Terms of service
TERMS OF BUSINESS
Clockwork Cyber Limited
Company number: SC886072
VAT number: GB517562286
Email: john.hay@clockworkcyber.co.uk
Website: www.clockworkcyber.co.uk
Last updated: May 2026
1. About these Terms
These Terms of Business apply to the use of this website and to services supplied by Clockwork Cyber Limited, trading as Clockwork Cyber.
By using this website, placing an order, accepting a quotation, paying an invoice, responding to a pro forma invoice, or otherwise instructing Clockwork Cyber to begin work, the client agrees to these Terms.
Clockwork Cyber provides services to business customers only. By placing an order, the client confirms that they are acting in a business capacity and not as a consumer.
2. About Clockwork Cyber
Clockwork Cyber provides business-to-business cyber security, compliance, certification support, assessment support, technical testing, benchmarking and related advisory services.
Services may include, but are not limited to:
Cyber Essentials support;
Cyber Essentials Plus support or assessment activity where available;
IASME Cyber Assurance support;
CIS Benchmarking;
penetration testing services directly or through approved delivery partners;
vulnerability review and remediation guidance;
policy, risk and compliance documentation;
and related cyber security advisory services.
The exact services supplied will be those described in the relevant product page, quotation, order confirmation, email agreement, statement of work, scope confirmation or invoice.
3. Website use
The information on this website is provided for general business information purposes only.
Clockwork Cyber aims to keep website content accurate and up to date, but does not guarantee that all information is complete, current or suitable for every organisation.
Website content should not be treated as legal, regulatory, technical or certification advice specific to your organisation unless Clockwork Cyber has been formally engaged to provide that advice.
You must not misuse this website, attempt unauthorised access, interfere with its operation, introduce malicious code, scrape content in a way that affects service availability, or use the website for unlawful purposes.
4. Orders and service acceptance
Submitting an enquiry, placing an order or requesting a service does not automatically mean that Clockwork Cyber has accepted the work.
Clockwork Cyber may review the request, confirm the scope, request further information, issue a quotation, issue a pro forma invoice or decline the work where appropriate.
Clockwork Cyber may refuse, pause or cancel work where the scope is unclear, authority is incomplete, payment has not been received, the requested work is outside capability or availability, or the work presents unacceptable legal, ethical, security or operational risk.
5. Certification and assessment outcomes
Clockwork Cyber can support and guide clients towards cyber security, compliance and certification outcomes.
Clockwork Cyber does not guarantee that a client will pass, achieve or retain any certification. Certification outcomes depend on the client’s systems, evidence, answers, scope, remediation, cooperation, scheme rules, assessment findings and the relevant certification or assessment decision.
Clients remain responsible for the accuracy of information, evidence and declarations submitted as part of any certification or assessment process.
6. Client responsibilities
The client must provide accurate, complete and timely information, evidence, access, contact details and cooperation required to deliver the agreed service.
The client is responsible for ensuring that:
all information provided to Clockwork Cyber is accurate and not misleading;
the client has authority to instruct the work;
the client has authority to provide access to relevant systems, networks, cloud services, devices, records, reports or evidence;
all required internal approvals and third-party permissions are in place;
the client responds to reasonable requests for information or clarification;
identified issues are remediated where required;
and the client does not ask Clockwork Cyber to misrepresent evidence, conceal non-compliance, bypass scheme rules or act unlawfully.
Clockwork Cyber may pause, delay, refuse or end work where the client does not provide required information, evidence, payment, authority, access, remediation or cooperation within a reasonable timeframe.
7. Payment
Unless otherwise agreed in writing, payment must be received before work starts.
Where a pro forma invoice is issued, work will not begin until payment has been received and cleared.
Clockwork Cyber may pause or withhold delivery of services, reports, assessment activity or outputs where payment is overdue.
Prices are stated in pounds sterling. VAT will be applied where applicable.
8. Refunds and cancellation
Once work has started, fees are non-refundable except where Clockwork Cyber has failed to deliver the agreed service or where a refund is required by law.
Where the client cancels before work has started, Clockwork Cyber may refund the fee paid, less any non-recoverable third-party costs, payment processing fees or administrative costs already incurred.
