Terms and Conditions
Mitigo Terms and Conditions
1.0 Definitions
1.1. “Additional Services” means such additional services as may be agreed between MITIGO and the Client from time to time which may be set out in any Additional Services Addendum or may be agreed orally (for example in cases of emergency);
1.2. “Authorised User(s)” means an Employee authorised by the Client to have access to and use the E-Learning Portal;
1.3. “Client’s IT System” means the network or networks owned by the Client and connected devices owned by the Client (which excludes all of the following: web applications; web hosting; cloud hosted servers and cloud platforms);
1.4. “Client’s Trade Marks” means the sign, the word, or phrase, logo, picture, shape, whether registered or not which belong to the Client and which distinguish its goods or services from those of another company;
1.5. “Data Processor Addendum” means the form attached below which sets out the Parties’ obligations under the Data Protection Laws where MITIGO undertakes processing on behalf of the Client;
1.6. “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of this Agreement i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018 (“UK GDPR”); ii) the Data Protection Act 2018; iii) any other applicable data protection or privacy laws. Defined terms in this clause 1.6 have the same meaning as set out in the Data Processor Addendum;
1.7. “Documentation” means any documentation, which is made available to the Client by MITIGO (whether online or in hard-copy);
1.8. “E-Learning Portal” has the meaning set out in clause 2.3 (i) of these General Terms and Conditions;
1.9. “Employee” means from time to time all full-time and part-time employees of the Client only;
1.10. “Helpdesk Support” has the meaning set out at clause 2.4 of these General Terms and Conditions;
1.11. “Intellectual Property Rights” means any and all rights in patents, rights to inventions, copyright and related rights, moral rights, trade marks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world;
1.12. “Management Portal” has the meaning set out in clause 2.3 (ii) of these General Terms and Conditions;
1.13. “Material Breach” means a breach (including an anticipatory breach) which is not minimal or trivial in its consequences to the non-breaching party. In deciding whether any breach is material, no regard shall be had to whether it occurs by some accident, mishap, mistake or misunderstanding;
1.14. “Material Change” means any one or more of the following: (i) an increase by at least 10% of the number of Employees as set out in the Statement of Terms, (ii) the change of Client network or the addition of another network by the Client or (iii) the change of location or the addition of another location by the Client;
1.15. “MITIGO” means MITIGO LIMITED, incorporated under the laws of England and Wales with registered number 15672839 and with registered office located at Southgate 2, 319 Wilmslow Road, Cheadle, Cheshire, SK8 3PW;
1.16. “Assessment” means the assessment of the Client’s IT Systems and Scanning as specifically described in clause 2.2 of these General Terms and Conditions;
1.17. “Other Maintenance Services” means the services described in clause 2.5 of these General Terms and Conditions;
1.18. “Portals” means the E-Learning Portal and the Management Portal;
1.19. “Qualified Personnel” means such individuals who are designated by the Client from time to time which shall not exceed 6 in number unless otherwise agreed by MITIGO;
1.20. “Scan or Scanning” means a scan of the Client’s IT System to search for security vulnerabilities;
1.21. “Services” means the packaged services consisting of the Assessment; the provision of the Portals, Helpdesk Support, Other Maintenance Services and any Additional Services;
1.22. “Statement of Terms” means the form signed by the Parties which sets out the Contract Period, the number of Employees, and other details;
1.23. “Subcontractors” means the subcontractors, from time to time of MITIGO;
1.24. “United Kingdom” means the United Kingdom of Great Britain and Northern Ireland;
1.25. “United States” means the United States of America;
1.26. “Working Day” means any day (other than a Saturday or Sunday) on which banks are generally open in London for non-automated normal business;
1.27. “Working Hours” means 9am to 5pm on any Working Day.
MITIGO and the Client are individually referred to as a Party and collectively referred to as the “Parties”.
Unless the context otherwise requires:
(i) words in the singular shall include the plural and, in the plural, shall include the singular; and (ii) a reference to one gender shall include a reference to the other gender.
