How Ancitus handles your data and ours.
We've kept this in plain English. Privacy and terms pages are usually written for lawyers reading other lawyers' work; this one is written for the contractors actually using the site. If anything is unclear, the contact addresses at the bottom are real people who will answer.
The short version. In four sentences.
We're a UK limited company, registered with Companies House and the Information Commissioner's Office.
We don't store, process, or transmit our clients' Controlled Unclassified Information on Ancitus systems — engagement work happens inside your environment, with your access, on your tools.
We don't run third-party trackers, advertising pixels, or marketing automation; the only cookies on this site are the ones Cloudflare needs to keep it online and unscraped.
We're not a law firm or a Cyber AB-authorized C3PAO — anything on this site is information, not advice. For privacy questions, [email protected] goes straight to Deepak.
What we collect, why, and how we use it.
We collect personal information in two ways: directly from you when you contact us or subscribe to the newsletter, and automatically through standard server logs that keep the site online and defend it against bots and traffic spikes. Both are scoped narrowly. Neither involves third-party advertising trackers.
Two channels. Both narrow.
Information you give us directly — your name, work email, company, role, and whatever you write in the message field when you fill out a form, email us, or subscribe to the newsletter.
Information collected automatically when you visit the site — limited to what's required for the site to function and to defend it against bot traffic. No marketing trackers. No analytics pixels. No third-party scripts.
Four purposes.
Responding to your enquiry. If you contact us via the form or email, we use the information you provide to reply, schedule a Discovery Call if appropriate, and keep a record of the conversation.
Delivering the work. If you become a client, we hold the information necessary to deliver the engagement — typically business contact details for your team, and any working notes maintained inside your environment under your access. No client CUI is held on Ancitus systems.
Sending the newsletter. If you sign up for our insights newsletter, we use your email to send you the insights you signed up for. We never sell, rent, or share newsletter lists.
Site security and operation. We use Cloudflare to host the site and defend it against malicious traffic. This generates limited technical data (IP addresses, request patterns) used solely to keep the site operational.
Three Article 6 bases.
Two named subprocessors. Both US-based.
We use a small number of sub-processors to operate the site and run the business. We don't share data with any third party for marketing purposes.
UK and US tax authorities — if you become a client, we may share invoicing data with HMRC (UK) and, where applicable, the IRS (US) to meet our tax-reporting obligations.
Across borders, with adequate safeguards.
Microsoft and Cloudflare are US-based, so personal information may be transferred outside the UK. These transfers are protected by the UK's adequacy decision for the EU-US Data Privacy Framework, the UK Extension to the framework, or by Standard Contractual Clauses where the framework doesn't apply. We don't transfer personal information to any country without an adequacy decision or appropriate safeguards.
Retention periods, by data type.
Seven rights under UK GDPR.
To exercise any of these rights, email [email protected]. We respond within 30 days as required by UK GDPR.
Microsoft 365 with multi-factor authentication and access logging.
Personal information you send us is held inside Microsoft 365 with multi-factor authentication and access logging. Site infrastructure runs on Cloudflare with TLS 1.3 enforced. We don't store any client CUI on Ancitus systems — when working on a client engagement, we operate inside the client's tenant under credentials they control, and CUI never leaves their environment. This is documented in the Customer Responsibility Matrix that accompanies every engagement.
Essential only. No tracking.
This site uses a small number of cookies, all of them essential for the site to function or to defend it from automated attacks. We don't use analytics cookies, marketing cookies, or any third-party tracking technology — there's no Google Analytics, no Meta Pixel, no LinkedIn Insight Tag, no HubSpot tracking, no Microsoft Clarity, no Hotjar. Because the cookies we set are strictly necessary, you'll notice this site doesn't display a cookie consent banner. Under the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR, consent is not required for cookies that are strictly necessary for the service you've requested.
Three cookies. All set by Cloudflare. All essential.
Direct to our infrastructure. No third-party domains.
Forms on this site — Discovery Call form and newsletter signup — are submitted to our own backend running on Cloudflare Pages Functions. Submissions go directly from your browser to our infrastructure via Cloudflare's own infrastructure — no third-party domains are contacted when you submit a form, and no third-party cookies are set as part of form submission.
Browser-level. ICO guidance.
Modern browsers let you block, delete, or be alerted to cookies. The exact controls depend on your browser — the ICO maintains a guide at ico.org.uk/your-data-matters/online/cookies/. Note that blocking the cookies above may stop the contact form working, since the bot challenge depends on them.
The brief cookies footnote is deliberate. Tracking visitors across the web is not necessary for a CMMC consultancy, and the marketing infrastructure most B2B sites lean on tends to leak data that wasn't theirs to gather. If we add anything that changes this, we'll update the page first.
The terms under which you use this site.
Standard plain-English terms covering what you can do with the site, what we make available on it, and how disputes get resolved. Service contracts for paid engagements are negotiated separately and override anything below.
For its intended purposes.
By using ancitus.com, you accept these terms. They apply to anyone who visits the site, regardless of whether you become a client. You may use the site for lawful purposes only. You may not attempt to bypass the normal form's bot defences, scrape the site at volumes that affect availability, reverse-engineer the source code, or use the site to distribute malware, spam, or unlawful content.
Our copyright. Yours to read with attribution.
The content on this site — articles, the CMMC reference materials, the design system, the source code — is published either as our own intellectual property or under licence from third parties. Where we cite third-party sources, we attribute them and link to the original. You're welcome to read, share, and reference the content reasonably. Republishing significant portions without permission isn't permitted. We do not display advertising and we do not accept paid placements; if we mention a tool, framework, or partner, that mention reflects our judgment, not a sponsored arrangement.
