objection within 14 days of delivery. Acceptance, or deemed acceptance, completes our performance for that engagement and starts time running for the purposes of any time-limited claim.

3. Scheduling and delivery

Engagements are scheduled by mutual agreement. The start date and an indicative delivery window are agreed with you on a per-engagement basis and are subject to our availability and to you providing the access and information we need. We will carry out and deliver the Services within a reasonable period agreed with you. Any dates given are estimates, time is not of the essence, and we may decline, defer, or reschedule an engagement where our availability requires it.

We may decline a prospective engagement, or pause an engagement that has not yet begun, at our discretion and without giving reasons. Where we decline a prospective engagement after fees have been paid, we will refund any fees paid for work not yet started.

We are not responsible for delays or for any consequence of delay caused by late, incomplete, or withdrawn access, by third-party dependencies, or by events outside our reasonable control.

4. Your responsibilities and authorisation

You confirm and warrant that you own, or are fully authorised to permit the security testing and code review of, every system, application, environment, repository, account, and dataset you give us access to or ask us to assess, and that you have obtained all consents and authorisations required from any third party, including hosting, cloud, and platform providers.

You are responsible for providing timely, accurate, and complete access and information, for taking your own backups, and for assessing the impact of testing on any production system. Where practical, you should provide a non-production environment. You will not represent to any third party that we have tested or assured anything outside the agreed scope.

You will indemnify us against any claim, loss, liability, cost, or expense we incur arising from your breach of this section, including any claim that testing was carried out without proper authorisation or affected systems or data you did not own or control.

5. Nature of the assessment and no guarantee

A security assessment is a time-boxed, best-efforts exercise that reflects the application as it existed at the time of the work. It cannot, and does not, identify every vulnerability, weakness, misconfiguration, or risk. The absence of a finding is not a statement, assurance, or guarantee that a system is secure or free of vulnerabilities.

No software can be made completely secure. The Services are intended to help you identify, understand, and manage security risk. They do not eliminate it and do not transfer it to us. We give no warranty, express or implied, that any application is or will be secure, that all vulnerabilities have been or will be found, or that any vulnerability will not be exploited.

Our findings and recommendations relate only to the agreed scope at the time of assessment. Changes made after delivery, and anything outside the agreed scope, are not covered. The report is not a certification, accreditation, audit opinion, or guarantee of compliance with any law, standard, or framework, and is not legal advice. Decisions you take in reliance on the report, including whether and how to remediate, are yours.

In carrying out the Services, we will not knowingly perform denial-of-service testing, attempt to pivot to systems outside the agreed scope, or take actions designed to disrupt your services. We will use reasonable care to avoid unintended impact, but you remain responsible for the production consequences of granting us access (see section 4).

If during an engagement we discover what we reasonably believe to be an active compromise, an imminently exploitable issue, or evidence of unauthorised activity affecting your systems, we will notify you promptly and as confidentially as practicable. We are not obliged to investigate beyond the agreed scope, to perform incident response, or to take remediation action ourselves. Onward disclosure to your customers, regulators, or other third parties is your responsibility as controller.

6. Tools and third-party providers

We use commercial and open-source security tooling and reputable third-party service providers, including automated analysis and AI-assisted tooling, to deliver the Services. AI-assisted tools are used to widen the scope of what we can examine in the time available and to surface candidate findings; the final findings, prioritisation, and recommendations represent our professional judgement, not the raw output of any tool. By engaging us, you consent to the materials you provide being processed using such tools and providers for the sole purpose of delivering the Services. We take reasonable steps to select reputable providers and to protect confidential material.

7. Data protection

JustAppSec Limited is registered as a data controller with the UK Information Commissioner's Office (ICO registration reference ZC068280).

You remain the data controller for any personal data contained in the code, environments, configurations, logs, or other materials you give us access to or ask us to assess. You confirm and warrant that you have a lawful basis under the UK General Data Protection Regulation and the Data Protection Act 2018 to share that data with us for the purposes of the Services, and that doing so does not breach any other agreement or duty you owe.

