
Rules of Engagement

The terms, conditions, and professional standards that govern every Echelon Security Consulting engagement — from initial contact through final deliverable and beyond.

Effective Date: 01 January 2026
Last Reviewed: April 2026
Jurisdiction: Kingdom of Thailand
Registration: Lic. No. 88-2910-TH

These Rules of Engagement ("ROE") constitute a binding framework that applies to all service agreements, consulting engagements, and professional relationships between Echelon Security Consulting LLC ("ESC") and its clients. By commissioning any ESC service, clients confirm their acceptance of these terms. Specific engagements may carry supplemental agreements where required.

Section 01

Parties & Definitions

These Rules of Engagement govern the professional relationship between Echelon Security Consulting LLC ("ESC," "we," "our," or "the Firm"), a limited liability company registered in Thailand (Lic. No. 88-2910-TH), and any entity or individual ("Client," "you," or "the Client") that commissions, contracts, or engages ESC for professional services.

For the purposes of this document, the following definitions apply:

  • "Engagement" — any formal consulting, advisory, assessment, or operational support assignment contracted between ESC and a Client.
  • "Deliverable" — any report, document, presentation, tool, or artefact produced by ESC in the course of an Engagement.
  • "Scope of Work" (SOW) — the written description of objectives, activities, and boundaries agreed upon before an Engagement commences.
  • "Authorisation Letter" — a written document signed by the Client confirming ESC's permission to conduct specific activities on specific systems, premises, or personnel.
  • "Sensitive Information" — any data, credential, finding, or intelligence uncovered or received in the course of an Engagement that is not publicly available.
  • "Third Party" — any organisation, system, or individual that is not a direct party to the Engagement but may be encountered or implicated during it.

Section 02

Scope of Engagement

ESC provides services across four core practice areas. Each engagement is scoped specifically to the Client's defined requirements; no assumption of broader coverage is implied.

| Service Area | Description | Requires Written SOW |
|---|---|---|
| Strategic Advisory | Geopolitical risk, regulatory strategy, and executive-level threat intelligence briefings. | Yes |
| Human Risk & Resilience | Social engineering assessments, deepfake defence protocols, and security culture programmes. | Yes |
| Converged Security | Physical-digital convergence reviews, OT/ICS assessments, and supply chain governance audits. | Yes |
| Crisis Leadership | Incident response leadership, business continuity planning, and post-incident strategic advisory. | Conditional |
| Retainer Support | Ongoing advisory, intelligence feeds, and on-call response within a defined monthly hours package. | Yes |

Scope Boundary Notice: Any activity not explicitly listed in the agreed Scope of Work is considered out-of-scope. Clients must submit a formal Change Request to expand scope. ESC reserves the right to decline scope changes that conflict with these Rules of Engagement or applicable law.

Section 03

Engagement Lifecycle

All ESC engagements follow a structured lifecycle to ensure clarity, quality, and accountability at every stage. The phases below apply to substantive engagements; expedited procedures apply for urgent incident response.

  • 01 Discovery: Initial consultation to understand the Client's requirements, risk environment, and objectives. No fee applies to this phase.
  • 02 Proposal & SOW: ESC issues a formal Scope of Work proposal, including objectives, methodology, timeline, deliverables, and fee structure.
  • 03 Authorisation: Execution of the Engagement Agreement and, where applicable, the Authorisation Letter. No active work commences before this step.
  • 04 Execution: ESC conducts agreed activities in accordance with the SOW, maintaining regular communication with the designated Client point of contact.
  • 05 Reporting: Delivery of Deliverables in the format agreed, including an executive summary, detailed findings, and prioritised recommendations.
  • 06 Closure & Review: Formal sign-off, document retention per our Privacy Protocol, and an optional post-engagement review session.

Section 04

Client Obligations

The success of any engagement depends on active and timely cooperation from the Client. Clients agree to the following obligations upon commencement of an engagement:

Cooperation & Access

  • Designate a primary point of contact with sufficient authority to provide decisions and approvals throughout the engagement.
  • Provide timely access to relevant personnel, documentation, systems, and premises as defined in the SOW.
  • Respond to ESC requests for information or clarification within the timeframes agreed in the project plan.
  • Ensure that internal stakeholders are informed of ESC's presence and the nature of the engagement to the extent necessary for safe and effective delivery.

