SECTION A — INTRODUCTION
- Parties and Purpose
These Terms & Conditions (“Agreement”) govern the provision of professional services, products, and subscription offerings (collectively, “Services”) by Celeri Victoria, a corporation (“Provider”), to the client identified in the applicable order form, statement of work, or purchase order. The Agreement applies to engagements with commercial entities, municipal and federal government bodies, and enterprises of all sizes.
- Order of Precedence
The Agreement consists of: (a) these Core Terms & Conditions; (b) any applicable Statement of Work (“SOW”); (c) Service Level Addendum (“SLA”); (d) Privacy & Data Processing Addendum (“DPA”); (e) Responsible Disclosure Policy; and (f) any mutually executed addenda. In case of conflict, the order above governs unless the parties expressly state otherwise in writing.
SECTION B — SCOPE OF SERVICES
- Services and Deliverables
Provider will perform Services as described in one or more SOWs. Each SOW will include scope, deliverables, schedule, acceptance criteria, fees, project milestones, and personnel. Services may include, without limitation: offensive testing (penetration tests, red‑team engagements), hardware provisioning (hardened workstations, secure handsets), continuous monitoring, managed detection and response, advisory and architecture services, and software or firmware delivery.
- Changes and Change Orders
Client may request changes to a SOW. Material changes (scope, schedule, resources, or fees) require a written change order signed by both parties. Provider may propose changes where required by law, safety, or risk tolerance; such proposals will include impact to cost and timeline.
SECTION C — TERM, RENEWAL, AND TERMINATION
- Term
The Agreement commences on the effective date of the first executed SOW and remains in force until all active SOWs expire or are terminated, or the Agreement is terminated per these terms.
- Renewal
Subscription and managed services renew automatically for successive terms as set out in the applicable SLA or order form unless either party provides written non‑renewal notice at least 30 days before term end.
- Termination for Convenience
Either party may terminate a SOW for convenience on 60 days’ written notice. Client remains responsible for fees and expenses incurred through the effective termination date, and for any non‑cancelable third‑party costs.
- Termination for Cause
Either party may terminate a SOW or the Agreement for material breach if the breaching party fails to cure within 30 days after written notice. Provider may suspend Services immediately (without liability) if Client’s actions create an imminent risk to personnel, systems, third parties, or legal compliance.
- Effect of Termination
Upon termination: (a) Client will pay all outstanding fees and approved expenses; (b) Provider will deliver any completed deliverables and return Client materials as agreed; (c) each party will return or destroy Confidential Information per Section H; and (d) survival clauses (intellectual property, indemnities, limitations of liability, confidentiality, governing law) remain effective.
SECTION D — FEES, INVOICING, AND PAYMENT
- Fees
Fees are as set forth in each SOW or order form. Fees may include fixed project fees, time & materials rates, subscription charges, hardware costs, and reimbursable expenses. Provider’s time is billed in accordance with the rates in the SOW; travel and out‑of‑pocket costs are billed at cost unless otherwise specified.
- Invoicing and Payment Terms
Provider will invoice monthly or per milestone as set in the SOW. Payment is due within 30 days of invoice receipt unless otherwise specified. Late payments accrue interest at 1.5% per month or the maximum permitted by law, whichever is less. Provider may suspend Services for unpaid amounts 15 days after written notice.
- Taxes
Client is responsible for all taxes, duties, and governmental charges, excluding Provider’s net income taxes. If Client is tax‑exempt, Client will provide valid documentation.
SECTION E — INTELLECTUAL PROPERTY
- Pre‑Existing IP
Each party retains ownership of its pre‑existing intellectual property and tools (including Provider’s methodologies, frameworks, exploit code libraries, detection signatures, AI models, and proprietary test rigs) (“Background IP”). Nothing in this Agreement transfers ownership of Background IP.
- Deliverables and Client License
Subject to full payment, Provider grants Client a non‑exclusive, non‑transferable, worldwide license to use deliverables (reports, remediation guidance, scripts created for Client) for Client’s internal business purposes. Provider retains the right to aggregate, anonymize, and use non‑identifying engagement data to improve Provider offerings and for benchmarking.
