Legal

These standard terms and conditions apply to business clients only. They are published as a low-profile reference page and linked from the site footer only.

Standard Terms & Conditions

THEITREVOLUTION LTD, trading as RichardHam.co.uk · Registered in England & Wales, Company No. 16893727 · Registered office: 3rd Floor, 86-90 Paul Street, London EC2A 4NE
Version 1.1 · Published February 2026

Part A — General Terms

1. These Terms and how a contract is formed

1.1These Standard Terms & Conditions ("Terms") apply to all consultancy services provided by THEITREVOLUTION LTD, trading as RichardHam.co.uk, a company registered in England and Wales with company number 16893727, whose registered office is at 3rd Floor, 86-90 Paul Street, London EC2A 4NE ("the Consultant", "we", "us") to the business client identified in the Quotation ("the Client", "you"). They apply to the exclusion of any terms you seek to impose, including terms in or referred to in a purchase order.

1.2A Quotation is an invitation to treat, carries a unique number, and is valid for 30 days unless it states otherwise. A binding contract ("Engagement") forms only when (a) you accept the Quotation in writing — by email or by signing the Engagement Acceptance Form — identifying it by number, and (b) we confirm acceptance in writing. Instructing us to begin work does not itself form a contract, and we may decline any order before our written acceptance.

1.3If, at your written request, we perform work before an Engagement forms or before the clause 1.5 prerequisites are satisfied, you will pay for that authorised work at the Quotation rates (or, absent a Quotation, our then-standard rates) and these Terms apply to it; doing so does not waive clause 1.2 or 1.5 for the remaining scope.

1.4Each Engagement incorporates, and consists only of: these Terms as published at the Quotation date; the Quotation, including the Assumptions Register version it identifies (or, if none, the latest version we issued before your acceptance); any SOW; the Engagement Acceptance Form; and, where Part C applies, the completed and signed Annex. Where the parties have signed a Master Consultancy Agreement ("MCA") covering the work, the MCA and its SOWs govern instead of these Terms, except any part the MCA expressly incorporates.

1.5Work does not begin until the prerequisites stated in the Quotation or SOW are satisfied, including (where stated) payment of any deposit, issue of any purchase order, security clearances and system access, and confirmation of data-processing status under clause 8 — including, where Part C applies, a completed and signed Annex. Timelines extend by any period a prerequisite remains unsatisfied.

1.6If documents forming or governing an Engagement conflict, the order of precedence is: (a) a signed MCA and its SOWs; (b) the completed and signed Annex, but only in respect of the processing of personal data; (c) the SOW; (d) the Quotation, including its Assumptions Register; (e) Part C; (f) Part B; (g) Part A. A SOW, Quotation or Engagement Acceptance Form varies these Terms only where it identifies the clause number or paragraph letter varied and states the variation expressly; and nothing increases our liability beyond clause 10 except a written amendment referring to clause 10 by number, signed by a director of each party.

1.7Any variation of an Engagement must be in writing, identify the exact provision or scope item varied, and be agreed by an authorised representative of each party (email suffices).

