Subscription & pricing terms and conditions
Subscription Service Agreement
Fractional CISO & Information Security GRC Services
This Subscription Service Agreement (“Agreement”) is made and entered into on the date of initial subscription payment (the “Effective Date”) by and between:
Clear Path Security Ltd, a company incorporated and registered in England and Wales with company number 16304571 whose registered office is at 483 Green Lanes, London, N13 4BS (“Service Provider” or “MSSP”); and
The contact entered in the subscription billing details (“Client”).
Each a “Party” and together the “Parties”.
1. Definitions
Term – Meaning
“Agreement” – This Subscription Service Agreement, including all Schedules and Annexes.
“Confidential Information” – Information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 11.
“Data Protection Legislation” – All applicable privacy and data protection laws including the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications Regulations (PECR).
“Deliverables” – The outputs of the Services specified in Schedule 1.
“Fees” – The subscription fees payable by Client, set out in clause 6 and Schedule 2.
“Services” – The Fractional CISO and Information Security Governance, Risk & Compliance (“GRC”) services detailed in Schedule 1.
“Service Levels” – The performance standards set out in Schedule 2.
“Term” – The period beginning on the Effective Date and continuing on a monthly rolling basis until terminated in accordance with clause 7.
2. Interpretation
2.1. Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.
2.2. A reference to legislation is a reference to such legislation as amended, extended or re‑enacted from time to time.
2.3. Any words following “including”, “include”, “in particular” or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding those terms.
3. Scope of Services
3.1. The Service Provider shall provide the Services to the Client during the Term in accordance with the Service Levels.
3.2. The Services comprise a subscription‑based fractional Chief Information Security Officer (“CISO”) function and GRC support, as further described in Schedule 1.
3.3. The Service Provider may update methodologies or tooling used to deliver the Services, provided that such changes do not materially degrade the scope or quality of the Services.
4. Obligations of the Service Provider
The Service Provider shall:
4.1. Perform the Services with reasonable skill and care, in accordance with Good Industry Practice and applicable laws;
4.2. Ensure its personnel are suitably skilled and experienced;
4.3. Maintain all necessary licences, permissions and consents required to perform the Services; and
4.4. Use commercially reasonable efforts to meet or exceed the Service Levels.
5. Obligations of the Client
The Client shall:
5.1. Provide timely access to information, systems, personnel and premises reasonably required by the Service Provider;
5.2. Designate a primary point of contact empowered to make decisions on behalf of the Client;
5.3. Ensure the accuracy and completeness of information provided to the Service Provider;
5.4. Implement any controls or recommendations made by the Service Provider that the Client accepts; and
5.5. Pay the Fees in accordance with clause 6.
6. Fees, Billing & Payment
6.1. The Client shall pay the monthly subscription Fees set out in Schedule 2 (“Fee Schedule”).
6.2. The initial payment is due up front to initiate this Agreement (the “Effective Date”), with each subsequent payment due at exactly one full UK calendar month intervals following on from the Effective Date.
6.3. All Fees are exclusive of VAT.
6.4. Without prejudice to any other rights, the Service Provider may suspend Services upon ten (10) Business Days’ written notice if any undisputed invoice remains unpaid after its due date.
6.5. The Service Provider may increase Fees on not less than thirty (30) days’ written notice once in any twelve (12) month period.
7. Term & Termination
7.1. This Agreement shall commence on the Effective Date and shall continue on a monthly rolling basis (each month constituting a “Subscription Period”).
7.2. Either Party may terminate this Agreement for convenience by giving the other Party not less than thirty (30) days’ written notice, such notice to expire at the end of any Subscription Period.
7.3. Either Party may terminate immediately upon written notice if the other Party:
a) commits a material breach incapable of remedy;
b) commits a material breach capable of remedy but fails to remedy within thirty (30) days of notice; or
c) becomes insolvent, enters administration or similar.
