Public standard terms for B2B advisory, lab, field and AI-enabled services.
Read in full. Negotiated where it matters.
Lean Practice Ltd. Company No. 07380829. VAT No. 272 7323 03. Registered office: Blake House, 18 Blake Street, York, YO1 8QG.
This Master Services Agreement sets out the standard terms on which Lean Practice Ltd, trading as Crux Performance, supplies professional advisory, operational decision and AI-enabled services to business clients.
It is designed to be incorporated into a signed Statement of Work. The Statement of Work identifies the client, the specific services, the fee, the timetable, the deliverables, the applicable version of this Agreement and any engagement-specific amendments.
The version that applies to a particular engagement is the version expressly identified in the signed Statement of Work. Later website updates do not amend an existing Statement of Work unless both parties agree in writing.
Contents1.1 This Agreement is between Lean Practice Ltd, a company registered in England and Wales with company number 07380829 and registered office at Blake House, 18 Blake Street, York, YO1 8QG, trading as Crux Performance (Crux), and the Client identified in a signed Statement of Work.
1.2 This Agreement takes effect between Crux and the Client on the date on which both parties sign the first Statement of Work that incorporates this Agreement, unless that Statement of Work states a different effective date.
1.3 Each party represents that it has authority to enter into the Agreement and that the person signing a Statement of Work on its behalf has authority to bind that party.
1.4 This Agreement is intended for business-to-business engagements only. The Client represents that it is acting in the course of business and not as a consumer.
2.1 This Agreement is a framework agreement. Crux is not obliged to supply, and the Client is not obliged to buy, any Services unless and until the parties sign a Statement of Work.
2.2 Each signed Statement of Work forms part of this Agreement and is binding from the date it is signed by both parties.
2.3 If there is a conflict between documents, the following order of precedence applies, unless the relevant document expressly states otherwise: first, the signed Statement of Work; second, any agreed data processing, security or AI-specific appendix to that Statement of Work; third, Schedule 1; fourth, Schedule 2; fifth, Schedule 3; and finally the main body of this Agreement.
2.4 A Statement of Work may vary these standard terms for that engagement only. A variation must be clear, express and in writing. A variation of the Data Processing Terms is effective only to the extent permitted by applicable Data Protection Laws.
2.5 Termination of this Agreement does not automatically terminate any Statement of Work already in force, unless the termination notice expressly states that the relevant Statement of Work is also terminated and the Agreement permits that termination.
Acceptable Use Rules means the rules in Schedule 2 and Schedule 3, together with any additional usage restrictions in the relevant Statement of Work.
Agreement means this Master Services Agreement, the schedules to it, and each Statement of Work signed under it.
Applicable Law means all laws, regulations, regulatory guidance, mandatory codes of practice and court orders applicable to a party or to the Services.
Authorised Users means the Client employees, workers, contractors or representatives authorised by the Client to use Crux AI or any other digital element of the Services under a Statement of Work.
Business Day means a day other than a Saturday, Sunday or public holiday in England.
Client Data means all data, documents, prompts, inputs, files, materials, records and other information supplied to Crux by or on behalf of the Client or submitted by Authorised Users into the Services.
Client Materials means Client Data and all pre-existing materials, content, systems, information and Intellectual Property Rights belonging to or licensed to the Client.
Confidential Information means all information of a confidential nature disclosed by or on behalf of one party to the other in connection with the Agreement, whether before or after the Effective Date, in any form and whether or not marked confidential. It includes commercial, financial, technical, operational, strategic, personal, product, software, methodology and security information. It excludes information that is public other than through breach of the Agreement, independently developed without use of the disclosing party's information, or lawfully received without confidentiality obligations.
Crux AI means any Crux Performance software, AI-enabled tool, interface, workflow, prompt architecture, knowledge base, automation, analysis layer or digital product supplied or made available under a Statement of Work.
Crux IP means the CRUX Method, Crux AI, the Website, Crux templates, frameworks, diagnostics, prompts, software, code, designs, models, workflows, know-how, trade secrets, documentation, training materials and all other Intellectual Property Rights owned by or licensed to Crux before or during an engagement, excluding Client Materials.
CRUX Method means Crux's proprietary methodology, including the Find, Name, Move and Own framework and associated concepts, materials, diagnostics, tools and ways of working.
Data Protection Laws means all applicable data protection and privacy laws, including the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, the Data (Use and Access) Act 2025 as in force from time to time, and any replacement or supplemental legislation.
Deliverables means the final materials expressly identified as deliverables in a Statement of Work and supplied to the Client by Crux, excluding Crux IP except to the extent embedded in the Deliverables.
Effective Date means the date on which this Agreement first takes effect under clause 1.2.
Fees means the fees and charges payable by the Client to Crux for the Services as set out in the relevant Statement of Work.
High-Risk Use means any use of Crux AI or Outputs for a safety-critical, legally regulated, employment, credit, insurance, medical, legal, financial, law-enforcement, biometric, child-protection, critical-infrastructure or similarly sensitive decision; any use that produces legal or similarly significant effects for an individual without appropriate human review; or any use classified as prohibited, unacceptable-risk or high-risk under Applicable Law.
Intellectual Property Rights means patents, rights to inventions, copyright and related rights, trade marks, service marks, trade names, domain names, goodwill, rights to sue for passing off, design rights, database rights, software rights, moral rights, rights in confidential information, trade secrets, know-how and all similar rights anywhere in the world, whether registered or unregistered.
Outputs means content, recommendations, analysis, text, summaries, classifications, responses, diagrams, artefacts or other outputs generated by or through Crux AI or otherwise produced as part of the Services from Client Data or prompts.
Personal Data Breach has the meaning given in applicable Data Protection Laws.
Professional Services means Crux Lab, Crux Field, facilitated leadership decision events, embedded operational decision engagements, advisory work, workshops, coaching-style business support, implementation support and other non-software services supplied under a Statement of Work.
