Terms of Service
Certaria by Orion Data Analytics Ltd
Version 1.0
Effective Date: 3 April 2026
Last Updated: 3 April 2026
1. Introduction and Acceptance
These Terms of Service (“Terms”) govern your use of Certaria (“the Service”), a business application built on Microsoft Power Platform that helps organisations implement and maintain information security management systems in accordance with ISO 27001 standards.
Certaria is published and operated by Orion Data Analytics Ltd, a company registered in England and Wales (“Orion”, “we”, “us”, “our”).
By accessing or using Certaria, you agree to be bound by these Terms. If you do not agree to these Terms, you must not use the Service. Your organisation’s administrator must accept these Terms on your behalf before the Service can be deployed to your Microsoft 365 tenant.
2. Service Description
2.1 What Certaria Is
Certaria is a subscription-based software application that provides tools, templates, and processes to support the implementation and ongoing management of an Information Security Management System (ISMS) aligned with ISO 27001:2022 standards.
The Service operates as a managed solution installed directly into your organisation’s Microsoft 365 tenant and Dataverse environment. All data remains within your own cloud infrastructure at all times.
2.2 What Certaria Is Not
Certaria is a tool and a resource. It is not:
- A guarantee of ISO 27001 certification. Certification decisions are made exclusively by independent, accredited certification bodies. Orion Data Analytics does not certify organisations, does not award certification, and does not guarantee that use of Certaria will result in certification success.
- A replacement for professional legal, compliance, or security advice. You should engage qualified advisors to interpret standards, ensure regulatory compliance in your sector, and validate your implementation approach.
- A substitute for your organisation’s own governance, risk management, and decision-making processes.
- Responsible for Microsoft 365, Power Platform, or Dataverse availability, performance, or security (see Section 12).
2.3 Deployment Model
Certaria is deployed as a managed solution into your organisation’s own Microsoft 365 tenant. This means:
- The application code is hosted and maintained by Orion.
- Your data is stored in your own Dataverse environment and remains under your control.
- Orion does not operate shared infrastructure, shared databases, or data processing services that process data from multiple organisations.
- You retain full administrative control over access, permissions, and data within your tenant.
3. Subscriptions and Pricing
3.1 Subscription Plans
Certaria is available under two monthly subscription plans:
Standard Plan: GBP 399 per month
- Includes deployment and management of Certaria in your tenant
- Suitable for organisations with up to 20 employees
- One designated ISMS Administrator
Business Plan: GBP 499 per month
- Includes deployment and management of Certaria in your tenant
- Suitable for organisations with up to 100 employees
- Up to two designated ISMS Administrators
Pricing is exclusive of VAT where applicable. We will invoice VAT in accordance with UK legislation.
3.2 Subscription Term and Renewal
Subscriptions are billed monthly in advance. Your subscription will automatically renew each month unless you or we provide written notice of cancellation at least 30 days before the renewal date.
3.3 Payment Terms
Invoices are payable within 30 days of invoice date. Payment should be made to the bank account specified on your invoice. If payment is not received by the due date, we may suspend your access to Certaria until payment is made in full.
3.4 What’s Included
Your subscription includes:
- Deployment and installation of the Certaria managed solution into your Microsoft 365 tenant
- Monthly updates to Certaria features and templates
- Access to documentation and guidance materials
- One Copilot Studio capacity pack per tenant (included cost, approximately GBP 160 per month absorbed by Orion)
- Email support to hello@oriondata.co.uk during standard working hours (Monday to Friday, 9 AM to 5 PM UK time, excluding UK public holidays)
3.5 What’s Not Included
Your subscription does not include:
- Microsoft 365 licences (your responsibility)
- Power Apps Premium licences for ISMS Admin users (your responsibility, approximately GBP 16.60 per user per month)
- Implementation consulting, customisation, or integration work
- Data migration from legacy systems
- Training or onboarding beyond standard documentation
4. Customer Responsibilities and Prerequisites
4.1 Microsoft 365 Licences
You must maintain valid Microsoft 365 Business Premium licences (or higher tier) for all users who will use Certaria. This is your responsibility. Certaria cannot function without this licence.
4.2 Power Apps Premium Licences
Users designated as ISMS Administrators must have Power Apps Premium licences assigned to them. The cost of these licences is your responsibility. This is a Microsoft requirement for administrative access to the managed solution within your Dataverse environment.
