Small Business Service Terms and Conditions
Mitigo Small Business Service Terms and Conditions
1.0 Definitions
1.1. “Additional Services” means such additional services as may be agreed between MITIGO and the Client from time to time which may be set out in any Additional Services Addendum or may be agreed orally (for example in cases of emergency);
1.2. “Assessment” means the assessment and Scanning as specifically described in clause 2.2 of these General Terms and Conditions;
1.3. “Authorised User(s)” means an Employee authorised by the Client to have access to and use the E-Learning Portal;
1.4. “Client’s IT System” means the network or networks owned by the Client and connected devices owned by the Client (which excludes all of the following: web applications; web hosting; cloud hosted servers and cloud platforms);
1.5. “Client’s Trade Marks” means the sign, the word, or phrase, logo, picture, shape, whether registered or not which belong to the Client and which distinguish its goods or services from those of another company;
1.6. “Data Processor Addendum” means the form attached below which sets out the Parties’ obligations under the Data Protection Laws where MITIGO undertakes processing on behalf of the Client;
1.7. “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of this Agreement i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); ii) the Data Protection Act 2018; iii) any other applicable data protection or privacy laws. Defined terms in this clause 1.6 have the same meaning as set out in the Data Processor Addendum;
1.8. “Documentation” means any documentation, which is made available to the Client by MITIGO (whether online or in hard-copy);
1.9. “E-Learning Portal” has the meaning set out in clause 2.3 (i) of these General Terms and Conditions;
1.10. “Employee” means from time to time all full-time and part-time employees of the Client only;
1.11. “Helpdesk Support” has the meaning set out at clause 2.4 of these General Terms and Conditions;
1.12. “Intellectual Property Rights” means any and all rights in patents, rights to inventions, copyright and related rights, moral rights, trade marks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world;
1.13. “Management Portal” has the meaning set out in clause 2.3 (ii) of these General Terms and Conditions;
1.14. “Material Breach” means a breach (including an anticipatory breach) which is not minimal or trivial in its consequences to the non-breaching party. In deciding whether any breach is material, no regard shall be had to whether it occurs by some accident, mishap, mistake or misunderstanding;
1.15. “Material Change” means any one or more of the following: (i) an increase in the number of Employees to 15 or more, (ii) the change of Client network or the addition of another network by the Client or (iii) there is a change which affects Mitigo’s performance of the Services;
1.16. “MITIGO” means MITIGO LIMITED incorporated under the laws of England and Wales with registered number 15672839 and with registered office located at Southgate 2, 319 Wilmslow Road, Cheadle, Cheshire, SK8 3PW;
1.17. “Other Maintenance Services” means the services described in clause 2.5 of these General Terms and Conditions;
1.18. “Portals” means the E-Learning Portal and the Management Portal;
1.19. “Qualified Personnel” means such individuals who are designated by the Client from time to time which shall not exceed 3 in number unless otherwise agreed by MITIGO;
1.20. “Scan or Scanning” means any scans undertaken by Mitigo to search for security vulnerabilities;
1.21. “Services” means the packaged services consisting of the Assessment; the provision of the Portals, Helpdesk Support, Other Maintenance Services and any Additional Services;
1.22. “Site” means the Client’s office(s) as set out in the applicable Statement of Terms;
1.23. “Statement of Terms” means the form signed by the Parties which sets out the Contract Period, the number of Employees, and other details;
1.24. “Subcontractors” means the subcontractors, from time to time of MITIGO;
1.25. “United Kingdom” means the United Kingdom of Great Britain and Northern Ireland;
1.26. “United States” means the United States of America;
1.27. “Working Day” means any day (other than a Saturday or Sunday) on which banks are generally open in London for non-automated normal business;
1.28. “Working Hours” means 9am to 5pm on any Working Day.
MITIGO and the Client are individually referred to as a Party and collectively referred to as the “Parties”.
Unless the context otherwise requires:
(i) words in the singular shall include the plural and, in the plural, shall include the singular; and (ii) a reference to one gender shall include a reference to the other gender.