Services means the services, access rights and deliverables to be supplied by Crux under a signed Statement of Work, including Professional Services and, where applicable, Crux AI.
Statement of Work or SOW means a document signed by both parties that describes a specific engagement or subscription and incorporates this Agreement. It may be called a Statement of Work, Order Form, Subscription Order, Engagement Letter, Proposal or similar document if it is accepted in writing by both parties as a Statement of Work under this Agreement.
Third-Party Services means software, hosting, AI models, APIs, datasets, platforms, applications, professional services or other third-party products or services used by Crux to supply the Services or separately used by the Client in connection with the Services.
Website means the Crux Performance website at www.cruxperformance.co.uk, or any successor website notified by Crux.
4.1 Crux shall supply the Services described in the relevant Statement of Work with reasonable skill, care and diligence and in accordance with the standards reasonably expected of a competent professional advisory and digital-services business.
4.2 The Services may include Crux Lab, Crux Field, access to Crux AI, training, advisory support, facilitation, diagnostics, implementation support and other services agreed in a Statement of Work.
4.3 The Services are professional and commercial decision-support services. They are not legal advice, regulated financial advice, investment advice, tax advice, medical advice, psychological therapy, counselling, clinical services or any other regulated professional service unless a Statement of Work expressly says otherwise.
4.4 Crux does not guarantee any specific commercial, operational, financial, cultural, behavioural or personal outcome. Outcomes depend on the Client's context, decisions, implementation, personnel, market conditions and other factors outside Crux's control.
4.5 Crux may provide similar services to other clients, including clients in the same sector, provided it complies with its confidentiality, data protection and intellectual-property obligations under this Agreement.
4.6 Time for performance is not of the essence unless the Statement of Work expressly states that it is.
5.1 Crux shall use suitably skilled personnel to supply the Services.
5.2 If a Statement of Work names a lead consultant or named individual, Crux shall use reasonable endeavours to make that individual available and shall consult the Client before a material substitution, except where substitution is required for illness, emergency, security, compliance or other reasonable operational cause.
5.3 Crux may use subcontractors and Third-Party Services to supply the Services. Crux remains responsible to the Client for the acts and omissions of subcontractors engaged by Crux in the performance of the Services, except to the extent the relevant issue is caused by the Client, an Authorised User or a Third-Party Service selected or separately contracted by the Client.
5.4 Crux shall comply with Applicable Law in supplying the Services.
5.5 If Crux cannot deliver a scheduled element of the Services for reasons within Crux's reasonable control, Crux shall reschedule the affected element at a mutually convenient time at no additional fee, unless the parties agree a different remedy in the Statement of Work.
5.6 Crux shall maintain commercially reasonable insurance appropriate to the nature of the Services and shall provide reasonable evidence of such insurance on request. Any specific insurance requirement must be stated in the relevant Statement of Work.
6.1 The Client shall cooperate with Crux as reasonably necessary to enable Crux to supply the Services, including by providing timely access to relevant information, personnel, premises, systems, decisions and approvals.
6.2 The Client is responsible for the accuracy, completeness, legality and suitability of Client Materials and for ensuring that it has all rights, consents and notices required to provide Client Materials to Crux and to permit Crux to use them for the Services.
6.3 The Client shall identify in advance any special requirements, health and safety rules, accessibility requirements, confidentiality requirements, security requirements, regulatory constraints, vulnerable persons, industrial-relations sensitivities or other material context relevant to the Services.
6.4 The Client is responsible for its own decisions, implementation, internal communications, change management and use of the Services and Outputs.
6.5 The Client shall ensure that Authorised Users comply with this Agreement, the Acceptable Use Rules and any instructions reasonably issued by Crux for the safe, lawful and effective use of the Services.
6.6 The Client shall not provide special-category personal data, criminal-offence data, patient data, children's data, consumer credit data, regulated financial data or other sensitive data to Crux unless the relevant Statement of Work expressly permits it and sets out the required controls.
6.7 The Client shall pay the Fees in accordance with clause 7 and the relevant Statement of Work.
7.1 The Fees for each engagement are set out in the relevant Statement of Work. All Fees are exclusive of VAT and other applicable taxes unless expressly stated otherwise.
7.2 Unless the Statement of Work states otherwise, all amounts are payable in pounds sterling and invoices are payable within thirty (30) days of the invoice date.
7.3 The Client shall reimburse expenses only where the relevant Statement of Work permits them or the Client has approved them in writing. Approved expenses are charged at cost unless the Statement of Work states otherwise.
7.4 If the Client is required by law to make a withholding or deduction from any payment, the Client shall increase the payment so that Crux receives the amount it would have received without the withholding or deduction, unless the withholding or deduction is expressly required by law and cannot lawfully be grossed up.
7.5 If the Client disputes an invoice, it shall notify Crux in writing within ten (10) Business Days of receipt of the invoice, giving reasonable details of the disputed amount and the reason for the dispute. The Client shall pay all undisputed amounts by the due date. The parties shall work in good faith to resolve any invoice dispute promptly.
7.6 If the Client fails to pay an undisputed amount by the due date, Crux may charge interest and recover compensation and reasonable recovery costs in accordance with the Late Payment of Commercial Debts (Interest) Act 1998, or any replacement statutory regime, without prejudice to any other rights or remedies.
7.7 If an undisputed amount remains unpaid more than thirty (30) days after the due date, Crux may suspend the affected Services on five (5) Business Days' written notice until the overdue amount is paid. Crux may suspend Crux AI or other digital access immediately where required to protect security, comply with law or prevent misuse.
7.8 Unless the Statement of Work states otherwise, cancellation or postponement charges, if any, must be agreed in the Statement of Work. The Client remains liable for Fees for Services performed and reasonable non-cancellable costs committed before cancellation or postponement.
