1.1 The definitions and rules of interpretation in this condition apply in these terms and conditions (“Conditions”).
Contract: any contract between the Supplier and the Customer for the supply and purchase of the Services formed in accordance with Condition 2;
Customer: a customer whose order for the Services is accepted by the Supplier in accordance with Condition 2; unless otherwise agreed in writing, this will be the entity to whom all correspondence and Quotations have been addressed.
Deliverables: all Documents, products and materials developed by the Supplier solely in relation to a Contract in any form, including computer programs, data, reports and specifications;
Document: includes any document in writing, any drawing, map, plan, diagram, design, picture or other image, tape, disk, digital or digitally created file or other device or record embodying information in any form;
Exhibits: all Documents, information and materials required by the Supplier so as to enable the Supplier to carry out the Services including computers, phones, computer programs, data, reports and specifications, original evidential material and any other material and/or items appropriate to the investigation and required by the Supplier so as to enable the Supplier to provide the Services;
Force Majeure: any cause preventing the Supplier from performing its obligations which arises from or is attributable to acts, events, omissions or accidents beyond its control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of the Customer, Supplier or any other party), failure of a utility service, failure of IT systems and/or equipment, or transport network, act of God, war, terrorism, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors;
Intellectual Property Rights: all patents, rights to inventions, utility models, copyright and related rights, trademarks, service marks, trade names, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, rights in computer software, database rights, topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world;
Normal Working Hours: 09:00 until 17:00 on a Working Day;
Quotation: a written quotation given by the Supplier to the Customer setting out, amongst other things, the scope of the Services and an estimate of the charges payable by the Customer in respect of such Services. All quotations are provided on the basis of information provided by the Customer to the Supplier but due to the nature of the Services cannot be expected to be prescriptive and Charges may vary in accordance with these Terms and Conditions after commencement of the Services.
Services: the services to be provided by the Supplier under the Contract in accordance with these Conditions, Quotation and the Supplier’s obligations under the Contract, as may be amended from time to time in accordance with these Conditions;
Supplier: CY4OR LEGAL Limited incorporated and registered in England and Wales with company number 06295131 whose registered office is at 7 St Petersgate, Stockport, Cheshire, SK1 1EB; CY4OR LEGAL Limited also trading as CYFOR, CYFOR SECURE and Biotas.
VAT: value added tax chargeable under English law for the time being and any similar additional tax;
Working Day: any day other than Saturday or Sunday or a bank or statutory holiday in England.
1.2 Condition headings shall not affect the interpretation of these Conditions.
1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors and permitted assigns.
1.4 Words in the singular shall include the plural and vice versa.
1.5 A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment and includes any subordinate legislation for the time being in force made under it.
1.6 A reference to writing or written includes, but is not limited to, verbal, letters, faxes, emails and text messages.
1.7 Where the words include(s), including or in particular are used in these Conditions, they are deemed to have the words without limitation following them and where the context permits, the words other and otherwise are illustrative and shall not limit the sense of the words preceding them.
1.8 An obligation in a Contract on a person not to do something includes an obligation not to agree, allow, permit or acquiesce in that thing being done.
2 Application of Conditions
2.1 These Conditions shall:
2.2 Each order will be deemed to be an offer by the Customer to purchase the Services upon these Conditions. A Contract is formed when the order is accepted by the Supplier by way of written acknowledgement of order or by commencement of the Services. No Contract will come into existence until a written acknowledgement of order is issued by the Supplier or until the Supplier commences the provision of the Services, whichever occurs earlier.
2.3 Quotations are given by the Supplier on the basis that no Contract shall come into existence except in accordance with Condition 2.2. Any Quotation is valid for a period of 30 days from its date, provided that the Supplier has not previously withdrawn it. The Supplier reserves the right to withdraw or revise a Quotation at any time prior to accepting the order from the Customer.