2.0 Services
2.1 MITIGO shall provide the Client with the following Services:
2.2 Assessment, being the annual assessment of the Client’s existing technical security arrangements and a vulnerability Scan of the Client’s IT System which MITIGO undertakes remotely.
Following the completion of the Assessment, MITIGO shall produce and provide the Client with: (i) a report reviewing the Client’s existing technical security arrangements, and (ii) such recommendations as MITIGO considers reasonable on how to address the risks and vulnerabilities identified during the Assessment, together the “Assessment Reports”.
2.3 Access to the Portals, being:
(i) the E-Learning Portal, being the platform accessible by the Authorised Users using secure login details and passwords. The E-Learning Portal contains online courses and training on cyber security awareness, follow-up online tests and various policies provided by MITIGO;
(ii) the Management Portal, being the platform accessible by the Qualified Personnel only using secure login details and passwords. The Management Portal contains management information, the Assessment Reports, the management information dashboard, all technical reports, get well plans, training and testing updates, policies and maintenance regime.
2.4 Helpdesk Support, being:
the telephone and email support available to the Qualified Personnel only during Working Hours, designed to provide advice and guidance on any part of the Services for the Client’s internal business only.
2.5 Other Maintenance Services, being:
(i) the maintenance regime tailored to the Client’s needs and other management tasks;
(ii) simulated email attacks in order to assess Employees’ vulnerabilities (which shall be twice during any 12-month period unless otherwise agreed between the Parties);
(iii) periodic Scanning (every 6 months including the Scan undertaken during the Assessment or as may otherwise be agreed between the Parties);
(iv) following the Scanning MITIGO shall provide the Client with a technical report detailing any vulnerabilities found; and
(v) the annual review of control framework and any updated policies and maintenance regime.
2.6 Any Additional Services.
3.0 Commencement and duration
The Service Agreement shall begin on the Start Date as set out in the Statement of Terms and shall, unless terminated pursuant to clause 13 of these General Terms and Conditions, continue for the Contract Period. The Service Agreement shall automatically renew for successive Contract Periods unless either Party gives to the other not less than three months written notice of termination to expire at the end of the first or any subsequent Contract Period.
4.0 Client’s obligations
4.1 The Client shall at all times:
(i) co-operate with MITIGO on all matters relating to the Service Agreement;
(ii) provide, in a timely manner, such information as MITIGO may reasonably request in order to provide the Services and ensure that all information that the Client provides is accurate in all material respects;
(iii) allow MITIGO and its Subcontractors access to the Site and to any other Client’s premises which may be required in order to perform the Services;
(iv) allow MITIGO and its Subcontractors remote access to the Client’s IT Systems;
(v) immediately after becoming aware, notify MITIGO in writing of any Material Change or any other changes which may affect MITIGO’s performance of the Services in any way. MITIGO reserves the right to increase the Fees in accordance with clause 7 of these General Terms and Conditions; and
(vi) ensure that their log-in details are kept confidential and secure and that their passwords comply with MITIGO’s security requirements and are changed regularly.
4.2 Without prejudice to clause 4.1, the Client shall, at all times, during Working Hours, make available to MITIGO such Employees and other individuals who are in charge of the Client’s IT Systems.
4.3 The Client shall notify MITIGO in writing as soon as reasonably possible of a change of Qualified Personnel.
4.4 Any technical equipment which MITIGO or its Subcontractors may use or install for the purposes of the Services shall at all times remain the property of MITIGO, and the Client shall allow MITIGO or its Subcontractors access to the Site or to any other Client’s premises to remove any such equipment.
5.0 Usage restrictions
5.1 MITIGO will provide login details for the number of Authorised Users and for the Qualified Personnel. Such login details are unique to each Authorised User or Qualified Personnel and shall not be shared between Authorised Users or Qualified Personnel or with any third party.
