Terms and Conditions

Recitals

(A) SecureRoot Risk Advisory LLP (“SecureRoot”, “the Firm”, “we”, “us”, “our”) is a limited liability partnership registered under the Limited Liability Partnership Act, 2008, providing cybersecurity advisory, vulnerability assessment and penetration testing (“VAPT”), governance, risk and compliance (“GRC”), managed detection and response (“MDR”), security operations centre (“SOC”), virtual CISO (“vCISO”), data protection, and allied professional services.

(B) These Terms and Conditions (“Terms”, “Agreement”) govern all access to and use of the Website (www.secureroot.co) and all professional services delivered by SecureRoot to any client or user (“Client”, “you”, “your”).

(C) By accessing the Website, submitting an enquiry, signing a Statement of Work or Engagement Letter, or otherwise engaging SecureRoot’s services, you confirm that you have read, understood, and agree to be bound by these Terms. If you are entering into these Terms on behalf of a legal entity, you represent and warrant that you have authority to bind that entity.

(D) These Terms should be read together with SecureRoot’s Privacy Policy (SRRA/LEGAL/PP/2026/10) and Cookie Policy (SRRA/LEGAL/CP/2026/10), each of which is incorporated herein by reference.

1. Definitions and Interpretation

1.1 In these Terms, the following expressions have the meanings assigned to them, unless the context otherwise requires:

1.2 References to statutes include any amendment, re-enactment, or subordinate legislation made thereunder. “Includes” and “including” are not exhaustive. Headings are for convenience only and do not affect interpretation. The singular includes the plural and vice versa.

1.3 In case of conflict between these Terms and any SOW or Engagement Letter, the SOW or Engagement Letter shall prevail to the extent of the inconsistency, unless expressly stated otherwise.

2. Engagement and Scope of Services

2.1 SecureRoot will provide the Services as described in the applicable SOW or Engagement Letter. No Services shall commence until: (a) a SOW or Engagement Letter has been signed by both Parties; (b) where applicable, an Authorisation Letter / LOA has been executed; and (c) any agreed advance payment has been received.

2.2 Each SOW shall specify at minimum: (i) the scope and description of Services; (ii) in-scope assets, systems, or processes; (iii) the engagement timeline and key milestones; (iv) the Fees and payment schedule; (v) designated contacts for both Parties; and (vi) any Client obligations necessary to enable SecureRoot to perform the Services.

2.3 Out-of-Scope Work. Any work requested by the Client that falls outside the agreed scope of the SOW shall constitute a change request. SecureRoot will provide a written change order setting out the additional scope, timeline, and Fees. Work on change requests will not commence until the change order is signed by both Parties.

2.4 Client Cooperation. The Client acknowledges that SecureRoot’s ability to perform the Services depends on the timely provision of access, information, approvals, and cooperation by the Client and its personnel. Any delay caused by the Client’s failure to cooperate may result in revised timelines and/or additional Fees.

2.5 Subcontracting. SecureRoot reserves the right to engage qualified sub-contractors to assist in the delivery of Services, provided that: (a) SecureRoot remains responsible for the acts and omissions of sub-contractors; and (b) sub-contractors are bound by confidentiality and data protection obligations no less stringent than those in these Terms.

3. Specific Terms for VAPT and Security Testing Engagements

3.1 Authorisation Requirement. Security testing Services (VAPT, penetration testing, red team assessments, breach attack simulation, phishing simulation) may only be conducted against systems, networks, applications, or assets for which the Client has confirmed it holds the necessary authority and permission. The Client must execute an Authorisation Letter / LOA before testing commences. Unauthorized testing of third-party systems is strictly prohibited.

3.2 Client Representations. By executing an Authorisation Letter, the Client represents and warrants that:

• It owns, leases, or otherwise has lawful authority over all in-scope assets;
• It has obtained all necessary consents from third parties (including cloud providers, SaaS vendors, and co-located tenants) whose systems may be within or adjacent to the scope;
• It has notified its own IT, security, and operations teams of the testing window to prevent inadvertent incident response actions that could interfere with the engagement; and
• Testing the in-scope assets does not violate any applicable law, regulation, contract, or policy.