8.1 Each party shall keep the other party's Confidential Information confidential and shall not use, disclose, copy or modify it except as permitted by this Agreement or as necessary to perform or receive the Services.
8.2 A receiving party may disclose Confidential Information to its employees, officers, contractors, subcontractors, professional advisers, insurers, auditors and financing providers who need to know it for the purposes of this Agreement, provided they are bound by confidentiality obligations or professional duties of confidence.
8.3 A receiving party may disclose Confidential Information to the extent required by law, court order or a competent regulator. Where lawful and practicable, it shall give the disclosing party prompt notice and reasonable assistance to seek confidential treatment or protective measures.
8.4 Each party shall apply at least reasonable care to protect the other party's Confidential Information and, in any event, no less care than it applies to its own comparable confidential information.
8.5 On request or termination, each party shall return, delete or destroy the other party's Confidential Information in its possession or control, except that it may retain copies to the extent required by law, regulation, insurance, professional-record keeping, internal governance or automatic backup systems. Retained copies remain subject to this clause 8.
8.6 Crux may use skills, knowledge, experience, ideas, techniques and know-how of general application retained in the unaided memory of its personnel, provided it does not disclose or misuse Client Confidential Information.
8.7 Crux may use anonymised and aggregated information derived from the Services for benchmarking, research, product improvement and thought leadership, provided it does not identify the Client, any individual or disclose Client Confidential Information.
8.8 This clause 8 survives termination for as long as the relevant information retains its confidential character. Trade secrets are protected for so long as they remain trade secrets.
9.1 Crux IP remains owned by Crux or its licensors. Nothing in this Agreement transfers Crux IP to the Client.
9.2 Client Materials remain owned by the Client or its licensors. The Client grants Crux a non-exclusive, royalty-free licence to use, copy, host, process, adapt and display Client Materials to the extent reasonably required to supply, secure, support and improve the Services in accordance with this Agreement.
9.3 Subject to payment of all Fees due under the relevant Statement of Work, Crux grants the Client a perpetual, worldwide, non-exclusive, non-transferable licence to use the final Deliverables for the Client's internal business purposes.
9.4 The licence in clause 9.3 includes the right for the Client to copy, adapt and use Client-specific Deliverables internally as part of its operating model, governance, decision processes, training or implementation work. It does not include the right to sell, license, publish, distribute externally, commercialise, reverse-engineer or create a competing product or service from Crux IP.
9.5 The Client shall not remove proprietary notices from Crux Materials or present Crux IP as its own methodology or product.
9.6 Where Deliverables include third-party materials, open-source software, datasets, model outputs or Third-Party Services, the Client's rights are subject to the applicable third-party terms notified to the Client or reasonably apparent from the context.
9.7 Crux may reuse its general know-how, templates, structures, prompts, techniques, learning and non-confidential improvements developed during an engagement, provided it does not disclose Client Confidential Information or Client Materials.
9.8 If a third party alleges that Crux IP or Deliverables supplied by Crux infringe that third party's Intellectual Property Rights, Crux may, at its option, procure the right for continued use, modify the relevant item so it is non-infringing, replace it with a substantially equivalent item, or terminate the affected Services and refund prepaid Fees for the unused affected Services. This clause 9.8 does not apply to claims caused by Client Materials, Client instructions, Client modifications, use contrary to this Agreement, or combination with items not supplied by Crux.
9.9 This clause 9 survives termination.
10.1 Each party shall comply with Data Protection Laws in connection with this Agreement.
10.2 Where Crux processes personal data on behalf of the Client as processor, Schedule 1 applies and forms part of this Agreement.
10.3 Where Crux determines the purposes and means of processing personal data, including business-contact administration, Website use, marketing, account management, finance, compliance, service analytics and its own business records, Crux acts as controller and shall process that personal data in accordance with its privacy notice and Data Protection Laws.
10.4 Where the parties are independent controllers or joint controllers for any processing activity, the relevant Statement of Work or other written arrangement shall identify the applicable roles and responsibilities.
10.5 The Client shall not submit personal data into Crux AI or other digital Services unless the relevant Statement of Work or Schedule 1 permits that processing and the Client has satisfied all transparency, lawful-basis, minimisation and security requirements under Data Protection Laws.
10.6 If the Client requests processing that, in Crux's reasonable opinion, may breach Data Protection Laws or create a materially heightened risk, Crux may refuse the request, require additional safeguards, suspend the affected processing or terminate the affected Statement of Work.
11.1 Where a Statement of Work gives the Client access to Crux AI or another digital Service, Schedule 2 applies in addition to the main body of this Agreement.
11.2 Crux AI is a decision-support tool. It is not intended to replace professional judgement, management accountability, legal review, regulated advice, risk assessment, safeguarding procedures, clinical judgement, financial advice or human oversight.
11.3 The Client shall ensure that all Outputs are reviewed by appropriately skilled humans before the Client relies on them, shares them externally, implements them or uses them to make decisions affecting individuals, customers, employees, suppliers or other third parties.
11.4 The Client shall not use Crux AI for any High-Risk Use unless the relevant Statement of Work expressly permits that use and sets out the additional legal, technical, governance, testing and human-oversight controls required.
11.5 Crux may make reasonable changes to Crux AI, including changes to features, models, prompts, workflows, suppliers, security controls and user interfaces, provided that the changes do not materially reduce the core functionality purchased under the relevant Statement of Work during the current subscription period.
12.1 Crux shall implement appropriate technical and organisational measures for the Services, taking into account the nature, scope, context and risk of the Services. Schedule 3 sets out baseline security measures for digital Services unless the Statement of Work states otherwise.
12.2 The Client is responsible for configuring and using the Services securely, managing Authorised Users, protecting credentials, controlling the Client environment and maintaining appropriate internal policies, training and backups.