2.0 Services
2.1 MITIGO shall provide the Client with the following Services:
2.2 Assessment, being the annual assessment of the Client’s existing technical security arrangements which shall include: a remote internal and external network scan to search for vulnerabilities; a remote audit interview with a key member of staff; laptop/computer security sample assessment; a health check on certain key applications which may include Gmail, DropBox etc; and a configuration check on certain key controls which may include anti-virus, backups and firewall.
Following the completion of the Assessment, MITIGO shall produce and provide the Client with: (i) a vulnerability assessment report on the Client’s technical security arrangements, and (ii) such recommendations as MITIGO considers reasonable on how to address the risks and vulnerabilities identified during the Assessment, together the “Assessment Reports”.
2.3 Access to the Portals, being:
(i) the E-Learning Portal, being the platform accessible by the Authorised Users using secure login details and passwords. The E-Learning Portal contains online courses and training on cyber security awareness, follow-up online tests and various policies provided by MITIGO;
(ii) the Management Portal, being the platform accessible by the Qualified Personnel only using secure login details and passwords. The Management Portal contains the Assessment Reports, training and testing updates, and precedent policies.
2.4 Helpdesk Support, being:
the telephone and email support available to the Qualified Personnel only during Working Hours designed to provide advice and guidance for the Client’s internal business only on any part of the Services.
2.5 Other Maintenance Services, being simulated email attacks in order to assess Employees’ vulnerabilities (which shall be twice during any 12-month period unless otherwise agreed between the Parties).
2.6 Any Additional Services.
3.0 Commencement and duration
The Service Agreement shall begin on the Start Date as set out in the Statement of Terms and shall, unless terminated pursuant to clause 13 of these General Terms and Conditions, continue for the Contract Period. The Service Agreement shall automatically renew for successive Contract Periods unless either Party gives to the other not less than three months written notice of termination to expire at the end of the first or any subsequent Contract Period.
4.0 Client’s obligations
4.1 The Client shall at all times:
(i) co-operate with MITIGO on all matters relating to the Service Agreement;
(ii) provide, in a timely manner, such information as MITIGO may reasonably request in order to provide the Services and ensure that all information that the Client provides is accurate in all material respects;
(iii) allow MITIGO and its Subcontractors access to any Client’s premises which may be required in order to perform the Services;
(iv) allow MITIGO and its Subcontractors remote access to the Client’s IT Systems;
(v) immediately after becoming aware, notify MITIGO in writing of any Material Change; and
(vi) ensure that their log-in details are kept confidential and secure and that their passwords comply with MITIGO’s security requirements and are changed regularly.
4.2 Without prejudice to clause 4.1, the Client shall, at all times, during Working Hours, make available to MITIGO such Employees and other individuals who are in charge of the Client’s IT Systems.
4.3 The Client shall notify MITIGO in writing as soon as reasonably possible of a change of Qualified Personnel.
4.4 Any technical equipment which MITIGO or its Subcontractors may use or install for the purposes of the Services shall at all times remain the property of MITIGO, and the Client shall allow MITIGO or its Subcontractors access to the Site or to any other Client’s premises to remove any such equipment.
5.0 Usage restrictions
5.1 MITIGO will provide login details for the number of Authorised Users and for the Qualified Personnel. Such login details are unique to each Authorised User or Qualified Personnel and shall not be shared between Authorised Users or Qualified Personnel or with any third party.
5.2 MITIGO shall grant the Client a non-exclusive, non-transferable licence to use and access the Portals in accordance with the terms of the Service Agreement and during the term of the Service Agreement only.
5.3 The Client warrants and undertakes with MITIGO that it shall not, and shall procure that no Authorised User or Qualified Personnel shall:
(i) copy or modify any part or create any derivative works from the Portals;
(ii) reverse compile, disassemble or reverse engineer the Portals;
(iii) use the Portals in order to build a product or service which is the same as or similar to the Portals.