Where work has started and the client cancels, fails to cooperate, fails to provide required information, or does not complete remediation or evidence requirements, Clockwork Cyber may retain fees for work already carried out, time reserved, third-party costs and committed resources.
9. Service delivery
Services are normally delivered remotely using email, video meetings, secure document sharing, client portals, certification platforms, cloud services, vulnerability scanning platforms or other agreed digital methods.
Reports and sensitive outputs will normally be delivered using secure document sharing rather than unsecured email attachments.
Once a report or output has been downloaded or accessed by the client, the client is responsible for protecting its copy.
10. Technical testing, assessment access and client authorisation
Some services may involve technical testing, scanning, benchmarking, evidence review, configuration review, device assessment, cloud service review or similar activity.
By purchasing or instructing a service that involves technical testing, scanning, benchmarking, evidence review or assessment activity, the client confirms that they have the legal authority to permit that activity for all systems, networks, devices, cloud services, applications, data, domains and third-party services included within the agreed scope.
The client authorises Clockwork Cyber and any approved delivery partner to carry out the testing, scanning, benchmarking, review or assessment activity required to deliver the purchased service, including Cyber Essentials Plus assessment activity, penetration testing and CIS Benchmarking, within the agreed scope, dates, methods and limitations.
The client is responsible for ensuring that any required third-party permissions are obtained before testing begins. This includes permissions from hosting providers, cloud providers, managed service providers, software vendors, landlords, parent companies, group companies or other system owners where applicable.
Clockwork Cyber may refuse, pause or stop work where authority, scope or permission is unclear, incomplete or withdrawn.
11. Scope confirmation for technical work
Before Cyber Essentials Plus technical assessment activity, penetration testing or CIS Benchmarking begins, Clockwork Cyber will require a scope confirmation. This may be accepted by email reply.
The scope confirmation may include:
systems, devices, users, cloud services, applications, domains, URLs, IP addresses or network ranges in scope;
systems or activities excluded from scope;
testing dates or windows;
emergency contact details;
business-critical or fragile systems;
third-party permissions;
authorised testing methods;
and any special restrictions or limitations.
For penetration testing, denial-of-service testing, destructive testing, social engineering, physical intrusion, password spraying, phishing and malware activity are excluded unless expressly agreed in writing.
Clockwork Cyber may pause or stop testing if it identifies a risk of service disruption, unclear authorisation, unexpected system behaviour or exposure outside the agreed scope.
12. Third-party providers and partners
Clockwork Cyber may use carefully selected third-party providers, suppliers or partners to support service delivery.
This may include providers of payment processing, accounting, secure document sharing, certification platforms, technical testing, vulnerability scanning, cloud services, professional advice or other business support.
Clockwork Cyber manages supplier and partner use through appropriate security, confidentiality, contractual and data protection controls.
13. Confidentiality
Clockwork Cyber and the client must keep non-public business, technical, security, commercial, financial and operational information confidential.
Confidential information may only be used for the purpose of delivering, receiving, managing or supporting the agreed service.
This does not prevent disclosure where required by law, regulation, court order, certification scheme requirement, insurer requirement, professional adviser requirement, or where disclosure is needed to respond to a security incident or protect systems and data.
14. Passwords, secrets and sensitive information
Clients must not send or upload passwords, private keys, MFA codes, recovery codes, secrets, unnecessary sensitive data or unrelated personal data to Clockwork Cyber unless specifically requested through an agreed secure process.
Where credentials or privileged access are required, the method of access must be agreed in advance and kept to the minimum necessary for the service.
15. Data protection
Clockwork Cyber handles personal data in line with its Privacy Policy, which is available on the website.
Clients must ensure that any personal data provided to Clockwork Cyber is necessary, lawful, accurate and relevant to the service.
Where Clockwork Cyber processes personal data on behalf of a client, the roles and responsibilities of the parties will depend on the service being provided and the applicable data protection law, contract, scheme rule or scope confirmation.
ICO Registration - ZC168828
16. Customer feedback, complaints and appeals
Clockwork Cyber records and reviews customer feedback to help monitor service quality and improve its processes.
A complaint is a concern about service quality, communication, delay, conduct, administration or another aspect of Clockwork Cyber’s service.
An appeal is a challenge to a decision, assessment view, outcome or judgement connected to work carried out by Clockwork Cyber, where an appeal route is applicable.
