Master Terms and Conditions
These terms and conditions (which include the attached Data Processing Addendum) are issued by Fortis Cyber Security Limited with registered company number 11162256 and having its registered office at 20-22 Wenlock Road, London N1 7GU (“the Supplier”).
Fortis Cyber Security Limited provides a range of services which may include (by way of example only) managed services and professional services and reselling of various cloud services such as security cloud services, in accordance with these terms and conditions and the applicable ‘Associated Agreement’. The Supplier may amend or replace these terms and conditions on one month’s written notice to the Customer at any time (for existing Contracts the terms and conditions in place at the time that the Contract was made continue to apply for that Contract provided that (i) in the case of a fixed term contract, the updated terms and conditions will apply on and from the date of any renewal of the Contract and (ii) in the case of month-to-month contracts, the updated terms and conditions will apply on commencement of the month following the one month’s notice being given, unless the Customer agrees otherwise in writing). By ordering services such as but not limited to managed services, professional services and/or cloud services from the Supplier, the Customer accepts the terms and conditions that apply at that time. Any additional or different terms that the Customer includes in any communication with the Supplier will not be binding on the Supplier or included in any Contract unless expressly agreed upon in writing by the Supplier.
-
Definitions and Interpretation
-
Definitions: In these terms and conditions:
-
“Associated Agreement” means:
-
any agreement or statement of work or statement of supply that is entered into between the parties which is made pursuant to these terms and conditions (for example by referencing that it is made under these Master Terms and Conditions) and may include by way of example only a ‘Managed Services Agreement’ or ‘Statement of Work – Professional or Managed Services’, and/or ‘Cloud Supply Agreement’ or ‘Statement of Supply – SaaS Services; and
-
any additional terms and conditions (including by way of example only the ‘Professional Services Terms and Conditions’) together with:
-
the relevant order, proposal, statement of work or other document that is accepted and agreed by the Customer in the manner required under those additional terms and conditions; or
-
a request by the Customer of a type which is anticipated and not out of scope in any way under those terms and conditions and which is accepted by the Supplier in the manner required under those additional terms and conditions (including a request that is not required to be in writing where applicable under those additional terms and conditions, such as a request that is a “Small Task” under the Professional Services Terms and Conditions), which are expressed as being subject to these Master Terms and Conditions;
-
-
any written proposal (in final form) for supply of Tangible Products or Licensed Software (or for other Products, Services or Deliverables) issued by the Supplier to the Customer (including a proposal in an email or in a quote) which is expressed as being subject to these Master Terms and Conditions and which is intended as a proposal for acceptance by the Customer if the Customer wishes to proceed, for which neither an agreement nor statement of work nor statement of supply under (a) of this definition or additional terms and conditions under (b) of this definition apply, that is accepted and agreed by the Customer in writing in the manner required by the Supplier and within the timing (if any) specified in the relevant proposal.
“Confidential Information” means any information disclosed in confidence to one party by the other party including without limitation the Customer Data, whether of a business, financial, technical, or non-technical nature or otherwise and whether existing in hard copy form, electronically or otherwise but does not include any information which is:
-
on receipt by the recipient party, in the public domain or which subsequently enters the public domain without any breach of the Contract;
-
on receipt by the recipient party, already known by that party (otherwise than as a result of disclosure by the other party);
-
at any time after the date of receipt by the recipient party, received in good faith by the recipient party from a third party;
-
required by law to be disclosed by the recipient party;
“Contract” means these terms and conditions and the Data Processing Addendum, and the relevant Associated Agreement;
“Customer Data” means the Customer’s data including all text, sound, video or image files and the Customer’s software and includes Personal Data;
“Data Processing Addendum” means the data processing addendum attached to these terms and conditions;
“Data Protection Laws” means the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection Act) and, to the extent applicable, the data protection or privacy laws of any other country, and includes any statutory modification or re-enactment of such laws for the time being in force;
The terms "personal data", “controller”, “processor”, “process”, “data subject” and “personal data breach” shall be interpreted in accordance with applicable Data Protection Laws;
“Force Majeure Event” means any war, riot, third party strike, pandemic, civil emergency, natural disaster, or other circumstance of a similar nature that is outside of the control of the affected party;
“Intellectual Property” means copyright, patents, designs, trademarks, trade names, goodwill rights, trade secrets, confidential information and any other intellectual proprietary right or form of intellectual property;
“Licensed Software” means software for which a license to use a copy of the software is granted by the relevant vendor to a customer (and so excludes software as a service/SaaS cloud services)
“Products, Deliverables and Services” means the products (including without limitation Tangible Products and Licensed Software), deliverables, cloud services and/or services to be performed by the Supplier, provided under an Associated Agreement, as described in the relevant Associated Agreement;
“Tangible Products” means physical products including but not limited to hardware and related equipment;
“Working Day” means a day other than a Saturday, Sunday, or public holiday in the United Kingdom.