5.4 Without prejudice to clause 5.3, the Client shall not:
(i) use the Portals for a purpose other than as set out in the Service Agreement;
(ii) use the Portals for any illegal or immoral purpose;
(iii) make or distribute copies of the Portals from one computer to another or over a network;
(iv) export or re-export, directly or indirectly, the Portals into any country prohibited by the export control laws of the United Kingdom or the United States.
5.5 MITIGO reserves the right to assess the Client’s usage of Helpdesk Support. In the event of high usage which in MITIGO’s reasonable opinion is excessive, MITIGO may need to restrict the amount of Helpdesk Support per month, in order to maintain a consistent level of high-quality services for all clients. Should this occur, MITIGO will contact the Client to prioritise the matters to be given telephone and email support.
6.0 Intellectual Property Rights
6.1 The Portals and all Intellectual Property Rights in the Portals belong to, vest in and are the exclusive property of MITIGO or its third-party providers.
6.2 The Documentation and all Intellectual Property Rights in the Documentation belong to and are vested in MITIGO or its third-party providers. Nothing in the Service Agreement shall be construed as an assignment of rights in favour of the Client. The Client shall use the Documentation during the term of the Service Agreement for its own internal business purposes only.
6.3 Without prejudice to clause 6.2, in the event of termination of the Service Agreement (other than pursuant to clause 13.1), and provided no payments due from the Client to MITIGO are outstanding, the Client may continue to use, for its own internal business purposes only, the content of the following documents: the Assessment Reports, policies, and any management information.
6.4 The Client shall grant MITIGO non-exclusive rights to use the Client’s Trade Marks during the term of the Service Agreement for the purpose of performing the Service Agreement.
7.0 Fees
7.1 Subject to clauses 7.2, and 7.3, the Fees shall be fixed throughout the duration of the Service Agreement.
7.2 The Parties may at any stage during the Service Agreement agree to increase the Fees due to the introduction of or a change in Additional Services.
7.3 On the expiry of the first Contract Period and on each anniversary of that date MITIGO reserves the right to increase the Fees by an amount up to or equal to the UK Retail Price Index (RPI) “All Items” rate last previously published by the Office for National Statistics (or by any other body to which the functions of that office may be transferred) or by 2%, whichever be the greater. If the RPI rate is a decrease, the Fees will not be reduced.
8.0 Payment terms
8.1 The Client shall pay the Fees as specified in the applicable Statement of Terms to MITIGO.
8.2 The Client shall also pay additional sums at such rates and upon such terms as may be agreed (or in cases of emergency at Mitigo’s prevailing rates) in respect of any Additional Services.
8.3 In the event that the Client fails to pay any amount due under the Service Agreement, MITIGO reserves the right to charge late payment interest on any such overdue payment at the rate of 4 per cent. over the base rate of Barclays Bank Plc applicable from time to time.
8.4 The Client shall have no right of set-off.
9.0 Data Protection
9.1 The Services include the processing, as Data Processor, of Personal Data which is under the control of the Client. The terms of the Data Processor Addendum shall apply to such processing.
9.2 Prior to and during the provision of the Services, MITIGO may, as Data Controller, collect or receive Personal Data relating to the Client’s Employees, directors, agents, shareholders, suppliers, contractors, associates or others.
The Client is aware of MITIGO’s privacy policy at: https://mitigogroup.com/privacy-policy/.
The Client confirms that it is authorised to provide or permit access to this Personal Data and that the Client has provided any required privacy notices to all the relevant data subjects.
10.0 Warranties
10.1 The Parties warrant that they have the authority and the rights to enter into the Service Agreement.
10.2 MITIGO provides the Services and the Documentation on an “as is” basis only.
10.3 MITIGO does not warrant or guarantee that any part of the Services shall:
- operate without interruption or be error-free, or that errors can be corrected;
- not infringe any third party’s Intellectual Property Rights;
- be of satisfactory quality;
- be accurate;
- be fit for any particular purpose; or
- be virus free.
