CARBON GLANCE SOFTWARE TERMS OF SERVICE
Table of Contents
1. INTERPRETATION
1.1 CARBON GLANCE LTD incorporated and registered in Scotland with company number SC763269 whose registered office is at 5 South Charlotte Street, Edinburgh, Scotland, EH2 4AN (hereinafter ‘the Supplier’) will provide the Services on the terms and conditions set out in these Conditions to the exclusion of any other terms and conditions. These Conditions supersede and prevail over any other terms and conditions.
1.2 The definitions and rules of interpretation in this paragraph apply in these Conditions.
“Additional Services” means the Additional Services (if any) agreed between the Supplier and the Customer.
“Additional Services Fees” means the Additional Service Fees (if any) payable by the Customer to the Supplier for the Additional Services, as agreed.
“Appendix” means the appendix to these Conditions.
“Authorised Users” means those employees, directors, consultants, agents, independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation, subject to a maximum of 5 Authorised Users, unless otherwise agreed in writing between the Supplier and the Customer.
“Business Day” means a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
“Charges” means together, the Subscription Fees and (if applicable) the Additional Services Fees.
“Conditions” means these terms and conditions and the Appendix.
“Confidential Information” means information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in paragraphs 10.5 or 10.6.
“Customer” means the legal or natural person that is authorised by the Supplier to use the Services and to include Authorised Users.
“Customer Data” means the data inputted by the Customer, Authorised Users, or the Supplier on the Customer’s behalf, for the purpose of using the Services or facilitating the Customer’s use of the Services.
“Data Protection Legislation” has the meaning given to it in the Appendix.
“Documentation” means the documents made available to the Customer by the Supplier, which set out a description of the Services, key contacts of the Supplier and the user instructions for the Services.
“Effective Date” means the date when the amount due in the Order Form is fully paid.
“Order Form” means the invoice generated by the application programming interface (API) of Stripe, Inc. for the Customer in relation to the Services.
“Permitted Use” means the training and improvement of the Supplier’s technology and future technology, and the creation of a database of emissions data of non-EU suppliers. This database will contain no data about the Customer or the quantities of imported goods.
“Services” means the set up, subscription and support services provided by the Supplier to the Customer pursuant to these Conditions via the Carbon Pricing Platform.
“Software” means the online software applications used or provided by the Supplier as part of the Services.
“Subscription Fees” means the Subscription Fees payable by the Customer to the Supplier for the Software.
“Subscription Term” means the annual subscription term that commences on the Effective Date and continues for 365 consecutive days, in accordance with these Conditions.
“Supplier” means Carbon Glance Ltd, as more particularly described in paragraph 1.1.
“Support” means the support provided in relation to the Software, as set out in paragraphs 4.3 to 4.4.
“User Subscriptions” means the user subscriptions purchased by the Customer pursuant to paragraph 8.1 which entitle Authorised Users to access and use the Services and the Documentation in accordance with these Conditions.
“Virus” means any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
1.3 Paragraph headings shall not affect the interpretation of these Conditions.
1.4 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality).
1.5 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.6 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular, and a reference to one gender shall include a reference to the other genders.
1.7 A reference to a statute or statutory provision is a reference to it as it is in force as at the Effective Date.
1.8 A reference to a statute or statutory provision shall include all subordinate legislation made as at the Effective Date under that statute or statutory provision.
1.9 A reference to writing or written includes e-mail.
1.10 References to paragraphs are to the paragraphs of these Conditions.
2. USER SUBSCRIPTIONSÂ
2.1 Subject to the Customer purchasing the User Subscriptions in accordance with paragraphs 3.3 and 8.1, the restrictions set out in this paragraph 2 and the other terms and conditions of these Conditions, the Supplier grants to the Customer a non-exclusive, non-transferable right, without the right to grant sublicences, to permit the Authorised Users to use the Services and the Documentation during the Subscription Term solely for the Customer’s internal business operations.
2.2 In relation to the Authorised Users, the Customer undertakes that:
(a) it will not allow or suffer any User Subscription to be used by more than one individual Authorised User unless it has been reassigned in its entirety to another individual Authorised User, in which case the prior Authorised User shall no longer have any right to access or use the Services and/or Documentation;
(b) each Authorised User shall keep a secure password for its use of the Services; and
(c) if any audits reveal that the Customer has underpaid Charges to the Supplier, then without prejudice to the Supplier’s other rights, the Customer shall pay to the Supplier an amount equal to such underpayment as calculated in accordance with the prices set out in the Order Form, together with the costs of the audit, within 10 Business Days of the date of the relevant audit.
2.3 The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence; is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or is otherwise illegal or causes damage or injury to any person or property, and the Supplier reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to any material that breaches the provisions of this paragraph.
