Terms of Service

1.1 CrownSync CE Readiness is an independent preparation tool that helps UK organisations prepare for Cyber Essentials certification. It is not affiliated with, endorsed by, or connected to the National Cyber Security Centre (NCSC), IASME Consortium, or any accredited Cyber Essentials certification body.

1.2 The service provides:

1. Access to the official Cyber Essentials Danzell self-assessment question set for preparation purposes
2. Tools for team collaboration and question assignment
3. Gap analysis and remediation guidance
4. Report generation and export functionality
5. Board sign-off workflow management

1.3 Completing an assessment on CrownSync CE Readiness does not constitute Cyber Essentials certification. Official certification must be obtained through an IASME-accredited certification body.

1.4 We do not guarantee that use of this service will result in successful Cyber Essentials certification. Certification outcomes depend on your organisation’s actual security controls and the assessment of an accredited certification body.

2.1 The service is currently provided free of charge during our launch period. All features are available to all users at no cost, including team collaboration, gap analysis, board sign-off, exports, and the contributor portal.

2.2 We reserve the right to introduce paid plans in the future. Existing users will receive reasonable advance notice before any charges are introduced, along with a preferential rate.

2.3 No payment information is collected during the free launch period.

3.1 You must be at least 18 years old and have authority to enter into these Terms on behalf of your organisation to create an account.

3.2 You must register with a work or organisational email address. Consumer email addresses such as Gmail, Hotmail, or Yahoo are not permitted.

3.3 You are responsible for maintaining the confidentiality of your account credentials and for all activity under your account.

3.4 You must notify us immediately at [email protected] if you suspect unauthorised access to your account.

3.5 We reserve the right to suspend or terminate accounts that violate these Terms or that we reasonably believe are being used fraudulently or abusively.

4.1 You may use the service only for lawful purposes and in accordance with these Terms.

4.2 You must not:

1. Provide false, misleading, or inaccurate information in your assessment answers
2. Use the service to circumvent or misrepresent your organisation’s actual security posture
3. Share your account credentials with unauthorised persons
4. Attempt to access other organisations’ assessment data
5. Use automated means to access or scrape the service
6. Attempt to reverse engineer, decompile, or extract the source code of the service
7. Use the service in any way that could damage, disable, or impair the service

4.3 You are solely responsible for the accuracy and completeness of information entered into the service. We accept no liability for certification outcomes based on inaccurate or incomplete answers.

5.1 As an assessment owner, you may invite team members and contributors to participate in your assessment.

5.2 By inviting contributors, you confirm that:

1. You have authority to share the assessment with them
2. They are employees, contractors, or authorised representatives of your organisation
3. You take responsibility for their use of the service in connection with your assessment

5.3 Contributor access is limited to answering assigned questions and is provided via a time-limited secure link. Contributors do not require a full account.

5.4 You are responsible for revoking contributor access when it is no longer required.

5.5 Contributors who wish to request erasure of their personal data may do so by emailing [email protected] or submitting a request at ce.crownsync.uk/privacy/erasure-request. Contributor personal identifiers will be anonymised within 30 days of a valid request. Assessment answers submitted by contributors will be retained in anonymised form as part of the organisation’s assessment record.

6.1 The Cyber Essentials question set is published by IASME on behalf of NCSC and is used in this service for preparation purposes only. All rights in the question set remain with NCSC and IASME.

6.2 The CrownSync CE Readiness platform, including its software, design, and original content, is owned by CrownSync LTD and protected by copyright and other intellectual property laws.

6.3 You retain ownership of all assessment answers and data that you and your team enter into the service.

6.4 You grant us a limited licence to store, process, and display your data solely for the purpose of providing the service to you.

7.1 We take the security of your assessment data seriously. Your data is stored on infrastructure located within the European Economic Area.

7.2 We will not share your assessment data with third parties except as described in our Privacy Policy at crownsync.uk/privacy-policy.

7.3 We implement appropriate technical and organisational measures to protect your data. However, no internet transmission is completely secure and we cannot guarantee absolute security.

When a user requests erasure of their personal data, CrownSync will anonymise personal identifiers associated with their account rather than deleting all associated data. Specifically:

• The user’s name and email address will be replaced with anonymised identifiers
• The user’s login account will be permanently deleted
• The organisation’s assessment data, audit records, and governance records will be retained in anonymised form

This approach is taken to protect the legitimate interests of the organisation and other users associated with the same assessment, and to maintain the integrity of audit and governance records. Anonymised data no longer constitutes personal data under UK GDPR and is retained in accordance with our Privacy Policy.