10.4 All other warranties either express or implied by law or otherwise are hereby excluded.
11.0 Client Remains Responsible
Without prejudice to clause 10, the Client acknowledges and accepts the following:
(i) the Client is and at all times remains fully responsible for the Client’s IT System and its digital infrastructure generally including any hardware or software owned or operated by the Client, Employees or Contractors and whether hosted by the Client or any third parties (including without limitation as regards confidentiality, integrity, availability and resilience);
(ii) any Assessment or Scanning is based only on sampling, and can only look at the condition of some elements of the Client’s IT System at the time it is undertaken. It is not possible to review everything and there will always be parts or areas of the Client’s IT System which are not reviewed. Further, other security related issues will arise from time to time, including after any Assessment or Scanning has taken place;
(iii) any management information provided as part of the Services including Assessment Reports, technical reports, training and testing updates, Other Maintenance Services and Helpdesk Support, is for guidance only, and is intended to help to improve the Client’s cyber resilience. MITIGO does not guarantee that the Client will be free from attacks, breaches and failures. No organisation is impregnable and all organisations will experience security incidents.
12.0 Intellectual Property Indemnity
12.1 MITIGO shall defend the Client against any claim brought against the Client by a third party that the Client’s use of the Portals and the Documentation, infringes any Intellectual Property Rights of such third party (a “Claim”) and MITIGO shall indemnify the Client for any amounts awarded against the Client in judgment or settlement of any such claim, provided that:
(i) the Client gives prompt notice of any Claim to MITIGO;
(ii) the Client provides reasonable co-operation to MITIGO in the defence and settlement of the Claim, at MITIGO’s expense;
(iii) the Client makes no statement or comments in respect of the Claim; and
(iv) the Client gives sole authority to MITIGO to defend or settle the Claim.
12.2 In the defence or settlement of the Claim, MITIGO may obtain for the Client the right to continue using the infringing element in the Portals or the Documentation, replace or modify the infringing element so that it becomes non-infringing or, if such remedies are not reasonably available, terminate the Service Agreement without liability to the Client.
12.3 MITIGO shall have no liability if the infringement alleged in the Claim is based on:
(i) any information provided by the Client to MITIGO;
(ii) the use by the Client or any Qualified Personnel or any Authorised User of the Portals or the Documentation in breach of these General Terms and Conditions or any instructions given to the Client by MITIGO;
(iii) the use by the Client or any Qualified Personnel or any Authorised User of the Portals or the Documentation after notice of alleged or actual infringement from MITIGO or any appropriate authority;
(iv) any change or addition to the Portals or the Documentation by the Client or any third party; or
(v) combination, operation or use of the Portals or the Documentation with any third-party program, equipment or documents.
12.4 This clause 12 sets out the Client’s sole and exclusive rights and remedies, and MITIGO’s entire obligations and liability, for any claim by a third party that the Client’s use of the Portals or the Documentation infringes any Intellectual Property Rights of such third party.
12.5 The Client shall indemnify and keep indemnified MITIGO against all liabilities, damages, costs, losses, claims, expenses, demands and proceedings arising from or incurred by reason of any infringement or alleged infringement of any Intellectual Property Rights to the extent based on any of the matters in clause 12.3.
13.0 Termination
13.1 Without affecting any other right or remedy available to it, MITIGO may terminate the Service Agreement with immediate effect by giving written notice to the Client if:
(i) the Client fails to pay any amount due under the Service Agreement on the due date for payment and remains in default for not less than seven days (regardless of whether the Client has been notified that such amount is outstanding); or
(ii) the Client commits a Material Breach of any term of the Service Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 14 (fourteen) days after being notified in writing to do so.
13.2 The Client may terminate the Service Agreement with immediate effect by giving written notice to MITIGO if MITIGO commits a Material Breach of any term of the Service Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 (thirty) Working Days of being notified in writing to do so.
13.3 Either Party may terminate the Service Agreement with immediate effect by giving written notice to the other party if the other party is bankrupt or insolvent or becomes unable to pay its debts as they fall due or an event analogous to any of the aforesaid shall occur in any jurisdiction.