Where you give us access to materials containing personal data, we process that data only to deliver the Services and in accordance with these terms. We treat all such data as confidential. We apply reasonable technical and organisational measures to protect the materials you provide.

Materials you provide are principally processed in the United Kingdom. Reputable third-party tools and providers used to deliver the Services may process materials outside the UK. On reasonable written request, we will describe the categories of tools and providers used for your engagement. We do not currently publish a list of individual sub-processors but will engage with reasonable enterprise due diligence requests.

Where reasonably practical, you should redact, mask, or pseudonymise personal data, or provide a non-production environment with representative test data, rather than sharing live personal data with us. Responsibility for any international transfer of personal data resulting from you sharing materials with us, including transfer to providers used to deliver the Services under section 6, sits with you as the controller.

If an engagement requires us to process personal data on your behalf to an extent that calls for a separate written data processing agreement under Article 28 of the UK GDPR, we will agree one with you in writing before that processing begins.

We do not seek and do not need to receive special category personal data, such as health, biometric, or political opinion data, to deliver the Services. You should not share such data with us unless we have agreed in writing that you may.

Unless we agree otherwise with you in writing, we will return or delete the materials you provided to us, including copies actively held by us, within 90 days of completion of the engagement. We may retain the report, our working notes, and limited records of the engagement for up to six years from completion to address any limitation period applicable to the engagement. Copies in routine backups will not be accessed in the normal course and will be overwritten by our standard backup retention cycle.

You will indemnify us against any claim, loss, liability, cost, or expense we incur arising from your breach of this section, including any claim by a data subject, customer, or regulator relating to materials you shared with us in breach of these terms.

8. Confidentiality

We treat your code, data, and the findings we produce for you as confidential, and use them only to deliver the Services and as set out in these terms. You treat our reports, methods, templates, and materials as confidential, and use the report only for your own internal business purposes.

These obligations do not apply to information that is or becomes public through no breach of these terms, was already lawfully known to the receiving party, is independently developed, or is required to be disclosed by law or a regulator, in which case reasonable notice will be given where lawful.

9. Intellectual property

Once the relevant fees have been paid in full, you may use the report internally for your own business purposes. We retain all intellectual property rights in our methodologies, know-how, tooling, and templates, and in any general knowledge and experience gained.

You may not publish the report externally, or present it as an endorsement, certification, or assurance by us, without our prior written consent.

10. Marketing references

We may reference the existence of an engagement, including by your name or logo, on a “worked with” style list or in anonymised case study material, only with your prior written consent. Consent may be given for a specific use and may be withdrawn by you on reasonable written notice, in which case we will remove the reference from prospective marketing within a reasonable period.

We will not publish your report, your findings, or any technical detail of the engagement without your prior written consent.

11. Fees and payment

The Application Security Health Check is provided for a fixed fee, confirmed in writing for each engagement. Unless agreed otherwise, we invoice on or after delivery and payment is due within 30 days of the invoice date.

All sums payable to us are payable in full without set-off, counterclaim, deduction, or withholding, other than any deduction or withholding required by law.

We may charge interest and reasonable recovery costs on overdue amounts under the Late Payment of Commercial Debts (Interest) Act 1998. If an engagement is cancelled or rescheduled by you after it has been agreed, we may charge for work already carried out and for committed time we are unable to reallocate.

12. Liability

Nothing in these terms limits or excludes liability that cannot lawfully be limited or excluded, including liability for death or personal injury caused by negligence, or for fraud or fraudulent misrepresentation.

Subject to that, and to the fullest extent permitted by law: we are not liable for any indirect, consequential, or special loss, or for loss of profit, revenue, business, contracts, goodwill, anticipated savings, or data; and we are not liable for any security incident, breach, intrusion, loss, or damage arising from a vulnerability or issue not identified, from your systems, code, or environments, from third parties, or from your acts or omissions.

