Subscription Agreement
1. Definitions
In this Agreement:
- "Service" means the Snubnose platform, including the web application at app.snubnose.io, associated APIs, and related tools and documentation.
- "Customer" means the organisation that has registered for the Service and entered into this Agreement. A Customer may be a Supplier or an Assessor Organisation (see below).
- "Supplier" means a Customer using the Service for its own compliance and certification purposes, including DefStan 05-138, Cyber Essentials, and DCC assessments.
- "Assessor Organisation" means a DCC certifying body or assessor that uses the Service to review and assess Supplier data, and which may also use the Service for its own compliance purposes. Assessor Organisations are not charged for use of the Service.
- "Assessor" means an individual User acting on behalf of an Assessor Organisation.
- "User" means any individual granted access to the Service by the Customer, including employees, contractors, advisors, and Assessors.
- "Data" means all information, documents, and materials provided by or on behalf of the Customer, including organisation details, cybersecurity control assessments, evidence documents, scope assessments, audit reviews, and certification records.
- "AI Features" means the automated functionality within the Service that uses third-party artificial intelligence to analyse Data, including evidence validation and control applicability assessment.
- "Confidential Information" means non-public information disclosed by one party to the other, marked as confidential or reasonably understood to be confidential.
- "UK Data Protection Laws" means the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Data (Use and Access) Act 2025 (DUAA), each as amended from time to time.
2. Service Description and Scope
2.1 Overview
Snubnose is a compliance management platform designed to assist UK defence suppliers in pursuing DefStan 05-138 certification and associated cybersecurity requirements, including Cyber Essentials and Defence Cyber Collection (DCC) assessments.
2.2 Core Features
The Service provides:
- Automated evidence collection and organisation
- Cybersecurity control management and tracking
- Scoping assessment tools
- AI-assisted validation of evidence and control applicability
- Audit review and certification record management
- Role-based access and team collaboration
2.3 No Warranty of Certification
Snubnose is a management and assessment tool. The Service does not guarantee, represent, or warrant that use of the Service will result in any certification, compliance approval, or successful completion of regulatory processes. The Customer remains solely responsible for compliance with all applicable legal, regulatory, and contractual obligations.
3. Subscription Plans and Fees
3.1 Subscription Plans
Snubnose offers multiple subscription tiers including a free tier ("Free Plan") and paid subscription plans ("Paid Plans"). The Free Plan is available to organisations pursuing Level 0 DCC certification only and provides limited access to core platform features. Assessor Organisations are not charged for use of the Service under any plan (see Section 4.4). Paid Plans provide full access to the Service, including AI-assisted features, and are priced based on the Customer's organisational footprint (including factors such as number of locations, employees, and scope complexity). Current plan details and pricing are available at app.snubnose.io/pricing or as quoted by Snubnose.
3.2 Billing
Paid Plans are available on a monthly or annual billing cycle, as selected by the Customer at the time of subscription. Annual subscriptions are billed in advance for the full subscription year. Monthly subscriptions are billed in advance each month.
3.3 Payment Terms
All fees are quoted in GBP and are exclusive of VAT, which shall be added where applicable. Payment is due within 14 days of invoice unless otherwise agreed. Snubnose reserves the right to suspend access to the Service if payment is more than 30 days overdue.
3.4 Price Changes
Snubnose may adjust subscription fees upon renewal by providing at least 45 days' written notice before the start of the next billing period. If the Customer does not accept the revised fees, the Customer may terminate before the new billing period takes effect without penalty.
3.5 Refunds
Fees paid are non-refundable except where required by applicable law. If Snubnose terminates the agreement for reasons other than Customer breach, Snubnose shall refund any prepaid fees for the unused portion of the subscription term on a pro rata basis.
3.6 Free Plan Limitations
The Free Plan is provided "as is" with no service level commitments. Snubnose may modify, restrict, or discontinue the Free Plan at any time with 30 days' notice. Users on the Free Plan are subject to all other provisions of this Agreement.
3.7 Upgrades and Downgrades
The Customer may upgrade or downgrade their subscription plan at any time. Upgrades take effect immediately and are billed on a pro rata basis. Downgrades take effect at the start of the next billing period. Downgrading from a Paid Plan to the Free Plan is only available where the Customer meets Free Plan eligibility criteria.