13.4 In the event of a Material Change, Mitigo shall be entitled to terminate the Service Agreement at any time by giving not less than 1 month’s written notice to the Client.
14.0 Confidential Information
14.1 Except as provided by clauses 14.3 and 14.4, the Parties shall at all times during the continuance of the Service Agreement and after its termination use their best endeavours to keep all restricted information (as defined below) confidential and accordingly must not:
(i) disclose any restricted information to any other person; or
(ii) use any restricted information for any purpose other than the performance of their obligations under the Service Agreement.
14.2 References to ‘restricted information’ are references to any information disclosed to either party (“Receiving Party”) by the other party (“Disclosing Party”) pursuant to or in connection with the Service Agreement, whether orally, digitally or in writing and whether or not it is expressly stated to be confidential or marked as such.
14.3 Any restricted information may be disclosed by the Receiving Party to:
- any governmental or other authority or regulatory body; or
- any employees of the Receiving Party or of any of the aforementioned persons;
but only to the extent necessary for the purposes contemplated by the Service Agreement or as is required by law, and subject in each case to the Receiving Party using its best endeavours to ensure that the person in question keeps the information confidential and does not use it except for the purposes for which the disclosure is made.
14.4 Any restricted information may be used by the Receiving Party for any purpose, or disclosed by the Receiving Party to any other person, to the extent only that:
(i) it is at the time of use or disclosure, public knowledge through no fault of the Receiving Party; or
(ii) it can be shown by the Receiving Party, to the reasonable satisfaction of the Disclosing Party, to have been known by it before it was disclosed by the Disclosing Party, provided that the Receiving Party must not disclose any restricted information that is not public knowledge.
15.0 Anti-Bribery
The Parties shall comply with all applicable laws, statutes, regulations, and codes relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010 in the UK.
16.0 Right of audit
Subject to MITIGO providing the Client with 14 days’ prior written notice, MITIGO reserves the right to:
(i) enter and inspect the Site(s);
(ii) inspect and audit the Client’s IT Systems; and
(iii) inspect, audit and take copies of the relevant records and other documents to verify the Client’s compliance with the Service Agreement.
17.0 Limitation of Liability
17.1 Nothing in the Service Agreement shall be deemed to limit or exclude either Party’s liability for:
- death or personal injury caused by negligence;
- fraud or fraudulent misrepresentation; and
- any other liability that cannot by law be limited or excluded.
17.2 Subject to clause 17.1, neither Party shall, in any event, be liable whether in contract (by way of indemnity or otherwise), tort (including negligence), misrepresentation, restitution or otherwise under or in connection with the Service Agreement for:
(i) any special, indirect, or consequential loss or damage;
(ii) any direct or indirect loss of profit, turnover, business, business opportunity, revenue, contracts, goodwill, reputation, anticipated savings or management time; or
(iii) loss or corruption of data.
17.3 Subject to clause 17.1, MITIGO’s maximum liability to the Client in respect of any claim (or series of connected claims) under or in connection with the Service Agreement whether arising in contract (including by way of indemnity), tort (including negligence), misrepresentation, restitution or otherwise will be limited to a sum equivalent to the total Fees paid by the Client under the Service Agreement during the 12 (twelve) month period immediately before the date on which the cause of action first arose.
18.0 General
18.1 Entire agreement. The Service Agreement expresses the entire agreement between MITIGO and the Client and supersedes any negotiations or prior agreements in respect of its subject matter.
18.2 Variation. No variation of the Service Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
18.3 No waiver. No failure to exercise and no delay in exercising on the part of either Party any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, power or privilege preclude any other or further exercise thereof or the exercise of any other right, power or privilege. If either Party shall expressly waive any breach, default or omission hereunder, no such waiver shall apply to, or operate as, a waiver of similar breaches, defaults or omissions or be deemed a waiver of any other breach, default or omission hereunder.
18.4 Publicity. The Client gives its consent to MITIGO to use the Client’s Trade Marks in order to make public announcements concerning the existence, subject-matter or terms of the Service Agreement, or the relationship between the Parties.