3.3 Rules of Engagement. Unless expressly agreed otherwise in writing, the following rules apply to all security testing engagements:

• Testing is limited strictly to the assets, IP ranges, URLs, and environments listed in the SOW and Authorisation Letter. Any discovered out-of-scope vulnerabilities will be reported to the Client but not actively exploited.
• SecureRoot will not intentionally cause production system outages, data loss, or service disruption. Testing will be conducted in a manner designed to minimise operational impact.
• Destructive testing (e.g., intentional data destruction, ransomware simulation on live data) requires explicit prior written approval in the SOW.
• If SecureRoot discovers evidence of an existing compromise or active threat actor during testing, it will immediately notify the Client’s designated security contact.
• SecureRoot personnel involved in testing will be named in the Authorisation Letter and will carry copies of the LOA during any on-site testing activities.

3.4 Free Retest. SecureRoot includes one complimentary retest of remediated findings within 90 days of delivery of the final report, limited to the vulnerabilities identified in the original engagement. Retests conducted after 90 days or covering additional scope will be charged at the prevailing day rate.

3.5 Client Indemnity for Authorisation Failures. The Client shall indemnify, defend, and hold harmless SecureRoot and its partners, employees, and agents from and against any claims, losses, fines, penalties, or legal costs arising from the Client’s breach of clauses 3.1 or 3.2, including claims by third parties whose systems were tested without proper authorisation.

4. Fees, Invoicing, and Payment

4.1 Fees are as set out in the applicable SOW or Engagement Letter. All Fees are quoted exclusive of Goods and Services Tax (GST) and any other applicable taxes unless expressly stated otherwise. The Client is responsible for all applicable taxes on the Fees.

4.2 Standard Payment Schedule. Unless otherwise agreed in the SOW:

• 50% of the total Fees are payable in advance upon execution of the SOW, before Services commence;
• 50% of the total Fees are payable upon delivery of the draft final report.

4.3 Invoices. SecureRoot will issue GST-compliant tax invoices in accordance with the Goods and Services Tax Act, 2017. Invoices are payable within 30 days of the invoice date unless otherwise specified.

4.4 Late Payment. Without prejudice to any other rights, if the Client fails to pay any invoice by the due date:

• SecureRoot reserves the right to charge interest on the overdue amount at the rate of 2% per month (or the maximum rate permitted by applicable law, if lower), calculated from the due date to the date of actual payment;
• SecureRoot may suspend delivery of Services until all outstanding amounts (including interest) are paid in full, without liability for any resulting delays; and
• SecureRoot may engage a debt-collection agency or initiate legal proceedings to recover the outstanding amount, and the Client shall be liable for all reasonable recovery costs.

4.5 Disputed Invoices. If the Client disputes any portion of an invoice in good faith, it shall: (a) notify SecureRoot in writing within 10 business days of the invoice date, specifying the nature of the dispute; and (b) pay the undisputed portion by the due date. The Parties shall use reasonable efforts to resolve disputes within 15 business days of notification.

4.6 Expenses. Unless included in the agreed Fees, the Client shall reimburse SecureRoot for all reasonable out-of-pocket expenses incurred in the delivery of Services (including travel, accommodation, and specialist tools), provided such expenses are approved in writing in advance by the Client.

5. Intellectual Property Rights

5.1 SecureRoot IP. All tools, methodologies, frameworks, templates, know-how, and pre-existing materials used or developed by SecureRoot in connection with the Services remain the exclusive property of SecureRoot. Nothing in these Terms shall be construed to transfer ownership of SecureRoot’s proprietary tools, testing methodologies, or background IP to the Client.

5.2 Deliverables. Upon full payment of all Fees due under the applicable SOW, SecureRoot grants the Client a non-exclusive, non-transferable, royalty-free licence to use the Deliverables (including reports, recommendations, and documentation) for the Client’s internal business purposes only. The Client may not:

• Reproduce, distribute, or disclose the Deliverables to third parties (other than the Client’s auditors, regulators, or legal advisors under obligations of confidentiality) without SecureRoot’s prior written consent;
• Use the Deliverables, or any findings therein, to take legal action against SecureRoot; or
• Remove, alter, or obscure any SecureRoot branding, copyright notices, or disclaimers contained in the Deliverables.