- Provider Rights and Research
Provider may develop exploit techniques, proof‑of‑concepts, and tools in connection with Services. Provider may retain and use such artifacts for research, training, and product development, provided Client‑identifying data is removed and legal/contractual obligations (e.g., non‑disclosure, responsible disclosure) are respected.
- Feedback
Client’s feedback, suggestions, or requests regarding Provider offerings may be used by Provider without restriction, subject to applicable confidentiality obligations.
SECTION F — CONFIDENTIALITY
- Definition
“Confidential Information” includes non‑public business, technical, and operational information, including but not limited to architecture diagrams, credentials, vulnerability reports, remediation roadmaps, and Client data.
- Obligations
Receiving party will: (a) use Confidential Information solely to perform obligations under this Agreement; (b) restrict access to employees, contractors, and agents on a need‑to‑know basis; and (c) protect it with reasonable care no less than that used to protect its own confidential information.
- Exclusions
Confidential Information does not include information that: (a) is or becomes publicly available through no breach by receiving party; (b) was known prior to disclosure; (c) is rightfully received from a third party without restriction; or (d) is independently developed without reference to Confidential Information.
- Compelled Disclosure
If compelled by law to disclose Confidential Information, the receiving party will (where permitted) notify disclosing party promptly and cooperate to seek protective orders or narrow disclosure.
SECTION G — WARRANTIES, DISCLAIMERS, AND ACCEPTANCE
- Warranties
Provider warrants that Services will be performed by qualified personnel in a professional and workmanlike manner consistent with industry practice. For any breach of this warranty, Provider’s sole obligation will be to re‑perform the deficient Services at no additional charge or, at Provider’s option, refund the fees for the affected Services.
- Acceptance
Client will accept deliverables based on the acceptance criteria in the applicable SOW. If no criteria exist, deliverables are accepted upon delivery unless Client provides written notice of rejection within 15 days specifying defects. Provider will remediate accepted defects in a commercially reasonable timeframe.
- Disclaimers
EXCEPT AS EXPRESSLY PROVIDED IN SECTION 21, PROVIDER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON‑INFRINGEMENT.
SECTION H — LIMITATION OF LIABILITY
- Exclusion of Consequential Damages
NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING LOST PROFITS, LOSS OF BUSINESS, OR LOSS OF REPUTATION, WHETHER BASED IN CONTRACT, TORT, OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- Liability Cap
PROVIDER’S AGGREGATE LIABILITY FOR DIRECT DAMAGES ARISING FROM OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL FEES PAID BY CLIENT TO PROVIDER UNDER THE APPLICABLE SOW IN THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY. THIS LIMITATION SHALL NOT APPLY TO LIABILITY ARISING FROM (A) GROSS NEGLIGENCE OR WILLFUL MISCONDUCT; (B) BREACH OF CONFIDENTIALITY; (C) MISAPPROPRIATION OF CLIENT DATA; OR (D) CLIENT’S INDEMNIFICATION OBLIGATIONS.
SECTION I — INDEMNIFICATION
- Mutual Indemnities
Client will indemnify, defend, and hold Provider harmless from claims arising from Client’s use of deliverables in violation of law, Client’s failure to follow remediation guidance, or Client’s negligence. Provider will indemnify, defend, and hold Client harmless from third‑party claims alleging that Provider’s delivered software or tooling (excluding third‑party components) infringes a third party’s registered US patent or copyright, provided Client notifies Provider promptly and cooperates in defense. Provider’s indemnity remedies are limited by Section H.
- Procedure
The indemnified party will promptly notify indemnifying party of a claim, permit control of defense to the indemnifying party, and cooperate reasonably. The indemnifying party will not settle a claim that admits liability without consent.
SECTION J — COMPLIANCE, EXPORTS, AND GOVERNMENT DATA
- Compliance with Laws
Each party will comply with all applicable federal, state, and local laws and regulations. Provider will perform government engagements in accordance with applicable procurement rules and security standards referenced in the SOW.
- Export Controls
Client acknowledges that Provider’s software and technical information may be subject to US export control laws. Client will not export or re‑export any deliverables in violation of such laws.