3.8 Taxes
The Customer is responsible for all applicable taxes, levies, and duties imposed by taxing authorities. Where Snubnose is required to collect taxes, they will be added to the invoice.
4. Account Registration and User Responsibilities
4.1 Account Registration
To use the Service, the Customer must:
- Be a UK organisation legally able to enter into binding contracts
- Designate one or more authorised representatives as account administrators
- Provide accurate, current, and complete registration information
4.2 Account Security
The Customer is responsible for:
- Maintaining the confidentiality of all account access credentials
- Controlling authorised User access and account management
- Notifying Snubnose immediately of any unauthorised access or suspected security breaches
- Ensuring Users comply with this Agreement
4.3 User Roles and Permissions
Users are granted access based on assigned roles:
- Superadmin — full platform access and organisation management
- Auditor — review and assessment capabilities
- User — standard platform access for control and evidence management
Snubnose reserves the right to update or modify role definitions and available permissions.
4.4 Assessor Access
Assessor Organisations access the Service under the following terms:
- Invitation by Supplier. Assessors gain access to a Supplier's workspace only when invited by that Supplier. The Supplier controls whether to grant, restrict, or revoke Assessor access at any time.
- Own Organisation. Assessor Organisations may also register their own organisation on the platform and use the Service for their own DCC certification evidence preparation. When doing so, they are treated as a Supplier for the purposes of that organisation's data.
- No Fees. Assessor Organisations are not charged subscription fees for use of the Service, whether for assessment of Suppliers or for their own compliance purposes.
- Introduction by Snubnose. Snubnose may facilitate introductions between Suppliers and Assessor Organisations (on or off the platform), but the decision to grant an Assessor access to a Supplier's workspace remains solely with the Supplier.
- Data Responsibility. When an Assessor accesses a Supplier's data, the Supplier remains the data controller for that data. The Assessor shall treat all Supplier data accessed through the platform as confidential and shall not use it for any purpose other than conducting the relevant DCC assessment or certification review.
- Acceptance of Terms. By accessing the Service, Assessor Organisations and their individual Assessors agree to be bound by this Agreement. Assessor Organisations are "Customers" for the purposes of all applicable provisions (including acceptable use, confidentiality, and data protection), except those relating to subscription fees and billing.
4.5 Multiple Organisations
Customers may register multiple organisations under separate accounts. A single User may have access to their own organisation's workspace and, if invited, to other organisations' workspaces (for example, an Assessor accessing Supplier workspaces). The Customer is responsible for maintaining separate access controls and ensuring Users access only authorised organisations.
5. Acceptable Use
5.1 Lawful Use
The Customer and Users shall not:
- Use the Service for any unlawful purpose or in violation of any applicable laws
- Attempt to gain unauthorised access to the Service, systems, or Data
- Interfere with or disrupt the Service, networks, or infrastructure
- Introduce malware, viruses, or other harmful code
- Attempt to reverse-engineer, decompile, or access the source code of the Service
- Conduct automated access (including scraping or bots) without explicit written permission
- Reproduce, duplicate, or redistribute the Service or its functionality
- Use the Service for competitive intelligence or analysis of Snubnose's technology
5.2 Data Integrity
The Customer shall ensure that Data:
- Is accurate, complete, and lawfully obtained
- Does not infringe third-party intellectual property or privacy rights
- Complies with all applicable data protection and employment laws
- Does not contain malware or other harmful content
5.3 Misuse
Snubnose may suspend or terminate access if it reasonably believes the Service is being used in breach of this Agreement or applicable law.
6. Customer Data and Ownership
6.1 Data Ownership
The Customer retains all right, title, and interest in the Data. Snubnose acquires no ownership or intellectual property rights in the Data.
6.2 Licence Grant
By providing Data to Snubnose, the Customer grants Snubnose a limited, non-exclusive licence to:
- Host, store, and process the Data to provide the Service
- Create backups and redundant copies for disaster recovery and security
- Analyse Data using AI Features to generate assessments and insights
- Generate aggregated, anonymised analytics about Service usage (without identifying the Customer or specific Data)
This licence is limited to the purposes of providing the Service and does not extend to commercial use or sale of Data or insights derived from Data.