5.2 MITIGO shall grant the Client a non-exclusive, non-transferable licence to use and access the Portals in accordance with the terms of the Service Agreement and during the term of the Service Agreement only.
5.3 The Client warrants and undertakes with MITIGO that it shall not, and shall procure that no Authorised User or Qualified Personnel shall:
(i) copy or modify any part or create any derivative works from the Portals;
(ii) reverse compile, disassemble or reverse engineer the Portals;
(iii) use the Portals in order to build a product or service which is the same as or similar to the Portals.
5.4 Without prejudice to clause 5.3, the Client shall not:
(i) use the Portals for a purpose other than as set out in the Service Agreement;
(ii) use the Portals for any illegal or immoral purpose;
(iii) make or distribute copies of the Portals from one computer to another or over a network;
(iv) export or re-export, directly or indirectly the Portals into any country prohibited by the export control laws of the United Kingdom or the United States.
5.5 MITIGO reserves the right to assess the Client’s usage of Helpdesk Support. In the event of high usage which in MITIGO’s reasonable opinion is excessive, MITIGO may need to restrict the amount of Helpdesk Support per month, in order to maintain a consistent level of high-quality services for all clients. Should this occur, MITIGO will contact the Client to prioritise the matters to be given telephone and email support.
6.0 Intellectual Property Rights
6.1 The Portals and all Intellectual Property Rights in the Portals belong to, vest in and are the exclusive property of MITIGO or its third-party providers.
6.2 The Documentation and all Intellectual Property Rights in the Documentation belong to and are vested in MITIGO or its third-party providers. Nothing in the Service Agreement shall be construed as an assignment of rights in favour of the Client. The Client shall use the Documentation during the term of the Service Agreement for its own internal business purposes only.
6.3 Without prejudice to clause 6.2, in the event of termination of the Service Agreement (other than pursuant to clause 13.1), and provided no payments due from the Client to MITIGO are outstanding, the Client may continue to use, for its own internal business purposes only, the content of the following documents: the Assessment Reports, policies, the maintenance regime, and management information.
6.4 The Client shall grant MITIGO non-exclusive rights to use the Client’s Trade Marks during the term of the Service Agreement for the purpose of performing the Service Agreement.
7.0 Fees
7.1 The Parties may at any stage during the Service Agreement agree to increase the Fees due to the introduction of or a change in Additional Services.
7.2 MITIGO reserves the right to increase the Fees to MITIGO’s prevailing rates at any time during the Service Agreement in the event of a Material Change.
7.3 Without prejudice to clause 7.2, MITIGO reserves the right to increase the fees at any time during the Service Agreement where there shall have occurred a change which affects MITIGO’S performance of the Services.
7.4 Without prejudice to clauses 7.2 and 7.3, from the first anniversary of the Start Date, MITIGO can increase the Fees once a year by an amount up to the percentage by which the UK Retail Prices Index (“RPI”) has increased over the previous year, or 5%, whichever is the greater. If the RPI rate is a decrease, the Fees will not be reduced.
8.0 Payment terms
8.1 The Client shall pay the Fees as specified in the applicable Statement of Terms to MITIGO.
8.2 The Client shall also pay additional sums at such rates and upon such terms as may be agreed (or in cases of emergency at MITIGO’s prevailing rates) in respect of any Additional Services.
8.3 In the event that the Client fails to pay any amount due under the Service Agreement, MITIGO reserves the right to charge late payment interest on any such overdue payment at the rate of 4 per cent. over the base rate of Barclays Bank Plc applicable from time to time.
8.4 The Client shall have no right of set-off.
9.0 Data Protection
9.1 The Services include the processing, as Data Processor, of Personal Data which is under the control of the Client. The terms of the Data Processor Addendum shall apply to such processing.
9.2 Prior to and during the provision of the Services, MITIGO may, as Data Controller, collect or receive Personal Data relating to the Client’s Employees, directors, agents, shareholders, suppliers, contractors, associates or others.