-
Interpretation
-
In these terms and conditions, reference to the plural includes reference to the singular, and vice versa.
-
Headings inserted in these terms and conditions are for convenience of reference only and do not affect the interpretation of these terms and conditions.
-
reference to any legislation includes any statutory modification or re-enactment of that Act for the time being in force
-
-
Term
-
Each Contract will commence on the date specified in the relevant Associated Agreement or if not specified will commence on the date that the Associated Agreement is signed by both parties or, where signing by both parties is not required, on the date that the Customer accepts in writing or signs the relevant Associated Agreement (as applicable) .
-
Each Contract will, subject to the parties’ rights of earlier termination, continue:
-
for the term specified in the relevant Associated Agreement; or
-
if no term is specified, until terminated in accordance with the relevant Associated Agreement or under the termination provisions in these terms and conditions.
-
-
-
Order of Precedence
-
If there is any conflict or inconsistency between these terms and conditions and an Associated Agreement, the following order of precedence applies to the extent of that conflict or inconsistency (listed below in order of high to low priority):
-
the Data Processing Addendum;
-
each Associated Agreement (with the order of priority of the parts of each Associated Agreement being as described in the relevant Associated Agreement);
-
these terms and conditions.
-
-
-
Products, Deliverables and Services
-
The Suppler will provide Products, Deliverables and Services (as applicable) to the Customer:
-
in accordance with each Associated Agreement;
-
using reasonable care and skill;
-
using people who have the necessary skills and experience; and
-
in accordance with all applicable laws.
-
-
Any Contracts for supply of Licensed Software are deemed to include a provision that the Licensed Software is supplied by the Supplier subject to the relevant vendor’s license agreement (or the vendor’s license terms and conditions, as applicable) if no such provision is expressly included in the relevant Associated Agreement.
-
If the Customer requests services which are not covered by an existing Associated Agreement, the Supplier will issue a draft of the relevant Associated Agreement to the Customer for review and acceptance or signing (as applicable). Nothing in these terms and conditions commits the Supplier to providing products or services unless an applicable Associated Agreement is agreed and signed by both parties or accepted by the Customer in writing or signed by the Customer (as applicable).
-
The Customer will:
-
only use the Products, Deliverables and Services, for lawful purposes and not for fraudulent, illegal, or destructive purposes;
-
adhere to any specific requirements or restrictions in respect of the Products, Deliverables and Services included or referenced in an Associated Agreement;
-
not sell, re-sell, or otherwise provide the Products, Deliverables and Services to any third party unless such selling, re-selling, or provision is expressly permitted or anticipated in the relevant Associated Agreement;
-
not allow the Products, Deliverables or Services to be affected by any virus or destructive media, or use the Products, Deliverables or Services in any way which is intended to be, or is, detrimental to:
-
the use of those Products, Deliverables or Services by other customers of the Supplier or other users; or
-
the systems utilised to provide the Products, Deliverables and Services.
-
-
-
-
Customer’s Obligations
-
Without limiting the Customer’s obligations under any Associated Agreement, the Customer will:
-
where required to provide data to the Supplier, provide that data in a format suitable for import and otherwise as reasonably requested by the Supplier;
-
where the Supplier’s personnel will work on site at the Customer’s premises, provide for the safety of the Supplier’s personnel while on site in accordance with all applicable health and safety legislation;
-
meet all the Customer’s obligations as specified in these terms and conditions and in each Associated Agreement;
-
where applicable in light of the services provided under an Associated Agreement, undertake frequent and adequate backups of the Customer’s data, except and to the extent that the Supplier is providing relevant backup services under an Associated Agreement or under another written agreement between the parties. The Customer should ensure that backups are always completed, as well as ensuring the backups are secure and checking that they can be successfully restored;
-
make available to the Supplier in a timely manner (and in accordance with any timeframes which the Customer has agreed to) all assistance (including availability of relevant personnel), permissions (including permissions from any relevant third parties), information, facilities and access to systems reasonably required by the Supplier; and
-
follow the Supplier’s reasonable directions.
-
-
-
Pricing and Payment
-
Each Associated Agreement will specify the basis of the Supplier’s charges for the relevant supply of Products, Deliverables and Services and the Supplier will invoice the Customer accordingly. All amounts specified in an Associated Agreement are exclusive of any taxes unless expressly specified otherwise.