Accuracy of Information

  • Provide accurate, complete, and up-to-date information in all pre-engagement questionnaires, briefings, and documentation.
  • Promptly notify ESC of any material changes to the organisation's environment, systems, or risk landscape that may affect the scope or safety of the engagement.
  • Disclose any known legal, regulatory, or contractual restrictions that may limit ESC's activities before the engagement commences.

Authorisation

  • Ensure that all necessary internal approvals, board authorisations, and third-party consents are obtained before active work begins.
  • Warrant that the individual signing the Engagement Agreement and Authorisation Letter has the legal authority to bind the Client organisation.

Section 05

ESC Obligations

ESC commits to the following professional standards across every engagement, without exception:

  • Competence: ESC will only accept engagements for which it possesses the requisite expertise and capacity to deliver to the highest professional standard.
  • Confidentiality: All information obtained during an engagement will be treated as strictly confidential and handled in accordance with our Privacy Protocol and the terms of any applicable NDA.
  • Objectivity: Findings, recommendations, and reports will reflect ESC's independent professional judgement, free from external pressure or commercial bias.
  • Timeliness: ESC will adhere to the project timeline agreed in the SOW and communicate promptly if any circumstances arise that may affect delivery.
  • Safety: ESC will conduct all activities in a manner that minimises disruption, avoids unnecessary risk to Client systems or personnel, and complies with all applicable safety protocols.
  • Transparency: ESC will promptly disclose any conflict of interest, limitation of scope, or significant finding that materially affects the Client's security posture.
  • Documentation: ESC will maintain accurate records of all activities performed and provide evidence trails sufficient to satisfy regulatory or legal review where required.

Section 06

Authorisation & Permissions

For engagements involving active testing, physical access, social engineering simulations, or any activity that could disrupt systems or affect personnel, written authorisation is a mandatory prerequisite.

Authorisation Letter Requirements

A valid Authorisation Letter must be signed by a duly authorised representative of the Client and must explicitly identify:

  • The full legal name and registration details of the authorising organisation.
  • The specific systems, networks, physical locations, or individuals that are in scope.
  • The type of activities authorised (e.g., network scanning, physical access, simulated phishing).
  • The date range during which activities are permitted, including any blackout periods.
  • The name and contact details of the internal emergency point of contact empowered to halt activities if required.

Third-Party Systems: If the agreed scope includes systems, networks, or premises owned or operated by a third party (e.g., a cloud provider, co-location facility, or managed service provider), the Client is solely responsible for obtaining prior written permission from that third party before ESC commences activity. ESC will not proceed without confirmation that such permission has been granted.

Emergency Stop Procedure

Either party may invoke an immediate halt to all active engagement activities by contacting the designated emergency point of contact via the agreed channel (typically WhatsApp or telephone). ESC will suspend activities within 15 minutes of a valid stop instruction and await written guidance before resuming.

Section 07

Confidentiality

Discretion is foundational to every ESC engagement. Both parties agree to treat all information exchanged during an engagement as strictly confidential.

ESC Confidentiality Commitments

  • ESC will not disclose any Client information, findings, or engagement details to any third party without the Client's prior written consent, except as required by applicable law.
  • All ESC personnel and contractors assigned to an engagement are bound by individual confidentiality obligations of equal or greater stringency to these ROE.
  • Deliverables will be transmitted only via secure, encrypted channels agreed in advance with the Client.
  • Physical documents containing Sensitive Information will be handled and disposed of in accordance with ESC's secure document management procedure.

Mutual Obligations

Where a mutual non-disclosure agreement (NDA) is executed, it supplements but does not replace these provisions. In the event of conflict between an NDA and these ROE, the more protective provision prevails.

Exceptions

  • Information that is or becomes publicly available through no fault of ESC.
  • Information independently developed by ESC without reference to Client confidential information.
  • Disclosure required by court order, regulatory authority, or applicable law — in which case ESC will provide prompt prior notice to the Client where legally permissible.