4.3 Global Administrator Consent
Your organisation’s Global Administrator must grant Orion permission to deploy Certaria into your Microsoft 365 tenant. This consent is required before deployment can proceed. Your Global Administrator will be guided through the standard Microsoft consent flow to authorize the Certaria application.
4.4 Designation of ISMS Administrators
You must designate appropriate individuals as ISMS Administrators within Certaria. These individuals will have administrative access to the application and should be trusted, competent users with responsibility for your ISMS. You are responsible for:
- Ensuring ISMS Administrators have appropriate Power Apps Premium licences
- Monitoring and revoking administrator access when individuals leave your organisation
- Ensuring ISMS Administrators understand their responsibilities
- Ensuring ISMS Administrators do not misuse administrative capabilities
4.5 Data Ownership and Control
You own all data you input into Certaria. You are responsible for:
- The accuracy, legality, and appropriateness of all data you store in the Service
- Ensuring you have the right to input personal data and comply with data protection law (see Section 9)
- Regular backups of your data (though Certaria data stored in Dataverse will benefit from Microsoft’s standard backup practices)
- Maintaining appropriate access controls and security measures within your tenant
- Complying with the Acceptable Use Policy (Section 7)
5. Intellectual Property Rights
5.1 Orion’s Ownership
Orion owns all intellectual property rights in:
- The Certaria application code, functionality, and design
- All templates, processes, guidance, and documentation provided as part of the Service
- Any improvements, enhancements, or derivative works we create
This ownership is not affected by your use of the Service or any customisation you may request.
5.2 Your Ownership
You own all intellectual property rights in:
- All data you input into Certaria (policies, procedures, records, etc.)
- Any customisations specific to your organisation that you develop (though we make no warranty about their compatibility with future updates)
5.3 Licence Grant
Orion grants you a non-exclusive, non-transferable, revocable licence to use Certaria for your organisation’s internal business purposes, in accordance with these Terms and during your subscription period.
This licence terminates immediately upon suspension or termination of your subscription.
5.4 Restrictions
You must not:
- Reverse engineer, decompile, disassemble, or attempt to derive the source code of Certaria
- Rent, lease, loan, sell, or transfer Certaria to any third party
- Use Certaria to provide services to customers or clients outside your organisation
- Remove, obscure, or alter any proprietary notices, labels, or marks on Certaria
6. Certification Disclaimer
6.1 Certification Is Not Guaranteed
Certaria provides tools, processes, and guidance to support ISO 27001:2022 implementation. Certaria does not guarantee ISO 27001 certification and does not award or confer certification.
Certification is awarded exclusively by independent, accredited certification bodies (such as BSI, NQA, Lloyd’s Register, or equivalent). Whether your organisation achieves certification depends on many factors beyond Certaria’s scope, including your organisation’s commitment, implementation quality, governance, and the certification body’s assessment.
6.2 Your Responsibility for Compliance and Certification
You are solely responsible for:
- Interpreting ISO 27001 standards correctly for your context
- Engaging appropriate qualified advisors to validate your ISMS design and implementation
- Selecting and contracting with an accredited certification body
- Ensuring your ISMS meets all ISO 27001 requirements before certification audit
- Meeting any certification body’s specific requirements or guidance
Orion provides tools only. We do not provide certification advice, audit planning, or certification readiness assurance.
6.3 No Professional Advice
Nothing in Certaria constitutes legal, compliance, security, or professional advice. If you require advice on interpreting standards, assessing risk, or meeting regulatory requirements in your sector, you must engage qualified professionals.
7. Acceptable Use Policy
You must not:
- Use Certaria for any illegal purpose or in violation of any applicable law
- Use Certaria to store content that is abusive, threatening, defamatory, obscene, or harassing
- Attempt to gain unauthorised access to Certaria, other users’ data, or Orion’s systems
- Transmit viruses, malware, or any code designed to disrupt or damage systems
- Reverse engineer, decompile, or attempt to extract the source code of Certaria
- Resell, redistribute, or make Certaria available to third parties outside your organisation
- Use Certaria in ways that could damage, disable, or overburden the Service or Microsoft’s infrastructure
- Use Certaria to benchmark against, monitor, or perform competitive analysis of Orion’s product
- Violate Microsoft’s terms of service for Microsoft 365, Power Platform, or Dataverse
Breach of this policy may result in immediate suspension of your access without refund.