8.1 The service is provided “as is” and “as available” without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

8.2 We do not warrant that:

1. The service will be uninterrupted, error-free, or secure
2. Any gaps identified by the service represent a complete or accurate assessment of your security posture
3. Following remediation guidance will result in successful Cyber Essentials certification
4. The question set will remain current — the CE scheme is updated periodically and we endeavour to update the service promptly but cannot guarantee immediate alignment

8.3 The remediation guidance provided is general in nature and does not constitute professional cybersecurity advice. For complex environments, we recommend engaging an NCSC-assured Cyber Advisor. This includes, without limitation, guidance relating to firewall configuration, authentication settings, software updates, malware protection, and any other technical controls referenced within the application.

CrownSync CE Readiness provides general guidance and suggestions to help organisations understand and address Cyber Essentials requirements. This guidance is provided for informational purposes only.

We strongly recommend that you:

• Verify all technical guidance against your specific hardware, software, and network configuration before implementing any changes
• Engage a qualified IT professional or your managed service provider before making changes to firewalls, network devices, authentication systems, or other critical infrastructure
• Test any configuration changes in a non-production environment where possible
• Maintain backups of all configurations before making changes

CrownSync LTD accepts no liability for:

• Any damage, data loss, service disruption, or security incident arising from following guidance provided within the application
• Any failure to achieve Cyber Essentials certification, regardless of whether guidance was followed
• The accuracy, completeness, or suitability of technical guidance for your specific environment
• Any third-party products, services, or documentation referenced within the application

The technical guidance provided in this application is based on general best practices and publicly available information. Your specific environment may require different steps or approaches. When in doubt, always consult a qualified IT professional.

Nothing in this application constitutes professional IT consultancy, security consultancy, or legal advice.

The assessment owner may use CrownSync to assign remediation tasks to individuals outside their organisation, including contractors, managed service providers, and other third parties. By using this feature, the assessment owner confirms they have the authority to share task details with those individuals and that doing so is consistent with their own data protection obligations.

CrownSync LTD accepts no liability for the actions or omissions of any third party assigned a remediation task through the platform.

9.1 To the fullest extent permitted by law, CrownSync LTD accepts no liability for any loss, damage, or failure to achieve Cyber Essentials certification arising from use of the service. This includes but is not limited to:

1. Failed Cyber Essentials certification attempts
2. Loss of business, contracts, or revenue resulting from failed certification
3. Any indirect, consequential, or special loss
4. Loss or corruption of data beyond our reasonable control

9.2 Our total liability to you for any claim arising from use of the service shall not exceed £100.

9.3 Nothing in these Terms excludes or limits our liability for death or personal injury caused by our negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded by law.

10.1 We reserve the right to modify, suspend, or discontinue the service (or any part of it) at any time, with or without notice.

10.2 We will make reasonable efforts to provide advance notice of significant changes or discontinuation where practicable.

11.1 You may close your account at any time by contacting [email protected].

11.2 We may suspend or terminate your account immediately if you breach these Terms.

11.3 On termination:

1. Your access to the service will cease
2. You may request an export of your data within 30 days
3. Your personal data will be handled in accordance with our Privacy Policy — personal identifiers will be anonymised upon a valid erasure request while organisational assessment data is retained

12.1 We may update these Terms from time to time. We will notify registered users of material changes by posting a notice within the application. Continued use of the service after changes take effect constitutes acceptance of the updated Terms.

13.1 These Terms are governed by the laws of England and Wales.

13.2 Any disputes arising from these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Once a board sign-off has been completed and all required approvals received, the assessment is permanently locked and cannot be modified. Users wishing to make changes after sign-off must start a new assessment. This measure protects the integrity of the signed declaration.

The board sign-off feature records a formal declaration from a director or equivalent confirming that the assessment information is accurate. This declaration is not a substitute for official Cyber Essentials certification issued by an IASME-accredited certification body. CrownSync LTD accepts no liability for any reliance placed on a board sign-off declaration.

Sign-off links are issued to named signatories only. Forwarding a sign-off link to another person, or approving an assessment on behalf of a named signatory without their explicit instruction, is a misuse of the platform. The person clicking the approve button makes a formal declaration that they are the named signatory and are authorised to sign off the assessment. CrownSync LTD accepts no liability for approvals completed by persons other than the named signatory.

Users may create multiple assessments for the same organisation. Each assessment is an independent record. Signed-off assessments are retained for 12 months in read-only form.

CrownSync maintains an audit log of all significant actions within an assessment including question answers, sign-off decisions, and data exports. This log is retained for up to 6 years following the assessment period for governance and legal purposes, and is accessible to the assessment owner at any time. In the event of an erasure request, audit log entries are anonymised rather than deleted — the event record is retained but personal identifiers are removed.

Under UK GDPR you have the following rights in relation to your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate personal data
• Right to erasure — request anonymisation of your personal identifiers (subject to legitimate retention interests as described in our Privacy Policy)
• Right to restriction — request that we restrict processing of your data
• Right to portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interests

Exercise these rights through your account at /account/privacy or by emailing [email protected]. We will respond within 30 days.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk. Our ICO registration number is ZC109210.