The Client is aware of MITIGO’s privacy policy at: https://mitigogroup.com/privacy–policy/.
The Client confirms that it is authorised to provide or permit access to this Personal Data and that the Client has provided any required privacy notices to all the relevant data subjects.
10.0 Warranties
10.1 The Parties warrant that they have the authority and the rights to enter into the Service Agreement.
10.2 MITIGO provides the Services and the Documentation on an “as is” basis only.
10.3 MITIGO does not warrant or guarantee that any part of the Services shall:
- operate without interruption or error-free or that errors can be corrected;
- not infringe any third party’s Intellectual Property Rights;
- be of satisfactory quality;
- be accurate;
- be fit for any particular purpose; or
- be virus free.
10.4 All other warranties either express or implied by law or otherwise are hereby excluded.
11.0 Client Remains Responsible
Without prejudice to clause 10, the Client acknowledges and accepts the following:
(i) the Client is and at all times remains fully responsible for the Client’s IT System and its digital infrastructure generally (including without limitation their confidentiality, integrity, availability and resilience);
(ii) any Assessment or Scanning is based only on sampling, and can only look at the condition of the Client’s IT System at the time it is undertaken. It is not possible to review everything and there will always be parts or areas of the Client’s IT System which are not reviewed. Further, other security related issues will arise from time to time, including after any Assessment or Scanning has taken place;
(iii) any management information provided as part of the Services including any management information dashboards, any visual dashboard reports or display, Assessment Reports, technical reports, get well plans, cyber risk ratings, training and testing updates, Other Maintenance Services and Helpdesk Support, are for guidance only, and are intended to help to improve the Client’s cyber resilience. MITIGO does not guarantee that the Client will be free from attacks, breaches and failures. No organisation is impregnable and all organisations will experience security incidents.
12.0 Intellectual Property Indemnity
12.1 MITIGO shall defend the Client against any claim brought against the Client by a third party that the Client’s use of the Portals and the Documentation infringes any Intellectual Property Rights of such third party (a “Claim”) and MITIGO shall indemnify the Client for any amounts awarded against the Client in judgment or settlement of any such Claim, provided that:
(i) the Client gives prompt notice of any Claim to MITIGO;
(ii) the Client provides reasonable co-operation to MITIGO in the defence and settlement of the Claim, at MITIGO’s expense;
(iii) the Client makes no statement or comments in respect of the Claim; and
(iv) the Client gives sole authority to MITIGO to defend or settle the Claim.
12.2 In the defence or settlement of the Claim, MITIGO may obtain for the Client the right to continue using the infringing element in the Portals or the Documentation, replace or modify the infringing element so that it becomes non-infringing or, if such remedies are not reasonably available, terminate the Service Agreement without liability to the Client.
12.3 MITIGO shall have no liability if the infringement alleged in the Claim is based on:
(i) any information provided by the Client to MITIGO;
(ii) the use by the Client or any Qualified Personnel or any Authorised User of the Portals or the Documentation in breach of these General Terms and Conditions or any instructions given to the Client by MITIGO;
(iii) the use by the Client or any Qualified Personnel or any Authorised User of the Portals or the Documentation after notice of alleged or actual infringement from MITIGO or any appropriate authority;
(iv) any change or addition to the Portals or the Documentation by the Client or any third party; or
(v) combination, operation or use of the Portals or the Documentation with any third-party program, equipment or documents.
12.4 This clause 12 sets out the Client’s sole and exclusive rights and remedies, and MITIGO’s entire obligations and liability, for any claim by a third party that the Client’s use of the Portals or the Documentation infringes any Intellectual Property Rights of such third party.
12.5 The Client shall indemnify and keep indemnified MITIGO against all liabilities, damages, costs, losses, claims, expenses, demands and proceedings arising from or incurred by reason of any infringement or alleged infringement of any Intellectual Property Rights to the extent based on any of the matters in clause 12.3.