3 Supplier’s obligations
3.1 The Supplier shall provide the Services and deliver the Deliverables to the Customer.
3.2 The dates mentioned in a Contract and/or any Quotation and/or any order are approximate only and time will not be of the essence as to any performance of the Services and/or delivery of the Deliverables, but the Supplier will use reasonable efforts to fulfil its obligations under a Contract in a timely manner. Additionally, the Supplier will not be liable for any delay in performing the Services and/or delivering the Deliverables that results from any delay or other failure by the Customer in providing any Exhibits and/or Documents and/or other information as may be required by the Contract.
3.3 The Services supplied under a Contract shall continue to be supplied until, in the opinion of the Supplier, the project is completed or until the relevant Contract is terminated in accordance with Condition 11.
3.4 The Supplier shall provide the Services from such premises as it deems appropriate from time to time.
3.5 Where the Services include data hosting on a review platform (“Hosting”) the Supplier shall grant such licences to the Customer as may be necessary for the Customer’s use of the Services and the Supplier shall be entitled to suspend any such licences (without refund) in the event that they are not used within any 7-day period.
3.6 The Services shall be provided during Normal Working Hours and any support services agreed to be undertaken by the Supplier as part of the Services shall take place during Normal Support Hours. In the event that any additional support is required outside the Normal Support Hours, such support shall be provided at the Supplier’s standard rate, as notified to the Customer from time to time.
3.7 The Supplier shall use reasonable endeavours to make the Services, including Hosting, available during Normal Working Hours except for emergency or essential systems maintenance, provided that, where reasonably practicable, the Supplier shall give to the Customer at least 1 hour’s notice in advance.
3.8 Notwithstanding the foregoing, the Supplier does not warrant that the Services will be uninterrupted or error free.
3.9 The Customer acknowledges and agrees that the Supplier is only able to provide the Services based on the information and documents disclosed to it and the Supplier shall not be responsible for any errors when undertaking work on the Customer’s behalf. It is the Customer’s responsibility to check all Deliverables produced by the Supplier.
3.10 The Supplier will, and usually only if requested to by the Customer, conduct a Conflict Check. This Conflict Check is conducted on a best endeavours basis and will be conducted using information provided to it by the Customer. The Customer warrants that it will ensure the information it provides to the Supplier is free of errors and indemnifies the Supplier and its agents against any errors or omissions howsoever caused. CYFOR provides no warranties and accepts no liability whatsoever should a conflict be identified at any stage.
3.11 The Supplier shall not provide any advice to the vendor party or any other third party in connection with the Services without prior consent of the Customer.
3.12 The Supplier shall consult the Customer’s legal counsel prior to finalising advice, information, or any reports to the Customer in writing. Any advice, information, or reports that the Supplier provides shall be legally privileged and shall be provided to the Customer’s legal counsel.
4 Customer’s obligations
4.1 The Customer shall (and to the extent necessary to enable the Supplier to perform the Services, shall procure that its client (“Client”) shall):
5 Change, Variation and Extension to the scope
5.1 If either party wishes to change the scope or execution of the Services and/or Deliverables, it shall submit details of the requested change to the other in writing.
5.2 If the Customer requests a change to the scope or execution of the Services and/or Deliverables:
5.3 If the Supplier requests a change to the scope of the Services and/or Deliverables (whereupon to the extent the Supplier deems it appropriate, it shall provide the Customer with the information set out at Condition 5.2(a)), the Customer shall not unreasonably withhold or delay consent to it. If the Customer wishes the Supplier to proceed with the change, the Supplier shall do so after agreement on the necessary variations to its charges, the Services, Deliverables and any other relevant terms of the Contract to take account of the change and the Contract shall be varied in accordance with Condition 13.
5.4 In the event that the Customer requires an extension and/or variance to the scope of the Services and/or Deliverables (whether requested by the Customer or reasonably deemed to be necessary by the Supplier) and due to time constraints or other factors, it is impractical for the procedure set out in Condition 5.2 to be followed then, upon acceptance (whether by communicating such acceptance or by commencing its performance) of such extension by the Supplier the Contract shall be varied in accordance with Condition 13 and the Supplier’s standard rates as set out in the Quotation shall apply in respect of the additional Services and/or Deliverables.