5.3 Client Materials. The Client retains all IPR in materials, data, and information provided to SecureRoot for the purpose of delivering the Services (“Client Materials”). The Client grants SecureRoot a non-exclusive licence to use Client Materials solely for the purpose of performing the Services.

5.4 Feedback. If the Client provides SecureRoot with feedback, suggestions, or recommendations regarding the Services, SecureRoot may use such feedback without restriction and without obligation to the Client, and all IPR in such feedback shall vest in SecureRoot.

6. Confidentiality

6.1 Each Party (the “Receiving Party”) agrees to: (a) keep all Confidential Information of the other Party (the “Disclosing Party”) strictly confidential; (b) not disclose Confidential Information to any third party without the Disclosing Party’s prior written consent, except as permitted under clause 6.2; and (c) use Confidential Information only for the purpose of performing or receiving the Services.

6.2 Permitted Disclosures. The Receiving Party may disclose Confidential Information:

• To its employees, directors, contractors, and professional advisors who have a need to know for the purpose of the engagement, provided they are bound by confidentiality obligations at least as stringent as those in this clause;
• As required by applicable law, regulation, or court order, provided that (to the extent permitted by law) the Receiving Party gives the Disclosing Party prompt written notice and cooperates with the Disclosing Party in seeking a protective order; or
• With the prior written consent of the Disclosing Party.

6.3 Exclusions. Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was known to the Receiving Party before disclosure without restriction; (c) is independently developed by the Receiving Party without use of the Confidential Information; or (d) is received from a third party without restriction and without breach of any obligation of confidentiality.

6.4 Security Testing Reports. VAPT reports, penetration testing findings, and related Deliverables contain Sensitive Security Information. The Client shall treat such reports as Confidential Information of the highest sensitivity and implement access controls to limit distribution within the Client organisation to those with a direct need to know.

6.5 Duration. Confidentiality obligations under this clause survive termination or expiry of the Agreement for a period of five (5) years. Obligations with respect to trade secrets shall continue for as long as the information remains a trade secret under applicable law.

6.6 Non-Disclosure Agreement. Where a separate Non-Disclosure Agreement (NDA) has been executed between the Parties, the NDA shall govern confidentiality obligations. In the event of conflict between the NDA and this clause, the NDA shall prevail.

7. Data Protection and Privacy

7.1 Each Party shall comply with all applicable data-protection laws in connection with the performance of the Services, including the DPDPA, GDPR, UK GDPR, and CCPA/CPRA as applicable.

7.2 Where SecureRoot processes Personal Data on behalf of the Client as a Processor, the Parties shall execute a Data Processing Agreement (DPA) setting out the subject matter, duration, nature and purpose of processing, types of Personal Data, categories of Data Subjects, and the obligations and rights of the Client as Controller, in compliance with Art. 28 GDPR and § 8(2) DPDPA.

7.3 Full details of SecureRoot’s processing of Personal Data in its own capacity as Controller (e.g., for marketing, recruitment, billing) are set out in the Privacy Policy (SRRA/LEGAL/PP/2026/10).

8. Warranties and Disclaimers

8.1 Mutual Warranties. Each Party warrants that: (a) it has full power and authority to enter into and perform these Terms; (b) entering into and performing these Terms does not breach any other agreement; and (c) it will comply with all applicable laws in the performance of its obligations.

8.2 Service Warranty. SecureRoot warrants that the Services will be performed with the care, skill, and diligence reasonably expected of a competent professional cybersecurity firm, in accordance with applicable industry standards and the specifications set out in the SOW.

