Alchemy Assurance Terms & Conditions
Version 1.1 – 2nd July 2025
1 Definitions
“Company” means Cyber Alchemy Ltd.
“Client” means the legal entity receiving the Services.
“Services” means the penetration testing and/or cloud security audit services described in the Proposal.
“Engagement” means the scoped project defined in the Proposal, subject to these T&Cs.
“Report” means the written deliverable issued by the Company at the conclusion of testing.
“CVSS” means the Common Vulnerability Scoring System, version 4.0 (Base Score).
“Medium Finding” means a vulnerability with CVSS Base Score 4.0 – 6.9.
“High Finding” means a vulnerability with CVSS Base Score ≥ 7.0.
“Guarantee” means the outcome-based pricing clause in section 4.
2 Scope & Prerequisites
2.1 The Client shall provide complete and accurate information regarding assets, IP ranges, URLs, cloud accounts, credentials, and any segmentation or allow-listing required.
2.2 Changes to scope, environment, or access after project commencement require a written variation and may void the Guarantee.
3 Methodology & Severity Ratings
3.1 The Company follows industry-standard methodologies (CREST, OWASP, NCSC, CIS Benchmarks) as relevant.
3.2 Technical severity is assigned using CVSS v4.0 Base Score only (no temporal or environmental modifiers).
3.3 Informational and Low findings are outside the Guarantee and invoicing calculation.
3.4 Proof-of-concept exploits will be provided where safe and practical.
4 Outcome-Based Pricing Guarantee
| Result on Initial Report | Payment Due | Included Extra |
| No Medium or High Severity Findings | 70 % of the quoted fee | — |
| ≥ 1 Medium or High Severity Finding | 100 % of the quoted fee | • One free re‑test of Medium & High findings (section 5) • 4‑hour online training for up to 3 staff (section 6) |
4.1 Minimum engagement: 5 consultant days.
4.2 The Guarantee does not apply to:
- Engagements outside of Infrastructure Testing, Application Testing (Web, API and Mobile), and Cloud Assessments (AWS, Azure, GCP and Microsoft 365).
- Findings arising from out of scope assets.
- False positive findings disputed and removed under section 7.
5 Free Re-Test
5.1 Scope limited to verification of Medium & High findings reported in the Initial Report.
5.2 Client must (a) remediate findings, and (b) request scheduling within 14 calendar days of Report delivery.
5.3 Re-test to be completed within 30 calendar days of scheduling, subject to resource availability.
5.4 One re-test round only; further testing billed at standard rates.
5.5 Onsite re-testing does not include expenses; these are to be paid in full by the Client.
5.6 Onsite re-testing also applies only to the UK (excluding Northern Ireland).
5.7 If material changes (patching, rebuild, migration) occur outside remediation, the Company may treat the activity as new scope and quote accordingly.
6 Training Session
6.1 Delivery: live webinar via Teams/Zoom; recording available for 30 days.
6.2 Content: Secure Application Development or Secure Infrastructure & Cloud Administration (Client selects one).
6.3 Attendees: up to 3 named individuals per engagement. Additional seats chargeable at our standard rate.
6.4 Training sessions are available 3 times a year; each Client has up to a year from the initial Report delivery to redeem their place.
7 Finding Disputes & Rating Challenges
7.1 The Client may dispute a finding or its CVSS rating by written notice within 10 business days of Report delivery, citing rationale and evidence.
7.2 The Company will review and respond within 10 further business days.
7.3 If unresolved, the parties shall jointly appoint an independent CREST-registered consultant to adjudicate.
7.4 If the independent consultant upholds the Client’s position, the Company will:
- Adjust the invoice and refund any overpayment, and
- Bear 100 % of the consultant’s fee.
If the finding is upheld, the Client bears 100 % of the consultant’s fee.
7.5 Disputes raised after the 10-day window will be addressed at the Company’s discretion and do not affect invoicing.
8 Governing Law & Jurisdiction
These T&Cs are governed by and construed in accordance with the laws of England & Wales, and the parties submit to the exclusive jurisdiction of its courts.
9 Acceptance
By signing the Proposal, the Client agrees to be bound by these T&Cs.
© 2025 Cyber Alchemy Ltd.