HomeTerms & Conditions

Terms & Conditions

The terms governing your use of the EIC Limited website and engagement of our professional cybersecurity and compliance services.

Effective: 1 January 2025Version: 2.0

1. Agreement to These Terms

By accessing or using the EIC Limited website at www.eicsecure.com (the “Website”), or by engaging EIC Limited (“EIC”, “we”, “us”, or “our”) to perform any cybersecurity or compliance services, you confirm that you have read, understood, and agree to be bound by these Terms & Conditions (“Terms”) and our Privacy Policy.

If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity to these Terms. If you do not have that authority, or do not agree to these Terms, you must not access the Website or engage our services.

These Terms apply to all visitors to the Website and to all clients who engage EIC for professional services. For professional services engagements, these Terms are supplemented by — and in the event of conflict, superseded by — the specific terms of the signed engagement letter or statement of work (SOW) between EIC and the client.

Engagement letters take precedence: Where a signed engagement letter or statement of work exists between EIC and a client, the specific terms of that agreement govern the engagement. These Terms apply to matters not addressed in the engagement letter and to website use in all cases.


2. Our Services

EIC Limited provides cybersecurity and compliance consultancy services to organisations operating in Bangladesh, Singapore, Malaysia, Vietnam, Philippines, Bahrain, and Nepal. Our services include, but are not limited to:

EIC Limited professional services
ServiceTypeDescription
PCI DSS ComplianceQSA RequiredFull PCI DSS v4.0 assessment by a PCI SSC-listed QSA organisation. AI-accelerated scoping via CardIntel cuts assessment time by 30–40%.
SWIFT CSP AssessmentMandatoryMandatory compliance assessment for all SWIFT-connected financial institutions. 7-step methodology. EIC is an authorised SWIFT CSP assessor.
ISO 27001 CertificationISOEnd-to-end ISMS design, implementation, and certification support. Complio platform automates evidence collection and board reporting.
ISO 22301 BCMSISOBusiness continuity management system design and certification. Prove your organisation can operate through disruption.
Penetration TestingCRESTCREST-accredited VAPT: web, network, mobile, cloud, and red team engagements.
SOC ServicesManaged24/7 security operations centre. SIEM implementation, incident response, and threat intel.
IT AuditAdvisoryDetailed assessment of your IT controls, infrastructure, and operational processes against industry best practices.
Vulnerability ManagementCRESTAutomated vulnerability scanning and expert remediation guidance to keep your infrastructure secure 24/7.
CMMI AppraisalAuthorisedCapability maturity model integration appraisals. Demonstrate process maturity to regulators, clients, and partners.

Service delivery is subject to a signed engagement letter or statement of work that defines the specific scope, deliverables, timeline, fees, and acceptance criteria for each engagement. EIC reserves the right to decline to provide services at its discretion.

All assessments and certifications delivered by EIC are based on the standards and requirements in force at the time of the engagement. EIC is not responsible for changes to standards, regulatory requirements, or accreditation body guidance that occur after the completion of an engagement. Clients are advised to engage EIC for annual re-assessments to maintain current compliance posture.


3. Client Obligations

To enable EIC to deliver services effectively and on schedule, clients agree to the following obligations:

3.1 Cooperation and Access

  • Provide EIC’s team with timely access to personnel, systems, environments, documentation, and facilities required to perform the agreed services.
  • Designate a named client contact who is authorised to make decisions and escalate issues on behalf of the client organisation.
  • Respond to EIC’s requests for information, approvals, and sign-offs within the timeframes specified in the engagement letter. Delays caused by the client may affect the project timeline and may result in additional fees.
  • Ensure that any third-party systems, vendors, or cloud platforms in scope for the engagement are made available to EIC within agreed timelines.

3.2 Accurate Information

  • Provide complete, accurate, and current information about systems, processes, network architecture, and data flows relevant to the engagement scope.
  • Disclose all known vulnerabilities, prior audit findings, regulatory notices, and compliance gaps that may be relevant to the scope of services.
  • Notify EIC promptly of any material changes to the in-scope environment during the course of the engagement.

3.3 Authorisations

  • Obtain all necessary internal approvals, board authorisations, and third-party consents required to authorise EIC’s access to systems and data for the purposes of the engagement — including written authorisation for penetration testing activities.
  • For penetration testing engagements, the client must provide a signed Rules of Engagement (RoE) document before testing commences. EIC will not commence testing without written authorisation. Clients are responsible for ensuring that authorisation covers all systems in scope, including third-party-hosted infrastructure.
  • Ensure that all applicable regulatory notifications required prior to assessment commencement have been made (e.g., notifications to Bangladesh Bank, MAS, or BNM as required by applicable law).