8.3 Disclaimers. Except as expressly set out in clause 8.2, the Services and Deliverables are provided “as is” without any other warranty, express or implied, including warranties of merchantability, fitness for a particular purpose, or non-infringement. SecureRoot does not warrant that:

• The Services will identify all vulnerabilities, threats, or weaknesses in the Client’s systems — security testing is, by nature, a point-in-time assessment of identified attack surfaces;
• Implementation of the Deliverables will prevent all future security incidents, data breaches, or losses;
• The Client’s systems are or will be compliant with all applicable laws and regulations — compliance is the Client’s responsibility.

9. Limitation of Liability

9.1 Neither Party shall be liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive damages, including (without limitation) loss of profit, loss of business, loss of revenue, loss of goodwill, loss of anticipated savings, loss of data, or cost of substitute services, even if advised of the possibility of such damages.

9.2 SecureRoot’s total aggregate liability to the Client under or in connection with this Agreement (whether in contract, tort (including negligence), breach of statutory duty, misrepresentation, or otherwise) shall not exceed the total Fees paid by the Client to SecureRoot under the specific SOW giving rise to the claim in the twelve (12) months immediately preceding the event giving rise to the claim.

9.3 The limitations in clauses 9.1 and 9.2 shall not apply to liability:

• For death or personal injury caused by SecureRoot’s negligence;
• For fraud or fraudulent misrepresentation;
• Arising from SecureRoot’s wilful misconduct or gross negligence;
• Under clause 3.5 (Client indemnity for authorisation failures, which shall operate independently); or
• Which cannot be limited or excluded by applicable law.

9.4 The Client is responsible for maintaining adequate insurance cover (including cyber liability insurance) commensurate with its risk exposure. SecureRoot shall not be liable for losses or damages that would have been prevented by adequate Client-side security controls, timely implementation of recommendations, or appropriate insurance.

10. Indemnification

10.1 Client Indemnity. The Client shall indemnify, defend, and hold harmless SecureRoot and its partners, employees, sub-contractors, and agents (“SecureRoot Indemnitees”) from and against any claims, losses, damages, fines, penalties, costs (including reasonable legal fees), and expenses arising out of or in connection with:

• The Client’s breach of any representation, warranty, or obligation under these Terms;
• The Client’s breach of clauses 3.1 or 3.2 (authorisation for security testing);
• Any claim by a third party arising from the Client’s use or misuse of the Deliverables; and
• The Client’s violation of any applicable law, regulation, or third-party right.

10.2 SecureRoot Indemnity. SecureRoot shall indemnify, defend, and hold harmless the Client from and against any third-party claims of IPR infringement arising directly from the Deliverables as delivered by SecureRoot, provided that the Client: (a) promptly notifies SecureRoot of the claim; (b) gives SecureRoot sole control of the defence; and (c) cooperates reasonably with SecureRoot at SecureRoot’s expense.

11. Term and Termination

11.1 Term. These Terms come into effect on the Effective Date and continue until all SOWs executed under these Terms have been completed or terminated, unless earlier terminated in accordance with this clause.

11.2 Termination for Convenience. Either Party may terminate any individual SOW by giving 30 days’ written notice to the other Party. In such event:

• The Client shall pay all Fees for Services performed up to and including the termination date, plus any non-cancellable expenses already committed by SecureRoot;
• Where SecureRoot terminates for convenience, it shall refund any advance payments attributable to Services not yet commenced as at the termination date; and
• SecureRoot shall deliver to the Client all completed or substantially completed Deliverables.

11.3 Termination for Cause. Either Party may terminate this Agreement or any SOW immediately by written notice if the other Party:

• Commits a material breach of the Agreement and (where the breach is capable of remedy) fails to remedy it within 15 business days of written notice specifying the breach;
• Becomes insolvent, is unable to pay its debts, passes a resolution for winding up, has a liquidator, administrator, or receiver appointed, or enters into any arrangement with creditors; or
• Commits fraud or wilful misconduct in connection with this Agreement.

11.4 Effect of Termination. Upon termination: (a) each Party shall promptly return or securely destroy the other Party’s Confidential Information (retaining copies only as required by law or for legitimate audit purposes); (b) all licences granted under these Terms shall immediately cease; and (c) all accrued rights and liabilities of either Party shall survive termination. Clauses 5, 6, 7, 9, 10, 13, 14, and 15 shall survive termination or expiry of these Terms.