2. Definitions

2.1In these Terms: "Acceptance" or "Sign-off" — the Client's confirmation, or deemed confirmation, under paragraph B7; "AI Output" — content, predictions, recommendations or code generated wholly or partly by an AI System; "AI System" — any machine-learning model, large language model, agentic system or software incorporating such technology; "Applicable Law" — all laws and regulations applying to a party from time to time, including Data Protection Legislation; "Assumptions Register" — the document of that name identified in the Quotation, recording the assumptions and dependencies on which it is based; "Business Day" — a day other than a weekend or public holiday in England; "Charges" — the fees and pre-agreed expenses payable for the Services under the Quotation or SOW, plus amounts payable under clauses 1.3, 4.1 and 5; "Confidential Information" — information disclosed by or for one party to the other in connection with an Engagement that is identified as confidential or that a reasonable person would consider confidential, including business, technical, financial and security information, the Engagement's terms and pricing, and personal data, but excluding information within the exceptions in clause 7.2; "Data Protection Legislation" — the UK GDPR (as amended, including by the Data (Use and Access) Act 2025), the Data Protection Act 2018 and PECR; "Deliverables" — outputs identified as deliverables in the Quotation or SOW; "Engagement" — a contract formed under clause 1.2, with any related work charged under clause 1.3; Quotations or SOWs expressly stated to be linked, or to be phases of one programme, together form a single Engagement for clause 10; "Engagement Acceptance Form" — our form of that name, provided on request or as part of the relevant engagement documents; "Pre-Existing Materials" — our materials, methods, templates, prompts, tools and know-how existing before, or developed independently of, the Engagement; "Provider Terms" — a Third-Party AI Provider's terms, policies, configuration options and service descriptions in force from time to time; "Quotation" — a numbered written quotation or proposal we issue; "Risk Acceptance Form" or "RAF" — a document recording a risk the Client elects to carry after our written recommendation, signed by the Client's named risk owner; "Services" — the consultancy services described in the Quotation or SOW, including production of the Deliverables; "SOW" — a statement of work agreed under an Engagement or an MCA; "Third-Party AI Provider" — any third party providing an AI System or hosting platform (for example Anthropic, Microsoft or Amazon Web Services).

2.2"Personal data", "controller", "processor", "data subject", "personal data breach", "processing" and "special categories of personal data" have the meanings given to them in the UK GDPR, whether or not capitalised, unless these Terms expressly provide otherwise; "Sub-processor" means another processor we engage to process personal data on your behalf.

3. The Services

3.1We will provide the Services with reasonable skill and care, in line with good practice for AI governance and security consultancy. The Services are advisory: unless expressly stated, we do not build, operate, host or maintain production systems, and hands-on configuration is performed on your infrastructure, under your control. Anything not stated in the Quotation or SOW is out of scope. Dates are estimates unless expressly agreed as contractual.

3.2Statements in Quotations about third-party AI platforms reflect our testing, the Provider Terms and providers' published information at the Quotation date; platform capabilities, models, prices and terms change outside our control. Estimated costs, savings and time reductions are good-faith estimates, not commitments.

4. Your obligations

4.1You will: provide timely access to systems, people, information and decisions; ensure information you give us is accurate and lawful for us to use; hold all licences and Third-Party AI Provider agreements in your own name; grant any system access on a least-privilege, time-limited basis and revoke it at completion; and meet the dependencies stated in the Quotation, SOW or Assumptions Register. Where your delay or failure affects our work, we are relieved of the affected obligations, timelines extend, and reserved days may be charged as stated in the Quotation or SOW.

4.2You retain sole responsibility for your own legal and regulatory compliance (including under Data Protection Legislation) and for all decisions made or actions taken — by you or your AI Systems — in reliance on the Services, the Deliverables or any AI Output. Our work is professional guidance, not legal advice, and transfers no compliance obligation to us unless a SOW expressly says so.

4.3You are responsible for maintaining regular, tested backups of your own systems and data, and for your own business continuity arrangements.

5. Charges and payment

5.1The Charges are as stated in the Quotation, exclusive of VAT (chargeable if and when we are VAT-registered) and of pre-agreed expenses recharged at cost. A day is up to eight hours; part-days are billed in half-day units. Committed rates apply only to work committed at the outset; later additions are billed at our then-standard rate. Any deposit required by the Quotation is payable before work begins and is credited against the final invoice; deposits are refundable only on termination under clause 11.1 for our breach or under clause 12.2, and only to the extent of Charges for work not performed.

5.2Invoices are payable within 14 days, without set-off. You will notify any invoice dispute within 7 days of receipt, paying the undisputed balance. Late payments attract interest and compensation under the Late Payment of Commercial Debts (Interest) Act 1998, and we may suspend work on 7 days' notice while an undisputed invoice is more than 14 days overdue.