8. Service Availability and Performance
8.1 No Service Level Agreement
Certaria is currently in a design partner phase. We do not provide a formal Service Level Agreement (SLA) and do not guarantee specific uptime percentages or response times.
8.2 Reasonable Endeavours
We will use reasonable endeavours to:
- Keep Certaria available and functioning
- Deploy updates and fixes promptly when issues are identified
- Provide email support during standard working hours
However, availability and performance cannot be guaranteed.
8.3 Microsoft Infrastructure Dependency
Certaria depends on Microsoft 365, Power Platform, and Dataverse. We are not responsible for:
- Outages or degradation of Microsoft services
- Changes to Microsoft’s pricing, features, or terms of service
- Microsoft’s discontinuation of any service component
- Performance issues caused by your Microsoft 365 environment, tenant configuration, or network
See Section 12 (Third Party Services) for details.
8.4 Scheduled Maintenance
We may perform scheduled maintenance on Certaria from time to time, which may temporarily affect availability. We will use reasonable endeavours to schedule maintenance outside your organisation’s working hours and to provide notice where possible.
9. Data Processing and Privacy
9.1 Data Controller and Processor
For the purposes of data protection law (UK GDPR, DPA 2018):
- Your organisation is the Data Controller. You decide what data is processed and for what purposes.
- Orion is a Data Processor. We process data only on your instructions and in accordance with a Data Processing Agreement (DPA).
9.2 Data Processing Agreement
We will execute a Data Processing Agreement (DPA) with you, which supplements these Terms. The DPA sets out the legal basis, scope, nature, purpose, and duration of data processing, along with each party’s rights and obligations.
The DPA is incorporated into these Terms by reference and is available on request.
9.3 Personal Data in Certaria
You may choose to store personal data in Certaria (such as names of employees, contractors, or individuals mentioned in risk assessments). You are responsible for:
- Ensuring you have a lawful basis to process this data
- Providing necessary privacy notices to individuals
- Ensuring data protection law is complied with
- Ensuring any international data transfers are legal
Orion will process this data only on your instructions and in accordance with the DPA.
9.4 Privacy Policy
Our Privacy Policy describes how Orion collects and processes data about you and your organisation outside of Certaria (such as contact information, account details, and usage analytics). The Privacy Policy is available at oriondata.co.uk/privacy and is incorporated into these Terms by reference.
9.5 Data Retention After Termination
When your subscription terminates, your data remains in your Dataverse environment. We do not delete it from your tenant. You are responsible for archiving or deleting your own data. See Section 12 (Termination and Offboarding).
10. Updates and Changes to Certaria
10.1 Automatic Updates
Certaria is updated regularly by Orion. Updates are deployed automatically to your tenant and may be released without prior notice. Updates typically include:
- Bug fixes
- Security patches
- New features
- Template updates
- Guidance and documentation updates
10.2 Compatibility with Your Data
We design updates to be backwards compatible with your existing data. However, in rare cases, updates may require minor data model changes. We will inform you of any significant changes that may affect your workflows.
You are responsible for testing Certaria after updates if you have custom configurations or integrations.
10.3 Material Changes to Features
If we make material changes that affect the core functionality of Certaria or your ability to use it as expected, we will provide 30 days’ written notice to your organisation’s primary contact.
During the notice period, you have the right to terminate your subscription without penalty if the change is not acceptable to you.
10.4 Feature Deprecation
From time to time, we may discontinue features or functionality, typically to simplify the product or focus resources elsewhere. We will provide at least 60 days’ notice of deprecation.
11. Intellectual Property Indemnification
11.1 Orion’s Indemnification
Orion indemnifies and holds you harmless against any claim that Certaria (as provided by Orion and used in accordance with these Terms) infringes any UK copyright, patent, trade secret, or trademark of a third party.
If such a claim arises, Orion will, at its option and expense:
- Obtain the right for you to continue using Certaria; or
- Replace or modify Certaria to make it non-infringing; or
- If neither is commercially reasonable, terminate your subscription and refund prepaid fees for the terminated portion of your subscription.