-
Unless otherwise specified in an Associated Agreement, all invoices are issued by the Supplier on the commencement of work and are due for payment by the Customer within 30 days of the date of the invoice.
-
All reasonable accommodation, travel and other expenses incurred in providing Products, Deliverables and Services to the Customer will be charged to the Customer provided that such expenses are identified and agreed in advance. Expenses will be invoiced on a monthly basis by the Supplier.
-
Subject to clause 6.5, the Customer must pay all invoices in full without set-off or deduction of any kind.
-
If the Customer wishes to dispute an invoice, it must notify the Supplier in writing within 14 (fourteen) days of the date of the invoice and provide details of the dispute. The Customer may withhold payment of the disputed part of an invoice only and must pay that part (or any amount subsequently agreed or determined to be the correct amount owing) promptly on resolution of the dispute.
-
Without limiting any other remedies available to the Supplier for the Customer’s late payment or failure to pay any amount due, if any amount due is not paid by the Customer by the due date, the Supplier may:
-
charge the Customer statutory interest, calculated at the annual rate of 8% above the Bank of England base rate, on the balance of the amount due by the Customer from the due date until payment is received in full by the Supplier; and/or
-
charge the Customer all collection costs reasonably incurred by the Supplier in collection of the amount outstanding (including solicitor and/or collection agency fees); and/or
-
on 5 Working Days’ notice in writing, and subject to the applicable provisions of the Insolvency Act 1986 which may limit the Supplier’s right of suspension, suspend delivery of further Products, Deliverables and Services under the relevant Contract and/or any other Contract and/or may suspend delivery of services or deliverables under any other agreement between the Supplier and the Customer until the outstanding amount is paid in full.
-
-
Unless otherwise specified in the relevant Associated Agreement:
-
the Supplier may increase its pricing from time to time but not more often than once every 12 months;
-
the Supplier will give the Customer one month’s notice in writing of any price increase.
-
-
-
Taxes
-
In addition to the amounts due under clause 6, the Customer will pay the Supplier amounts equal to any applicable government taxes or duties however designated, including without limitation value-added tax (VAT), based on the relevant Contract (or the Products, Deliverables and/or Services provided under it), paid or payable by the Supplier in respect of the foregoing, exclusive however of taxes based on the Supplier’s income.
-
-
Ownership and Risk
-
Except as otherwise provided in the relevant Contract (and without limiting that Contract) and subject to the Intellectual Property provisions in that Contract:
-
ownership of Tangible Products supplied or to be supplied to the Customer under a Contract for sale and purchase of the Tangible Products will not pass to the Customer until the Customer has paid in full for the Tangible Products and any other amounts owing to the Supplier whether under that Contract or any other Contract;
-
-
where Tangible Products are supplied to the Customer otherwise than under a Contract for sale and purchase of the Tangible Products (and without limiting clause 8.1(a)), including without limitation under a Contract for provision of hardware-as-a-service, ownership of the Tangible Products will not pass to the Customer.Until ownership of the Tangible Products passes to the Customer pursuant to clause 8.1(a) above, and for the full term of any Contract of the type described in clause 8.1(b) and up until the Supplier or its nominee has possession of the Tangible Products following the expiration or termination of any such Contract, the Customer must:
-
hold the Tangible Products on trust for the Supplier as bailee, not part with possession of them and only use them in the ordinary course of business;
-
not rent, sell or transfer to any third party all or any part of Tangible Products or attempt to do so;
-
keep and maintain the Tangible Products in good condition and working order;
-
not relocate the Tangible Products from the Customer’s principal place of business or such other Customer premises to which the Tangible Products were delivered by or on behalf of the Supplier for use by the Customer or such other Customer premises as first agreed in writing by the Supplier;
-
not make alterations to the Tangible Products without Supplier’s prior written approval;
-
notify the Supplier promptly if any of the Tangible Products fail; and
-
-
keep the Tangible Products free and clear of any levies, liens or encumbrances. The risk of loss of or deterioration or damage to the Tangible Products passes to the Customer on delivery of the Tangible Products to the Customer. If the Customer considers that, on delivery, the Tangible Products are damaged, the Customer must promptly notify the Supplier in writing. It is the Customer’s responsibility to insure the Tangible Products as and from the date of delivery of the Tangible Products to the Customer.