5.3Changes to scope must be agreed under clause 1.7 before we perform them, following an impact assessment of cost and timeline.

6. Intellectual property

6.1We retain all rights in Pre-Existing Materials. On payment in full for the relevant work, you receive a perpetual, non-exclusive, royalty-free licence to use, copy and adapt the Deliverables (including embedded Pre-Existing Materials) for the internal business purposes of you and your group companies. That licence extends to use on your behalf by your employees, contractors, managed service providers and professional advisers under confidentiality no less protective than clause 7, and may be transferred, on written notice to us, to a successor to the business to which the Engagement relates. You may not otherwise resell, publish or supply Deliverables to third parties without our written consent.

6.2Material authored by you or your personnel — including prompts, skills, agent instructions and your business logic within jointly developed material — and materials you supply remain yours. In jointly authored material, your contribution remains yours and our generic structure and methods remain Pre-Existing Materials, each licensed to the other as needed for clause 6.1 purposes. Scripts, code and configurations we write for you as part of the Services are Deliverables. Open-source components carry their own licence terms (identified on request) and provider-owned materials remain subject to the Provider Terms; neither is licensed or warranted by us beyond clause 6.1.

6.3We may reuse general skills, techniques and know-how, and may reuse engagement learnings only in genuinely anonymised form from which neither you nor any individual can be identified.

6.4You warrant that materials you supply do not infringe third-party rights, and you will indemnify us against third-party claims arising from our use of them as instructed. Your aggregate liability under this indemnity is limited to £250,000 per Engagement, except where the claim arises from your fraud or from materials you knew to be infringing.

7. Confidentiality

7.1Each party will keep the other's Confidential Information confidential, use it only for the Engagement, protect it with at least reasonable care, and disclose it only to its personnel, subcontractors, insurers, auditors and professional advisers who need it for the Engagement or for related insurance, audit or professional advice, and who are bound by equivalent confidentiality obligations — for five years after the Engagement ends, and indefinitely for trade secrets and personal data.

7.2Clause 7.1 does not apply to information that: is or becomes public without breach of these Terms; was already lawfully held without duty of confidence; is independently developed without use of the discloser's information; or must be disclosed by law or a regulator (with notice to the other party where lawful).

7.3Neither party will input the other's Confidential Information into any AI System unless approved between the parties in writing and configured, so far as the applicable Provider Terms and available controls permit, so that inputs and outputs are not used for provider model training. If you require a mutual NDA before information is exchanged, we will sign one; it sits alongside these Terms.

7.4Clause 11.3 does not require deletion of copies lawfully retained under it; retained copies remain subject to this clause 7 for as long as they are held.

8. Data protection and security

8.1Each party will comply with Data Protection Legislation as it applies to that party. Whether we act as controller or as your processor depends on the factual processing described in the Quotation, SOW and (where applicable) the Annex, not on labels alone. We act as an independent controller of business-contact and engagement-administration data. Where the Services involve only incidental access to personal data on your systems, that data remains under your control and Part C is not engaged. Where the Quotation or SOW appoints us to process personal data on your behalf, or the factual work would involve such processing, Part C applies and that processing must not begin until the Annex is completed and signed by both parties.

8.2If either party becomes aware that the work is changing such that we would process personal data on your behalf outside any completed Annex, it will notify the other without delay; we will stop the affected work, which will not begin or resume until the Annex is completed or updated and signed. You must not give us special category data, criminal offence data or identity documents (passports, driving licences) unless the Annex expressly provides for it with agreed safeguards.

8.3We maintain proportionate security (including encrypted devices and MFA) and will notify you without undue delay, and in any event within 48 hours, of any actual or reasonably suspected security incident affecting your information, your systems, or any account or access credential you have issued to us. You remain responsible for the security of your own systems, tenancies, credentials and the access you grant us.