6.3 Data Access
Snubnose may access Data only to:
- Provide the Service and support
- Debug technical issues
- Ensure security and prevent fraud
- Comply with legal obligations
- Respond to lawful requests
Snubnose will request written approval before accessing Data for any purpose beyond these.
6.4 Sub-processing
Snubnose uses the following sub-processors to handle Data:
- Fly.io — application hosting and managed PostgreSQL database (London, UK)
- Tigris (via Fly.io) — S3-compatible file storage for evidence documents
- Anthropic — AI processing for evidence validation and control analysis via the Claude API
- Resend — transactional email delivery
- Google — OAuth authentication and address autocomplete (Google Places API)
- Microsoft — OAuth authentication (via Azure AD / Entra ID)
Full details of sub-processors and the data they process are set out in the Data Processing Agreement (Annex B) and the Privacy Policy. The Customer is deemed to have accepted these sub-processors on execution of this Agreement. Snubnose will provide at least 30 days' notice of any material changes to sub-processors.
7. Intellectual Property
7.1 Snubnose IP
Snubnose retains all right, title, and interest in:
- The Service, including all software, code, functionality, design, and user interfaces
- Documentation, templates, and guidance materials
- Improvements, modifications, and derivative works created by Snubnose
- Pre-existing intellectual property incorporated into the Service
- Feedback and suggestions provided by the Customer
7.2 Limited Licence
Snubnose grants the Customer a limited, non-exclusive, non-transferable licence to access and use the Service during the term, solely for the Customer's internal compliance and certification purposes.
7.3 Restrictions
The Customer shall not:
- License, sublicense, sell, resell, rent, or lend the Service
- Create derivative works based on the Service
- Use any trademark, logo, or branding of Snubnose without written permission
7.4 Feedback
Any feedback, comments, or suggestions provided by the Customer regarding the Service may be used by Snubnose without obligation or attribution.
8. AI-Assisted Features Disclosure
8.1 Third-Party AI Processing
The Service includes AI Features that use third-party artificial intelligence, specifically Anthropic's Claude API, to:
- Validate evidence against control requirements
- Assess control applicability and scoping
- Generate recommendations and analysis
8.2 Data Residency and Transmission
All Customer Data is stored in the United Kingdom (Fly.io London region). No Customer Data is permanently stored outside the UK.
When using AI Features, relevant portions of the Customer's Data are transmitted to Anthropic's systems in the United States for real-time processing only. This transmission is transient: data is sent, processed, and the response returned within a single API request. No Customer Data is retained by Anthropic beyond the duration of that request (see Section 8.3).
The Customer may opt out of AI Features entirely (see Section 8.4), in which case no Data is transmitted outside the UK.
8.3 Anthropic's Data Handling
Snubnose has enrolled in Anthropic's Zero Data Retention (ZDR) programme. Under this arrangement:
- Anthropic does not retain any Customer Data submitted via the API beyond the duration of each individual request
- Customer Data is not stored, logged, cached, or used by Anthropic for model training, improvement, or any other purpose
- A Data Processing Agreement incorporating Standard Contractual Clauses has been executed between Snubnose and Anthropic
- Data is transmitted to US infrastructure for real-time processing only — no Customer Data is stored at rest in the United States
- Snubnose's enrolment in the ZDR programme may be verified by the Customer upon reasonable written request
8.4 Opting Out
The Customer may disable AI Features at any time by submitting a written request to legal@snubnose.io. Snubnose shall process the request and disable AI Features for the Customer's account within 5 business days of receiving the request. AI Features are not required for the core functionality of the Service, and the platform remains fully operational without them; however, certain assistive features (such as automated evidence validation and control applicability assessment) will be unavailable. Snubnose intends to provide a self-service toggle within the platform to allow Customers to enable or disable AI Features directly.