-
Without limiting any other remedies that the Supplier may have in respect of failure or delay by the Customer to pay for the Tangible Products or any other Products, Deliverables or Services, if the Customer fails to pay for the Tangible Products or applicable Contract in accordance with the relevant Contract (whether a Contract of the type described in clause 8.1(a) or (b) or otherwise) by the due date(s) for payment, or if the Supplier considers that the Tangible Products are “at risk”, the Supplier may (without limiting any other rights or remedies it may have) enter the Customer’s premises at any time and without notice to take possession of the Tangible Products without incurring any liability to the Customer or any other person. The Customer is not permitted to revoke the permission granted in this clause. In the event that the Supplier takes possession of the Tangible Products under this clause, the Supplier will:
-
copy the Customer Data (if any) that is on the relevant Products excluding any Customer Data that is stored in cloud-based services (in the format reasonably determined by the Supplier at its discretion) (‘Copy of Customer Data’); and
-
make the Copy of Customer Data available to the Customer and notify the Customer accordingly, provided that the Supplier has no obligation to retain the Copy of Customer Data for more than 14 days after making it available to the Customer;
-
after creating the Copy of Customer Data, delete the Customer Data from the Products, Deliverables and Services.
-
-
-
Customer Data
-
Subject to clauses 10 and 11, the Supplier will access the Customer Data only as required in the performance of the relevant Contract.
-
Nothing in a Contract transfers ownership of the Customer Data to the Supplier.
-
-
Personal Data and Data Protection
-
The parties will comply with their respective obligations set out in the Data Processing Addendum.
-
-
Confidential Information
-
Each party agrees to:
-
hold in confidence all Confidential Information disclosed to it by the other party and disclose that information to its directors, employees, and contractors only to the extent required in the performance of the Contract;
-
ensure that all Confidential Information is protected at all times from unauthorised access or use by, or disclosure to, any third party or misuse, damage or destruction by any person.
-
-
A party may disclose the other party’s Confidential Information to law enforcement or government authorities to the extent required by law if it first notifies the other party of the obligation to disclose the Confidential Information, provided that a party is not required to notify the other party under this clause if it is not legally permitted to do so or if the timing within which the party is required by law to disclose the Confidential Information does not permit prior notification to the other party.
-
-
Intellectual Property
-
The Supplier or its licensors own the Intellectual Property in the means, methods, processes, and know-how used by the Supplier to provide the Products, Deliverables, and Services and to otherwise perform the Supplier’s obligations under the Associated Agreements.
-
The provisions relating to Intellectual Property ownership in relation to particular Products, Deliverables and Services are included in the relevant Associated Agreement.
-
-
Warranties
-
Each party warrants that it has all requisite right, power, and authority to enter into each Contract.
-
The Customer warrants that the Customer Data supplied to the Supplier does not contain any sensitive or special category personal data and undertakes not to supply any such data without the Supplier’s prior written consent.
-
The Supplier will use reasonable endeavours to assist the Customer to deal with the relevant vendor (via the Distributor where applicable) on any warranty claims in respect of the Tangible Products and Licensed Software and, except as otherwise provided under an Associated Agreement, in respect of any cloud services that the Supplier resells to the Customer.
-
Subject to clause 13.3, the Supplier has no obligation in respect of defects or failure of Tangible Products or Licensed Software including, without limitation, that in the event of any defect or failure of Tangible Products, the Supplier has no obligation to provide any interim hardware or other equipment.
-
Except as provided under clause 13.1 and in any express warranties contained in an Associated Agreement, to the extent permitted by law, all warranties, terms and conditions (including without limitation, warranties and conditions as to fitness for purpose and merchantability) implied by legislation or otherwise, are excluded by the Supplier.
-
-
Termination of Contracts
-
Except for any termination barred under the applicable provisions of the Insolvency Act 1986 and without limiting any rights that have accrued under a Contractor any rights or remedies otherwise available under or in respect of a Contract, either party may terminate a Contract immediately (or with effect from any later date that it may nominate) by written notice to the other party if:
-
one or more Insolvency Events occurs in relation to that other party. For the purposes of this clause, ‘Insolvency Event’ means, in respect of a party:
-
the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986;
-
the other party takes or has taken against it (other than in relation to a solvent restructuring) any step or action towards its entering bankruptcy, administration, provisional liquidation or any composition or arrangement with its creditors, applying to court for or obtaining a moratorium, being wound up (whether voluntarily or by order of the court), being struck off the register of companies, having a receiver appointed to any of its assets, or its entering a procedure in any jurisdiction with a similar effect to a procedure listed in this clause 14.1(a)ii.
-
-
the other party commits a material breach of any of its obligations under the Contract and fails to remedy that breach within 30 (thirty) days of prior written notice of such breach. For the purposes of this clause 14.2 (b), non-payment by the Customer for a period of 30 days or more after due date of any undisputed invoice constitutes a material breach by the Customer.