Section 08

Intellectual Property

Client Ownership of Deliverables

Upon receipt of full payment for an engagement, the Client is granted a perpetual, non-exclusive, non-transferable licence to use Deliverables for their internal business purposes. Ownership of bespoke Deliverables created solely for the Client may be fully transferred upon written agreement and where explicitly stated in the SOW.

ESC Retained IP

  • All pre-existing methodologies, frameworks, tools, templates, and proprietary knowledge used by ESC remain the exclusive intellectual property of ESC.
  • Generic analytical frameworks, scoring matrices, and assessment templates incorporated into Deliverables remain ESC's property, even if customised for the Client.
  • ESC retains the right to develop and use generalised, anonymised learnings derived from an engagement to improve its services, provided no Client-identifiable information is used.

No Reverse Engineering: Clients may not reverse engineer, decompile, reproduce, or redistribute any ESC tool, methodology, or proprietary framework, whether received in a Deliverable or observed during the engagement, without prior written consent from ESC.

Section 09

Fees & Payment

ESC's fee structure is agreed on a per-engagement basis and detailed in the relevant SOW or Letter of Engagement. The following general terms apply unless otherwise specified in writing.

Standard Terms

  • Retainer & deposit: Engagements with a total value exceeding THB 100,000 (or equivalent) require a non-refundable deposit of 30–50% of the total fee, payable upon execution of the Engagement Agreement.
  • Invoicing: Invoices are issued upon agreed milestones or monthly in arrears for retainer engagements. Payment is due within 30 days of the invoice date unless otherwise agreed.
  • Late payment: Overdue invoices accrue interest at 1.5% per month from the due date. ESC reserves the right to suspend services until outstanding amounts are settled.
  • Expenses: Pre-approved out-of-pocket expenses (travel, accommodation, specialist tools) are billed at cost with supporting receipts and are not subject to markup unless otherwise agreed.
  • Currency: Fees are quoted and invoiced in Thai Baht (THB) or USD as agreed. Clients bear any foreign exchange conversion costs.

Cancellation & Rescheduling

  • 14+ days' notice: Engagement may be rescheduled at no additional charge. The deposit is transferred to the rescheduled date.
  • 7–13 days' notice: 25% cancellation fee applies to the total engagement value.
  • Less than 7 days' notice: 50% cancellation fee applies. Work already completed is billable in full.
  • Force Majeure: Cancellations due to documented force majeure events (natural disaster, government directive, etc.) will be handled equitably on a case-by-case basis.

Section 10

Limitation of Liability

ESC provides advisory and consulting services based on information available at the time of the engagement. The following limitations apply in all circumstances:

  • No guarantee of security: ESC's findings and recommendations reduce security risk but do not guarantee immunity from future incidents. No security assessment can identify every potential vulnerability.
  • Advisory nature: ESC's reports constitute professional opinion and recommendations, not legal or regulatory advice. Clients should seek independent legal counsel for compliance determinations.
  • Cap on liability: ESC's total liability to the Client for any and all claims arising from an engagement shall not exceed the total fees paid for that specific engagement, except in cases of gross negligence or wilful misconduct.
  • Consequential loss: ESC is not liable for any indirect, consequential, incidental, or punitive loss, including loss of profit, loss of business, or reputational damage, howsoever caused.
  • Third-party actions: ESC accepts no liability for the actions of threat actors, third-party vendors, or any party not under ESC's direct control, even if their activities are related to the subject matter of the engagement.
  • Client-provided information: ESC relies on the accuracy of information provided by the Client. ESC is not liable for findings or recommendations that prove inaccurate due to incomplete or misleading information provided by the Client.

Section 11

Ethical Standards

ESC operates to the highest standards of professional ethics. These principles are non-negotiable and apply to every member of the ESC team on every engagement.

  • Integrity: We report findings as discovered, regardless of their implications for the Client or ESC.
  • Discretion: We never discuss, reference, or leverage one Client's information in any other engagement.
  • Independence: We maintain independence from vendors and decline engagements with undisclosed conflicts of interest.
  • Cultural Sensitivity: We operate respectfully across diverse jurisdictions, customs, and organisational cultures.
  • Do No Harm: We will not conduct activities that cause disproportionate disruption or that could endanger individuals.
  • Transparency: We proactively communicate limitations, scope changes, and significant findings without delay.