12. Use of the Website

12.1 Permitted Use. Access to and use of the Website is subject to these Terms. You may use the Website for lawful purposes only and in accordance with these Terms. You must not:

• Use the Website in any way that violates any applicable local, national, or international law or regulation;
• Use the Website to transmit or distribute malicious code, viruses, or any other harmful or disruptive software;
• Attempt to gain unauthorised access to any part of the Website or its underlying systems (any such activity constitutes an offence under the Information Technology Act, 2000 and equivalent legislation in other jurisdictions);
• Use automated means (bots, scrapers, crawlers) to harvest content from the Website without SecureRoot’s prior written consent;
• Post or transmit any content that is defamatory, obscene, offensive, discriminatory, or that infringes any third-party rights; or
• Use the Website to submit false, misleading, or fraudulent enquiries.

12.2 Availability. SecureRoot endeavours to maintain the Website’s availability but does not guarantee that it will be uninterrupted, error-free, or free from viruses. SecureRoot may suspend, restrict, or withdraw the Website at any time without notice for maintenance, security, or operational reasons.

12.3 Third-Party Links. The Website may contain links to third-party websites. SecureRoot is not responsible for the content, accuracy, or practices of linked sites and does not endorse them. Access to linked sites is at your own risk.

12.4 Website Content. All content on the Website (text, images, graphics, case studies, whitepapers) is the property of SecureRoot or its licensors and is protected by copyright. You may not reproduce, distribute, or create derivative works without SecureRoot’s prior written consent.

13. Anti-Bribery, Anti-Corruption, and Ethical Conduct

13.1 Each Party warrants that it has not offered, given, received, or agreed to give or receive any gift, payment, or other benefit (whether in cash or in kind) to or from any government official, public authority, or any other person in connection with this Agreement that would constitute a bribe or otherwise violate applicable anti-corruption laws, including the Prevention of Corruption Act, 1988 (India) and, where applicable, the UK Bribery Act 2010 and the US Foreign Corrupt Practices Act.

13.2 SecureRoot operates a zero-tolerance policy towards modern slavery, forced labour, and human trafficking, consistent with the principles of the UK Modern Slavery Act 2015 and equivalent legislation. Neither Party shall engage any person subject to forced, compulsory, trafficked, or child labour in connection with the performance of this Agreement.

13.3 Each Party shall maintain reasonable procedures to prevent the facilitation of tax evasion by associated persons, consistent with applicable law.

14. Force Majeure

14.1 Neither Party shall be in breach of the Agreement or liable for any delay or failure to perform its obligations to the extent that such delay or failure results from a Force Majeure Event, provided that the affected Party: (a) promptly notifies the other Party of the Force Majeure Event and its likely duration; (b) uses reasonable efforts to mitigate the effect of the Force Majeure Event; and (c) resumes performance as soon as reasonably practicable.

14.2 Financial obligations (including the obligation to pay Fees for Services already rendered) are not excused by Force Majeure.

14.3 If a Force Majeure Event continues for more than 60 consecutive days, either Party may terminate the affected SOW by 14 days’ written notice without liability (other than for Services already performed and expenses already incurred).

15. Governing Law and Dispute Resolution

15.1 These Terms, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with them, shall be governed by and construed in accordance with the laws of India, including the Indian Contract Act, 1872, the Information Technology Act, 2000, the Limited Liability Partnership Act, 2008, and applicable rules and regulations made thereunder.