-
-
Additional rights of termination that apply to individual Associated Agreements may be included in each of those agreements.
-
-
Consequences of Termination
-
On termination of a Contract, in addition to any other consequences of termination included in the relevant Associated Agreement, and unless otherwise agreed in writing in the relevant Associated Agreement, and without limiting either party's rights or remedies:
-
each party will, on request, delete or return the other’s Confidential Information and any full or partial copies of the Confidential Information in its possession or control in respect of that Contract except for any information or copies that:
-
it may be required to hold or continue to process under applicable laws, including for compliance, audit, or legal reasons; and it may be entitled to retain and process in its capacity as data controller, including on the basis of the Supplier’s legitimate interests. Any digital copies of Confidential Information (which includes without limitation personal data), are considered deleted where they are put beyond further use by the relevant party;
-
-
all amounts owed to the Supplier under the Contract which accrued before termination will be due and payable in accordance with the payment terms in that Contract;
-
the Supplier will deliver to the Customer all Deliverables for which the Customer has paid in full.
-
On any termination of a Contract, all clauses which by their nature survive termination, will survive the termination.
-
-
-
Liability and Indemnity
-
The Supplier’s liability under a Contract is limited to direct loss only, not exceeding the amount paid to the Supplier under the Associated Agreement for the specific services connected to such direct loss.
-
To the extent permitted by law, in no event is the Supplier liable for any indirect loss or for any loss of profits, lost savings, loss of data, business interruption, incidental or special damages, or for any consequential loss. In addition, the Supplier is not liable for any damages claimed by the Customer based on any third-party claim, including, but not limited to, any claim in negligence. In no event is the Supplier liable for any damages caused (whether directly or indirectly) by the Customer not accepting or not acting on a recommendation made to the Customer in writing by the Supplier or the Customer’s failure to perform its responsibilities under the Contract.
-
The Customer indemnifies the Supplier against any costs (including legal costs on a solicitor and own client basis, all and any court costs and witness fees and related legal expenses), expenses, claims, demands or liability whether direct, indirect or otherwise, and whether arising in contract, tort (including negligence), equity or otherwise, arising out of, and must at the Supplier’s request, and subject to clause 16.4 and any reasonable conditions imposed at the Supplier’s discretion, at the Customer’s own cost defend or settle, any claim, action or proceedings brought against the Supplier in connection with:
-
any software, services, documents or materials issued, provided or made available by the Customer to the Supplier for use or access by the Supplier in the performance by the Supplier of a Contract where that use or access infringes or is alleged to infringe the intellectual property rights of any third party; or
-
a breach by the customer of a Contract.
-
-
If the Supplier wishes to rely on an indemnity under clause 16.3, the Supplier:
-
must ensure that the Customer is notified promptly in writing of the relevant claim, action, or proceedings ("Claim") once it becomes aware of the Claim;
-
will make no admission of liability regarding the Claim nor any offers of settlement regarding the Claim without the Customer’s written approval;
-
may, at its discretion, grant control of the defence or settlement to the Customer;
-
will, where the Supplier has granted control of the defence or settlement negotiations to the Customer:
-
co-operate reasonably with the Customer in defending or settling the Claim and make its employees available to give statements, advice, and evidence, as the Customer may reasonably request, all at the expense of the Customer; and
-
give the Customer sufficient authority and relevant information in its possession or control in order to assist the Customer to conduct the defence of the Claim and all negotiations for its settlement or compromise.
-
-
-
-
Dispute Resolution
-
In the event of any dispute arising between the parties in relation to a Contract, no party may commence any proceedings relating to the dispute (except where the party seeks urgent interlocutory or injunctive relief) unless that party has complied with the procedures in this clause 17.
-
The party initiating the dispute (“the first party”) must provide written notice of the dispute to the other party (“the other party”) and nominate in that notice the first party’s representative for the negotiations. The other party must within fourteen days of receipt of the notice, give written notice to the first party naming its representative for the negotiations ("Other Party's Notice"). Each nominated representative will have authority to settle or resolve the dispute. The parties will co-operate with each other and endeavour to resolve the dispute through discussion and negotiation.
-
If the dispute is not resolved within one month following the date of the Other Party's Notice (or such longer period as may be agreed upon in writing by the parties), either party may utilise any other legal remedies available to it in seeking to resolve the dispute.
-
-
Non-Solicitation
-
Neither party will, without the written consent of the other party, solicit, employ, or otherwise engage the services of, the other party’s personnel (including employees and contractors). This clause will apply from commencement of the first Contract between the parties and will continue until there has been no Contract between the parties for a continuous period of twelve months (and if there is subsequently a Contract between the parties the non-solicitation period will re-commence).