13.0 Termination
13.1 Without affecting any other right or remedy available to it, MITIGO may terminate the Service Agreement with immediate effect by giving written notice to the Client if:
(i) the Client fails to pay any amount due under the Service Agreement on the due date for payment and remains in default for not less than seven days (regardless of whether the Client has been notified that such amount is outstanding); or
(ii) the Client commits a Material Breach of any term of the Service Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 14 (fourteen) days after being notified in writing to do so.
13.2 The Client may terminate the Service Agreement with immediate effect by giving written notice to MITIGO if MITIGO commits a Material Breach of any term of the Service Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 (thirty) Working Days of being notified in writing to do so.
13.3 Either Party may terminate the Service Agreement with immediate effect by giving written notice to the other party if the other party is bankrupt or insolvent or becomes unable to pay its debts as they fall due or an event analogous to any of the aforesaid shall occur in any jurisdiction.
14.0 Confidential Information
14.1 Except as provided by clauses 14.3 and 14.4, the Parties shall at all times during the continuance of the Service Agreement and after its termination use their best endeavours to keep all restricted information (as defined below) confidential and accordingly must not:
(i) disclose any restricted information to any other person; or
(ii) use any restricted information for any purpose other than the performance of their obligations under the Service Agreement.
14.2 References to ‘restricted information’ are references to any information disclosed to either party (“Receiving Party”) by the other party (“Disclosing Party”) pursuant to or in connection with the Service Agreement, whether orally, digitally or in writing and whether or not it is expressly stated to be confidential or marked as such.
14.3 Any restricted information may be disclosed by the Receiving Party to:
- any governmental or other authority or regulatory body; or
- any employees of the Receiving Party or of any of the aforementioned persons;
but only to the extent necessary for the purposes contemplated by the Service Agreement or as is required by law, and subject in each case to the Receiving Party using its best endeavours to ensure that the person in question keeps the information confidential and does not use it except for the purposes for which the disclosure is made.
14.4 Any restricted information may be used by the Receiving Party for any purpose, or disclosed by the Receiving Party to any other person, to the extent only that:
(i) it is at the time of use or disclosure, public knowledge through no fault of the Receiving Party; or
(ii) it can be shown by the Receiving Party, to the reasonable satisfaction of the Disclosing Party, to have been known by it before it was disclosed by the Disclosing Party, provided that the Receiving Party must not disclose any restricted information that is not public knowledge.
15.0 Anti-Bribery
The Parties shall comply with all applicable laws, statutes, regulations, and codes relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010 in the UK.
16.0 Right of audit
Subject to MITIGO providing the Client with 14 days’ prior written notice, MITIGO reserves the right to:
(i) enter and inspect the Site(s);
(ii) inspect and audit the Client’s IT Systems; and
(iii) inspect, audit and take copies of the relevant records and other documents to verify the Client’s compliance with the Service Agreement.
17.0 Limitation of Liability
17.1 Nothing in the Service Agreement shall be deemed to limit or exclude either Party’s liability for:
- death or personal injury caused by negligence;
- fraud or fraudulent misrepresentation; and
- any other liability that cannot by law be limited or excluded.
17.2 Subject to clause 17.1, neither Party shall, in any event be liable whether in contract (by way of indemnity or otherwise), tort (including negligence), misrepresentation, restitution or otherwise under or in connection with the Service Agreement for:
(i) any special, indirect, or consequential loss or damage;
(ii) any direct or indirect loss of profit, turnover, business, business opportunity, revenue, contracts, goodwill, reputation, anticipated savings or management time; or
(iii) loss or corruption of data.
17.3 Subject to clause 17.1, MITIGO’s maximum liability to the Client in respect of any claim (or series of connected claims) under or in connection with the Service Agreement whether arising in contract (including by way of indemnity), tort (including negligence), misrepresentation, restitution or otherwise will be limited to a sum equivalent to the total Fees paid by the Client under the Service Agreement during the 12 (twelve) month period immediately before the date on which the cause of action first arose.
