The following terms and conditions apply to the penetration testing services (the “Services”) provided by IARM Information Security Pvt Ltd (“IARM”) to the Customer, as specified in the accompanying Statement of Work (the “SOW”) issued by IARM to the Customer.
IARM Obligations
IARM will provide the Services specified in the SOW. All other cybersecurity monitoring, assessment, or additional consulting services will be subject to a separate agreement.
Customer Obligations
The Customer is responsible for selecting the penetration testing service, or combination of services, that best meets its needs. The Customer also agrees to provide specific external Internet Protocol (IP) addresses and domains as requested by IARM.
The Customer agrees to have a person available at all times during the penetration testing engagement to restore, as soon as possible, any service or server that becomes unavailable.
In the event that any or all of the Services require IARM to be present on-site at the Customer’s location, the Customer agrees to provide IARM’s Penetration Testing Team (PTT) with all necessary access to the Customer’s site and network to provide the Services. The Customer will also provide IARM in writing, in advance, with any applicable restrictions for PTT presence on the Customer’s site.
Payment Terms
The payment terms are as specified in the SOW. Pricing for the Services is based on the assumptions set forth in the SOW. If, during the course of providing the Services, IARM determines that the assumptions are substantially different from those set forth in the SOW, IARM reserves the right to adjust the pricing prior to the completion of the Services to reflect additional work required as a result of the change in assumptions.
Confidentiality Obligations
In connection with performing the Services, certain confidential or proprietary information may either be provided by the Customer to IARM or generated in the performance of the Services. This includes, without limitation, information regarding the infrastructure and security of the Customer’s information systems; the results of the penetration testing of the Customer’s information systems, insofar as those results may reveal specific vulnerabilities; any systems assessments and plans that relate specifically and uniquely to the vulnerability of the Customer’s information system; or any other document or data otherwise marked by the Customer as “Confidential” (“Confidential Information”).
IARM agrees to keep the Customer’s Confidential Information in confidence to the same extent and in the same manner as IARM protects its own confidential information, but in no event shall less than reasonable care be provided. The Customer’s Confidential Information will not be released in any identifiable form without the express written permission of the Customer or as required by lawfully authorized subpoena or similar compulsory directive. However, IARM shall make reasonable efforts, consistent with applicable law, to limit the scope and nature of such required disclosure. IARM shall be permitted to disclose relevant aspects of such Confidential Information to its employees and third-party Cyber Security Services partners, including federal partners, provided that they agree to protect the Confidential Information to the same extent as required under this Agreement. IARM further agrees to use reasonable steps to ensure that Confidential Information received under this Agreement is not disclosed in violation of this Section. These confidentiality obligations shall survive the termination of this Agreement.
The Customer specifically acknowledges that as part of the Services, the PTT may need to view machine configuration data. IARM agrees that its PTT will avoid intentionally viewing or transferring any customer and user data. The Customer further acknowledges that if sniffers are used as part of the Services, it is possible that customer and/or user data may be captured. IARM agrees that should any personal data be captured, it will destroy any captured personal data and will not review it.
Additional Terms for On-Site Penetration Testing
In the event that the Services require the PTT to be on-site at the Customer’s facility, the Customer hereby acknowledges and consents to PTT presence on site. IARM agrees to comply with any reasonable restrictions for PTT access to the Customer’s site, provided that such restrictions do not unreasonably inhibit IARM’s ability to provide the Services.
Limitation of Liability
The Customer understands and agrees that there is an element of risk associated with penetration testing activities, especially when testing systems in a live environment. This risk includes the potential that some services on the Customer’s system may be rendered unavailable during the testing process. Although this risk is mitigated by the use of experienced professional penetration testers and tools obtained from trusted resources, it can never be fully eliminated. The Customer further understands and agrees that there is no guarantee that every vulnerability in its systems will be identified during the test.
IARM DOES NOT ASSUME ANY RESPONSIBILITY OR LIABILITY FOR ANY ACT OR OMISSION OR OTHER PERFORMANCE RELATED TO THE SERVICES, INCLUDING ANY ACT OR OMISSION BY CONTRACTORS OR SUBCONTRACTORS OF IARM, OR FOR THE ACCURACY OF THE INFORMATION PROVIDED AS PART OF THE SERVICES. THE SERVICES ARE PROVIDED ON AN “AS-IS” BASIS, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED.
If IARM fails to perform the Services required under the SOW for any reason, IARM’s liability shall be limited SOLELY to the return of all, or an appropriate portion, of any consideration paid for the Services not performed.
Termination
Either party may terminate the Services if the other party breaches these Terms and Conditions and such breach is not corrected within 30 days of receipt of written notice of the breach. The Customer shall be responsible for payment for the portion of the Services completed prior to the date of termination.
Force Majeure
Neither party shall be liable for performance delays or for non-performance due to causes beyond its reasonable control.
Relationship of the Parties
Neither the SOW nor these Terms and Conditions create an employment relationship, agency, joint venture, or partnership between the parties. Neither party is authorized to make any representation or commitment on behalf of the other party without its prior written consent. Each party shall be responsible for its own employees, contractors, and agents.
Governing Law
Unless otherwise specifically prohibited by the laws of the Customer’s jurisdiction, any disputes arising in connection with the Services or these Terms and Conditions shall be governed and interpreted by the laws of the Republic of India, without regard to its conflict of law provisions. In the event that the laws of the Customer’s jurisdiction require that the laws of that jurisdiction apply to all contracts entered into by the Customer, then the laws of that jurisdiction shall apply.