-
A party may as a condition of granting its consent under clause 18.1 above, require the other party to pay to it a fee of 30% of the person’s gross annual remuneration to cover the cost of replacing the employee or contractor.
-
-
Notices
-
Any notice or other communication in connection with a Contract must be:
-
marked for the attention of the primary contact person and delivered or sent to the address of the other party by prepaid post or email, as set out in the relevant Associated Agreement.
-
-
Notices or other communications are deemed received:
-
if delivered by hand, on delivery;
-
if delivered by post:
-
on the fifth Working Day following posting if sent and received within the United Kingdom; and
-
on the tenth day following posting if posted internationally; or
-
-
if sent by email, on sending the email provided that no email is successfully sent if the sender receives any type of delivery notification failure and provided further that the onus is on the sender to ensure that the email has been successfully received by the recipient.
-
-
-
Force Majeure
-
Either party may suspend its obligations to perform under a Contract if it is unable to perform as a direct result of a Force Majeure Event. Any such suspension of performance must be limited to the period during which the Force Majeure Event continues.
-
Where a party's obligations have been suspended pursuant to clause 20.1 for a period of 30 days or more, the other party may immediately terminate the Contract by giving notice in writing to the other party.
-
-
General
-
Assignment:
-
Subject to clause 21.1(b), neither the Customer nor the Supplier may assign or otherwise transfer all or any Contracts between the Supplier and the Customer or its rights under a Contract without the prior written consent of the other party.
-
The Supplier may, in connection with a merger, acquisition or sale of all or substantially all of the Supplier’s business or as part of a corporate restructure and without the consent of the Customer, assign the Contracts between the Supplier and the Customer and, with effect from that assignment, the assignee is deemed substituted for the Supplier as a party to the Contracts and the Supplier is fully released from all of its obligations under those Contracts. The Supplier will notify the Customer of any assignment made pursuant to this clause 21.1(b) prior to the assignment unless it is not permitted to do so in which case it will notify the Customer as soon as practical following the assignment.
-
-
Contractors: The Supplier may perform its obligations under a Contract by the use of Supplier-selected independent contractors and/or subcontractors provided that the Supplier remains responsible to the Customer in accordance with the Contract.
-
Other agreements: Subject to clauses 11 and 12, nothing in these terms and conditions prevents the Supplier from entering into similar agreements with others that are the same or similar to any Contract entered into with the Customer or from providing products, deliverables or services which are the same or similar to the Products, Deliverables or Services provided under a Contract.
-
Entire agreement: Each Contract constitutes the complete and exclusive statement of the agreement between the parties, superseding all proposals or prior agreements, oral or written, and all other communications between the parties relating to the subject matter of that Contract.
-
Third parties: No person who is not a party to a Contract has any right to enforce its terms and shall have no right under the Contracts (Rights of Third Parties) Act 1999.
-
Further assurances: The parties must each do all such further acts (and sign any documents), as may be necessary or desirable for effecting the transactions contemplated by the Contract.
-
Amendments: Subject to clause 21.1 and except as specifically provided in a Contract, no amendment to a Contract will be effective unless:
-
the amendment is in writing and signed by both parties (if the relevant Associated Agreement was signed by both parties); or
-
the amendment is in writing and signed by the Customer (if the relevant Associated Agreement was such that only the Customer needed to sign the Associated Agreement; or
-
the amendment is in writing and accepted in the same manner that, in accordance with the Associated Agreement, the Associated Agreement was made.
-
-
Waiver: No exercise or failure to exercise or delay in exercising any right or remedy by a party will constitute a waiver by that party of that or any other available right or remedy.
-
Partial invalidity: If any provision of a Contract or its application to any party or circumstance is or becomes invalid or unenforceable to any extent, the remainder of the Contract and its application will not be affected and will remain enforceable to the greatest extent permitted by law.
-
Relationship of the Parties: The parties agree that the Supplier is an independent contractor to the Customer and that nothing in these terms and conditions or any Contract constitutes a partnership, joint venture or relationship of employer and employee between the parties. Neither party may:
-
act or hold itself out as an agent or representative of the other party; or
-
assume or create any obligations on behalf of the other party.
-
-
-
Governing Law
-
Each Contract is governed by the laws of England and Wales. The parties hereby submit to the non-exclusive jurisdiction of the courts of England and Wales.
-
DATA PROCESSING ADDENDUM
-
General and Roles
-
Under each Contract, the Customer engages the Supplier to provide the Products, Deliverables and Services and in providing them, the Supplier may act as either a controller or a processor of the personal data.