- Government and Controlled Unclassified Information (CUI)
If Services involve government data or CUI, the parties will execute the DPA and any required flow‑downs. Provider will implement controls and handling procedures appropriate to the data classification and will cooperate with audits as set out in the SOW.
SECTION K — INCIDENT HANDLING & NOTIFICATION
- Incident Response
Provider will notify Client without undue delay upon discovery of an event that materially affects Provider systems hosting Client data or Services. Notification will include available facts, remediation measures, and recommended Client actions. Provider’s incident obligations are further described in the DPA and SLA.
- Forensic Access
During an incident, Provider may perform forensics and remediation activities. Client will provide reasonable access and assistance. If an incident implicates both parties, coordination protocols in the SOW or DPA will guide joint response.
SECTION L — SUBCONTRACTORS AND SUPPLIERS
- Subcontracting
Provider may engage subcontractors to perform parts of the Services. Provider remains responsible for subcontractor performance and compliance with confidentiality and data handling obligations. Provider will notify Client of material subcontractors upon request.
- Third‑Party Software
Deliverables may include third‑party components subject to separate license terms. Provider will disclose such components and provide applicable license terms. Client’s use of third‑party components is governed by those licenses.
SECTION M — INSURANCE
- Insurance
Provider will maintain commercial general liability, professional liability/errors & omissions, and cyber insurance (or equivalent) with commercially reasonable limits. Provider will provide certificates of insurance upon request and subject to confidentiality constraints.
SECTION N — ASSIGNMENT
- Assignment
Neither party may assign this Agreement without the other party’s prior written consent, except that Provider may assign to an affiliate or successor in connection with a merger or sale of substantially all assets, provided Client’s rights are not diminished.
SECTION O — FORCE MAJEURE
- Force Majeure
Neither party will be liable for delays or failures resulting from causes beyond reasonable control (acts of God, strikes, pandemics, government actions). Affected party will notify the other and use reasonable efforts to mitigate impact.
SECTION P — NOTICES
- Notices
Notices under this Agreement must be in writing and sent to the addresses set forth in the SOW or order form, or to the parties’ legal contacts. Notices are effective upon receipt.
SECTION Q — GOVERNING LAW AND DISPUTE RESOLUTION
- Governing Law
This Agreement is governed by the laws of the State of [State], excluding its conflict‑of‑laws rules, except where federal law expressly governs.
- Dispute Resolution
The parties will attempt to resolve disputes in good faith. If unresolved within 60 days, either party may seek injunctive relief or submit disputes to the federal or state courts. Each party waives jury trial to the extent permitted by law.
SECTION R — MISCELLANEOUS
- Entire Agreement
This Agreement constitutes the entire agreement and supersedes prior oral or written agreements related to its subject matter.
- Amendments
Amendments must be in writing and signed by authorized representatives.
- Severability
If any provision is invalid or unenforceable, the remainder remains in effect and the parties will replace the invalid provision with a valid one that closely reflects original intent.
- Relationship of Parties
The parties are independent contractors; no agency, partnership, or joint venture is created.
- Survival
Provisions intended to survive termination (intellectual property, confidentiality, liability limitations, indemnities, governing law) will survive.
Privacy & Data Processing Addendum (DPA)
- Purpose
This DPA describes data handling obligations where Provider processes Client Data (including Personal Data and Controlled Unclassified Information) in connection with Services.
- Definitions
“Client Data” means electronic data, content, or information provided by or on behalf of Client, or created by Provider for Client, excluding anonymized/aggregated data. “Personal Data” has the meaning under applicable US state and federal privacy laws. “Processor/Controller” roles are as allocated in the SOW.
- Roles and Instructions
Where Provider acts as Processor, Provider will process Client Data only on documented instructions from Client, including SOW and any written directives. Provider will not process Client Data for other commercial purposes except as permitted in Section 6 (Anonymized Data) or as required by law.
- Data Classification and Handling
Client will label data per classification guidance (e.g., Public, Internal, Confidential, CUI). Provider will handle Client Data in accordance with the applicable classification, including storage, encryption, access controls, and separation from other clients’ data.