12.3 The Client shall not, and shall ensure that Authorised Users do not, access or use the Services in breach of the Acceptable Use Rules, Applicable Law, third-party rights, security requirements or written instructions reasonably issued by Crux.
12.4 Crux may suspend access to all or part of the Services immediately if Crux reasonably believes that continued access may create a security risk, breach Applicable Law, infringe third-party rights, compromise Crux systems, expose personal data, or enable misuse of Crux AI or Crux IP. Crux shall notify the Client as soon as reasonably practicable unless law or security reasons prevent notice.
12.5 The Client shall promptly notify Crux of any suspected unauthorised access to Crux AI, compromise of Authorised User credentials, misuse of Outputs, security vulnerability or other incident affecting the Services.
13.1 Each party warrants that it has full power and authority to enter into and perform this Agreement.
13.2 Crux warrants that it shall perform the Professional Services with reasonable skill, care and diligence.
13.3 Except as expressly set out in this Agreement, all warranties, conditions and terms implied by statute, common law or otherwise are excluded to the fullest extent permitted by law.
13.4 Crux does not warrant that Crux AI, Outputs or any digital Service will be uninterrupted, error-free, vulnerability-free, compatible with all Client systems, or that Outputs will be complete, accurate, up-to-date, unique, non-infringing, suitable for a particular purpose or free from bias or hallucination.
13.5 The Client acknowledges that advisory work, operational change, AI-enabled analysis and decision support involve judgement, uncertainty and dependency on Client implementation. The Client remains responsible for deciding whether and how to act on any recommendation, Deliverable or Output.
13.6 No oral or informal statement by Crux changes this Agreement unless recorded in a signed Statement of Work or written variation.
14.1 Nothing in this Agreement excludes or limits either party's liability for death or personal injury caused by negligence, fraud, fraudulent misrepresentation, wilful concealment, deliberate default, breach of confidentiality where the law does not permit limitation, or any other liability that cannot lawfully be excluded or limited.
14.2 Nothing in this Agreement limits the Client's obligation to pay undisputed Fees, taxes, interest or recovery costs due under this Agreement.
14.3 Subject to clauses 14.1, 14.2 and 14.5, each party's total aggregate liability arising under or in connection with a Statement of Work, whether in contract, tort including negligence, breach of statutory duty, misrepresentation, restitution or otherwise, shall not exceed the greater of: (a) the Fees paid or payable under that Statement of Work in the twelve (12) months before the event giving rise to the claim; and (b) fifty thousand pounds sterling (£50,000).
14.4 The cap in clause 14.3 applies separately to each Statement of Work, unless the relevant Statement of Work states that a different cap applies.
14.5 Subject to clause 14.1, each party's total aggregate liability for claims arising from breach of confidentiality, breach of Data Protection Laws, breach of Schedule 1, breach of Schedule 3, security incidents caused by that party's breach of this Agreement, and third-party Intellectual Property Rights infringement claims under clause 9.8, shall not exceed the greater of: (a) two hundred per cent (200%) of the Fees paid or payable under all Statements of Work between the parties in the twelve (12) months before the event giving rise to the claim; and (b) two hundred and fifty thousand pounds sterling (£250,000).
14.6 Subject to clause 14.1, neither party shall be liable to the other for indirect, consequential or special loss; loss of profit; loss of revenue; loss of sales; loss of business; loss of business opportunity; loss of anticipated savings; loss of goodwill; reputational damage; wasted management time; or loss, corruption or restoration of data, except to the extent that direct loss, corruption or restoration of data is recoverable under clause 14.5 following a breach of Schedule 1 or Schedule 3.
14.7 Crux is not liable for losses to the extent caused by Client Materials, Client instructions, Client decisions, Client implementation, the Client's failure to maintain backups, use of Outputs without appropriate human review, use of the Services contrary to this Agreement, or Third-Party Services selected, configured or separately contracted by the Client.
14.8 The Client shall indemnify Crux against losses, damages, costs and expenses arising from third-party claims caused by Client Materials, Client misuse of Crux IP, Client breach of the Acceptable Use Rules, Client High-Risk Use not expressly agreed in a Statement of Work, or Client breach of Data Protection Laws, except to the extent caused by Crux's breach of this Agreement.
14.9 A party shall not bring a claim under or in connection with this Agreement more than two (2) years after the date on which the party became aware, or ought reasonably to have become aware, of the facts giving rise to the claim. This clause does not apply to claims for payment of Fees, claims for breach of confidentiality, claims for infringement or misuse of Intellectual Property Rights, data protection claims, fraud or claims that cannot lawfully be time-limited in this way.
14.10 The parties agree that the limitations and exclusions in this clause 14 are reasonable, having regard to the nature of the Services, the commercial context, the availability of insurance, the ability to agree different caps in a Statement of Work and the Fees payable.
15.1 This Agreement starts on the Effective Date and continues until terminated in accordance with this clause 15.
15.2 Either party may terminate this Agreement, but not any Statement of Work then in force, by giving thirty (30) days' written notice.
15.3 Either party may terminate this Agreement or any affected Statement of Work immediately by written notice if the other party commits a material breach and, if the breach is capable of remedy, fails to remedy it within thirty (30) days after written notice requiring remedy.
15.4 Crux may terminate a Statement of Work immediately by written notice if an undisputed amount remains unpaid more than sixty (60) days after the due date and at least five (5) Business Days after Crux has given notice of intended termination.
15.5 Either party may terminate this Agreement or any Statement of Work immediately by written notice if the other party becomes insolvent, enters administration or liquidation, has a receiver or administrator appointed, makes an arrangement with creditors, ceases or threatens to cease business, or suffers an equivalent event in any jurisdiction.
15.6 Crux may terminate or suspend all or part of the Services immediately where necessary to comply with Applicable Law, sanctions, export controls, court order, regulatory requirement, security requirement or third-party provider requirement.