-
The Customer and the Supplier each agree to comply with their obligations under the Data Protection Laws.
-
The parties have determined that, for the purposes of Data Protection Laws:
-
subject to clause 1.3(b), the Supplier will act as a controller of any personal data it processes in connection with each Contract in relation to the employees, contractors and agents of the Customer who engage directly with the Supplier, such as the signatories of the Contract, management and directors, and any authorised users or representatives of the Customer. Similarly, the Customer will act as a controller of any personal data it processes in relation to the Supplier’s employees, contractors and agents where it processes such data for its own business purposes.
Where the Customer instructs the Supplier to process personal data of any individual, the Supplier will act as a processor of such personal data.
-
-
Should the determination in clause 1.3 change, then each party will work together in good faith to make any changes which are necessary to this Data Processing Addendum. The terms used in this Data Processing Addendum have the meanings given to them in the definition section of the Master Terms and Conditions (clause 1) or in the Data Protection Laws if not defined in these terms and conditions or in this Data Processing Addendum.
-
-
Processing of Personal Data
-
When processing personal data as the Customer’s processor, the Supplier will:
-
Instructions from Customer: process personal data only on the Customer’s written instructions (which may be set pout as part of a contract) unless otherwise required to do so by the Data Protection Laws in which case the Supplier will inform the Customer of that legal requirement before Processing unless the Supplier is prohibited from informing the Customer by that law;
-
Confidentiality: ensure that the Supplier’s personnel who have access to and/or process the personal data have obligations of confidentiality to the Supplier;
-
Security: comply with the security obligations in clause 3 below which the Customer has reviewed and confirms are appropriate;
-
Data subjects’ rights: assist the Customer (to the extent possible given the nature of processing and information available to the Supplier) with responding to data subjects’ requests and with the Customer’s compliance with its obligations under the Data Protection Laws Assist Customer: assist the Customer with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
-
Personal data breach: notify the Customer without undue delay if the Supplier becomes aware of a personal data breach affecting the personal data and provide the Customer with such assistance as may be reasonably required to comply with obligations under the Data Protection Laws;
-
Deleting and returning data: on the Customer’s request, either delete or return to the Customer all of the relevant personal data unless the Data Protection Laws require processing of personal data. Personal data is considered deleted where it is put beyond further use by the Supplier; and
-
Compliance and audits: on the Customer’s request, make available to the Customer all information necessary to demonstrate the Supplier’s compliance with this Data Processing Addendum. To the extent the Customer (acting reasonably) considers the Supplier’s information to be insufficient, the Supplier will allow for and contribute to audits including inspections conducted by the Customer or another auditor mandated from time to time in accordance with clause 5 below.
-
-
The Customer warrants that it is and undertakes that it will at all relevant times remain duly and effectively authorised to give to the Supplier lawful data processing instructions.
-
-
Security
-
Subject to clause 3.2 below, the Supplier will implement appropriate technical and organisational measures to safeguard the personal data, including those described in Appendix 2.
-
In assessing the appropriate level of security for clause 3.1 above, the Supplier will ensure that the measures are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures.
-
-
Customer’s Authorisations
-
The Customer gives the Supplier its prior general authorisation to:
-
to appoint subprocessors; and
-
transfer the personal data outside of the UK,
-
-
in each case as may be required by the Supplier to provide the services and subject to compliance with the Data Protection Laws. Before appointing or replacing any subprocessor, the Supplier will give the Customer prior written notice. If, within two weeks of receipt of that notice, the Customer notifies the Supplier in writing of any objections (acting reasonably) to the proposed appointment, the Supplier will not appoint the proposed subprocessor. If the Customer cannot demonstrate, to the Supplier's reasonable satisfaction, that the objection is due to an actual or likely breach of the Data Protection Laws, the Customer shall indemnify the Supplier for any losses, damages, costs (including legal fees) and expenses suffered by the Supplier in accommodating the objection.
-
With respect to each subprocessor, the Supplier will:
-
require the sub-processor to agree to obligations substantially similar to those imposed on the Supplier under this Data Processing Addendum; and
-
remain liable to the Customer for the acts and omissions of the sub-processor.
-
-
Where the Supplier transfers the Customer’s personal data outside of the United Kingdom, the Supplier will ensure that any such international transfer will be carried out in accordance with the Data Protection Laws, including by making the transfers on the basis of an adequacy regulation (such as in case of transfers to countries in the EEA), appropriate safeguards (such as on the basis of an international data transfer agreement (IDTA) or International Data Transfer Addendum to the EU SCCs following the risk assessment) or derogation.