11.2 Your Indemnification
You indemnify and hold Orion harmless against any claim arising from:
- Your use of Certaria in breach of these Terms or applicable law
- Your data stored in Certaria (including claims that your data infringes third-party rights)
- Your customisations or integrations
- Your misuse or unauthorised use of Certaria
12. Third Party Services
12.1 Dependency on Microsoft 365 and Power Platform
Certaria depends entirely on Microsoft 365 Business Premium, Microsoft Power Platform, and Microsoft Dataverse. You are responsible for:
- Maintaining valid licences for these Microsoft services
- Complying with Microsoft’s terms of service
- Monitoring Microsoft’s announcements regarding service changes, deprecations, or discontinuations
12.2 Orion Is Not Responsible for Microsoft Services
Orion is not responsible for:
- Microsoft service outages, degradation, or unavailability
- Microsoft’s changes to pricing, features, or terms
- Microsoft’s discontinuation of Power Platform, Power Apps, Dataverse, or any component
- Performance, security, or reliability of Microsoft infrastructure
- Compliance or regulatory implications of Microsoft’s services
If Microsoft discontinues a service that Certaria depends on, Orion will use reasonable endeavours to migrate Certaria to an alternative platform but makes no guarantee of success or timeline.
12.3 Third Party Integrations
Certaria may integrate with other third-party services via Power Automate, Power Query, or APIs. You are responsible for:
- Understanding the terms and privacy policies of any third-party service you integrate with
- Ensuring you have appropriate licences or agreements with third parties
- Complying with third-party terms of service
Orion is not liable for issues arising from third-party service failures, unavailability, or policy changes.
13. Limitation of Liability
13.1 Cap on Liability
Except where law does not permit limitation, Orion’s total liability to you for all claims arising under or related to these Terms, Certaria, or the underlying subject matter (whether in contract, tort, negligence, statutory duty, or otherwise) is limited to the total subscription fees you have paid in the 12 months preceding the claim.
If you have not been a customer for 12 months, the cap is limited to the total fees paid to date.
13.2 Exclusion of Consequential Damages
Neither party is liable for indirect, incidental, special, consequential, or punitive damages, including:
- Loss of revenue, profit, business opportunity, or anticipated savings
- Loss of data or data corruption (even if advised of the possibility of such loss)
- Loss of reputation or goodwill
- Business interruption
This exclusion applies even if the party has been advised of the possibility of such damages.
13.3 Exceptions to Liability Limitations
Sections 13.1 and 13.2 do not limit liability for:
- Either party’s indemnification obligations (Section 11)
- Breach of Sections 4.1 (Your Data Ownership), 5 (Intellectual Property), or 7 (Acceptable Use)
- Death or personal injury caused by negligence
- Fraud or wilful misconduct
- Any liability that cannot be limited under UK law
14. Confidentiality
14.1 Confidential Information
Each party may disclose confidential information to the other (such as business plans, technical specifications, or pricing). Confidential information must be clearly marked or identified.
14.2 Obligations
Each party will:
- Protect the other’s confidential information using at least the same degree of care used for its own confidential information
- Limit access to employees and contractors with a legitimate need to know
- Not disclose confidential information without written consent, except where required by law
14.3 Exceptions
Confidentiality obligations do not apply to information that:
- Is already public knowledge
- Is independently developed without reference to the other’s information
- Is lawfully received from a third party without confidentiality obligations
- Must be disclosed to comply with law, court order, or regulatory requirement (provided the disclosing party gives reasonable notice to allow the other party to seek protection)
15. Termination and Suspension
15.1 Termination by Either Party
Either you or Orion may terminate your subscription by providing 30 days’ written notice to the other party.
Termination notice should be sent to hello@oriondata.co.uk (if you are terminating) or to your organisation’s primary contact (if Orion is terminating).
15.2 Immediate Suspension by Orion
Orion may immediately suspend your access to Certaria without notice if:
- You breach Section 7 (Acceptable Use Policy)
- Your payment is 30 days overdue
- You breach other material terms and fail to remedy within 10 days of written notice
- We determine in good faith that suspension is necessary to protect Orion, our infrastructure, other users, or law
15.3 Effect of Termination
Upon termination or suspension:
- Your licence to use Certaria terminates immediately
- Your access to Certaria will be disabled
- If suspended (rather than terminated), you may restore access by remedying the breach and paying any outstanding amounts
15.4 What Happens to Your Data
Your data remains in your Dataverse environment and under your control. Orion does not delete customer data from tenants. You are responsible for exporting, archiving, or deleting your own data.