3.4 Compliance with Laws

Clients are responsible for their own compliance with all applicable laws and regulations in their jurisdiction. EIC’s services assist clients in working towards compliance with specific standards and frameworks — they do not constitute legal advice and do not guarantee regulatory approval, certification, or the absence of future audit findings. Clients should seek independent legal counsel for regulatory compliance matters.

Penetration testing authorisation: Unauthorised penetration testing of third-party systems is illegal in all seven jurisdictions in which EIC operates. The client is solely responsible for ensuring that all systems included in a penetration testing scope are owned by or operated with the authorisation of the client. EIC accepts no liability for client-caused scope errors.


4. Fees and Payment

4.1 Fee Structure

Fees for EIC’s professional services are set out in the engagement letter or statement of work and are denominated in the currency agreed between the parties (typically USD or BDT for Bangladesh-based engagements). All fees are exclusive of applicable taxes, including Value Added Tax (VAT), Supplementary Duty, and withholding taxes where applicable.

4.2 Payment Terms

  • Invoicing: EIC invoices clients at the milestones or intervals specified in the engagement letter. Standard payment terms are net 30 days from invoice date unless otherwise agreed in writing.
  • Advance payment: For new clients and engagements above a specified value (as noted in the engagement letter), EIC may require an advance payment of up to 50% of the total engagement fee before commencement.
  • Late payment: Invoices unpaid beyond the due date accrue interest at 2% per month (or the maximum rate permitted by Bangladesh law, whichever is lower) from the due date until full payment is received. EIC reserves the right to suspend services for accounts more than 30 days overdue.
  • Disputed invoices: If a client disputes any portion of an invoice, they must notify EIC in writing within 10 business days of the invoice date, specifying the basis of the dispute. Undisputed portions of an invoice remain payable on the original due date.

4.3 Expenses

Reasonable out-of-pocket expenses incurred in the performance of services (including travel, accommodation, and subsistence where on-site work is required) will be billed to the client at cost, with supporting documentation, unless a fixed-fee arrangement inclusive of expenses is specified in the engagement letter.

4.4 Scope Changes

Any change to the agreed scope of services that results in additional work must be agreed in a written change order signed by both parties before the additional work commences. EIC is not obligated to perform out-of-scope work without a signed change order, and client requests for additional deliverables do not create an obligation on EIC to deliver them without agreed additional fees.


5. Intellectual Property

5.1 EIC’s Pre-Existing Intellectual Property

EIC retains all intellectual property rights in its pre-existing methodologies, frameworks, tools, templates, know-how, and proprietary platforms — including but not limited to CardIntel (payment data discovery and PCI DSS scoping), Complio (compliance management platform), and Infiltra (vulnerability management). Nothing in these Terms or in any engagement letter transfers ownership of EIC’s intellectual property to the client.

5.2 Deliverables

Upon full payment of all fees due under an engagement, EIC assigns to the client all intellectual property rights in the specific deliverables produced for that engagement — including assessment reports, remediation roadmaps, policy documents, and implementation artefacts — to the extent they constitute original works created by EIC specifically for the client. This assignment excludes:

  • EIC’s pre-existing IP and proprietary tools incorporated in or used to produce the deliverables;
  • EIC’s general methodologies, frameworks, and assessment approaches;
  • Any third-party content or tools included in deliverables (which remain subject to their respective licences).

5.3 Licence to Use EIC’s Platform Tools

Where an engagement includes access to EIC’s proprietary platforms (CardIntel, Complio, Infiltra), EIC grants the client a non-exclusive, non-transferable, revocable licence to use the platform solely for the purposes of the relevant engagement and for the licence term specified in the engagement letter. This licence terminates upon the earlier of: (a) expiry of the licence term; (b) termination of the engagement; or (c) non-payment of applicable platform fees.

5.4 Client Materials

The client retains all intellectual property rights in materials, data, systems documentation, and other information provided to EIC for the purposes of the engagement. EIC has no right to use client materials for any purpose other than performing the agreed services.

5.5 Website Content

All content on the EIC Website — including text, graphics, logos, service descriptions, case study summaries, blog articles, and guides — is the intellectual property of EIC Limited and is protected by copyright. You may not reproduce, distribute, modify, or create derivative works from Website content without EIC’s prior written consent. Brief quotation with attribution for non-commercial informational purposes is permitted.


6. Confidentiality

6.1 Mutual Obligation

Both EIC and the client acknowledge that in the course of an engagement each party may receive or have access to Confidential Information belonging to the other party. Each party agrees to:

  • Hold the other party’s Confidential Information in strict confidence;
  • Use Confidential Information only for the purposes of the engagement;
  • Not disclose Confidential Information to any third party without the prior written consent of the disclosing party, except as permitted below;
  • Protect Confidential Information using at least the same degree of care applied to its own confidential information, and in no case less than reasonable care.