6 Charges and payment
6.1 Invoices will be raised as agreed and/or at appropriate intervals. For the avoidance of doubt, Invoices will be addressed to the Customer (the entity to whom the Quotation was addressed) who will be responsible for Payment under the Contract. For the avoidance of doubt, changes to the Customer cannot be made without the Supplier’s express permission and the provision of a new Quotation, after work has commenced in accordance with the Quotation or after an invoice has been raised.
6.2 Subject to Conditions 6.3 and 6.4, the total price for the provision of the Services and delivery of the Deliverables shall be the amount set out in the Quotation as amended in accordance with any scope extension, variance or changes as set out in Condition 5. The Supplier will amend the Invoice and/or reissue an invoice to reflect any errors or omissions as appropriate in the Quotation.
6.3 The Supplier’s charges exclude the cost of hotels, subsistence, travelling and any other ancillary expenses reasonably and properly incurred by the Supplier in connection with the Services and/or Deliverables, and the costs of any materials or services reasonably and properly provided by third parties that are required by the Supplier for the supply of the Services and/or Deliverables. Such expenses, materials and third-party services shall be invoiced by the Supplier at cost price plus an administration charge of 5% of the total amount provided they have been agreed in advance with the Customer.
6.4 The Supplier may at any time:
6.5 In the event that the Supplier has commenced the provision of the Services and subsequently the Customer no longer requires the Services (whether in accordance with its Clients’ instructions or otherwise), the Customer shall inform the Supplier of this in writing as soon as possible and the Customer shall be liable to pay the greater of 50% of the total price of the Services or the price payable for the Services provided by the Supplier to the Customer as at the date the Customer notifies the Supplier in writing that it no longer requires the Services.
6.6 The Supplier shall (if applicable) add to the price for the Services, and the Customer shall pay an amount equal to any VAT or other sales tax or duty applicable from time to time to the sale or supply of such Services.
6.7 Without prejudice to Condition 6.3, the Supplier reserves the right to invoice the Customer for the estimated charges set out in the Quotation prior to commencing the provision of the Services (and shall do so in any event where the Services include an international element). If the Customer fails to pay the Supplier in accordance with this Condition 6, the Supplier reserves the right to not commence the provision of the Services until such time as the Customer has paid the Supplier in accordance with this Condition 6. To the extent that the total charges for providing the Services and Deliverables:
6.8 The Customer shall make all payments due to the Supplier under any Contract immediately upon receipt of the relevant invoice, except where the service is for IT support or Cyber recurring revenue, in which case it will be on the 1st of every month and payable by standing order. For the avoidance of doubt, the Customer shall be responsible for all payments to the Supplier, regardless of the Customer’s arrangements with its clients.
6.9 In the event that the Customer requires funding from the Legal Aid Authority, or any other similar organisation or authorised third-party funder, so as to make the payments due to the Supplier under Condition 6.7, the Customer agrees that it shall:
(f) make all payments due to the Supplier within 30 days of the date of the invoice
For the avoidance of doubt, the Customer assumes all responsibility for making the payments due to the Supplier under Condition 6.7, irrespective of whether or not the Customer requires funding pursuant to Condition 6.8 and payment of the Supplier’s fees shall not be contingent upon such funding being obtained by the Customer.
6.10 Without prejudice to Condition 6.11, time of payment is of the essence of each Contract and the Supplier reserves the right to suspend the provision of Services and delivery of Deliverables to the Customer where any amounts are overdue under any Contract until all such amounts have been paid in full.
6.11 Where Services have been suspended in accordance with 6.9 and the Suspension of Services includes Hosting, a reconnection fee will apply. Such fee will be notified to the Customer, by the Supplier, in advance of the Suspension of Services.
6.12 Without prejudice to Condition 6.9, where the Services include Hosting, charges for such Hosting will continue and accrue in accordance with the estimate until the contract is Terminated, or notification is received in accordance with 11.5.
6.13 Without prejudice to Condition 6.15, the Supplier reserves the right to raise an administration invoice to the Supplier for late payment of invoices. The administration fee will be notified to the Customer in advance but, in any event, will not be less than £50.
6.14 The Customer is not entitled to withhold payment of any amount due to the Supplier by way of any set-off or counterclaim.