- Security Controls
Provider will implement administrative, technical, and physical safeguards appropriate to the data classification and risk, including but not limited to: access controls, encryption at rest and in transit, logging and monitoring, least‑privilege access, vulnerability management, and secure development practices. Specific controls and standards (e.g., NIST SP 800‑53/800‑171, FedRAMP, CIS Benchmarks) applicable to a given SOW will be specified therein.
- Anonymized & Aggregate Data
Provider may collect and use anonymized, aggregated, or de‑identified metadata arising from Services to improve products and for benchmarking, provided such data cannot be reasonably re‑identified and does not include CUI or Personal Data as defined by applicable law.
- Subprocessors and Flow‑Downs
Provider may engage subprocessors to process Client Data. Provider will: (a) maintain a list of subprocessors and update Client upon material changes; (b) flow down equivalent contractual obligations to subprocessors; and (c) remain liable for subprocessors’ compliance.
- Transfer and Location
Client Data will be stored and processed in the locations specified in the SOW. Cross‑border transfers will comply with applicable law; Client consents to transfers as necessary to deliver Services.
- Incident Notification & Response
Provider will notify Client without undue delay upon becoming aware of a breach involving Client Data. Notification will include nature, scope, affected data types, mitigation steps taken, and recommended Client actions. For incidents involving CUI or regulated personal data, Provider will follow the notification timelines and reporting formats required by applicable laws and contract clauses.
- Retention & Deletion
Provider will retain Client Data only as necessary to provide Services or as required by law. Upon termination or written request, Provider will delete or return Client Data in a mutually agreed format within the timeframe in the SOW, except where retention is required by law. Provider will certify deletion upon request.
- Audit Rights
Client (or an agreed independent auditor) may audit Provider’s relevant facilities and controls (subject to confidentiality and reasonable notice) to verify compliance with this DPA. Audit scope, frequency, and cost allocation will be set out in the SOW.
- Data Subject Requests
To the extent Provider processes Personal Data, Provider will assist Client in responding to data subject requests, subject to reasonable fees if requests are excessive.
- CUI and Government‑Specific Obligations
For government engagements involving CUI, Provider will comply with applicable federal requirements (e.g., FAR, DFARS, NIST SP 800‑171), flow down obligations to subcontractors, and provide required attestations or plans as required in the SOW.
- Liability
Provider’s obligations and liabilities with respect to Client Data are governed by this DPA and the liability limitations in the Core Terms, except that breaches of confidentiality and willful misconduct may give rise to greater liability.
Service Level Addendum (SLA)
- Applicability
This SLA applies to managed, subscription, or support Services as defined in the SOW. Terms in this SLA supplement the Core Terms; in conflict, this SLA controls for covered Services.
- Service Availability
Provider will use commercially reasonable efforts to provide Services with an uptime target of 99.9% per calendar month, excluding scheduled maintenance and Force Majeure events. Downtime measurement and exclusions are defined in the SOW.
- Response & Resolution Targets
Incident Severity Levels and targets:
- Severity 1 (Critical): Production outage or material compromise of critical systems — Response within 15 minutes; initial remediation actions within 2 hours.
- Severity 2 (High): Significant degradation of production services or suspected compromise of sensitive data — Response within 1 hour; containment/mitigation plan within 8 hours.
- Severity 3 (Medium): Non‑critical functionality loss, elevated suspicious activity — Response within 4 hours; remediation plan within 48 hours.
- Severity 4 (Low): Informational issues, routine requests — Response within 24 hours; resolution per agreed schedule.
- 24/7 Support, Escalation & Remote Access
Provider maintains 24/7 incident intake and on‑call engineering for Severity 1 and 2 incidents. Escalation contacts and procedures are listed in the SOW. Provider may use secure remote admin channels to access Client systems for diagnostics and remediation; such access will be logged and used only with Client authorization per the SOW.
- Maintenance Windows & Notifications
Planned maintenance windows will be scheduled with at least 72 hours’ notice except in emergencies. Provider will use reasonable efforts to perform maintenance during agreed low‑impact periods.
- Service Credits
If Provider fails to meet availability targets (measured per SOW), Client may request service credits calculated as a percentage of monthly fees for the affected service tier, capped at 50% of that month’s fee. Service credits are Client’s sole financial remedy for SLA failures.