18.5 Notice. Any notice given to a Party under the Service Agreement shall be in writing and shall be:
(i) sent by pre-paid first-class post or other next Working Day delivery service to its address as specified on the relevant Statement of Terms or such other address as may have been notified to the other (in accordance with this provision); or
(ii) sent by email to the address specified on the relevant Statement of Terms.
Any notice shall be deemed to have been received:
(iii) if sent by pre-paid first-class post or other next Working Day delivery service, at 9.00 am on the second Working Day after posting or at the time recorded by the delivery service; and
(iv) if sent by email, at the time of transmission, or, if this time falls outside Working Hours in the place of receipt, when Working Hours resume.
This clause does not apply to the service of any proceedings or other documents in any legal action.
18.6 Third Party Rights. The Service Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Service Agreement.
18.7 No assignment. The Client shall not assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under the Service Agreement.
18.8 MITIGO may assign, sub-contract or deal in any way with any of its rights and obligations under the Service Agreement.
18.9 Complaints. If during the term of the Service Agreement the Client has a complaint, it should be directed by email to complaints@mitigogroup.com. The complaint will be acknowledged as soon as reasonably practicable. The complaint will be investigated, and a response will normally be provided within 1 week of receipt. Where that is not possible, the Client will be informed of the progress of the investigation. The outcome of the investigation and a decision will be provided to the Client by email.
18.10 Governing Law and Jurisdiction. The Service Agreement shall be governed by the laws of England and Wales. The Parties hereby irrevocably submit to the exclusive jurisdiction of the courts of England and Wales in respect of any claim or matter arising out of or in connection with the Service Agreement (including any application by either Party for an injunction or any other emergency relief).
DATA PROCESSOR ADDENDUM
1. DEFINITIONS
1.1 Terms such as “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processor Addendum;
1.3 “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in Annex 2 (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Controller in accordance with section 1;
1.4 “Controller” means the Client;
1.5 “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement i) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); ii) the Data Protection Act 2018, and iii) any other applicable data protection or privacy laws;
1.6 “EEA” means the European Economic Area;
1.7 “Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Service Agreement;
1.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
1.9 “Processor” means MITIGO;
1.10 “Service Agreement” means the agreement into which this Addendum is incorporated;
1.11 “Services” means the services described in the Service Agreement;
1.12 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
1.13 “Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process personal data on behalf of the Controller;
1.14 “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
2. PROCESSING OF THE PERSONAL DATA
2.1 The parties acknowledge that, for the purposes of the Data Protection Laws, Client is the Controller and MITIGO is the Processor.
2.2 Each party confirms that in the performance of the Service Agreement it will comply with Data Protection Laws.
2.3 The Processor shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the Service Agreement and as set out in Annex 1 (Details of Processing of Personal Data) to this Addendum and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (whether in the Service Agreement or otherwise) unless processing is required by applicable law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.
2.4 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to the Service Agreement or this Addendum infringes the GDPR or other Data Protection Laws.
3. CONTROLLER WARRANTY
3.1 Controller warrants that it has all necessary rights to provide the Personal Data to Processor for the Processing to be performed in relation to the Services.
3.2 To the extent required by Data Protection Laws, Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Controller is responsible for communicating the fact of such revocation to the Processor, and Processor remains responsible for implementing any Controller instruction with respect to the further processing of that Personal Data.
4. CONFIDENTIALITY
4.1 The Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorised Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
4.2 The Processor shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorised Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in section 3 above in the context of that person’s or party’s duties to the Processor.
4.3 The Processor shall ensure that all such persons or parties involved in the processing of Personal Data:
4.3.1 are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
4.3.2 have undergone adequate training in the use, care, protection and handling of Personal Data.
5. SECURITY
5.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.
5.2 The parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Processor will therefore evaluate the technical and organisational measures it has implemented on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with Data Protection Laws.
6. SUB-PROCESSING
6.1 So far as permitted by law and subject to section 3, the Controller grants to the Processor general authorisation to engage any Sub-processor to process Personal Data.