7.4. Upon termination for any reason: (i) Client shall pay outstanding Fees up to the effective date of termination; (ii) Service Provider shall deliver any completed Deliverables; and (iii) clauses intended to survive termination (including 10, 11, 12, 13) shall continue.
8. Change Management & Additional Services
8.1. Either Party may request changes to the scope of Services. The Parties shall discuss the requested change in good faith and document any agreed variation (including any adjustment to Fees, timetable or Deliverables) in a written Change Order signed by both Parties.
8.2. Unless otherwise agreed in a Change Order, additional work falling outside the scope of Schedule 1 shall be charged at the Service Provider’s prevailing day rates.
9. Service Levels & Credits
9.1. The Service Provider shall use reasonable endeavours to meet or exceed the Service Levels specified in Schedule 2.
9.2. If the Service Provider fails to meet a Service Level, the Client shall be entitled to the service credits set out in Schedule 2, which shall be the Client’s sole and exclusive remedy for any failure to meet Service Levels.
9.3. Service credits shall be applied as a deduction from the next monthly invoice.
10. Confidentiality
10.1. Each Party undertakes that it shall not disclose to any person any Confidential Information, except as permitted by clause 10.2.
10.2. Each Party may disclose the other Party’s Confidential Information: (a) to its employees, officers, representatives, subcontractors or advisers who need to know such information for the purposes of carrying out its obligations under this Agreement; and (b) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
10.3. Neither Party shall use the other Party’s Confidential Information for any purpose other than to perform its obligations under this Agreement.
11. Data Protection
11.1. Each Party shall comply with the Data Protection Legislation.
11.2. The Parties acknowledge that, for the purposes of the Data Protection Legislation, the Client is the controller and the Service Provider is the processor in respect of any personal data processed as part of the Services, unless otherwise stated.
11.3. The data processing terms in Schedule 3 (Data Processing Agreement) shall apply and are hereby incorporated by reference.
11.4. The Service Provider shall maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure.
12. Intellectual Property Rights
12.1. All Intellectual Property Rights existing prior to this Agreement (“Background IPR”) shall remain the property of the Party that owns them.
12.2. Subject to payment of all Fees, the Service Provider hereby grants to the Client a worldwide, non‑exclusive, royalty‑free licence to use the Deliverables for the Client’s internal business purposes.
12.3. The Client shall not sub‑licence, assign or otherwise commercially exploit the Deliverables without the Service Provider’s prior written consent.
13. Warranties & Disclaimers
13.1. Each Party warrants that it has the right, power and authority to enter into this Agreement.
13.2. The Service Provider warrants that the Services shall be provided with reasonable skill and care.
13.3. Except as expressly stated, all other warranties (including those implied by statute, common law or otherwise) are excluded to the fullest extent permitted by law.
13.4. The Client acknowledges that the Services constitute advisory and support services; implementation of recommendations and overall security risk rests with the Client.
14. Liability & Indemnity
14.1. Nothing in this Agreement limits any liability which cannot legally be limited, including liability for death or personal injury caused by negligence, and liability for fraud or fraudulent misrepresentation.
14.2. Subject to clause 14.1, each Party’s total aggregate liability arising under or in connection with this Agreement (whether in contract, tort (including negligence), breach of statutory duty or otherwise) shall not exceed 100% of the total Fees paid or payable in the twelve (12) months preceding the event giving rise to the claim.
14.3. Subject to clause 14.1, neither Party shall be liable for: (a) loss of profits; (b) loss of business; (c) loss of anticipated savings; (d) indirect or consequential loss or damage.
14.4. The Client shall indemnify the Service Provider against any third‑party claims arising from the Client’s breach of clause 5 or any misuse of the Deliverables.
15. Non‑Solicitation
The Client shall not, without the Service Provider’s prior written consent, solicit or entice away from the Service Provider or employ or attempt to employ any person who is, or has been, engaged as an employee or subcontractor of the Service Provider involved in the performance of the Services, during the Term and for twelve (12) months thereafter.