Additional Clause
In the event of a breach during the PT Assessment, it shall be the responsibility of the client organization to communicate with its external stakeholders (customers, regulators, law enforcement, etc.). IARM will extend all support to the client in all investigations, if required.
Entire Agreement
The SOW and these Terms and Conditions constitute the entire agreement between IARM and the Customer with respect to the Services, superseding any prior representations, discussions, negotiations, or other agreements, whether written or oral, between the parties. Except as otherwise expressly stated, in the event of a conflict between the terms of the Customer’s SOW and these Terms and Conditions, the provisions of these Terms and Conditions shall prevail.
Waiver and Severability of Terms
The failure of either party to exercise or enforce any right or provision of these Terms and Conditions shall not constitute a waiver of such right or provision. If any provision of these Terms and Conditions is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavor to give effect to the parties’ intentions as reflected in the provision, and the other provisions of these Terms and Conditions shall remain in full force and effect.
For any customer complaints specific to the defined Statement of Work and associated activities, please read our complaints handling policy and procedure below.
Complaints are a valid way of alerting an organisation to potential problems in the way it conducts its business. Through the investigation of complaints, we can gain a clearer appreciation of how or where things might be going wrong. Complaints allow us to analyse how we administer policies and programs, deal with clients and manage issues. They also help us to identify areas that need attention, and this in turn can lead to improvements in service delivery and better decision-making.
IARM Information Security always aims to provide high-quality services that meet customer needs. We believe we achieve this most of the time. As such, we aim always to deliver excellent customer service. We hope that our customers and business partners need never have cause for concern. However, should they feel this is not the case, then this procedure outlines how to approach us to seek resolution.
We view any complaints as an opportunity to learn and improve for the future. More importantly, it also gives us the chance to put things right for the complainant.
A complaint is any expression of dissatisfaction, whether justified or not, about any aspect of IARM Information Security and its service delivery.
Where Complaints Come From
Complaints may come from any individual or organisation who has a legitimate interest in IARM Information Security. A complaint can be received either by email or posted letter. This policy does not cover complaints from staff, who should refer to IARM’s internal grievance policy.
Confidentiality
All complaint information will be handled sensitively, telling only those who need to know and following any relevant data protection requirements.
Responsibility
Overall responsibility for this policy and its implementation lies with the board of IARM Information Security.
The complainant should specify the areas they feel are unsatisfactory and send the complaint by email to:
ccg-iarm@iarminfo.com
Please also include:
On receipt of a complaint, IARM Information Security will provide an acknowledgement of the complaint within 1 business day. It will then undertake a full investigation and aim to provide a full resolution within 10 business days. Where we are not able to resolve the complaint within 10 business days, the complainant will be given an update on progress.
Stage One
On receipt of a complaint, it is logged and investigated. In many cases, a complaint is best resolved by the person responsible for the issue being complained about. Often the issue can be resolved swiftly and where appropriate this will be the first step in the process.
If the complaint relates to a specific employee of IARM, they will be informed and given a fair opportunity to respond.
Stage Two
If the complainant feels that the problem has not been satisfactorily resolved at Stage One, they can request that the complaint is reviewed at Director level.
At this stage, the complaint will be escalated to the IARM Information Security Director(s) with the aim of reaching a satisfactory agreement within 5 working days.
The Director(s) may investigate the facts of the case themselves or delegate a suitably senior person to do so. This may involve reviewing the paperwork of the case and speaking with the person who dealt with the complaint at Stage One. The person who dealt with the original complaint at Stage One will also be kept informed of what is happening.
If the complaint relates to a specific person, they will be notified and given a further opportunity to respond.
Whether the complaint is upheld or not, IARM Information Security will provide a written response to the complaint outlining the actions taken to investigate the complaint and the conclusion. The decision taken at this stage is final.
Where the topic of the complaint is covered by our Terms & Conditions, the Clauses within the Terms & Conditions take precedence.
As part of our Integrated Management System, which includes Quality and Information Security, complaints are held for a period of 12 months and reviewed annually to identify any trends which may indicate a need to take further action. After this period, all records of complaints are deleted as appropriate.
Responsible – the person(s) responsible for developing and implementing the policy. | Thanikainathan
Accountable – the person who has ultimate accountability (correct and thorough completion of the task) and authority for the policy. | Ganesh N
Consulted – the person(s)/groups to be consulted (who provide information for the task, usually Subject Matter Experts) prior to final policy implementation or amendment. | HR, IT Function, HoDs of Functions
Informed – the person(s)/groups to be informed after policy implementation or amendment. | Employees, 3rd party personnel as in scope
Document Name | Complaints Handling Policy & Procedure
Version | 2.0
Author / Designation | Vignesh C
Reviewer / Designation | Thanikainathan T S
Approver / Designation | Ganesh N
Approved Date | 12-May-2025
Release Date | 14-May-2025
Distribution List | All the employees of IARM Information Security
Version Number | Change Requested By | Approved By | Revision Date (DD-MMM-YYYY) | Sections Modified / Summary of Changes
2.0 | Vignesh C | Ganesh N | 14-May-2025 | Author updated due to employee change
1.0 | Mohanabai S | Ganesh N | 12-June-2023 | Initial release