8.5 Accuracy and Limitations
AI Features provide analysis and recommendations only. The Customer remains solely responsible for:
- Verifying all assessments and recommendations
- Making final compliance and certification decisions
- Ensuring Data accuracy and completeness
- Obtaining independent expert advice where appropriate
8.6 Export Controls
The Customer acknowledges that Data provided to the Service may include information relevant to UK export control legislation, including the Export Control Order 2008 and the Trade and Investment Act 2021. The Customer is solely responsible for:
- Determining whether any Data constitutes controlled goods, technology, or information under applicable export control laws
- Obtaining any necessary export licences or authorisations from the Foreign, Commonwealth & Development Office (FCDO) or other relevant authority before providing such Data to the Service
- Ensuring that the transmission of Data to third-party sub-processors (including Anthropic in the United States) complies with all applicable export control requirements
Snubnose shall cooperate with the Customer in meeting export control obligations upon reasonable written request. The Customer may opt out of AI Features (see Section 8.4) to ensure that no Data is transmitted outside the United Kingdom.
9. Insurance and Certifications
9.1 Insurance
Snubnose maintains cyber liability insurance with a reputable insurer, providing coverage for event management, data protection investigations, data protection fines (where legally payable), liability, and business interruption. Details of current coverage levels are available to the Customer upon reasonable written request.
9.2 Security Certifications
Snubnose holds current Cyber Essentials certification and is pursuing Cyber Essentials Plus certification. Snubnose shall use reasonable efforts to maintain its Cyber Essentials certification (or equivalent) throughout the Subscription Term. Evidence of current certification is available upon request.
9.3 Certification Roadmap
Snubnose shall notify the Customer of any material changes to its security certifications, including lapses, revocations, or upgrades. Should Snubnose fail to maintain Cyber Essentials certification, the Customer may request a remediation plan within 30 days or terminate without penalty.
10. Confidentiality
10.1 Mutual Obligations
Each party shall:
- Maintain Confidential Information in strict confidence
- Limit access to employees, contractors, and advisors with a need to know
- Protect Confidential Information using reasonable security measures
- Not disclose Confidential Information without prior written consent (except as required by law)
10.2 Exceptions
Confidential Information does not include information that:
- Is or becomes publicly available through no breach by the receiving party
- Is independently developed without reference to the Confidential Information
- Is lawfully received from a third party without confidentiality obligations
- Must be disclosed to comply with applicable law or court order (with prompt notice where permitted)
10.3 Data Protection
Data shall be treated as Confidential Information. Snubnose's handling of Data is further governed by the Data Processing Agreement, the Privacy Policy, and UK Data Protection Laws.
11. Service Availability
11.1 Reasonable Efforts
Snubnose will use reasonable efforts to maintain Service availability and performance. However, Snubnose does not guarantee uninterrupted or error-free service.
11.2 Uptime Commitment
Snubnose commits to maintaining Service availability of at least 99.9% per calendar month ("Uptime Commitment"), measured as the percentage of total minutes in the month during which the Service is available and materially functional.
11.3 Uptime Exclusions
The Uptime Commitment excludes downtime caused by:
- Scheduled maintenance notified at least 48 hours in advance
- Force Majeure events (see Section 18)
- Issues caused by the Customer's systems, network, or equipment
- Third-party services outside Snubnose's reasonable control
- Actions or omissions of the Customer or its Users
11.4 Service Credits
If Snubnose fails to meet the Uptime Commitment in any calendar month, the Customer may request a service credit as follows:
- 99.0% to 99.9% availability: 5% of the monthly subscription fee
- 95.0% to 99.0% availability: 10% of the monthly subscription fee
- Below 95.0% availability: 25% of the monthly subscription fee
Service credits must be requested in writing within 30 days of the affected month. Credits are applied against future invoices and do not entitle the Customer to a cash refund. Service credits are the Customer's sole and exclusive remedy for failure to meet the Uptime Commitment.
11.5 Uptime Reporting
Snubnose shall make uptime performance data available to the Customer upon reasonable request.
11.6 Scheduled Maintenance
Snubnose may conduct scheduled maintenance and updates with at least 48 hours' notice. Maintenance may cause temporary service interruptions. Scheduled maintenance windows do not count against the Uptime Commitment.