15.7 On termination or expiry of a Statement of Work, the Client shall pay all Fees and approved expenses for Services performed up to the effective termination date, together with reasonable non-cancellable costs committed before termination.
15.8 On termination or expiry of access to Crux AI, the Client and Authorised Users shall stop using Crux AI. Crux shall handle Client Data in accordance with Schedule 1 and any applicable retention or export provisions in the Statement of Work.
15.9 Termination or expiry does not affect accrued rights or liabilities. Clauses which by their nature should survive termination shall survive, including clauses 7, 8, 9, 10, 12.5, 13, 14, 15.7 to 15.9, 16, 19, 20 and 21 and Schedules 1 to 3 to the extent relevant.
16.1 Neither party may use the other party's name, logo, trade marks or branding in public marketing without prior written consent, except that the Client may identify Crux internally as a supplier and Crux may identify the Client internally for account-management, finance, insurance and professional-adviser purposes.
16.2 Crux may publish a case study, testimonial, quotation, named reference or public description of the engagement only with the Client's prior written approval of the specific wording and, where applicable, the specific logo or brand asset to be used.
16.3 The Client may withdraw approval for future publication of a case study, testimonial, quotation or logo use by giving thirty (30) days' written notice. Withdrawal does not require Crux to recall materials already printed, distributed or archived, but Crux shall stop new publication after the notice period.
16.4 Nothing in this clause 16 permits disclosure of Confidential Information or personal data.
17.1 Each party shall comply with all Applicable Law relating to anti-bribery, anti-corruption, tax evasion facilitation, sanctions, export controls, modern slavery, health and safety, equality and data protection in connection with this Agreement.
17.2 Neither party shall offer, promise, give, request, agree to receive or accept any bribe or improper advantage in connection with this Agreement.
17.3 The Client shall not use, export, re-export, transfer or make available the Services, Crux AI, Outputs or Deliverables in breach of sanctions, export-control laws or restrictions imposed by a relevant third-party provider.
17.4 If the Client operates in a regulated sector or intends to use the Services for regulated activity, the Client is responsible for identifying the applicable requirements and ensuring that the Statement of Work includes the controls, approvals and subject-matter expertise required for that regulated use.
17.5 Neither party shall solicit for employment any employee or contractor of the other party who is materially involved in the Services during the relevant Statement of Work and for six (6) months after it ends, except through general recruitment activity not targeted at that person. This clause does not prevent a person from responding to a general advertisement or approaching a party independently.
18.1 Neither party is liable for failure or delay in performing obligations, other than payment obligations, to the extent caused by an event beyond its reasonable control.
18.2 Force majeure events may include natural disaster, war, terrorism, civil disorder, epidemic, pandemic, government action, failure of public infrastructure, widespread communications outage, industrial action affecting third parties, cyber-attack on third-party infrastructure, supplier failure caused by a force majeure event, or sickness or incapacity of key personnel where no reasonable substitute is available.
18.3 The affected party shall notify the other party promptly, use reasonable endeavours to mitigate the impact and resume performance as soon as reasonably practicable.
18.4 If a force majeure event prevents performance of a material part of a Statement of Work for more than ninety (90) consecutive days, either party may terminate the affected Statement of Work by written notice without liability for future performance, without affecting accrued obligations.
19.1 A notice under this Agreement must be in writing and sent to the postal or email address stated in the relevant Statement of Work, or any replacement address notified in writing.
19.2 A notice sent by email is deemed received on the next Business Day after sending, provided the sender does not receive an automated failure or bounce-back message. A notice sent by pre-paid first-class post in the United Kingdom is deemed received two (2) Business Days after posting.
19.3 Formal service of legal proceedings must not be made by email unless the receiving party has expressly agreed to service by email for those proceedings.
20.1 No failure or delay in exercising a right or remedy is a waiver. A waiver is effective only if in writing and signed by the waiving party.
20.2 If any provision is invalid, illegal or unenforceable, it shall be modified to the minimum extent necessary to make it valid, legal and enforceable. If modification is not possible, it shall be deemed deleted and the rest of the Agreement shall continue in force.
20.3 This Agreement, together with each Statement of Work and any schedules or appendices, constitutes the entire agreement between the parties in relation to its subject matter and supersedes prior discussions, proposals, representations and agreements. Nothing in this clause limits liability for fraud, fraudulent misrepresentation or wilful concealment.
20.4 A variation is binding only if in writing and signed by authorised representatives of both parties, except where this Agreement expressly allows Crux to make operational, security or service changes.
20.5 The Client shall not assign, transfer, charge, subcontract or otherwise deal with its rights or obligations under this Agreement without Crux's prior written consent, not to be unreasonably withheld or delayed. Crux may assign or transfer this Agreement to an affiliate, successor, purchaser of its business or company reorganisation vehicle on written notice, provided the assignee is capable of performing Crux's obligations.
20.6 Nothing in this Agreement creates a partnership, joint venture, employment relationship or agency between the parties.
20.7 Except as expressly stated, a person who is not a party to this Agreement has no right to enforce it under the Contracts (Rights of Third Parties) Act 1999.
20.8 This Agreement and any Statement of Work may be executed in counterparts and by electronic signature. Electronic signatures are valid if the signer intends to authenticate the document and any required formalities are satisfied.
20.9 The Client shall not withhold, set off or deduct any amount from sums due to Crux except to the extent required by law or agreed in writing by Crux.
21.1 This Agreement and any dispute or claim arising out of or in connection with it, including non-contractual disputes or claims, are governed by the laws of England and Wales.
21.2 Before starting court proceedings, either party may give written notice of a dispute. Senior representatives of the parties shall then meet or speak within fifteen (15) Business Days to try to resolve the dispute in good faith.