18.0 General
18.1 Entire agreement. The Service Agreement expresses the entire agreement between MITIGO and the Client and supersedes any negotiations or prior agreements in respect of its subject matter.
18.2 Variation. Where the Service Agreement renews in accordance with clause 3.0, the version of MITIGO’s General Terms and Conditions in force 3 months before such renewal shall apply to the new Contract Period. It is the Client’s responsibility to check the General Terms and Conditions (available at https://mitigogroup.com/terms-conditions/) 3 months before the renewal. Where there is any conflict with any non Fee related amendments to the General Terms and Conditions which are specified in the Statement of Terms, the latter shall prevail.
18.3 No waiver. No failure to exercise and no delay in exercising on the part of either Party any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any right, power or privilege preclude any other or further exercise thereof or the exercise of any other right, power or privilege. If either Party shall expressly waive any breach, default or omission hereunder, no such waiver shall apply to, or operate as, a waiver of similar breaches, defaults or omissions or be deemed a waiver of any other breach, default or omission hereunder.
18.4 Publicity. The Client gives its consent to MITIGO to use the Client’s Trade Marks in order to make public announcements concerning the existence, subject-matter or terms of the Service Agreement, or the relationship between the Parties.
18.5 Non Solicitation.
(i) The Client shall not, directly or indirectly, at any time during the Service Agreement or within 12 months of its termination, solicit or entice away from MITIGO or employ or attempt to employ any person who is, or has been, employed or engaged by MITIGO in the provision of Services.
(ii) If during the Service Agreement or within 12 months of its termination, the Client breaches clause 18.5 (i), the Client shall pay to MITIGO the greater of:
(a) the relevant individual’s gross annual salary (including all benefits) at the time of their resignation or departure; and
(b) the equivalent of 30% of the relevant individual’s new annual salary or payments (including all benefits);
it being agreed that such sum is reasonable and proportionate to protect MITIGO’s legitimate commercial interests.
18.6 Notice. Any notice given to a Party under the Service Agreement shall be in writing and shall be:
(i) sent by pre-paid first-class post or other next Working Day delivery service to its address as specified on the relevant Statement of Terms or such other address as may have been notified to the other (in accordance with this provision); or
(ii) sent by email to the address specified on the relevant Statement of Terms.
Any notice shall be deemed to have been received:
(i) if sent by pre-paid first-class post or other next Working Day delivery service, at 9.00 am on the second Working Day after posting or at the time recorded by the delivery service; and
(ii) if sent by email, at the time of transmission, or, if this time falls outside Working Hours in the place of receipt, when Working Hours resume.
This clause does not apply to the service of any proceedings or other documents in any legal action.
18.7 Third Party Rights. The Service Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Service Agreement.
18.8 No assignment. The Client shall not assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under the Service Agreement.
18.9 MITIGO may assign, sub-contract or deal in any way with any of its rights and obligations under the Service Agreement.
18.10 Complaints. If during the term of the Service Agreement the Client has a complaint, it should be directed by email to complaints@mitigogroup.com. The complaint will be acknowledged as soon as reasonably practicable. The complaint will be investigated, and a response will normally be provided within 1 week of receipt. Where that is not possible, the Client will be informed of the progress of the investigation. The outcome of the investigation and a decision will be provided to the Client by email.
18.11 Governing Law and Jurisdiction. The Service Agreement shall be governed by the laws of England and Wales. The Parties hereby irrevocably submit to the exclusive jurisdiction of the courts of England and Wales in respect of any claim or matter arising out of or in connection with the Service Agreement (including any application by either Party for an injunction or any other emergency relief).