6.15 If the Customer fails to pay any amount due to the Supplier under any Contract on the due date, notwithstanding the provisions of Condition 6.8, the Supplier reserves the right to add interest to such amount at the rate of 8% over the base rate for the time being of The Bank of England for the period from the due date until and including the date of receipt (whether before or after judgment).
6.16 Without prejudice to the Supplier’s other rights and remedies, if the Customer fails to pay any amount due to the Supplier under any Contract on the due date, the Supplier shall be entitled, upon notification to the Customer, to remove the Customer’s data (and Exhibits) and destroy or permanently erase the same.
6.17 The Supplier reserves the right to alter or withdraw at any time any credit allowed to the Customer.
6.18 The Supplier may offset any amount owing to it from the Customer against any amount owed to the Customer by the Supplier.
7 Quality of Services
7.1 The Supplier warrants that the Services will be performed (and the Deliverables provided) with reasonable care and skill and that the Services will for a period of 30 days from performance substantially conform with any descriptions and specifications provided to the Customer by the Supplier.
7.2 The warranties in Condition 7.1 are given on the following conditions:
7.3 The Supplier is not liable for non-performance of any Services unless the Customer notifies the Supplier of the claim within 7 Working Days of the date of the alleged non-performance.
8 Intellectual Property Rights
8.1 The Supplier acquires title in and to all of the Intellectual Property Rights arising as a result of the Supplier performing the Services along with all other rights in and to the products of the Services (including the Deliverables) (“Services IPR”). Subject to receipt by the Supplier of payment in full of all amounts due under the Contract and subject to Condition 11, the Supplier hereby grants to the Customer a perpetual, non-exclusive, non-transferable right to use the Services IPR solely for the purpose of receiving the benefit of the Services. For the avoidance of doubt this refers to the processes themselves and not the data.
8.2 Save for the rights granted pursuant to Condition 8.1, the Customer shall not acquire any right, title, and/or interest in and to the Services IPR whether by virtue of the Contract or otherwise.
9 Exclusion of Liability
9.1 The Supplier does not exclude its liability (if any) to the Customer:
9.2 Except as provided in Condition 9.1, the Supplier will be under no liability to the Customer and the Customer will be under no liability to the Supplier whatsoever (whether in contract, tort (including negligence), breach of statutory duty, restriction or otherwise), for any of the following losses or damages whether direct, indirect or consequential:
9.3 Except as set out in Condition 9.1, the Supplier hereby excludes to the fullest extent permissible in law, all conditions, warranties and stipulations, express (other than those set out in these Conditions) or implied, statutory, customary or otherwise which, but for such exclusion, would or might subsist in favour of the Customer.
9.4 Each of the Supplier’s personnel, agents and sub-contractors may rely upon and enforce the exclusions and restrictions of liability in Conditions 9.2 and 9.3 in that person’s own name and for that person’s own benefit, as if the words “its personnel, agents and sub-contractors” followed the word “Supplier” wherever it appears in those Conditions.
9.5 Subject to Conditions 9.1 and 9.2, the entire liability of the Supplier arising out of or in connection with the Contract or supply, non-supply or delay in supplying any of the Services or Deliverables, or otherwise in connection with the Services or Deliverables, whether in contract, tort (including negligence or breach of statutory duty) or otherwise, is limited to the price of the Contract.
9.6 The Customer acknowledges that the above provisions in Conditions 9.1 to 9.5 and this Condition 9.6 are reasonable and reflected in the price which would be higher without those provisions, and the Customer will accept such risk and/or insure accordingly.
10.1 In this Condition 10, “Confidential Information” means all information disclosed (whether in writing, orally or by another means and whether directly or indirectly) by a party (“Disclosing Party”) to the other party (“Receiving Party”) whether before or after the date of the Contract including, but not limited to, information relating to the Disclosing Party’s products, operations, processes, plans or intentions, product information, know-how, Intellectual Property Rights, trade secrets, market opportunities and/or business affairs.