Generic information published online cannot account for your contracts, environment, or risk profile.
Reading this site does not establish a consulting engagement, a contractual relationship, or any duty of care between you and Ancitus. The information here is general, written by an informed practitioner, and intended as a starting point for conversation. Nothing on this site overrides what's in your formal engagement contract, and nothing here overrides what your prime contractor, your assessor, your contracting officer, or your lawyer tells you about your specific situation.
Engage us under signed scope, or speak to a properly qualified specialist.
If you'd like advice that's specific to your circumstances, the way to engage is via a Discovery Call leading to a signed engagement contract. The engagement contract — typically a Master Services Agreement plus a Statement of Work — is the operative document. Nothing on this site overrides what's in that contract.
Useful pointers, not endorsements.
We link to third-party sites for reference and citation purposes — government publications, regulatory authorities, news articles, and tooling vendors. We don't control those sites and we're not responsible for their content. Clicking a link is your decision.
Reasonable, limited, with statutory protections preserved.
We've taken reasonable care to make sure the site is accurate, but compliance regulations evolve and our copy may not reflect the most recent change. To the fullest extent permitted by law, Ancitus accepts no liability for losses arising from reliance on site content alone. Liability under engagement contracts is governed separately by those contracts. Nothing in these terms limits or excludes our liability for fraudulent misrepresentation, or any other liability that cannot be excluded under English law.
England & Wales. Exclusive jurisdiction.
These terms, and any disputes arising from your use of this site, are governed by the laws of England & Wales. Disputes are subject to the exclusive jurisdiction of the English courts.
We update them when something changes. The hero's effective date is authoritative.
We may update these terms from time to time. The "Effective" date at the top of the page reflects the most recent revision. Continued use of the site after a revision is taken as acceptance of the updated terms.
What this site isn't.
Some of the most useful things we can tell you are the things we are not. CMMC sits across security, regulatory, and contract law, and those overlap with tax, employment, and privacy regimes. We work in cybersecurity readiness; the boundaries of that work matter, and we want the boundaries clear before a single fact crosses the wire. The list below is what we'd say in person if you asked.
We're security practitioners, not lawyers.
The articles, reference materials, and resources on this site discuss CMMC, NIST SP 800-171, DFARS, and related regulatory frameworks. They're written for informed practitioners and accurate to the best of our knowledge as of the publication date of each piece. None of it is legal advice, regulatory advice, or fiduciary advice. Regulatory frameworks change; specific situations vary; what's appropriate to one contractor may not be appropriate to the next. If you need legal advice, hire a lawyer; if you need contracts advice, hire a contracts specialist.
Where we are in the Cyber AB pipeline, today.
Ancitus is a CMMC implementation consultancy. We are not the Cyber AB (the CMMC accreditation body), and we are not a Certified Third-Party Assessment Organization (C3PAO). We hold permission to use the Cyber AB Registered Practitioner credential, and the assessment itself is conducted by independent C3PAOs. Ancitus's Cyber AB Registered Practitioner Organization (RPO) credential is currently in process — until issued, our work is offered as a non-certified consultancy under our own qualification, not under Cyber AB authorization.
We attribute clearly and link to the original.
Where we quote, link, or refer to materials from third parties — including official sources (NIST, DoD CIO, Cyber AB), legal publications (Holland & Knight, Womble Bond Dickinson), news outlets, or research vendors — those references reflect our practitioner-side reading of the original published source. We attribute clearly and link to the original wherever possible. The accuracy of cited material is the responsibility of the original publisher, not Ancitus.
Indicative ranges. Final pricing locks one business day after Discovery Call.
The pricing on the various pages is current and accurate as of the page's last updated date. What varies between contractors is the actual engagement scope — driven by your specific environment, the cloud platform in play, and the gap between your current state and assessment-ready. The Statement of Work for any specific engagement names the actual price and scope; the site shows you the typical range so you can budget. The site is not a binding offer.
We don't promise results outside our control.
We sometimes write about regulatory frameworks that are changing or evolving — DoD enforcement phases, future C3PAO capacity, future CMMC scope, ICO guidance. These are professional judgments, based on current evidence, and may not be accurate as of the date you read them. The CMMC regime is new and evolving; assume forward-looking statements have a half-life.
The exclusions, plainly.
Some of the strongest claims we make are about what we won't do. Naming the exclusions explicitly is more useful than claiming everything.
We don't conduct C3PAO assessments — that's a deliberate firewall, not a capability gap.
We don't sell, resell, or earn commission on cloud licenses or third-party tooling.
We don't store, process, or transmit client CUI on Ancitus systems.
We don't run third-party trackers, advertising pixels, or marketing automation on this site.
We don't share enquiry data with marketing networks or data brokers.
We're not a law firm, an accountancy, or your tax advisor — engage qualified specialists for any of those.
How to reach us about privacy or these terms.
Real people read both inboxes below. If you've read this far and have a privacy question, a data subject access request, or a question about the terms, write to whichever address fits. We respond within 30 days as required by UK GDPR — usually sooner.
Privacy questions go to a personal inbox.
If you want to know what personal information we hold about you, correct it, delete it, port it, or restrict our processing, this is the address. We respond within 30 days as required by UK GDPR.
Legal questions about disclaimers, the terms themselves, or anything in this document.
For questions about the terms, the disclaimers, attribution of cited content, or anything that isn't a privacy data-subject request. Replies typically within one business day.