9. Warranties and remedies

9.1We warrant only that the Services will be performed with reasonable skill and care; all other implied warranties and conditions are excluded to the fullest extent the law allows. We do not warrant that: any AI Output is accurate, complete or fit for purpose; any AI System will remain accurate, available or unchanged after completion; the Services will achieve any particular business, compliance or security outcome; or any Deliverable is error-free.

9.2If the Services or a Deliverable do not conform to clause 9.1, you will notify us in writing, describing the non-conformity in reasonable detail, within 30 days of performance or delivery — or, where it was not reasonably discoverable in that period, within 30 days of when you became or ought reasonably to have become aware of it. On valid notice we will first re-perform the affected Services or correct the Deliverable at no additional charge within a reasonable time; if we fail, or re-performance is not reasonably possible, we will refund the Charges paid for the affected Services. Re-performance is your first remedy, not your only remedy: subject to that sequence and to clause 10, your other rights and remedies are preserved.

10. Liability

10.1Nothing in these Terms limits or excludes either party's liability for death or personal injury caused by negligence, for fraud or fraudulent misrepresentation, or for any other liability that cannot lawfully be limited or excluded.

10.2Subject to clause 10.1, neither party is liable for loss of profits, revenue, business, anticipated savings or goodwill, or for indirect or consequential loss. Subject to clause 10.1, we are not liable for loss or corruption of data except: (a) our obligation to take reasonable care of your data in our possession; and (b) where our breach causes loss or corruption of your data, the reasonable direct costs of restoring it from your most recent backup. You remain responsible for backups under clause 4.3; we are not liable to recreate data that cannot be restored because no adequate backup existed.

10.3Subject to clauses 10.1 and 10.2, our total aggregate liability arising out of or in connection with an Engagement (including all linked Quotations and SOWs treated as one Engagement under clause 2.1) shall not exceed the greater of 125% of the Charges paid or payable under that Engagement and £10,000 — save that our aggregate liability for breach of clause 7, clause 8 or Part C shall not exceed £250,000.

10.4We have no liability for any claim (other than under clause 10.1) unless you notify us of it in writing, with reasonable detail of the facts relied on, within 24 months of when you became, or ought reasonably to have become, aware of those facts; proceedings on a notified claim must be commenced within 12 months of that notice, disregarding any period spent in mediation under clause 14.1.

10.5Subject to clause 10.1, we have no liability for: acts, omissions, content, availability, model changes or interruptions of any Third-Party AI Provider; hallucinations or errors in AI Outputs; decisions you or your AI Systems make; loss to the extent it would have been avoided by the verification required by Part B; or your legal or regulatory non-compliance. Nothing in this clause excludes our liability, subject to clauses 9 and 10, for our own failure to exercise reasonable skill and care in performing the Services. The limits in this clause 10 reflect the Charges, the advisory nature of the Services and the parties' agreed allocation of risk, including your ability to insure against or mitigate the relevant losses.

10.6We shall maintain, for the duration of each Engagement and 12 months after its completion, professional indemnity insurance of not less than £1,000,000 per claim and cyber liability insurance appropriate to the Services, with reputable insurers, providing reasonable evidence of cover on written request. This clause is an obligation to maintain cover; it is not a representation as to the terms, exclusions or territorial scope of any policy.

11. Term, termination and status

11.1Either party may terminate an Engagement: (a) with immediate effect by written notice if the other commits an irremediable material breach or suffers an insolvency event (inability to pay debts as they fall due, administration, liquidation, receivership, a voluntary arrangement or any analogous step); or (b) for a remediable material breach, by written notice specifying the breach and requiring remedy within 14 days, followed by written notice of termination if it is not remedied within that period.

11.2You may terminate an Engagement for convenience on 14 days' written notice, paying: the Charges for work performed to the termination date; all fees for days or work expressly committed in the Quotation or SOW (including committed programme days and committed retainer fees), whether or not they fall within the notice period; and non-cancellable expenses reasonably incurred.