DATA PROCESSOR ADDENDUM
1. DEFINITIONS
1.1 Terms such as “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processor Addendum;
1.3 “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in Annex 2 (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Controller in accordance with section 1;
1.4 “Controller” means the Client;
1.5 “Data Protection Laws” means in relation to any Personal Data which is Processed in the performance of the Service Agreement i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018 (“UK GDPR”); ii) the Data Protection Act 2018, and iii) any other applicable data protection or privacy laws;
1.6 “EEA” means the European Economic Area;
1.7 “Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Service Agreement;
1.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Processor or any Sub-processor;
1.9 “Processor” means MITIGO;
1.10 “Service Agreement” means the agreement into which this Addendum is incorporated;
1.11 “Services” means the services described in the Service Agreement;
1.12 “Standard Contractual Clauses” means standard contractual clauses for the transfer of personal data to third countries or an international organisation, issued by the UK Information Commissioner’s Office and approved under section 119A of the Data Protection Act 2018, including the international data transfer addendum to EU standard contractual clauses set out in the annex of the Commission Implementing Decision (EU) 2021/914;
1.13 “Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process personal data on behalf of the Controller;
1.14 “Supervisory Authority” means (a) the Information Commissioner’s Office; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws.
2. PROCESSING OF THE PERSONAL DATA
2.1 The parties acknowledge that, for the purposes of the Data Protection Laws, Client is the Controller and MITIGO is the Processor.
2.2 Each party confirms that in the performance of the Service Agreement it will comply with Data Protection Laws.
2.3 The Processor shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the Service Agreement and as set out in Annex 1 (Details of Processing of Personal Data) to this Addendum and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Controller’s documented instructions (whether in the Service Agreement or otherwise) unless processing is required by applicable law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.
2.4 The Processor shall immediately inform the Controller if, in its opinion, an instruction pursuant to the Service Agreement or this Addendum infringes the GDPR or other Data Protection Laws.
3. CONTROLLER WARRANTY
3.1 Controller warrants that it has all necessary rights to provide the Personal Data to Processor for the Processing to be performed in relation to the Services.
3.2 To the extent required by Data Protection Laws, Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Controller is responsible for communicating the fact of such revocation to the Processor, and Processor remains responsible for implementing any Controller instruction with respect to the further processing of that Personal Data.
4. CONFIDENTIALITY
4.1 The Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorised Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
4.2 The Processor shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorised Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in section 3 above in the context of that person’s or party’s duties to the Processor.
4.3 The Processor shall ensure that all such persons or parties involved in the processing of Personal Data:
4.3.1 are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
4.3.2 have undergone adequate training in the use, care, protection and handling of Personal Data.
5. SECURITY
5.1 The Processor shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, and shall take all measures required pursuant to Article 32 GDPR.
5.2 The parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Processor will therefore evaluate the technical and organisational measures it has implemented on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with Data Protection Laws.
6. SUB-PROCESSING
6.1 So far as permitted by law and subject to section 3, the Controller grants to the Processor general authorisation to engage any Sub-processor to process Personal Data.
6.2 As at the date of the Service Agreement the Controller hereby authorises the Processor to engage the Sub-processors set out in Annex 2 (Authorised Sub-processors).
6.3 The Processor shall inform the Controller of any intended changes concerning the addition or replacement of any Sub-processors, thereby giving the Controller the opportunity to object to such changes.
6.4 With respect to each Sub-processor, the Processor shall:
6.4.1 carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
6.4.2 include terms in the contract between the Processor and each Sub-processor which are equivalent to those set out in this Addendum, and shall supervise compliance thereof;
6.4.3 insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Controller into the contract between the Processor and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Controller may approve as providing an adequate protection in respect of the processing of Personal Data in such third country(ies); and
6.4.4 remain fully liable to the Controller for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
7. DATA SUBJECT RIGHTS
7.1 The Processor shall without undue delay notify the Controller if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in chapter III of GDPR, and shall provide full details of that request.
