
Cyber Essentials AI Support Tool - Access Terms & Conditions
1. Definitions
1.1 “Fortis” means Fortis Cyber Security Limited.
1.2 “Client” means the organisation purchasing access to the Tool.
1.3 “Tool” means Fortis’ Cyber Essentials AI Support Tool and any associated AI assistants, configurations, prompts, workflows, templates, guidance content, assessment logic, and generated artefact/output formats.
1.4 “Cyber Essentials” / “CE” means the UK Cyber Essentials scheme requirements and related assessment questions.
1.5 “Access Period” means the time window during which the Client may use the Tool, as set out in Section 3.
1.6 “Client Content” means information, data, text, or documents input to the Tool by the Client and its authorised users.
1.7 “Outputs” means content generated by the Tool based on Client Content and user interactions.
2. Scope of Service (What the Tool Is / Is Not)
2.1 The Tool provides guided assistance to help the Client interpret and respond to Cyber Essentials assessment questions and related evidence prompts.
2.2 The Tool does not:
(a) guarantee certification or any specific assessment outcome;
(b) replace professional judgement, internal governance, or technical remediation;
(c) submit an assessment on the Client’s behalf unless explicitly agreed in writing; or
(d) constitute legal advice or compliance advice beyond Cyber Essentials.
2.3 The Client remains solely responsible for:
(a) the accuracy, completeness, and truthfulness of its assessment responses;
(b) implementing and maintaining required security controls; and
(c) ensuring its environment meets Cyber Essentials requirements at the point of submission.
3. Access Period and Timeline
3.1 Standard Access Period: Access begins on the date Fortis issues the Client’s login credentials (“Start Date”) and continues until the earliest of:
(a) [60] calendar days from the Start Date; or
(b) the Client submitting its CE assessment; or
(c) the certificate being issued; or
(d) the assessment being closed;
whichever occurs first.
3.2 Extensions: The Client may request an extension of [30] calendar days for an additional fee of £[X] + VAT, provided the request is made before the Access Period ends.
3.3 Suspension: Fortis may temporarily suspend access to protect security, perform maintenance, or investigate suspected misuse (see Section 8).
4. Licence and Permitted Use
4.1 Fortis grants the Client a limited, non-exclusive, non-transferable, revocable licence to access and use the Tool during the Access Period solely for the Client’s internal business purposes in connection with the Client’s Cyber Essentials assessment and certification.
4.2 Authorised Users: Access is limited to the Client’s employees and contractors who have a legitimate need to use the Tool for CE certification support and are subject to confidentiality obligations.
4.3 The Client must not (and must ensure its users do not):
(a) share login credentials outside the Client’s organisation;
(b) resell, sublicence, rent, lease, or provide bureau/time-sharing access to the Tool;
(c) copy, reproduce, scrape, harvest, or systematically extract any portion of the Tool, prompts, templates, logic, or content;
(d) reverse engineer, decompile, disassemble, recreate, or attempt to derive source components or underlying logic of the Tool; or
(e) use the Tool or Outputs to develop, create, train, benchmark, or improve any competing product or service.
5. Proprietary Rights, Prompts, Templates and Output Formats
5.1 The Tool (including any AI assistants, its configuration, supporting materials, templates, prompts, workflows, assessment logic, and generated artefact/output formats) is proprietary to Fortis (and/or its licensors). All intellectual property rights in the Tool remain with Fortis.
5.2 Access is provided for internal Cyber Essentials certification support only. Except as expressly permitted in these terms, the Client must not (and must ensure its users do not) copy, reproduce, reverse engineer, recreate, share prompts, export knowledge, redistribute, resell, disclose, publish, or use the Tool or its Outputs to create a competing product or service.
5.3 Prompt / Knowledge Export Restriction: The Client must not attempt to extract, compile, or build a library of prompts, templates, question-answer pairs, assessment logic, or outputs for reuse outside the permitted purpose, whether manually, automatically, or at scale.