11.3On termination or expiry: you will revoke our access to your systems, and each party will return or securely delete the other's Confidential Information, except copies (a) in routine backups until overwritten in the ordinary cycle, (b) required for legal, regulatory, tax, accounting or insurance purposes or a legal hold, and (c) one archival copy evidencing the Engagement — all retained copies remaining subject to clause 7. On written request we will confirm in writing that, subject to those exceptions, we hold no further copies.

11.4The following survive termination or expiry: clauses 2, 4.2, 5 (in respect of accrued Charges), 6, 7, 8, 9.2 (for non-conformities validly notified), 10, 11.3, this clause 11.4, 13.6 to 13.8 and 14, together with paragraphs B1 to B5 and, where engaged, Part C to the extent its obligations continue after processing ends.

11.5We are an independent contractor responsible for our own tax; nothing creates employment, agency or partnership. We may provide a suitably qualified substitute with your consent (not to be unreasonably withheld).

12. Force majeure

12.1Neither party is liable for delay or failure caused by events beyond its reasonable control, including the failure, degradation or withdrawal of any Third-Party AI Provider's service, provided the affected party: notifies the other without undue delay, describing the event and its expected effect; uses reasonable endeavours to mitigate its impact and to identify reasonable alternative means of performance; and resumes performance promptly once the event ends. Throttling, rate limits and capacity constraints of Third-Party AI Providers are relief events (affected timelines extend and we are not in breach) but do not of themselves constitute force majeure.

12.2If a force majeure event continues for 60 days, either party may terminate the affected Engagement on written notice, paying for work performed; we will refund any Charges prepaid for work not performed at the termination date.

13. General

13.1Notices must be in writing, delivered by hand, pre-paid first-class post or email to the addresses in the Quotation (or as updated by notice), and are deemed received: by hand, on delivery; by post, on the second Business Day after posting; by email, at the time of sending if before 5pm on a Business Day and otherwise at 9am on the next Business Day, provided no delivery-failure message is received.

13.2Neither party will, during the Engagement and for six months after it ends, solicit the employment or engagement of the other's personnel who were materially involved in the Engagement. This does not prevent: general advertisements or recruitment campaigns not targeted at those personnel; responding to an unsolicited approach; or hiring discussions that began before the Engagement.

13.3Neither party will name the other as a client or supplier, or use the other's name, logo or marks in publicity, case studies, bids or marketing, without the other's prior written consent in each case.

13.4Each party will comply with Applicable Law in performing the Engagement, including the Bribery Act 2010 and the Modern Slavery Act 2015.

13.5Neither party may assign or transfer an Engagement without the other's prior written consent (not to be unreasonably withheld or delayed), except that we may assign to a successor to all or substantially all of our business on written notice. We may subcontract only with your prior written consent (not to be unreasonably withheld), remaining responsible for the subcontractor's work; Sub-processors are governed by paragraph C3.

13.6The documents listed in clause 1.4 are the entire agreement for the Engagement and supersede all prior proposals, correspondence and representations on its subject matter. Each party confirms it has not relied on, and waives claims for innocent or negligent misrepresentation based on, any statement not set out in those documents; nothing limits liability for fraudulent misrepresentation. Each individual accepting or signing for a party confirms they are authorised to bind it.

13.7Variations are governed by clauses 1.6 and 1.7. No delay or partial exercise of a right waives it; a waiver is effective only in writing. Rights and remedies are cumulative, not exclusive, except as expressly stated (including the clause 9.2 remedy sequence). An invalid provision is severed or modified to the minimum extent necessary and the remainder continues. No third party has rights under the Contracts (Rights of Third Parties) Act 1999.

13.8An Engagement, the Engagement Acceptance Form, the Annex and any variation may be executed electronically and in counterparts, each an original. Headings do not affect interpretation; "including" means "including without limitation"; "writing" includes email.