Our total aggregate liability arising out of or in connection with an engagement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, is limited to the total fees paid by you for that engagement. We will perform the Services with reasonable skill and care. Beyond that, and to the fullest extent permitted by law, all warranties, conditions, and terms implied by statute or common law are excluded.

Unless we have expressly agreed otherwise with you in writing for a specific engagement, no warranty or representation is given as to any particular level of professional indemnity, public liability, or other insurance cover. The limitation of liability set out in this section represents the agreed allocation of risk between the parties and is reflected in the fee.

13. Force majeure

Neither party is in breach of these terms, or liable to the other, for any failure or delay in performance caused by events beyond its reasonable control, including acts of God, war, terrorism, civil unrest, government action, epidemics, fire, flood, power or internet outage, third-party service failure, industrial action, or material illness or incapacity of personnel.

The affected party will notify the other promptly, take reasonable steps to mitigate, and resume performance as soon as reasonably practicable. If the event continues for more than 60 days, either party may terminate the affected engagement by written notice. No fees are payable for work not carried out as a result of a force majeure event, and we will refund any fees paid in advance for such work.

14. Termination

Either party may end an engagement before work begins by written notice. If an engagement ends after work has started, you remain liable for the fees properly due for work carried out up to that point. The sections of these terms that by their nature should survive termination will continue to apply.

15. Compliance with laws

Each party will comply with all applicable laws and regulations in performing its obligations under these terms.

Each party will comply with the Bribery Act 2010 and will not give, offer, promise, request, agree to receive, or accept any financial or other advantage that would breach that Act in connection with these terms or the Services.

Each party will comply with all applicable laws relating to slavery and human trafficking, including the Modern Slavery Act 2015 to the extent applicable.

16. Governing law and jurisdiction

These terms and any dispute or claim arising out of or in connection with them or the Services, including non-contractual disputes or claims, are governed by the law of England and Wales. The courts of England and Wales have exclusive jurisdiction.

17. Changes to these terms

We may update these terms from time to time. The version that applies to an engagement is the version in force when that engagement is agreed. The “last updated” date above reflects the most recent revision.

18. General provisions

Entire agreement. These terms, together with any written engagement confirmation we send you for a specific engagement, constitute the entire agreement between the parties relating to the Services and supersede any prior discussions, proposals, or understandings, whether oral or written. Neither party has relied on any statement or representation not expressly set out in these terms or that engagement confirmation, save that nothing limits liability for fraud or fraudulent misrepresentation.

No waiver. A failure or delay by either party to exercise any right under these terms is not a waiver of that right. A waiver of any breach is not a waiver of any subsequent breach.

Severability. If any provision of these terms is held to be invalid, illegal, or unenforceable, the remaining provisions continue in full force. The parties will negotiate in good faith to replace the affected provision with a valid provision that achieves, as nearly as possible, the original commercial intent.

Assignment and subcontracting. You may not assign, transfer, or sub-contract any of your rights or obligations under these terms without our prior written consent. We may sub-contract the performance of all or part of the Services to a reputable third party, provided we remain responsible to you for that performance. We may assign these terms in connection with a reorganisation, merger, or sale of all or substantially all of our business.

Notices. Notices under these terms must be in writing and may be sent by email to the addresses set out in section 19, or by post to our registered office address. A notice sent by email is deemed received on the next working day after sending, provided no delivery failure is received.

No partnership or agency. Nothing in these terms creates a partnership, joint venture, agency, employment, or fiduciary relationship between the parties. Neither party may bind the other.

Third-party rights. A person who is not a party to these terms has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of their provisions. This does not affect any right or remedy of a third party which exists or is available apart from that Act.

Electronic communications. These terms may be agreed by email or other electronic means, which the parties confirm is binding.

19. Contact

Questions about these terms, and notices under section 18, can be sent to [email protected], or via the contact page.