-
-
Audit Rights
-
Information and audit rights of the Customer only arise to the extent that a Contract does not otherwise give the Customer information and audit rights meeting the relevant requirements of Data Protection Laws.
-
The Supplier may, on reasonable grounds, object to the proposed auditor in which case the Customer will propose an alternate auditor.
-
The Customer will give the Supplier reasonable (but not less than 30 days) advance notice of any audit or inspection and will make (and ensure that its auditor makes) reasonable endeavours to avoid causing any damage, injury or disruption to the Supplier's premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
-
The Supplier need not give access to its premises for the purposes of such an audit or inspection for the purposes of more than one audit or inspection in any calendar year.
-
-
Restricted Transfers
-
Sharing of the personal data by the Customer with the Supplier is not a Restricted Transfer given that both parties are in the United Kingdom.
-
Where the Services involve a ‘Restricted Transfer’ as between the Customer and the Supplier, the Customer (as ‘data exporter’) and the Supplier (as ‘data importer’) each agrees to enter into an IDTA or an International Data Transfer Addendum to the EU SCCs in respect of that Restricted Transfer. In the event of any conflict or inconsistency between this Data Processing Addendum and the IDTA or Data Transfer Addendum to the EU SCCs (as applicable), the IDTA or Data Transfer Addendum to the EU SCCs (as applicable) will prevail.
-
-
Order of Precedence
-
Nothing in this addendum reduces the Supplier's obligations under a Contract in relation to the protection of personal data or permits the Supplier to process (or permit the processing of) personal data in a manner which is prohibited by the Contract
-
Subject to clause 7.1, in the event of inconsistencies between the provisions of this Data Processing Addendum and the other parts of these Master Terms and Conditions or any Associated Agreement, the provisions of this Data Processing Addendum will prevail.
-
-
Changes in Data Protection Laws
-
Either party may by at least 30 calendar days' written notice propose variations to this Data Processing Addendum which it reasonably considers to be necessary to address the requirements of any change in the Data Protection Laws.
-
If a party gives notice under clause 8.1, the parties will promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the changes to the Data Protection Laws.
-
-
Liability
-
The exclusions and limitations of liability in clause 16 of the Master Terms and Conditions apply to this Data Processing Addendum.
-
APPENDIX 1 TO DATA PROCESSING ADDENDUM DETAILS OF PROCESSING OF PERSONAL DATA
This Appendix 1 includes certain details of the processing of personal data.
Subject matter of processing
Data shared and/or uploaded by the Customer
Duration of processing
As may be necessary for the provision of the Services pursuant to each Contract
Purpose of processing
Provision of the Services pursuant to the Contracts
Nature of processing
Access, compute, store and such other Services as may be agreed and initiated by the Customer from time to time pursuant to the Contracts
Categories of personal data
Data shared and/or uploaded by the Customer which may include, but is not limited to, names, contact details, addresses, dates of birth, usage information and transaction details.
Categories of data subjects
May include, but is not limited to, Customer’s employees (including where not used by the Supplier for its own business processes, but where for example the Supplier accesses or backs up human resources data as part of the services), clients, suppliers, end users and other categories as instructed by the Customer and as may be further clarified in the relevant Associated Agreement.
APPENDIX 2 TO DATA PROCESSING ADDENDUM
DETAILS OF TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
-
The Supplier will implement appropriate technical and organisational measures to safeguard the personal data, including amongst other things as appropriate:
-
the pseudonymisation and encryption of personal data;
-
use HTTP Secure for secure communication over networks;
-
subject to clause 2 of this appendix, ensure the ongoing confidentiality, integrity and availability of personal data;
-
implement information security and data protection policies and ensure these are followed by the Supplier’s staff when processing personal data;
-
provide information security and data protection trainings to the Supplier’s staff who have access to personal data;
-
ensure resilience of the Supplier’s computer systems and subject to clause 2 of this appendix, ensure that personal data is stored on secure systems with access controls in place to limit physical, system and information access to only authorised employees;
-
implement appropriate business continuity and disaster recovery plans within the Supplier’s business that will, subject to clause 2 of this appendix, ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
-
prior due diligence of companies with whom the Supplier may share personal data to assess the security controls the company has in place to protect personal data;
-
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
-
-
The Customer acknowledges that the implementation and maintenance by the Supplier of the technical and organisational measures outlined above, and the assurances given by the Supplier as specified above (“Supplier Commitments”):
-
are dependent on third party products and services and as such the Supplier’s ability to meet the Supplier Commitments is limited to commitments made by the relevant third party in its standard agreement/terms and conditions;
-
may be impacted by factors outside of the control of the Supplier, for which the Supplier is not responsible.
-