7.2 The Processor shall cooperate as reasonably requested by the Controller to enable the Controller to comply with any exercise of rights by a data subject under any Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under any Data Protection Laws in respect of Personal Data or the Service Agreement, which shall include:
7.2.1 the provision of all information reasonably requested by the Controller within any reasonable timescale specified by the Controller in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
7.2.2 where applicable, providing such assistance as is reasonably requested by the Controller to enable the Controller to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
7.2.3 implementing any additional technical and organisational measures as may be reasonably required by the Controller to allow the Controller to respond effectively to relevant complaints, communications or requests.
8. INCIDENT MANAGEMENT
8.1 In the case of a Personal Data Breach, the Processor shall, without undue delay, notify the Personal Data Breach to the Controller providing the Controller with sufficient information which allows the Controller to meet any obligations to report a Personal Data Breach under Data Protection Laws. Such notification shall as a minimum:
8.1.1 describe the nature of the Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
8.1.2 communicate the name and contact details of the Processor’s data protection officer or other relevant contact from whom more information may be obtained;
8.1.3 describe the likely consequences of the Personal Data Breach; and
8.1.4 describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8.2 The Processor shall fully co-operate with the Controller and take such reasonable steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each Personal Data Breach, in order to enable the Controller to meet any requirement under Data Protection Laws.
8.3 The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. The Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by law to which the Processor is subject, in which case the Processor shall to the extent permitted by such law inform the Controller of that legal requirement.
9. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
9.1 The Processor shall, at the Controller’s request, provide reasonable assistance to the Controller with any data protection impact assessments which are required under Article 35 GDPR and with any prior consultations to any Supervisory Authority of the Controller or any of its affiliates which are required under Article 36 UK GDPR, in each case in relation to processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and information available to the Processor.
10. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
The Processor shall following the termination of the Service Agreement, at the choice of the Controller, delete or return all Personal Data to the Controller and delete any existing copies unless the Processor is under a legal obligation to store any of the Personal Data.
11. AUDIT RIGHTS
11.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with Data Protection Laws and allow for and contribute to audits, including inspections by the Controller or another auditor mandated by the Controller.
11.2 Any such audits or inspections shall take place during normal working hours and on reasonable prior notice.
12. INTERNATIONAL TRANSFERS
12.1 The Processor shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the UK without an adequate level of protection, other than in respect of those recipients in such countries listed in Annex 3 (Authorised Transfers of Personal Data), unless authorised in writing by the Controller in advance.
12.2 When requested by the Controller, the Processor shall promptly enter into (or procure that any relevant Sub-processor of the Processor enters into) an agreement with the Controller on Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the UK without an adequate level of protection.
13. LIABILITY
13.1 The disclaimers and limitations of liability set out under the Service Agreement shall apply also to this Addendum.
14. COSTS
14.1 The Controller shall pay any reasonable costs and expenses incurred by the Processor in meeting the Controller’s requests made under sections 2, 9 or 11.
15. MISCELLANEOUS
15.1 Any obligation imposed on the Processor under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of the Service Agreement.
15.2 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Service Agreement and any provision of this Addendum, the provision of this Addendum shall prevail. In the event of any conflict or inconsistency between the Service Agreement or this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data
The Processor shall process Personal Data for the duration of the Service Agreement.
The nature and purpose of the processing of Personal Data
The processing of Personal Data shall be undertaken as necessary to perform the Services.
The types of Personal Data to be processed
Contact details (e.g. full name, job title, email address, phone numbers, postal address). Grades and test results, performance and evaluation reports. Job and task responsibilities. Contract data. Personal Data contained in management information and reports.
The categories of data subject to whom the Personal Data relates
Employees, directors, shareholders, agents, suppliers, contractors and associates of the Controller.
ANNEX 2: AUTHORISED SUB-PROCESSORS
PANCENTRIC LIMITED – UK; EPIGNOSIS – US and UK.
ANNEX 3: AUTHORISED TRANSFERS OF CONTROLLER PERSONAL DATA
Pancentric Limited of 197 Long Lane, London, SE1 4DP. Data Storage.
Epignosis LLC, a US company of 315 Montgomery Street, San Francisco, California, CA 94194 USA. Data Storage.