These Terms & Conditions apply to all services provided by LSP Leadership Ltd (“we”, “us”, “our”) and form part of any Statement of Work (“SOW”) or written agreement entered into with a client (“Client”).
All contracts for the provision of services by LSP Leadership Ltd are formed subject to these Terms & Conditions, the relevant Statement of Work, and any agreed supporting documentation. No variation to these terms shall be effective unless agreed in writing by both parties. Any additional work outside the scope of an agreed SOW will be subject to separate written agreement.
We shall provide consultancy, coaching, training, and related professional services as set out in the applicable Statement of Work.
We shall use reasonable skill and care in the delivery of services in accordance with the Statement of Work and accepted professional standards.
Unless otherwise agreed, one invoice will be issued per engagement or intervention. Requests for additional invoicing may incur an administrative charge.
We may engage approved subcontractors to support delivery. All subcontractors are subject to due diligence, confidentiality obligations, and contractual controls proportionate to the services provided.
Reasonable pre‑agreed expenses incurred in connection with service delivery (including travel and accommodation) shall be payable by the Client.
Each party shall keep confidential all non‑public information disclosed in connection with the engagement and shall not disclose it except as required by law or with prior written consent. This obligation survives termination.
Each party retains ownership of intellectual property it owned prior to the engagement. All intellectual property created by LSP Leadership Ltd in the course of providing the services remains our property. We grant the Client a non‑exclusive, non‑transferable licence to use such materials solely for internal purposes related to the engagement, unless otherwise agreed in writing.
We maintain proportionate technical and organisational measures to protect information, including certification to Cyber Essentials Plus and Cyber Assurance Level 2.
Each party shall comply with applicable data protection law.
The parties acknowledge that their respective roles under UK GDPR (controller, processor, or otherwise) shall depend on the nature of the services and will be as set out in the Statement of Work or agreed in writing. Personal data will be processed only for the purposes of delivering the services and in accordance with our Privacy Policy. Data retention will follow applicable legal, regulatory, and contractual requirements.
We may refer to the Client by name and logo in client lists. Case studies or detailed descriptions will only be published with prior written consent.
The Client agrees not to solicit or employ our staff or associate consultants during the engagement and for 12 months thereafter without prior written consent.
Either party may terminate the agreement with 28 calendar days’ written notice. Fees for services scheduled or delivered during the notice period remain payable in accordance with the SOW.
Our total liability arising out of or in connection with the services shall be limited to the fees paid under the relevant Statement of Work. Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud, or any liability which cannot be excluded under law.
The parties shall seek in good faith to resolve disputes through discussion and, where appropriate, mediation before commencing legal proceedings.
Neither party shall be liable for failure to perform due to events beyond its reasonable control. This does not relieve the Client of payment obligations for services already provided.
These Terms, together with the Statement of Work and any agreed appendices, constitute the entire agreement between the parties.
This agreement is governed by the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction.
Personal Data
Upon successful award of the contract and depending on the nature and purpose of personal data, LSP Leadership can undertake a Data Protection Impact Assessment (DPIA) as required.
It is important to note that LSP Leadership only utilises public cloud offerings from Microsoft. Apart from desktop and laptop computers, no physical infrastructure or private data centres are utilised in the provision of IT Services. All staff work from home locations on individual company machines, so a network diagram would not assist in any further understanding of this very basic setup.
LSP utilise several layers of control to protect their data assets, using the built-in controls from Microsoft 365 and third-party tools.
Access Control: All users have their own individually unique login to any systems they use, and all users have MFA enabled, along with conditional access for access to only known locations of devices.
Security Monitoring: Audit logs are kept for 90 days from the M365 environment and are automatically reviewed to raise incidents for escalation. Such incidents may include events for escalation such as:
LSP also operates all company devices on a zero trust principle with MDR. Unless something is explicitly allowed to run, a default deny is in place. This is also backed up with a 24/7 service where any IOCs are reported by phone for escalation, and machines can be locked down remotely.
All company machines are remotely monitored and managed for the deployment of security updates and, as stipulated by their holding of Cyber Essentials Plus, any high and critical severity updates (those with a CVSS score of 7.0 or more) are deployed within 14 days.
All data is encrypted in transit and at rest within the Microsoft 365 public cloud environment, with individual company machines also having encrypted local hard drives, using native manufacturers' methods, namely BitLocker or FileVault.
All data is stored in our Microsoft public cloud environment. For details of the Microsoft 365 encryption standards, please see https://learn.microsoft.com/en-us/purview/encryption
The Microsoft data centres used are the UK, Dublin and Amsterdam for data storage and processing.
Data held within our Microsoft environment is segregated on the principle of ‘least privilege’, meaning that only those requiring access to the data for their work will be granted access. No one within the environment operates with administrative privileges.
LSP Leadership's Microsoft 365 environment is hardened beyond its default state with:
LSP Leadership have an automated patch deployment system, and we are certified to Cyber Essentials Plus. Any high and critical severity updates (those with a CVSS score of 7.0 or more) are deployed within 14 days.
LSP Leadership also subscribe to an MDR service backed by a 24/7 SOC that proactively monitors logs, looking for IOCs as part of our IPS and IDS services from the Microsoft Environment and local devices.
No private systems are utilised that would require penetration testing; only public cloud services are used. As part of our Cyber Essentials Plus we have a yearly audited vulnerability scan of local systems, and a quarterly scan to identify any vulnerabilities on an ongoing basis.
The logging across LSP Leadership's Digital Environment includes the collection of logs for automatic processing from company devices and its Microsoft 365 environment.
These logs are analysed for IOCs 24/7/365 by our SOC who also call us on a 24/7 basis to alert us to them and assist if required in locking down devices or accounts.
This policy has been approved & authorised by:
Name: Sharon Warner
Position: Group Finance & Operations Manager
Date: 23/04/26
Date of last review: 06/05/26