10.2 During the term of the Contract and after termination or expiry of the Contract for any reason, the Receiving Party:
10.3 During the term of the Contract, the Receiving Party may disclose Confidential Information of the Disclosing Party to any of its directors, other officers, employees, sub-contractors and customers (“Recipient”) to the extent that disclosure is necessary for the purpose of the Contract and provided that such persons are placed under written obligations of confidentiality equivalent to those contained in this Condition 10 (save that any Recipient shall not be entitled to further disclose any Confidential Information of the Disclosing Party unless it is required to be disclosed by law or unless the Disclosing Party expressly agrees to such disclosure).
10.4 Condition 10.2 does not apply to Confidential Information which:
11.1 Without prejudice to any other rights or remedies which may arise, either party may terminate the Contract without liability to the other (save for the Customer’s liability to the Supplier as set out in Condition 6.5) on giving the other party not less than one month’s written notice, except where the service is for IT support or Cyber recurring revenue, in which case the term for the Customer will be a minimum 12-month period and only after the 1st anniversary can notice to terminate the Contract be given with one month’s notice.
11.2 Without prejudice to any other rights or remedies which may arise, the Supplier may terminate the Contract immediately on giving notice if:
11.3 On termination of a Contract for any reason, any indebtedness of the Customer to the Supplier pursuant to that Contract shall become immediately due and payable and the Supplier is relieved of any further obligations to the Customer pursuant to that Contract.
11.4 On termination of a Contract for non-payment, the Supplier shall be entitled, upon written notification to the Customer with 30 days’ notice, to remove the Customer’s data (and Exhibits) and destroy or permanently erase the same.
11.5 In the event that the Supplier is providing Hosting to the Customer, such Hosting shall continue notwithstanding termination of the Contract until such time as the Customer gives notice of termination in respect of such Hosting to the Supplier or the Supplier terminates the Contract as above and the Customer shall continue to be responsible for the fees for such Hosting until such time.
11.6 Termination of the Contract, however it arises, shall not affect or prejudice the accrued rights of the parties as at termination or the continuation of any provision expressly stated to survive, or implicitly surviving termination. For the avoidance of doubt, upon termination of the Contract the licence granted pursuant to Condition 8.1 shall terminate.
12 Erasing of Data
12.1 In the event that Data Erasure is undertaken as part of this Contract whether by way of termination of the Contract or as part of a provided Service, the Customer will use industry standard techniques specifically designed for this purpose.
12.2 The Supplier will ensure, as far as is reasonably practicable, that all Data from its normal operating systems, including any independent archives, is securely erased and irretrievable. The Supplier is not able to erase Data from media that is used for the purposes of its Infrastructure Backup and Disaster Recovery purposes. As these archives are superseded, previous Archives will be securely Erased and ultimately the Data will be securely erased.
13 Marketing and Public Relations
13.1 Without prejudice to Condition 10, the Customer reserves the right to use generic and appropriately sanitised references to the services it has supplied in its Marketing and Public Relations collateral.
14 Force Majeure
14.1 The Supplier shall not be deemed to be in breach of the Contract or otherwise liable to the Customer in any manner whatsoever for any failure or delay in performing its obligations under the Contract due to Force Majeure.
15.1 Subject to Condition 5, no variation of a Contract and/or these Conditions shall be valid unless it is in writing and signed by or on behalf of each of the parties.
16.1 A waiver of any right under a Contract is only effective if it is in writing and it applies only to the party to whom the waiver is addressed and the circumstances for which it is given.
16.2 Unless specifically provided otherwise, rights arising under a Contract are cumulative and do not exclude rights provided by law.
17 Assignment and sub-contracting
17.1 The Customer shall not, without the prior written consent of the Supplier, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under any Contract.
17.2 The Supplier is entitled at any time to assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights under any Contract and may sub-contract or delegate in any matter any or all of its obligations under any Contract.
18 No partnership or agency
18.1 Nothing in a Contract is intended to, or shall operate to, create a partnership between the parties, or to authorise either party to act as agent for the other, and neither party shall have authority to act in the name or on behalf of or otherwise to bind the other in any way (including the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
19 Rights of third parties
19.1 Subject to Condition 9.4, a person who is not a party to a Contract shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any terms of such Contract.