21.3 If the dispute is not resolved within thirty (30) days after the dispute notice, either party may refer the dispute to mediation under a procedure agreed by the parties or, failing agreement, nominated by the Centre for Effective Dispute Resolution. Mediation is not required for debt recovery, urgent injunctions, protection of Confidential Information or Intellectual Property Rights, data protection issues requiring urgent action, or preservation of limitation periods.
21.4 Subject to clause 21.3, the courts of England and Wales have exclusive jurisdiction to settle disputes or claims arising out of or in connection with this Agreement, including non-contractual disputes or claims.
This Schedule applies where Crux processes personal data on behalf of the Client as processor. Terms such as controller, processor, personal data, processing, data subject, personal data breach and supervisory authority have the meanings given in Data Protection Laws.
1. Roles and scope
1.1 For the processing described in the relevant Statement of Work or in the processing particulars below, the Client is the controller and Crux is the processor, unless the Statement of Work states otherwise.
1.2 Crux shall process personal data only on the Client's documented instructions, including this Agreement and the relevant Statement of Work, unless required by law. If Crux is required by law to process personal data other than on the Client's instructions, Crux shall inform the Client before processing unless the law prohibits notice.
1.3 Crux shall promptly inform the Client if, in Crux's opinion, an instruction infringes Data Protection Laws.
2. Processing particulars
| Subject matter | Delivery, support, security, administration and improvement of the Services described in the Statement of Work. |
| Duration | The term of the relevant Statement of Work and any retention period required for handover, legal, regulatory, backup, audit or dispute purposes. |
| Nature of processing | Collection, recording, organisation, structuring, storage, hosting, retrieval, consultation, use, analysis, adaptation, transmission, disclosure to approved subprocessors, restriction, deletion and destruction. |
| Purpose | To deliver Professional Services, manage engagement logistics, administer Authorised Users, provide Crux AI, support the Client, secure the Services, comply with law and maintain business records. |
| Types of personal data | Business contact details, job titles, employer details, attendance records, user account details, system logs, workshop materials, survey responses, feedback, notes, prompts, documents and other personal data submitted by or on behalf of the Client. Special-category or criminal-offence data is excluded unless expressly permitted in the Statement of Work. |
| Categories of data subjects | Client employees, workers, contractors, directors, officers, consultants, stakeholders, event delegates, Authorised Users and other individuals whose personal data is submitted by or on behalf of the Client. |
| Client instructions | The instructions in this Agreement, the Statement of Work and any written instruction agreed by the parties. |
| Special controls | Any additional retention, residency, encryption, access, subprocessor, AI-use or deletion requirements must be stated in the Statement of Work. |
3. Personnel and confidentiality
3.1 Crux shall ensure that persons authorised to process personal data are subject to appropriate confidentiality obligations and receive appropriate instructions concerning the processing.
4. Security
4.1 Crux shall implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and accidental loss, destruction, damage, alteration or disclosure, taking into account the nature, scope, context and risk of the processing.
4.2 The baseline measures in Schedule 3 apply where relevant to the Services. Additional measures may be agreed in the Statement of Work.
5. Subprocessors
5.1 The Client gives Crux general authorisation to appoint subprocessors for the Services, provided Crux complies with this paragraph 5.
5.2 Crux shall ensure that each subprocessor is subject to written obligations that provide materially equivalent protection for personal data as this Schedule, including Article 28 obligations where applicable.
5.3 Crux shall maintain a list of material subprocessors used for the Services in the Statement of Work, on the Website or otherwise on request. Crux shall give reasonable notice of material changes to subprocessors where practicable. The Client may object on reasonable data-protection grounds within ten (10) Business Days of notice. If the parties cannot resolve the objection, Crux may avoid using the subprocessor for the affected Services or terminate the affected Services without further liability, refunding prepaid Fees for unused affected Services.
5.4 Crux remains liable to the Client for subprocessors' processing of personal data to the extent required by Data Protection Laws and this Agreement.
6. International transfers
6.1 Crux shall not make a restricted transfer of personal data outside the United Kingdom unless the transfer is permitted by Data Protection Laws, including by adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, an applicable exception or another lawful transfer mechanism.
6.2 Where a transfer mechanism requires transfer details, security measures or transfer-risk information, the parties shall cooperate reasonably to complete the required documentation. The Client acknowledges that some Third-Party Services may involve international transfers if identified in the Statement of Work or subprocessor information.
7. Data-subject requests and controller assistance
7.1 Taking into account the nature of the processing, Crux shall provide reasonable assistance to the Client by appropriate technical and organisational measures, insofar as possible, to help the Client respond to requests from data subjects exercising rights under Data Protection Laws.
7.2 Crux shall provide reasonable assistance to the Client with security obligations, personal data breach notifications, data protection impact assessments and prior consultation with a supervisory authority, taking into account the nature of the processing and information available to Crux.
7.3 Crux may charge reasonable fees for assistance under paragraphs 7.1 and 7.2, except to the extent the assistance is required because of Crux's breach of this Schedule.
8. Personal data breaches
8.1 Crux shall notify the Client without undue delay after becoming aware of a Personal Data Breach affecting personal data processed by Crux on behalf of the Client. Where reasonably practicable, Crux shall aim to notify within forty-eight (48) hours of becoming aware.
8.2 Crux's notice shall include available information reasonably required by the Client to assess the Personal Data Breach and meet its notification obligations. Crux may provide information in phases as it becomes available.
8.3 Crux shall take reasonable steps to mitigate and remediate a Personal Data Breach affecting personal data processed by Crux on behalf of the Client.
9. Deletion and return
9.1 At the Client's choice, Crux shall delete or return personal data processed on behalf of the Client after the end of the Services, unless law requires retention. If the Client does not make a choice within thirty (30) days after termination or expiry, Crux may delete the personal data in accordance with its retention processes.