11.7 Service Interruptions
Snubnose is not liable for:
- Unavailability due to scheduled maintenance or necessary updates
- Service interruptions due to issues beyond Snubnose's reasonable control
- Loss of access or functionality due to technical issues, bugs, or infrastructure failures
Subject to the service credit provisions in Section 11.4, the Customer's sole remedy for Service unavailability is as set out in this Section 11.
11.8 Disaster Recovery
Snubnose maintains disaster recovery and business continuity measures including:
- Automated daily backups to prevent data loss
- Redundancy across infrastructure components
- Security monitoring and incident response procedures
- A target Recovery Time Objective (RTO) of 4 hours — the maximum time to restore Service availability following a major incident
- A target Recovery Point Objective (RPO) of 1 hour — the maximum period of data loss in the event of a major incident
RTO and RPO targets represent reasonable endeavours and are not guaranteed in all circumstances. Snubnose shall notify the Customer without undue delay of any incident that is likely to exceed these targets.
12. Limitation of Liability
12.1 Exclusions
To the maximum extent permitted by UK law, neither party shall be liable for:
- Indirect, incidental, special, or consequential damages
- Lost profits, revenue, business opportunity, or anticipated savings
- Damage to reputation or goodwill
- Loss of or corruption of Data
- Costs of substitute services
This exclusion applies even if a party has been advised of the possibility of such damages.
12.2 Liability Cap
Except for breaches of confidentiality, indemnification obligations, or claims arising from a party's fraud or gross negligence, each party's total liability under this Agreement shall not exceed the greater of: (a) the fees paid by the Customer in the 24 months preceding the claim; or (b) £25,000.
12.3 Data Loss Liability
Snubnose shall not be liable for any loss or corruption of Data, except where such loss results directly from Snubnose's gross negligence or wilful misconduct. The Customer is responsible for maintaining independent backups of all Data.
12.4 AI Features Liability
Snubnose's liability for errors, inaccuracies, or failures of AI Features is limited as described in Section 12.2. The Customer acknowledges that AI-generated analysis may be incorrect and shall not rely solely on AI assessments without independent verification.
13. Indemnification
13.1 Customer Indemnification
The Customer shall indemnify, defend, and hold harmless Snubnose from any claims, damages, losses, or expenses (including reasonable legal fees) arising from:
- The Customer's breach of this Agreement
- The Customer's use of the Service in violation of applicable law
- Data provided by the Customer that infringes third-party rights or violates law
- A User's misuse of the Service or breach of this Agreement
- Claims by third parties related to the Customer's Data or use of the Service
13.2 Snubnose Indemnification
Snubnose shall indemnify, defend, and hold harmless the Customer from claims that the Service, as provided by Snubnose, infringes a third party's intellectual property rights, provided the Customer:
- Promptly notifies Snubnose of the claim
- Grants Snubnose sole control of the defence and settlement
- Provides reasonable cooperation
13.3 Indemnification Conditions
Indemnification obligations are conditioned on the indemnified party mitigating damages and not settling claims without the indemnifying party's consent.
14. Term and Termination
14.1 Term
The initial subscription term ("Initial Term") commences on the date of account activation and continues for the period corresponding to the Customer's selected billing cycle (monthly or annual). Thereafter, the subscription automatically renews for successive periods of equivalent length ("Renewal Terms") unless either party provides written notice of non-renewal at least 30 days before the end of the then-current term. The Initial Term and all Renewal Terms together constitute the "Subscription Term".
14.2 Termination for Cause
Snubnose may terminate access immediately if:
- The Customer breaches a material provision of this Agreement and does not cure within 14 days of written notice
- The Customer or a User engages in unlawful activity or poses a security risk
- The Customer's account is used for purposes that violate this Agreement or applicable law
14.3 Termination for Non-Payment
Snubnose may suspend or terminate the Customer's access if fees remain unpaid for more than 30 days after written notice of non-payment.
14.4 Termination for Convenience
The Customer may terminate a Paid Plan at any time by providing notice through their account settings or in writing. Termination takes effect at the end of the then-current billing period. No refund is provided for the remaining portion of a billing period already paid.