20.1 If any Condition is held by any court, tribunal or administrative body of competent jurisdiction to be wholly or partly illegal, invalid or unenforceable in any respect then this shall not affect any other Conditions of the Contract, which shall remain in full force and effect.
21 Whole Agreement
21.1 These Conditions and any Contract constitute the whole agreement between the parties relating to the subject matter they cover and supersede any arrangements, understanding or previous agreements between the parties relating to such subject matter.
21.2 Each party acknowledges that in entering into these Conditions and any Contract (including the appropriate Quotation) it does not rely on any representation or warranty (whether made innocently or negligently) that is not set out in these Conditions and any Contract (including the appropriate Quotation). Each party agrees that its only liability in respect of those representations and warranties that are set out in these Conditions and any Contract (including the appropriate Quotation) (whether innocently or negligently) shall be for breach of contract.
21.3 Nothing in this Condition shall limit or exclude any liability for fraud.
22.1 Notice given under the Contract shall be in writing, and sent to the registered office of the other party (or such other address, fax number or person as the relevant party may notify to the other party) and shall be delivered personally, sent by fax or email or sent by pre-paid, first-class post or recorded delivery. A notice is deemed to have been received, if delivered personally, at the time of delivery, in the case of fax or email, at the time of transmission, in the case of pre-paid first class post or recorded delivery, 48 hours from the date of posting and, if deemed receipt under this Condition 20 is not within business hours (meaning 9.00am to 5.30pm Monday to Friday on a day that is a Working Day), at 9.00am on the first Working Day following delivery. To prove service, it is sufficient to prove that the notice was transmitted by fax, to the fax number of the party or, in the case of post, that the envelope containing the notice was properly addressed and posted.
23 Governing law and jurisdiction
23.1 The Contract and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims), shall be governed by, and construed in accordance with English law.
23.2 The parties irrevocably agree to submit to the exclusive jurisdiction of the courts of England and Wales.
DATA PROTECTION TERMS
1.1. For the purpose of this Appendix 1, the following terms have the meanings ascribed to them (and are in addition to the definitions at Condition 1.1):
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Processing” shall have the same meanings as are assigned to those terms in the Data Protection Act 2018 (the “Act”);
“Data Processing Terms” means the terms in this Appendix;
“Personal Data” shall have the meaning ascribed to it in the Act, and includes Special Categories of Personal Data as defined therein;
“Regulations” means the General Data Protection Regulations (EU) 2016/679 and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
“Staff” means any employee, worker or other individual or body corporate as the case may be which the Supplier uses or engages to supply, or in relation to, the Services.
2.1. The parties agree that, in respect of Personal Data which are provided to the Supplier by the Client pursuant to the Contract, then, for the purposes of the Data Processing Terms, the Client is deemed to be the Data Controller and the Supplier is deemed to be the Data Processor.
2.2. These Data Processing Terms shall apply to all Personal Data provided by the Client to the Supplier under the Contract.
2.3. The Supplier shall comply with the Act and Regulations to the extent that they are applicable to the Services provided by the Supplier.
3.1. The Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under the Contract:
(a) process that Personal Data only on the written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier to process the Personal Data (Applicable Data Processing Laws). Where the Supplier is relying on Applicable Data Processing Laws, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Data Processing Laws unless those Applicable Data Processing Laws prohibit the Supplier from so notifying the Customer;
(b) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Personal Data, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting the Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to the Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);
(c) ensure that all personnel who have access to and/or process the Personal Data are obliged to keep the Personal Data confidential; and
(d) only transfer Personal Data outside of the European Economic Area (EEA) where the following conditions are fulfilled:
(i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer;
(ii) the Data Subject (as defined in the Data Protection Legislation) has enforceable rights and effective legal remedies;
(iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any of the Personal Data that is transferred; and
(iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data;
(e) ensure that all its computers and portable electronic devices (including laptops, tablets, smart phones and USB sticks) that will be used for storing, sending and receiving the Personal Data are appropriately protected against unauthorised use by encryption/passwords and appropriate firewalls/anti-virus packages (with regular and frequent updates being applied) and are physically stored securely when not in use;
(f) ensure that Personal Data transported by portable storage media or by telecommunications network shall be fully encrypted or password protected or sent by a secure virtual private network (“VPN”) as appropriate and all such data must be wiped from the storage media used for transporting the data or destroyed such that it cannot be recovered once the data has been transferred to the target system;
(g) ensure that the data centre premises on which Personal Data are stored are ISO27001 compliant and compliant with other appropriate security and audit standards throughout the term of the Contract;
(h) inform the Customer immediately upon becoming aware that Personal Data has been used or Processed in a manner which is not expressly permitted by these Data Processing Terms;
(i) inform the Customer immediately upon becoming aware of any actual or suspected, threatened or ‘near miss’ incident of accidental or unlawful destruction or accidental loss, alteration, unauthorised or accidental disclosure of or access to the Personal Data or other data security breach in relation to the Personal Data, or if the Personal Data is lost (temporarily or permanently) or has the potential to be misused in any way.