If you wish to export your data before termination, Certaria provides a standard export function to export all records as Microsoft Excel files.
16. Offboarding
16.1 Data Export
Certaria includes a standard export capability (Section 15.4) that allows you to export all your records as Excel files. You may use this feature at any time while your subscription is active, or after termination if you request us to provide temporary access.
16.2 Managed Solution Removal
After your subscription ends, Orion will not actively remove the Certaria managed solution from your tenant. However:
- The solution will become non-functional because Orion will not maintain it or provide updates
- You may uninstall the solution yourself via your Power Platform admin portal
- Data stored in the solution will remain in your Dataverse until you delete it
If you request, we can provide instructions for uninstalling Certaria from your tenant.
16.3 No Data Held by Orion
Orion does not retain any copy of your data after termination. All your data is stored in your own Dataverse environment, so you have full control over retention and deletion.
17. Governing Law and Dispute Resolution
17.1 Governing Law
These Terms are governed by the laws of England and Wales, without regard to its conflict of law principles.
17.2 Dispute Resolution
If a dispute arises between us, the parties agree to first attempt to resolve it through good faith negotiation between appropriate representatives of each organisation within 30 days of the dispute arising.
17.3 Courts and Jurisdiction
If good faith negotiation fails, either party may bring legal proceedings in the courts of England and Wales. You and Orion consent to the exclusive jurisdiction of these courts.
18. Entire Agreement
These Terms, together with the Privacy Policy and the Data Processing Agreement, constitute the entire agreement between you and Orion concerning Certaria and supersede all prior and contemporaneous agreements, representations, and understandings.
If any conflict exists between these Terms, the Privacy Policy, and the DPA, the order of precedence is: DPA, then these Terms, then Privacy Policy.
Any prior quotations, proposals, statements, or representations concerning Certaria (whether written or oral) are void unless confirmed in writing by an authorized representative of Orion.
19. Amendments to These Terms
Orion may amend these Terms from time to time. Material changes will be communicated to your organisation’s primary contact with at least 30 days’ notice.
Your continued use of Certaria after the notice period indicates your acceptance of the amended Terms. If you do not accept amendments, you may terminate your subscription as described in Section 15.1.
20. Severability
If any provision of these Terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, or if that is not possible, it will be severed.
The remaining provisions will remain in full force and effect.
21. Waiver
No failure or delay by either party in exercising any right, power, or remedy constitutes a waiver of that right, power, or remedy. A single or partial exercise does not preclude further exercise of the same or any other right, power, or remedy.
Waiver of any provision must be in writing and signed by the waiving party.
22. Force Majeure
Neither party is liable for failure to perform its obligations under these Terms if such failure results from an event of force majeure beyond the party’s reasonable control, including:
- Acts of God (earthquakes, floods, storms, etc.)
- Wars, terrorism, civil unrest
- Government action or regulation
- Epidemic or pandemic
- Strikes or labour action
- Infrastructure failure affecting the broader internet or cloud services
The affected party must notify the other within 14 days of the force majeure event and use reasonable endeavours to resume performance.
If performance is prevented for more than 90 days due to force majeure, either party may terminate the subscription without penalty.
23. Assignment
23.1 Orion’s Right to Assign
Orion may assign these Terms and its rights and obligations to any successor in interest (including as part of a merger, acquisition, or reorganisation) without your consent.
23.2 Your Restrictions
You may not assign these Terms or your rights and obligations without Orion’s prior written consent. Any purported assignment in violation of this section is void.
24. Notice
Any notice, demand, or communication required or permitted under these Terms must be in writing and delivered:
- By hand
- By email to hello@oriondata.co.uk (if addressed to Orion) or to your organisation’s primary contact email (if addressed to you)
- By post to the address provided on your account
Notice is deemed received upon email delivery (or next business day if outside working hours) or upon post delivery to the address provided.
25. Contact Information
For questions about these Terms, Certaria, or to provide notice:
Orion Data Analytics Ltd
Email: hello@oriondata.co.uk
Website: oriondata.co.uk
End of Terms of Service