9.2 Personal data in backups or archives may be retained until overwritten or deleted in the ordinary backup cycle, provided it is protected and not actively processed except for restoration, security, legal or compliance purposes.
10. Audit and information
10.1 Crux shall make available information reasonably necessary to demonstrate compliance with this Schedule.
10.2 The Client may audit Crux's compliance with this Schedule no more than once in any twelve-month period, unless a material Personal Data Breach or regulator request justifies an additional audit. Audits must be on at least twenty (20) Business Days' notice, during normal business hours, subject to confidentiality, security and reasonable scope controls. Remote evidence review shall be preferred unless an on-site audit is reasonably necessary.
10.3 The Client shall not appoint an auditor who is a competitor of Crux or who is not bound by appropriate confidentiality obligations. The Client shall bear its audit costs and Crux may charge reasonable costs for supporting an audit, except where the audit is required because of Crux's material breach of this Schedule.
11. Precedence
11.1 If there is a conflict between this Schedule and another part of the Agreement, this Schedule prevails for the processing of personal data as processor, unless the other term provides greater protection for personal data or is expressly agreed as a lawful variation of this Schedule.
This Schedule applies to Crux AI and any software-as-a-service, portal, application, AI-enabled workflow or other digital service supplied under a Statement of Work.
1. Access rights
1.1 Subject to payment of the applicable Fees and compliance with this Agreement, Crux grants the Client a non-exclusive, non-transferable, non-sublicensable right for Authorised Users to access and use Crux AI during the subscription or access period stated in the Statement of Work for the Client's internal business purposes.
1.2 The Client shall ensure that only Authorised Users access Crux AI. User accounts are personal to the named or assigned user and must not be shared unless Crux has expressly agreed otherwise.
1.3 The Client is responsible for all activity under Authorised User accounts except to the extent caused by Crux's breach of this Agreement.
2. Use restrictions
2.1 The Client shall not and shall ensure that Authorised Users do not:
2.2 Crux may impose reasonable usage limits, rate limits, storage limits, file-size limits and technical controls to protect the service, manage capacity and prevent misuse.
3. AI outputs and human oversight
3.1 Crux AI may produce inaccurate, incomplete, outdated, biased, non-unique or unsuitable Outputs. The Client shall review Outputs before reliance and shall not use Outputs as the sole basis for decisions affecting legal rights, employment, access to services, financial position, health, safety, regulatory status or other significant interests of any person.
3.2 The Client is responsible for validating Outputs against the Client's facts, policies, legal obligations, risk appetite and operating environment.
3.3 Crux may provide guidance on good use of Crux AI. The Client shall ensure Authorised Users receive appropriate training and instructions before using Crux AI in material business processes.
4. Client Data, Inputs and Outputs
4.1 As between the parties, the Client owns Client Data and Inputs. Crux does not claim ownership of Client-specific Outputs generated from Client Data, subject to Crux's ownership of Crux IP and third-party rights.
4.2 Crux may process Client Data, Inputs, Outputs, metadata and usage data to provide, secure, support, monitor, troubleshoot, maintain and improve the Services, comply with law and enforce this Agreement.
4.3 Crux shall not use Client Confidential Information, Client Data, Inputs or Client-specific Outputs to train or improve public foundation models or third-party general-purpose AI models unless the Client expressly agrees in the Statement of Work or another written opt-in.
4.4 Crux may use anonymised or aggregated usage, performance and diagnostic data to improve, secure and develop the Services, provided it does not identify the Client, any individual or reveal Client Confidential Information.
5. Third-party AI providers and service changes
5.1 Crux AI may use Third-Party Services, including hosting providers, model providers, analytics providers, identity providers and support tools. Where those Third-Party Services process personal data on behalf of the Client, they shall be treated as subprocessors under Schedule 1.
5.2 Crux may change Third-Party Services where reasonably required for security, performance, availability, cost, compliance, product improvement or supplier management, provided the change does not materially reduce the core functionality purchased under the current Statement of Work.
5.3 The Client acknowledges that Third-Party Services may have their own downtime, errors, limitations, content filters, usage policies and service changes. Crux is not liable for Third-Party Services selected or separately contracted by the Client.
6. Availability, support and maintenance
6.1 Unless the Statement of Work includes a specific service level agreement, Crux shall use reasonable endeavours to make Crux AI available, excluding planned maintenance, emergency maintenance, Third-Party Service outages, internet failures, Client-side issues and force majeure events.
6.2 Crux may perform maintenance and updates from time to time. Where practicable, Crux shall schedule planned maintenance to minimise material disruption.
6.3 Support arrangements, response targets and support hours are as set out in the Statement of Work. If no support terms are stated, Crux shall provide reasonable email support during Business Days for material access or functionality issues.
7. High-risk and regulated uses
7.1 Crux AI is not designed for High-Risk Use unless a Statement of Work expressly says otherwise.
7.2 If the Client is subject to the EU Artificial Intelligence Act, sector-specific AI rules, financial-services regulation, employment regulation, public-sector procurement rules, healthcare regulation, education regulation or other specific rules governing AI or automated decision-making, the Client is responsible for notifying Crux before use and ensuring the Statement of Work allocates the required compliance obligations.
7.3 The Client shall not use Crux AI in the European Union or for EU-facing activities in a way that is prohibited or high-risk under the EU Artificial Intelligence Act unless the Statement of Work expressly permits the use and sets out a compliance plan.
8. Beta and experimental features
8.1 Crux may offer beta, preview or experimental features. Unless the Statement of Work states otherwise, such features are provided for evaluation only, may be changed or withdrawn at any time and must not be used for production or material business decisions without Crux's written agreement.
9. Suspension and removal
9.1 Crux may suspend or restrict access to Crux AI if it reasonably believes the Client or an Authorised User has breached this Schedule, compromised security, breached law, exceeded usage limits, exposed personal data, infringed third-party rights or created material operational risk.