Complaints and appeals should be sent to:
john.hay@clockworkcyber.co.uk
Clockwork Cyber aims to acknowledge complaints and appeals within 2 working days.
Clockwork Cyber aims to provide a final complaint response or initial appeal outcome within 10 working days. Where more time is required, the reason and revised target date will be recorded and communicated.
Where a complaint or appeal relates to an IASME scheme, certification body decision, assessment judgement or other external scheme process, Clockwork Cyber may need to follow the relevant scheme, certification body or regulator process. This may include escalation to the relevant certification body, IASME or other scheme authority where required.
17. Intellectual property
Unless otherwise agreed in writing, Clockwork Cyber retains ownership of its templates, methods, tools, working papers, know-how, processes and pre-existing materials.
The client may use final reports and deliverables supplied by Clockwork Cyber for its own internal business purposes, certification activity, audit activity, remediation, governance and supplier assurance.
The client must not resell, publish, copy, adapt or distribute Clockwork Cyber materials for unrelated commercial use without written permission.
Website content, branding, text, documents, templates, graphics and other materials remain the property of Clockwork Cyber or its licensors unless stated otherwise.
18. Liability
Subject to the exclusions below, Clockwork Cyber’s total aggregate liability to the client arising out of or in connection with the relevant service, whether in contract, delict, tort, negligence, breach of statutory duty or otherwise, shall be limited to £1,000 per service/order.
Nothing in these Terms limits or excludes liability for death or personal injury caused by negligence, fraud, fraudulent misrepresentation, or any other liability that cannot lawfully be limited or excluded.
Clockwork Cyber shall not be liable for indirect or consequential loss, loss of profit, loss of business, loss of contract, loss of anticipated savings, loss of goodwill, loss of opportunity, or loss arising from inaccurate, incomplete or delayed information provided by the client.
The client remains responsible for its own systems, decisions, remediation, certification submissions, evidence, security controls, backups, business continuity arrangements and risk acceptance decisions.
19. Refusal, suspension or termination
Clockwork Cyber may refuse, suspend or end work where:
the client asks Clockwork Cyber to act unlawfully;
the client asks Clockwork Cyber to misrepresent evidence or conceal non-compliance;
the client asks Clockwork Cyber to bypass certification or scheme requirements;
the client does not provide required information, evidence, access or payment;
the client does not have authority to permit testing or assessment activity;
continued work may create unacceptable legal, ethical, security or operational risk;
or the client behaves abusively, dishonestly or unreasonably.
20. Security and vulnerability reporting
Clockwork Cyber welcomes responsible reporting of security concerns relating to its website or services.
If you believe you have identified a security vulnerability, please email:
john.hay@clockworkcyber.co.uk
Please include enough detail to allow Clockwork Cyber to understand and investigate the issue, including the affected page, service, system, steps to reproduce, screenshots where appropriate, and any relevant technical details.
Clockwork Cyber will aim to acknowledge vulnerability reports within 2 working days and provide an initial assessment within 5 working days. Updates will be provided until the issue is resolved, where appropriate.
Anyone reporting a vulnerability must act responsibly and must not:
access, modify, delete or exfiltrate data;
disrupt services;
attempt social engineering;
attempt physical intrusion;
perform denial-of-service testing;
use malware;
or publicly disclose the issue before Clockwork Cyber has had a reasonable opportunity to investigate and resolve it.
21. Links to other websites
This website may contain links to third-party websites or services.
Clockwork Cyber is not responsible for the content, availability, security or privacy practices of third-party websites. Use of third-party websites is at the user’s own risk and may be subject to separate terms and privacy policies.
22. Changes to these Terms
Clockwork Cyber may update these Terms from time to time. The version published on the website will apply unless a different version has been expressly agreed in writing.
23. Governing law
These Terms are governed by Scots law.
The courts of Scotland shall have jurisdiction over disputes arising from or connected with these Terms, unless another jurisdiction is required by law.
24. Contact
For questions about these Terms, contact:
Clockwork Cyber Limited
Email: john.hay@clockworkcyber.co.uk
Website: www.clockworkcyber.co.uk
Registered office: Rowallan Drive, ML1 5WX
25. Modern Slavery and Human Trafficking Statement
https://clockworkcyber.co.uk › pages › modern-slavery-and-human-trafficking-statement