14. Disputes, law and jurisdiction

14.1Disputes escalate first to a principal or director of each party, who will attempt in good faith to resolve them within 14 days. Failing that, either party may refer the dispute to mediation under the CEDR Model Mediation Procedure by written notice; the parties share the mediator's and CEDR's fees equally and bear their own costs. If the dispute is not settled within 60 days of the mediation notice, or the other party refuses or fails to participate, either party may commence proceedings. Nothing in this clause prevents issuing proceedings to preserve a limitation period or the clause 10.4 period, seeking urgent injunctive relief, or recovering an undisputed debt.

14.2These Terms and each Engagement, including non-contractual disputes, are governed by the law of England and Wales, and the courts of England and Wales have exclusive jurisdiction.

Part B — AI Terms

B1.Nature of AI Output. AI Outputs are probabilistic and may be inaccurate, incomplete, outdated, biased or fabricated ("hallucinations") however plausible they appear. We make no representation as to the accuracy, reliability, legality or fitness of any AI Output, whether produced during the Services or by systems we configure or recommend, and accept no liability for hallucinations or other erroneous content generated by Third-Party AI Providers' systems. Nothing in this paragraph excludes our liability, subject to clauses 9 and 10, for our own failure to exercise reasonable skill and care in performing the Services.

B2.Human verification. You will ensure a suitably qualified person reviews any AI Output before it is relied on for a significant business, financial, security or compliance decision, provided to a third party or published, or used in any decision producing legal or similarly significant effects on an individual; other AI Outputs receive review proportionate to the risk of the use. You will maintain human oversight of automated decision-making where Data Protection Legislation requires it (UK GDPR Article 22 as amended by, or Articles 22A–22D as inserted by, the Data (Use and Access) Act 2025, as and when in force). We have no liability for loss to the extent it would have been avoided by the verification this paragraph requires.

B3.Providers and model changes. You contract directly with Third-Party AI Providers and accept the Provider Terms yourself; we are not a party to them and do not resell or guarantee their services. Providers may change, retrain or retire models, pricing (including promotional rates) and data-handling commitments at any time; our advice, validation results and configurations are accurate only as at the date given, for the model versions then available, and we have no duty to update them after delivery unless separately engaged.

B4.Training data and retention. We will not ourselves use your Confidential Information or personal data to train any AI model. Where the Quotation or SOW identifies the systems and controls selected, we will configure them so inputs and outputs are not used for provider model training, to the extent the applicable Provider Terms and available controls actually support that setting; we do not promise controls a provider does not offer or that have not been selected. AI Systems may retain conversation history, logs and caches on devices and provider infrastructure; retention, device management and deletion controls on your tenancy and endpoints are your responsibility.

B5.Prompts, skills and outputs. Prompts, agent instructions, skills and prompt libraries we develop are our Pre-Existing Materials, licensed to you under clause 6; prompts, skills and agent instructions authored by you or your personnel, and your business logic within any jointly developed material, are and remain yours. Where we adapt your material into templates, the adapted material is a Deliverable with our generic structure treated as Pre-Existing Materials, unless the Quotation or SOW states otherwise. As between us, AI Outputs generated in your own tenancy belong to you, subject to the Provider Terms and to the limits of applicable law — purely AI-generated content may have limited or uncertain copyright protection under current UK law, and we give no warranty that AI Outputs do not infringe third-party rights.

B6.Security limits. AI Systems carry evolving risks (prompt injection, data exfiltration via connected tools, jailbreaking, supply-chain compromise) that controls reduce but cannot eliminate. Security advice, assessments and configurations reflect good practice and threat knowledge as at the date given, describe the environment only as observed and in scope, are not penetration tests or certifications unless expressly stated, and are not a guarantee that any system is or will remain secure. Residual risk stays with you. Where the Quotation or SOW provides for Risk Acceptance Forms, risks you elect to carry after our written recommendation are recorded on a RAF signed by your named risk owner; otherwise our written recommendation and your written decision in correspondence suffice.