6.2 As at the date of the Service Agreement the Controller hereby authorises the Processor to engage the Sub-processors set out in Annex 2 (Authorised Sub-processors).
6.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Sub-processors, thereby giving the Controller the opportunity to object to such changes.
6.4 With respect to each Sub-processor, the Processor shall:
6.4.1 carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
6.4.2 include terms in the contract between the Processor and each Sub-processor which are equivalent to those set out in this Addendum, and shall supervise compliance thereof;
6.4.3 insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Controller into the contract between the Processor and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Controller may approve as providing an adequate protection in respect of the processing of Personal Data in such third country(ies); and
6.4.4 remain fully liable to the Controller for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
7. DATA SUBJECT RIGHTS
7.1 The Processor shall without undue delay notify the Controller if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in chapter III of GDPR, and shall provide full details of that request.
7.2 The Processor shall cooperate as reasonably requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or the Service Agreement, which shall include:
7.2.1 the provision of all information reasonably requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
7.2.2 where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
7.2.3 implementing any additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
8. INCIDENT MANAGEMENT
8.1 In the case of a Personal Data Breach, the Processor shall, without undue delay, notify the Personal Data Breach to the Controller providing the Controller with sufficient information which allows the Controller to meet any obligations to report a Personal Data Breach under Data Protection Laws. Such notification shall as a minimum:
8.1.1 describe the nature of the Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2 communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
8.1.3 describe the likely consequences of the Personal Data Breach; and
8.1.4 describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2 The Processor shall fully co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach, in order to enable the Controller to meet any requirement under Data Protection Laws.
8.3 The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1 The Processor shall, at the Controller’s request, provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Controller or any of its affiliates which are required under Article 36 GDPR, in each case in relation to processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and information available to the Processor.
10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
The Processor shall, following the termination of the Service Agreement and at the choice of the Controller, delete or return all Personal Data to the Controller and delete any existing copies, unless the Processor is under a legal obligation to store any of the Personal Data.
11. AUDIT RIGHTS
11.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with Data Protection Laws and allow for and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller.
11.2 Any such audits or inspections shall take place during normal working hours and on reasonable prior notice.
12. INTERNATIONAL TRANSFERS
12.1 The Processor shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in Annex 3 (Authorised Transfers of Personal Data), unless authorised in writing by the Controller in advance.
12.2 When requested by the Controller, the Processor shall promptly enter into (or procure that any relevant Sub-processor of the Processor enters into) an agreement with the Controller on Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the EEA without an adequate level of protection.
13. LIABILITY
13.1 The disclaimers and limitations of liability set out under the Service Agreement shall apply also to this Addendum.
14. COSTS
14.1 The Controller shall pay any reasonable costs and expenses incurred by the Processor in meeting the Controller’s requests made under sections 2, 9 or 11.
15. MISCELLANEOUS
15.1 Any obligation imposed on the Processor under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of the Service Agreement.
15.2 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Service Agreement and any provision of this Addendum, the provision of this Addendum shall prevail. In the event of any conflict or inconsistency between the Service Agreement or this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data
The processor shall process Personal Data for the duration of the Service Agreement.
The nature and purpose of the processing of Personal Data
The processing of Personal Data shall be undertaken as necessary to perform the Services.
The types of Personal Data to be processed
Contact details (e.g. full name, job title, email address, phone numbers, postal address). Grades and test results, performance and evaluation reports. Job and task responsibilities. Contract data. Personal Data contained in management information and reports.
The categories of data subject to whom the Personal Data relates
Employees, directors, shareholders, agents, suppliers, contractors and associates of the Controller.
ANNEX 2: AUTHORISED SUB-PROCESSORS
PANCENTRIC LIMITED – UK; EPIGNOSIS – US and UK.
ANNEX 3: AUTHORISED TRANSFERS OF CONTROLLER PERSONAL DATA
Pancentric Limited of 197 Long Lane, London, SE1 4DP. Data Storage.
Epignosis LLC, a US company of 315 Montgomery Street, San Francisco, California, CA 94194 USA. Data Storage.