14.5 Effect of Termination
Upon termination or expiry of the Subscription Term:
- (a) The Customer's access to the Service ceases at the end of the then-current billing period (or immediately in the case of termination for cause)
- (b) The Customer may export Data during a 30-day grace period following termination
- (c) Snubnose shall delete the Customer's Data within 90 days of termination, unless retention is required by law or the Customer requests earlier deletion
- (d) Sections 6 (Ownership), 7 (IP), 10 (Confidentiality), 12 (Limitation of Liability), 13 (Indemnification), and 17 (Governing Law) survive termination
15. Data Portability and Deletion
15.1 Data Export
Upon request and during the Subscription Term, the Customer may export Data in standard formats (CSV, JSON, or similar).
15.2 Data Deletion on Termination
Within 30 days of termination, the Customer may request that Snubnose delete all Data. Snubnose shall use reasonable efforts to securely delete Data, although some residual copies may remain in backup systems for a limited period.
15.3 Legal Holds
Notwithstanding Section 15.2, Snubnose may retain Data to the extent required by applicable law, legal process, or to enforce this Agreement.
15.4 Anonymisation
Snubnose may retain anonymised or aggregated Data after deletion for analytical and service improvement purposes.
16. Modifications to Terms
16.1 Right to Modify
Snubnose may modify this Agreement at any time by posting updated terms on the Service or via email notification.
16.2 Notice and Effect
Snubnose will provide at least 30 days' notice of material changes. If the Customer does not accept modifications, the Customer may terminate within the notice period without penalty.
16.3 Continued Use
Continued use of the Service after the effective date of modifications constitutes acceptance of updated terms.
17. Governing Law and Dispute Resolution
17.1 Governing Law
This Agreement is governed by and construed in accordance with the laws of England and Wales, without regard to conflicts of law principles.
17.2 Jurisdiction
Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales for any dispute arising from or relating to this Agreement.
17.3 Dispute Resolution
Before initiating legal proceedings, the parties shall attempt to resolve disputes through good faith negotiation. If negotiation fails, either party may commence proceedings in accordance with Section 17.2.
17.4 Alternative Dispute Resolution
The parties may mutually agree to submit disputes to mediation or arbitration under English law.
18. Force Majeure
18.1 Definition
Force Majeure includes events beyond reasonable control, including acts of God, natural disasters, war, terrorism, pandemics, government action, and telecommunications or utility failures.
18.2 Effect
A party shall not be liable for failure to perform obligations due to Force Majeure events, provided the party:
- Promptly notifies the other party
- Uses reasonable efforts to resume performance
- Does not unreasonably delay in mitigating effects
18.3 Termination Right
If a Force Majeure event prevents performance for more than 60 days, the non-affected party may terminate without liability.
19. General Provisions
19.1 Severability
If any provision of this Agreement is held invalid or unenforceable, that provision shall be severed, and the remaining provisions shall continue in full force.
19.2 Waiver
No waiver of any provision or breach shall constitute a waiver of any other provision or breach. Failure to enforce a right does not constitute waiver of that right.
19.3 Entire Agreement
This Agreement, together with the Privacy Policy, the Data Processing Agreement, and any separate service agreement, constitutes the entire agreement regarding the Service and supersedes all prior agreements, understandings, and negotiations.
19.4 Assignment
The Customer may not assign this Agreement without Snubnose's written consent. Snubnose may assign this Agreement to a successor or affiliate with notice to the Customer. Permitted assignments do not relieve a party of its obligations.
19.5 Notices
Notices shall be sent to the addresses specified in the Customer's account or to the email addresses provided:
- Snubnose: legal@snubnose.io
- Customer: address on file with Snubnose
19.6 Counterparts
This Agreement may be executed in counterparts, each constituting an original and all together constituting one agreement.
19.7 Third-Party Beneficiaries
This Agreement does not create rights in third parties.
20. Contact Information
For questions regarding this Agreement, please contact:
Snubnose Ltd
Company number: 17048932
Registered in England & Wales
Email: legal@snubnose.io
Website: snubnose.io
For data protection and privacy matters, please contact privacy@snubnose.io or see our Privacy Policy.