ESC personnel who become aware of a violation of these ethical standards are required to report it internally. Clients who believe an ESC team member has acted in breach of these principles are encouraged to contact ESC's senior management directly at [email protected].

Section 12

Prohibited Activities

ESC will not undertake, facilitate, or support any of the following activities under any circumstances, regardless of Client instruction, commercial pressure, or the stated purpose of the engagement:

  • Any activity that violates applicable criminal law in Thailand or in any jurisdiction relevant to the engagement.
  • Unauthorised access to systems, networks, or premises — i.e., any access not covered by a valid, signed Authorisation Letter.
  • The collection, use, or disclosure of personal data in a manner that violates Thailand's PDPA or any applicable regional data protection law.
  • Industrial espionage, theft of trade secrets, or any activity that constitutes a criminal offence against a third party.
  • Engagement with sanctioned entities, individuals on applicable watch lists, or clients operating in violation of international sanctions regimes.
  • The development, deployment, or facilitation of malware, destructive exploits, or offensive cyber tools intended for use against non-consenting parties.
  • Any engagement the primary purpose of which is to harm, harass, surveil, or coerce individuals without lawful authority.
  • Activities designed to fabricate, manipulate, or destroy evidence in connection with legal, regulatory, or insurance proceedings.

Immediate Termination: If ESC discovers during an engagement that the Client is directing or intending to direct ESC activity toward any prohibited purpose, ESC will immediately suspend all work, notify appropriate authorities where legally required, and terminate the engagement without refund of fees paid.

Section 13

Suspension & Termination

Suspension by ESC

ESC may suspend an engagement immediately and without penalty in the following circumstances:

  • The Client has failed to provide access, authorisation, or information necessary for safe and effective delivery.
  • ESC has reasonable grounds to believe that continuing would expose ESC, the Client, or a third party to unlawful risk or harm.
  • Payment obligations are overdue by more than 14 days and no satisfactory payment plan has been agreed.
  • A force majeure event prevents ESC from safely conducting engagement activities.

Termination by Either Party

Either party may terminate an engagement by providing 14 days' written notice. In the event of termination:

  • The Client is liable for all fees accrued for work completed up to the termination date, plus any non-recoverable costs already incurred.
  • ESC will deliver any completed Deliverables upon receipt of payment for work done to date.
  • Confidentiality and intellectual property provisions survive termination indefinitely.

Termination for Cause

Either party may terminate immediately for material breach that is not remedied within seven (7) days of written notice. ESC may terminate immediately and without notice where a prohibited activity (Section 12) is identified.

Section 14

Governing Law & Dispute Resolution

These Rules of Engagement, and any engagement governed by them, are subject to and shall be construed in accordance with the laws of the Kingdom of Thailand, without regard to its conflict of law provisions.

Dispute Resolution Process

  • Step 1 — Direct negotiation: The parties will first attempt to resolve any dispute through good-faith negotiation between senior representatives within 30 days of written notice of a dispute.
  • Step 2 — Mediation: If direct negotiation fails, the parties agree to non-binding mediation administered by a mutually agreed mediator in Bangkok, Thailand, within 60 days.
  • Step 3 — Arbitration: Any dispute not resolved through negotiation or mediation shall be finally determined by binding arbitration in Bangkok, Thailand, in accordance with the rules of the Thai Arbitration Institute (TAI). Proceedings shall be conducted in English unless both parties agree otherwise.

Jurisdiction Note: Clients operating from jurisdictions outside Thailand acknowledge that ESC's primary legal domicile is Bangkok, Thailand, and that Thai law governs all engagement terms unless a specific bilateral agreement provides otherwise.

Section 15

Contact & Queries

For questions about these Rules of Engagement, to raise a concern about ESC's conduct, or to initiate formal dispute proceedings, please contact ESC's leadership team directly:

General Inquiries: [email protected]

Registered Address:
Echelon Security Consulting LLC
Sathorn Square Tower, 37th Floor
98 N Sathon Rd, Silom, Bang Rak
Bangkok 10500, Thailand
Lic. No. 88-2910-TH

ESC is committed to resolving all concerns promptly, professionally, and with the same discretion we apply to every client relationship.