6.2 Definition of Confidential Information

“Confidential Information” means any non-public information disclosed by one party to the other in connection with the engagement, whether disclosed orally, in writing, or through access to systems — including: assessment findings and reports, network architecture and system configurations, vulnerability data, client business strategies and financial data, EIC’s methodologies, tools, and pricing. Information is not Confidential Information if it: (a) is or becomes publicly available through no fault of the receiving party; (b) was already known to the receiving party; (c) is independently developed without use of the Confidential Information; or (d) is received from a third party free of any obligation of confidentiality.

6.3 Permitted Disclosures

Either party may disclose Confidential Information to its employees, contractors, and professional advisers who need to know it for the purposes of the engagement and who are bound by equivalent confidentiality obligations. Either party may also disclose Confidential Information if required by applicable law, court order, or regulatory authority — provided that the disclosing party gives the other party prior written notice (to the extent legally permissible) and cooperates with any effort to obtain a protective order.

6.4 Penetration Testing Reports

Assessment reports produced by EIC — including penetration testing reports, vulnerability assessments, and PCI DSS ROC/AOC documentation — contain highly sensitive information about the client’s security posture. The client is responsible for appropriately securing these reports and limiting distribution on a strict need-to-know basis. EIC strongly advises against transmitting these reports via unencrypted email.

6.5 Survival

Confidentiality obligations survive the termination or expiry of an engagement for a period of five (5) years, or indefinitely in respect of any Confidential Information that constitutes a trade secret under applicable law.


7. Limitation of Liability

7.1 Cap on Liability

To the maximum extent permitted by applicable law, EIC’s total aggregate liability to the client — whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise — in respect of any and all claims arising out of or in connection with an engagement shall not exceed the total fees actually paid by the client to EIC under that specific engagement in the twelve (12) months preceding the event giving rise to the claim.

7.2 Exclusion of Consequential Loss

To the maximum extent permitted by applicable law, EIC shall not be liable to the client for any:

  • Loss of profits, revenue, or business opportunity;
  • Loss of anticipated savings;
  • Loss of goodwill or reputational damage;
  • Loss or corruption of data;
  • Business interruption losses;
  • Any indirect, consequential, special, or punitive losses or damages,

even if EIC has been advised of the possibility of such losses.

7.3 No Guarantee of Certification or Audit Outcome

EIC provides professional services to assist clients in working towards compliance with applicable standards and frameworks. EIC does not guarantee that any client will achieve or maintain certification, pass a regulatory audit, or achieve any particular compliance outcome. Certification decisions are made by independent certification bodies, and audit outcomes are determined by regulators, both of which are beyond EIC’s control. EIC’s liability in respect of an unsuccessful certification or audit is limited to re-performance of identified deficient services at EIC’s cost, subject to the overall liability cap in Section 7.1.

7.4 No Guarantee Against Future Security Incidents

EIC’s assessments, penetration tests, and vulnerability management services reflect the security posture of the client’s environment at the time of the assessment. No assessment can provide a guarantee against future security incidents, breaches, or vulnerabilities that emerge after the assessment date or that fall outside the agreed assessment scope. EIC is not liable for security incidents, breaches, or regulatory actions arising after the completion of an engagement.

7.5 Client Responsibilities

EIC’s liability is reduced proportionally to the extent that any loss or damage is caused or contributed to by: (a) the client’s failure to comply with its obligations under Section 3; (b) the client’s failure to implement remediation recommendations in a timely manner; (c) inaccurate or incomplete information provided by the client; or (d) client modifications to the in-scope environment after the assessment date without EIC’s knowledge.

Legal advice: These limitation of liability clauses are intended to be commercially reasonable and reflect standard practice in the professional services industry. Clients are encouraged to seek independent legal advice and to ensure they have appropriate cyber insurance in place. EIC carries professional indemnity insurance commensurate with the nature and scale of its engagements.


8. Indemnification

The client agrees to indemnify, defend, and hold harmless EIC Limited and its directors, officers, employees, contractors, and agents from and against any claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

  • The client’s breach of these Terms or any engagement letter;
  • The client’s provision of inaccurate, incomplete, or misleading information to EIC;
  • The client’s failure to obtain required authorisations — including authorisations for penetration testing of third-party systems;
  • Any claim by a third party arising from the client’s use of EIC’s deliverables in a manner not contemplated or authorised by EIC;
  • The client’s failure to implement remediation recommendations and any resulting security incident or regulatory action.

EIC agrees to indemnify, defend, and hold harmless the client from and against third-party claims arising directly from EIC’s wilful misconduct or gross negligence in the performance of services, subject always to the limitation of liability in Section 7.


9. Governing Law

These Terms, and any dispute, controversy, or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims), shall be governed by and construed in accordance with the laws of the People’s Republic of Bangladesh, without regard to its conflict of law principles.