16. Subcontracting
The Service Provider may subcontract elements of the Services, provided that it remains responsible for the acts and omissions of its subcontractors as if they were its own.
17. Force Majeure
Neither Party shall be liable for any delay or failure to perform its obligations (excluding payment obligations) if such delay or failure results from circumstances beyond its reasonable control, including acts of God, epidemic or pandemic, war, terrorism, cyber‑attacks of unprecedented scale, riots, fire, flood or storm.
18. Notices
18.1. Any notice given under this Agreement shall be in writing and delivered by hand, pre‑paid first‑class post or recorded delivery to the address stated above (or such other address notified in writing).
18.2. Notices shall be deemed received: if delivered by hand, on signature; or if posted, at 9.00 am on the second Business Day after posting.
19. Entire Agreement & Variation
19.1. This Agreement constitutes the entire agreement between the Parties and supersedes all prior arrangements, understandings or agreements.
19.2. No variation of this Agreement shall be effective unless it is in writing and signed by authorised representatives of both Parties.
20. Governing Law & Jurisdiction
This Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction.
21. Counterparts
This Agreement may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute one Agreement.
Schedule 1 – Service Description
Essentials subscription
– 8 credits per UK calendar month (equates to a maximum of 8 hours spent performing any of the required activities identified in the credit P1 list).
– Weekly threat intel bulletin sent to named client contacts
– Unrestricted access to premium capability-boosting self-help guides.
Pro subscription
– 15 credits per UK calendar month (equates to a maximum of 15 hours spent performing any of the required activities identified in the credit P1 list or the credit P2 list).
– Weekly threat intel bulletin sent to named client contacts
– Unrestricted access to premium capability-boosting self-help guides.
– Legal and regulatory scanning tailored to your industry vertical
– Monthly external security scan of company perimeter network and any external-facing sites that includes.
Full-Spectrum subscription
– 30 credits per UK calendar month (equates to a maximum of 30 hours spent performing any of the required activities identified in the credit P1 list or the credit P2 list).
– AI-augmented threat intelligence tailored to your business, industry & attack surface, sent to named client contacts on a continuous detection basis.
– Unrestricted access to premium capability-boosting self-help guides.
– Legal and regulatory scanning tailored to your industry vertical
– Continuous & on-demand external security scan of company perimeter network and any external-facing sites that includes, with detected concerns flagged to named client contacts.
– Continuous supply chain assurance monitoring up to a maximum of 100 named suppliers. Additional suppliers to be agreed separately.
Schedule 2 – Service Levels & Fees
Essentials Subscription
Initial and subsequent fees required each month: £475.00 GBP
Pro Subscription
Initial and subsequent fees required each month: £1,280.00 GBP
Full-Spectrum Subscription
Initial and subsequent fees required each month: £4,740.00 GBP
Subscription Fee: £ [amount] per month, payable in advance.
Professional Day Rate (for out‑of‑scope work): £ [amount] per day (minimum 0.5‑day increments).
Schedule 3 – Data Processing Agreement (DPA)
Subject Matter & Duration: Processing of personal data as necessary to provide the Services, for the Term plus any post‑termination retention outlined below.
Nature & Purpose of Processing: Security advisory, compliance management, incident readiness, audit support.
Categories of Data Subjects: Client employees, contractors, customers, suppliers, and other stakeholders as determined by the Client.
Types of Personal Data: Names, contact details, job titles, user identifiers, technical log data, risk or incident information.
Retention: Personal data processed for the performance of the Services will be deleted or returned to the Client within 30 days of termination, unless retention is required by law.
Security Measures: ISO 27001‑aligned controls, encryption in transit and at rest, access limited to those with a business need.
Data Subject Rights: Service Provider shall assist the Client in responding to data subject requests.
Audits: Client may audit Service Provider’s compliance with this DPA on 10 Business Days’ notice, subject to confidentiality and a maximum of one audit per year.