15.2 Dispute Resolution Process. In the event of any dispute, controversy, or claim arising out of or relating to this Agreement or the breach, termination, or validity thereof, the Parties shall follow the following escalation process:

• Step 1 — Negotiation: either Party may give written notice of a dispute. The Parties’ designated representatives shall meet (in person or virtually) within 15 business days of the notice to attempt to resolve the dispute in good faith.
• Step 2 — Mediation: if the dispute is not resolved within 30 days of the notice (or such longer period as agreed in writing), either Party may refer the dispute to mediation administered by the Indian Institute of Arbitration and Mediation (IIAM) or another mutually agreed mediator. The cost of mediation shall be shared equally.
• Step 3 — Arbitration: if mediation fails to resolve the dispute within 45 days of appointment of the mediator, either Party may refer the dispute to binding arbitration in accordance with the Arbitration and Conciliation Act, 1996 (as amended by the Arbitration and Conciliation (Amendment) Act, 2021). The seat of arbitration shall be Kanpur, Uttar Pradesh. The arbitral tribunal shall consist of a sole arbitrator mutually agreed by the Parties, or, failing agreement within 15 days of request, appointed by the High Court of Judicature at Allahabad. The language of the proceedings shall be English.

15.3 Pending resolution of any dispute, the Parties shall continue to perform their respective obligations under the Agreement (other than the specific obligation in dispute).

15.4 Jurisdiction. Subject to clause 15.2, the courts of Gautam Buddha Nagar (Greater Noida), Uttar Pradesh shall have non-exclusive jurisdiction over any matter not capable of resolution by arbitration. Nothing in this clause limits the right of either Party to seek urgent injunctive or other equitable relief from any court of competent jurisdiction.

15.5 International Clients. Where the Client is resident or established in the EU/EEA, UK, or the United States, mandatory consumer or data-protection rights that cannot be waived by contract under the laws of the Client’s jurisdiction shall apply notwithstanding clause 15.1.

16. General Provisions

16.1 Entire Agreement. These Terms, together with any applicable SOW, Engagement Letter, DPA, and NDA, constitute the entire agreement between the Parties with respect to the subject matter hereof and supersede all prior agreements, representations, and understandings (whether written or oral) relating to the same subject matter.

16.2 Amendments. SecureRoot reserves the right to update these Terms at any time. The updated Terms will be published on www.secureroot.co with a revised Effective Date. Material changes will be notified to Clients with active SOWs by email at least 30 days before they take effect. Continued engagement of SecureRoot’s Services following the effective date of updated Terms constitutes acceptance of the updated Terms.

16.3 Waiver. Failure by either Party to enforce any right or remedy under these Terms on any occasion shall not constitute a waiver of that right or remedy on any subsequent occasion. No waiver is effective unless made in writing and signed by an authorised representative of the waiving Party.

16.4 Severability. If any provision of these Terms is held by a competent authority to be invalid, unlawful, or unenforceable to any extent, such provision shall be severed from the remaining Terms, which shall continue to be valid and enforceable to the fullest extent permitted by law.

16.5 Assignment. The Client may not assign, transfer, or sub-licence any of its rights or obligations under these Terms without SecureRoot’s prior written consent. SecureRoot may assign or transfer its rights and obligations to an affiliate or to a successor entity in the event of a merger, acquisition, or sale of all or substantially all of its assets, by giving the Client reasonable prior notice.

16.6 Notices. All notices under these Terms shall be in writing and delivered by: (a) email (with read receipt or electronic delivery confirmation) to the addresses specified in the SOW or Engagement Letter; or (b) courier or registered post to the registered office address. Notices by email are effective on the day of sending (if a business day) or the next business day. Notices by post are effective 3 business days after posting.

16.7 Relationship of Parties. SecureRoot and the Client are independent contractors. Nothing in these Terms creates any partnership, joint venture, agency, employment, or fiduciary relationship between the Parties.

16.8 No Third-Party Beneficiaries. These Terms are for the sole benefit of the Parties and their respective permitted successors and assigns. Nothing herein shall create or be deemed to create any right in or on behalf of any third party.

16.9 Language. These Terms are drafted in the English language. In the event of any conflict between an English version and a translation, the English version shall prevail.

16.10 Counterparts. Any SOW or Engagement Letter may be executed in counterparts (including electronic signatures via DocuSign, Adobe Sign, or equivalent), each of which shall constitute an original, and all of which together shall form one and the same instrument. Electronic signatures are accepted as valid under the Information Technology Act, 2000 (§ 5).