9.2 Crux may remove or restrict Client Data or Outputs if required by law, a third-party provider, security controls or reasonable abuse-prevention processes.
These baseline measures apply where relevant to digital Services. They are designed to be proportionate to a specialist B2B advisory and AI-enabled services business. Specific enterprise, regulated-sector, residency or certification requirements must be stated in the Statement of Work.
1. Governance and supplier management
1.1 Crux shall maintain internal responsibility for security and shall take reasonable steps to ensure personnel and suppliers understand their security responsibilities.
1.2 Crux shall use reasonable due diligence when selecting material Third-Party Services used to host, process, secure or support Client Data.
1.3 Crux shall maintain appropriate contractual protections with material suppliers, including confidentiality and data-protection terms where applicable.
2. Access control
2.1 Crux shall restrict access to Client Data to personnel and suppliers with a business need to access it for the Services.
2.2 Crux shall use reasonable authentication controls for administrative access and shall remove access when no longer required.
2.3 The Client is responsible for managing Authorised Users, maintaining accurate user lists, promptly removing users who no longer require access and protecting Client-side credentials.
3. Data protection and encryption
3.1 Crux shall use appropriate measures designed to protect Client Data in transit and at rest where supported by the relevant systems and proportionate to the risk.
3.2 Crux shall separate Client Data logically from other clients' data where supported by the relevant systems and proportionate to the service architecture.
3.3 The Client shall not upload sensitive data unless expressly permitted and shall apply minimisation, pseudonymisation or anonymisation where appropriate.
4. Secure development and AI security
4.1 Where Crux develops or configures software for Crux AI, Crux shall use reasonable secure development practices proportionate to its size and the nature of the Services.
4.2 Crux shall take reasonable steps to address AI-specific risks such as prompt injection, data leakage, unsafe tool use, inappropriate retrieval, model or provider misuse, and unauthorised disclosure of system instructions.
4.3 Crux shall not knowingly deploy malicious code and shall take reasonable steps to remediate material vulnerabilities in Crux-controlled software that materially affect the Services.
5. Monitoring, logging and incident response
5.1 Crux may monitor usage, logs and security events to operate, support, secure and improve the Services and to investigate suspected misuse.
5.2 Crux shall maintain a reasonable incident-response process for material security incidents affecting the Services.
5.3 Crux shall notify the Client of material security incidents affecting Client Data without undue delay after becoming aware, taking account of legal, security and investigative constraints.
6. Backups, continuity and deletion
6.1 Crux shall maintain backup or recovery arrangements appropriate to the relevant digital Service, unless the Statement of Work states that the Client is responsible for backups.
6.2 The Client is responsible for maintaining its own copies of Client Materials, Deliverables and business-critical Outputs unless the Statement of Work expressly makes Crux responsible for backup or archival storage.
6.3 Deletion and return of personal data are governed by Schedule 1. Deletion and return of non-personal Client Data are governed by the Statement of Work or, if no specific term applies, by Crux's reasonable retention and deletion processes.
7. Client security responsibilities
7.1 The Client shall configure, access and use the Services securely; maintain endpoint, browser, email and network security; train Authorised Users; review Outputs before use; and promptly report suspected misuse, vulnerability or compromise.
7.2 The Client shall not conduct penetration testing, vulnerability scanning, load testing, scraping, automated extraction or security testing of Crux systems without Crux's prior written permission.
A Statement of Work should include the fields below. The wording can be adapted for the relevant engagement, but the incorporation wording should be kept clear so the applicable MSA version is not disputed.
1. Recommended incorporation wording
This Statement of Work incorporates the Crux Performance Master Services Agreement, May 2026 publication version, published at www.cruxperformance.co.uk/master-services-agreement as at [insert date]. The online MSA may be updated from time to time, but this Statement of Work is governed by the version identified in this paragraph unless the parties agree otherwise in writing.
2. Required fields
| Parties | Legal names, company numbers if applicable, registered offices, notice addresses and signing authorities. |
| MSA version | Exact MSA version/date/URL incorporated into the SOW. |
| Services | Description of Crux Lab, Crux Field, Crux AI or other Services to be supplied. |
| Deliverables | Final outputs, reports, artefacts, workshops, access rights or subscription features. |
| Timeline | Start date, milestones, delivery dates, dependencies and whether time is of the essence. |
| Fees | Fees, payment schedule, VAT, expenses, currency, purchase-order requirements and cancellation or postponement fees. |
| Client responsibilities | Information, personnel, approvals, premises, systems, decisions and implementation responsibilities. |
| Crux personnel | Named lead consultant if any, substitution rules if different from the MSA. |
| Crux AI access | Subscription period, Authorised Users, usage limits, support hours, SLA if any, beta features and special restrictions. |
| Data protection roles | Controller/processor/independent-controller roles for each processing activity. |
| Processing particulars | Any changes or additions to Schedule 1, including personal-data types, data-subject categories and retention. |
| Sensitive data | Whether special-category, criminal-offence, children's, patient, regulated or other sensitive data is permitted. |
| Subprocessors and transfers | Material subprocessors, hosting locations, international transfer mechanisms and residency requirements. |
| Security requirements | Any security measures beyond Schedule 3, including MFA, encryption, audit, penetration testing, certifications or customer policies. |
| AI governance | Whether any High-Risk Use is permitted and, if so, the required legal, technical, testing, transparency and human-oversight controls. |
| Publicity | Whether Crux may use the Client name/logo or publish a case study/testimonial. |
| Special terms and signatures | Any agreed variations, order of precedence, signature blocks and dates. |
3. Signature block
| Signed for and on behalf of Crux | Signed for and on behalf of the Client |
| Signature: | Signature: |
| Name: | Name: |
| Title: | Title: |
| Date: | Date: |