3.2. Notwithstanding paragraph 3.1 of this Appendix 1, the Supplier shall:
3.2.1 inform the Customer and the Client within 2 (two) Working Days in the event that the Supplier receives a request from a Data Subject seeking to exercise their rights under the Act in relation to the Personal Data and not respond to the Data Subject other than to acknowledge receipt of the request;
3.2.2 assist the Customer and the Client, at the Customer’s cost, with all Data Subject information requests which may be received from any Data Subject in relation to any Personal Data; or in complying with any obligations relating to security and consulting with supervisory bodies, providing reasonable prior written notice has been given;
3.2.3 allow its data processing facilities, procedures and documentation to be submitted for scrutiny, inspection or audit by the Customer and/or the Client in order to ascertain compliance with the terms of these Data Processing Terms within twenty (20) Working Days of such a request from the Customer and/or the Client and to provide reasonable information, assistance and co-operation to the Customer and/or the Client if this right is exercised. In the event that the Customer and/or the Client has to come onto premises where the Personal Data is being processed in order to carry out any scrutiny, inspection or audit, the Customer and/or the Client shall reimburse any reasonable costs directly incurred by the Supplier in permitting the Customer and/or the Client to exercise their rights under this paragraph. No customer penetration testing or vulnerability scanning is allowed during any Customer or Client audits as such actions could impact the Supplier’s ability to service other clients; and
3.2.4 ensure that non-authorised persons are prevented from entering areas of its premises where Personal Data is stored and used. Where this is not possible, all visitors must always be escorted.
4.1 The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and its duly authorised sub-contractors (which the Customer hereby acknowledges may be located outside of the EEA) for the duration and purposes of the Contract.
4.2 The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to the Supplier and its duly authorised sub-contractors (which the Customer hereby acknowledges may be located outside of the EEA) for the duration and purposes of the Contract.
4.3 The Customer acknowledges and agrees that details of the Customer’s name, address and payment record may be submitted to a credit reference agency for the purpose of the Supplier establishing the Customer’s commercial credibility and to protect the Supplier’s business interests. Such credit search results may be retained by the Supplier for the duration of the provision of the Services.
4.4 The Customer consents to the Supplier using 3rd party couriers, postal services, document processing and other subcontractors as third-party processors of the Personal Data under the Contract. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor a written agreement incorporating terms which are substantially similar to those set out in this condition. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this condition.
4.5 The Customer shall indemnify the Supplier against all liabilities, costs, expenses, damages and losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by the Supplier arising out of or in connection with the breach of this condition by the Customer, its employees or agents and/or the Data Protection Legislation by the Customer, its employees or agents.
5.1. The Supplier shall not retain data for longer than is necessary, and retention shall be in accordance with agreed retention schedules and EU/UK law.
5.2. The Supplier may be required to comply with any reasonable data retention guidelines as issued by the Customer and/or the Client and as amended from time to time (additional costs may flow to the Customer for non-standard retention, such costs to be agreed in writing by the parties). This may require certain data to be identified for retention and made available to the Customer in electronic form by the Supplier and the Supplier shall comply with the same.
INFORMATION SECURITY TERMS