5.4 Permitted Sharing of Outputs (limited):
(a) The Client may share Outputs internally for the purpose of completing CE certification.
(b) The Client may share relevant Outputs externally only to the extent necessary to submit the Cyber Essentials assessment and supporting evidence to an authorised Certification Body.
(c) If the Client uses an IT provider/MSP to support remediation for CE, the Client may share Outputs with that provider solely for CE support, provided the provider is bound by confidentiality obligations at least as protective as these terms.
5.5 Nothing in this section prevents the Client from using its own underlying facts, configurations, and policies independently of the Tool.
6. Client Responsibilities and Acceptable Use
6.1 The Client will ensure all users:
(a) are authorised;
(b) keep credentials secure; and
(c) follow reasonable security practices (including MFA if provided).
6.2 The Client should not input:
(a) personal data unless necessary and minimised;
(b) special category data (e.g., health) unless explicitly agreed in writing; or
(c) highly sensitive secrets (e.g., private keys, full admin passwords).
6.3 The Client is responsible for maintaining backups of any materials it uploads and for retaining copies of its final CE responses.
7. Data, Confidentiality, and Privacy
7.1 Each party will keep the other’s confidential information confidential and use it only to perform obligations under these terms.
7.2 Client Content: The Client retains ownership of Client Content.
7.3 Fortis may process Client Content to provide the Tool, generate Outputs, provide support, maintain security, and improve the Tool. Fortis will process personal data (if any) in accordance with applicable data protection laws and Fortis’ privacy notice.
7.4 Where required, the parties will enter into a Data Processing Agreement (DPA).
8. Availability, Support, and Changes
8.1 Fortis will use reasonable efforts to make the Tool available during the Access Period, excluding planned maintenance and events outside Fortis’ reasonable control.
8.2 Support is provided via [email/support portal] during [business hours, e.g., 09:00–17:00 UK time, Mon–Fri] for basic access issues and general usage guidance.
8.3 Fortis may update, change, or enhance the Tool from time to time. If a change materially reduces functionality during an active Access Period, Fortis will use reasonable efforts to provide notice.
9. Fees and Payment
9.1 Fees are as stated in the quote, order form, or Statement of Work.
9.2 Unless otherwise agreed, fees are payable in advance. Overdue amounts may result in suspension of access.
9.3 Extension fees (if applicable) are charged as per Section 3.2.
10. Disclaimers
10.1 Outputs are generated using automated methods and may be incomplete, incorrect, or not suitable for the Client’s specific environment.
10.2 The Client must validate Outputs and apply appropriate judgement before relying on them.
10.3 Fortis does not warrant that use of the Tool will ensure CE certification, nor that service will be uninterrupted or error-free.
11. Limitation of Liability
11.1 Nothing limits liability for death or personal injury caused by negligence, fraud, or any liability that cannot be limited by law.
11.2 Subject to 11.1, Fortis’ total aggregate liability arising out of or in connection with the Tool and these terms will not exceed the fees paid by the Client for the Access Period.
11.3 Fortis is not liable for indirect or consequential losses, including loss of profits, revenue, business, data, or goodwill.
11.4 Fortis is not liable for certification outcomes, assessor decisions, or the Client’s failure to meet CE requirements.
12. Termination
12.1 These terms start on the Start Date and end automatically at the end of the Access Period unless terminated earlier.
12.2 Either party may terminate immediately on written notice if the other commits a material breach and fails to remedy within 14 days (where remedy is possible).
12.3 Fortis may terminate or suspend access immediately for suspected misuse, credential sharing, security threats, or non-payment.
12.4 On termination/expiry, the Client’s licence ends and access will be removed. Sections relating to confidentiality, IP/proprietary rights, liability, and governing law survive.
13. Governing Law
13.1 These terms are governed by the laws of England and Wales.
13.2 The courts of England and Wales have exclusive jurisdiction.
Effective Date: 16/06/2026