B7.Acceptance and handover. A Deliverable is accepted when you confirm in writing that it materially conforms to its description in the Quotation or SOW, or on the earlier of the 10th Business Day after delivery (if you have not by then notified a material non-conformity under clause 9.2) and your first productive use of it other than review or testing. From Acceptance of the final Deliverable (or completion of the Services if none are defined), operational responsibility for delivered AI systems — configuration, monitoring, spend, users, policy enforcement and provider relationships — rests with you, unless a support engagement is agreed.

Part C — Data Processing Terms

C1.When Part C applies. Part C applies only where the Quotation or SOW expressly appoints us to process personal data on your behalf as processor and the Annex has been completed and signed by both parties; it gives effect to Article 28(3) UK GDPR. Until then, Part C has no effect and we must not process personal data on your behalf (clauses 8.1 and 8.2). The parties' roles are determined by the factual processing described in the SOW and Annex, not by labels. When Part C applies, you are controller and we are processor of the personal data described in the Annex, and we will process it only for the purposes and duration the Annex states.

C2.Processor obligations. We will: process personal data only on your documented instructions (the Annex, the SOW and lawful written instructions under them) unless UK law requires otherwise — informing you first unless prohibited — and tell you if we consider an instruction infringes Data Protection Legislation; ensure persons authorised to process it are bound by confidentiality; implement the technical and organisational measures in the Annex (as a minimum: encrypted devices, MFA, least-privilege time-limited access, no copying of your personal data off your systems unless the Annex requires it, and no use of it in AI Systems except as approved under clause 7.3 with training disabled); taking account of the nature of the processing, assist you with data subject rights (including the complaints procedure under the Data (Use and Access) Act 2025) and your Articles 32–36 obligations, including cooperation with the Information Commissioner, at your reasonable cost except where the assistance arises from our breach; notify you without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting your personal data, describing — so far as then known, with updates as information becomes available — its nature, the categories and approximate numbers of data subjects and records, the likely consequences, the measures taken or proposed, and a contact point; at your choice delete or return the data at the end of processing and delete existing copies (subject to clause 11.3's retention exceptions), certifying deletion in writing on request; and make available information to demonstrate Article 28 compliance, answering reasonable questionnaires and permitting one audit per 12 months (more after a personal data breach) on 14 days' written notice, in business hours, at your cost, under confidentiality, excluding other clients' data and our unrelated proprietary materials.

C3.Sub-processors. You authorise the Sub-processors listed in the Annex and give general written authorisation for changes. We will give at least 14 days' written notice of any addition or replacement, stating the Sub-processor's name, service, processing location, the data involved and any transfer mechanism. You may object on reasonable data-protection grounds within that period; the parties will seek a reasonable alternative, and if none exists within a further 14 days, either party may terminate the affected Services on written notice and we will refund Charges prepaid for processing not performed. We remain fully liable for our Sub-processors and will impose terms no less protective than this Part C. For the avoidance of doubt, Third-Party AI Providers and platform vendors you contract in your own name (including Microsoft and Anthropic in respect of your own tenancy and model deployments) are your own providers, are not our Sub-processors, and are outside Part C.

C4.International transfers. We will not transfer your personal data outside the UK without your prior written authorisation and a lawful transfer mechanism (adequacy regulations, the ICO IDTA or UK Addendum, or the statutory data protection test). For these purposes a transfer includes making the data accessible from outside the UK, including through remote access, remote support, telemetry, logging or AI model routing; the transfer paths authorised are recorded in the Annex.

C5.Liability. Liability under Part C is subject to clause 10, including the £250,000 cap in clause 10.3. Nothing in Part C reduces either party's direct statutory liability to data subjects or the Information Commissioner, or affects the apportionment of compensation between controller and processor under Article 82 UK GDPR.

Part D — Version

These Terms are version 1.1, published February 2026 at richardham.co.uk/terms. The version in force at the date of your Quotation applies to your Engagement. Superseded versions are available on request.

Annex — Data Processing Particulars

Where Part C applies, the data processing particulars are completed as part of the relevant engagement documents and signed by both parties before processing begins. The completed annex is engagement-specific and is available on request as part of the contracting process.