For clients engaging EIC for services delivered primarily in Singapore, Malaysia, Vietnam, Philippines, Bahrain, or Nepal, the parties may agree in the specific engagement letter to designate an alternative governing law. In the absence of such agreement, Bangladesh law governs.

Governing law and dispute forums by jurisdiction
JurisdictionApplicable LawLocal Regulatory ContextDispute Forum (Default)
🇧🇩 Bangladesh (HQ)Laws of Bangladesh; Companies Act 1994; Limitation Act 1908Bangladesh Bank, BTRC, NBR oversight where applicableCourts of Dhaka, Bangladesh
🇸🇬 SingaporeLaws of Singapore (if agreed in engagement letter)MAS regulatory requirements for financial sector clientsSingapore International Arbitration Centre (SIAC)
🇲🇾 MalaysiaLaws of Malaysia (if agreed)BNM requirements for financial sectorAsian International Arbitration Centre (AIAC)
🇻🇳 VietnamLaws of Vietnam (if agreed)SBV requirements for fintech/banking clientsVietnam International Arbitration Centre (VIAC)
🇵🇭 PhilippinesLaws of the Philippines (if agreed)BSP, NPC requirementsPhilippine Dispute Resolution Centre (PDRCI)
🇧🇭 BahrainLaws of Bahrain (if agreed)CBB requirements for financial sectorBahrain Chamber for Dispute Resolution (BCDR)
🇳🇵 NepalLaws of Nepal (if agreed)NRB requirements for banking sectorCourts of Kathmandu, Nepal

The governing law and dispute forum applicable to a specific engagement may be varied by written agreement in the engagement letter. The table above represents defaults in the absence of such agreement.


10. Dispute Resolution

10.1 Good Faith Negotiation

If a dispute arises between EIC and a client in connection with these Terms or any engagement, the parties shall first attempt to resolve it through good faith negotiation. Either party may notify the other in writing that a dispute exists. Senior representatives of both parties shall meet (in person or by video call) within 15 business days of such notice to attempt resolution.

10.2 Mediation

If the dispute is not resolved within 30 days of the initial written notice (or such longer period as the parties agree in writing), either party may refer the dispute to mediation conducted by a mutually agreed mediator. Mediation costs shall be shared equally unless the parties agree otherwise.

10.3 Arbitration

If mediation is unsuccessful or if either party declines to participate in mediation, the dispute shall be finally resolved by binding arbitration. For engagements governed by Bangladesh law, arbitration shall be conducted under the Arbitration Act 2001 (Bangladesh) before a sole arbitrator appointed by mutual agreement, or in the absence of agreement, by the Bangladesh International Arbitration Centre (BIAC). For engagements where an alternative governing law is agreed, arbitration shall be conducted at the applicable forum identified in the table in Section 9.

10.4 Emergency and Injunctive Relief

Nothing in this Section prevents either party from seeking urgent injunctive or other equitable relief from a court of competent jurisdiction to prevent irreparable harm — particularly in respect of actual or threatened breaches of confidentiality obligations or intellectual property rights.

10.5 Limitation Period

Any claim arising out of or in connection with an EIC engagement must be made within two (2) years of the date on which the party bringing the claim first became aware (or should reasonably have become aware) of the facts giving rise to the claim. Claims made after this limitation period are barred.


11. Changes to These Terms

EIC reserves the right to update or modify these Terms at any time. We will provide notice of material changes by:

  • Posting the updated Terms on the Website with a revised effective date and version number;
  • Sending email notice to clients with active engagements at least 30 days before material changes take effect.

Your continued use of the Website or engagement of EIC’s services after the effective date of any changes constitutes your acceptance of the updated Terms. If you do not agree to the revised Terms, you must cease using the Website and contact EIC to discuss the terms of your ongoing engagement (if any).

Changes to these Terms do not affect the terms of any signed engagement letter or statement of work that is already in force — those agreements remain governed by the version of these Terms in effect at the time of signing, unless the engagement letter expressly provides otherwise.

Version History

Terms and conditions version history
VersionDateKey Changes
2.01 January 2025Full rewrite. Replaced placeholder content. Updated governing law to Bangladesh. Added 7-country service scope table. Added SWIFT CSP, CMMI, and Infiltra service descriptions. Updated dispute resolution to include BIAC arbitration. Added penetration testing authorisation requirements.
1.0ArchivedInitial draft (now superseded). Contact legal@eicsecure.com for archived version.

12. Contact

If you have questions about these Terms, wish to report a breach, or need to discuss the terms of a specific engagement, please contact us:

Legal Enquiries

Registered Address

EIC Limited, House 15, Road 7, Niketan, Gulshan, Dhaka 1212, Bangladesh

Website: www.eicsecure.com

For data protection enquiries, please contact privacy@eicsecure.com as described in our Privacy Policy.