- Measurement & Reporting
Provider will provide monthly service reports including uptime, incident metrics (MTTD, MTTR), patch and change statistics, and security posture summaries as agreed in the SOW.
- Exceptions & Exclusions
SLA commitments exclude (a) Client‑caused outages or misconfigurations; (b) third‑party outages beyond Provider’s control; (c) scheduled maintenance; (d) force majeure events; and (e) misuse or unauthorized access by Client personnel.
Professional Services Statement of Work (SOW)
- Project Overview
- Project description: (Concise summary of objectives: pentest, red team, device deployment, continuous monitoring, smart‑city assessment, smart contract audit, etc.)
- Scope of Work
- In‑scope systems, networks, applications, devices (including asset identifiers and environments: prod, staging, test).
- Out‑of‑scope items explicitly listed.
- Methodologies to be used (manual testing, automated scanning, red‑team emulation, social engineering, physical testing) and any constraints.
- Deliverables
- Pre‑engagement plan (rules of engagement).
- Mid‑engagement status reports (for long engagements).
- Final report: executive summary, technical findings with reproducible steps, risk ratings, remediation guidance, retest plan.
- Tooling or scripts delivered (license terms).
- Knowledge transfer session(s).
- Schedule & Milestones
- Kickoff date, testing windows, intermediate checkpoints, final delivery, retest windows.
- Acceptance Criteria
- Acceptance based on deliverables meeting the defined criteria; Client to acknowledge receipt and provide feedback within 15 days.
- Client Responsibilities
- Provide point(s) of contact, necessary access, test accounts, relevant documentation, and approvals for tests (including social engineering/physical testing as applicable).
- Ensure any third‑party consents required for scoped assets.
- Rules of Engagement & Safety
- Testing hours, blast radius limits, allowable methods, escalation paths for discovered critical vulnerabilities, and immediate stop conditions.
- Handling of production data, data sanitation, and agreed non‑destructive testing boundaries.
- Pricing & Payment
- Fixed fee or T&M rates, milestone payments, and any reimbursable expenses.
- Confidentiality & Data Handling
- Reinforce DPA obligations and any project‑specific data handling measures.
- Change Control
- Process for scope changes and associated cost/time impacts.
- Signatures
- Authorized representatives and dates.
Responsible Disclosure & Vulnerability Handling Policy
- Purpose
To provide a clear, lawful, and constructive process for researchers and third parties to report vulnerabilities affecting Provider offerings or Client assets tested under authorized engagements.
- Scope
Covers vulnerabilities in Provider products, managed services platforms, and findings from authorized testing where third parties may discover residual issues.
- Submission Process
- Report vulnerabilities to: security‑reports@[company].com (or designated intake portal).
- Required information: affected asset/product, proof of concept, steps to reproduce, impact assessment, and reporter contact details.
- Provider will acknowledge receipt within 48 hours.
- Handling Timeline
- Triage within 5 business days to determine severity and remediation owner.
- For high/critical issues, Provider will provide initial remediation ETA within 10 business days and a patch or mitigation plan as promptly as feasible.
- Provider will coordinate with reporter on disclosure timelines; public disclosure will be deferred until fixes are available or risk otherwise mitigated.
- Safe Harbor & Legal Protections
Provider commits not to pursue legal action against good‑faith reporters who follow this policy and refrain from privacy invasions, data exfiltration, or denial‑of‑service activity beyond necessary proof‑of‑concept. Reports that exceed these bounds may be declined and could trigger legal remedies.
- Recognition and Remediation Credits
Provider may, at its discretion, recognize contributors publicly or provide bounty or remediation credits per a separate program.
Appendix: Definitions; Governing Law & Dispute Resolution (Supplement)
- Definitions (selected)
- “Client Data”: defined in the DPA.
- “CUI”: Controlled Unclassified Information as defined in federal regulations.
- “Deliverables”: reports, code, appliances, or artifacts delivered under an SOW.
- “Services”: Provider offerings described in the Agreement.
- Governing Law, Venue, and Dispute Resolution (reiteration)
- Governing law: State of [State], excluding conflict‑of‑laws.
- Venue: federal or state courts in [County], [State].
- Injunctive relief preserved for protection of Confidential Information and intellectual property.