2.4 The Customer shall not:
(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the Supplier and the Customer and except to the extent expressly permitted under these Conditions:
(i) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means; or
(ii) attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software;
(b) use the Services and/or Documentation except through the Authorised Users;
(c) access all or any part of the Services and Documentation in order to build a product or service which competes with the Services;
(d) use the Services and/or Documentation to provide services to third parties (regardless of whether payment is received);
(e) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available, to any third party; or
(f) introduce, or permit the introduction of, any Virus into the Supplier’s network and information systems.
2.5 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, will promptly notify the Supplier.
2.6 The rights provided under this paragraph 2 are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer.
3. ADDITIONAL AUTHORISED USERS
3.1 Subject to paragraphs 3.2 and 3.3, the Customer may, from time to time during the Subscription Term, purchase User Subscriptions for additional Authorised Users and the Supplier shall grant access to the Services and the Documentation in relation to such additional Authorised Users in accordance with the provisions of these Conditions.
3.2 If the Customer wishes to purchase the Services for additional Authorised Users, the Customer shall notify the Supplier in writing. The Supplier shall evaluate such request for additional Authorised Users and respond to the Customer with approval or rejection of the request. Where the Supplier approves the request, the Supplier shall activate the User Subscriptions for additional Authorised Users within 10 Business Days of its approval of the Customer’s request.
3.3 If the Supplier approves the Customer’s request to purchase User Subscriptions for additional Authorised Users, the Supplier shall increase the Charges by the relevant fees for User Subscriptions for such additional Authorised Users as agreed in writing between the Supplier and the Customer and, if User Subscriptions for such additional Authorised Users are purchased by the Customer part way through a calendar month during the Subscription Term, such fees shall be pro-rated from the date of activation by the Supplier for the remainder of the Subscription Term.
4. SERVICES
4.1 The Supplier shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms of these Conditions.
4.2 The Supplier shall use commercially reasonable endeavours to make the Software available 24 hours a day, seven days a week, except for:
(a) planned maintenance which has been notified to the Supplier in advance; and
(b) unscheduled maintenance, although the Supplier shall use reasonable endeavours to give the Customer notice in advance.
4.3 The Support shall be provided by the Supplier by email, telephone and other electronic methods of communication such as Microsoft Teams provided that Support provided by telephone or Microsoft Teams will only be available:
(a) on Business Days between 09:00 and 17:00 (UK time); and
(b) on non-Business Days between 10:00 and 16:00 (UK time).
4.4 The Supplier shall make reasonable efforts to resolve Support requests promptly but does not guarantee resolution of all support requests within a specified time limit and shall not be held liable for any delays in resolving such requests.
5. CUSTOMER DATA
5.1 The Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data.
5.2 Subject to paragraph 5.3, and save as required in order to provide the Services, the Supplier shall not sell, license, provide access to or otherwise transfer the Customer Data to any third party including but not limited to competitors of the Customer.
5.3 The Customer grants to the Supplier a non-exclusive, irrevocable, indefinite, non-transferrable licence to use the Customer Data for the Permitted Use.
5.4 In the event of any loss or damage to Customer Data, the Customer’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its back-up policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.
5.5 The Supplier shall, in providing the Services, comply with its privacy policy relating to the privacy and security of the Customer Data, as such document may be amended from time to time by the Supplier.
5.6 Both the Supplier and the Customer will comply with all applicable requirements of the Data Protection Legislation and the terms of the Appendix. This paragraph 5 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.
6. SUPPLIER’S OBLIGATIONS
6.1 The Supplier undertakes that the Services will be performed with reasonable skill and care.
6.2 The undertaking at paragraph 6.1 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to the Supplier’s instructions, or as a result of any modification or alteration of the Services by any party other than the Supplier or the Supplier’s duly authorised contractors or agents. If the Services do not conform with the foregoing undertaking, the Supplier will use all reasonable commercial endeavours to correct any such non-conformance, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer’s sole and exclusive remedy for any breach of the undertaking set out in paragraph 6.1.
6.3 The Supplier:
(a) does not warrant that the Customer’s use of the Services will be uninterrupted or error-free; and
(b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
These Conditions shall not prevent the Supplier from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under these Conditions.
7. CUSTOMER’S OBLIGATIONS
The Customer shall:
7.1 provide the Supplier with all necessary co-operation in relation to these Conditions and all necessary access to such information as may be required by the Supplier, in order to provide the Services, including but not limited to Customer Data, security access information and configuration services;
7.2 without affecting its other obligations under these Conditions, comply with all applicable laws and regulations with respect to its activities under these Conditions;
7.3 ensure that the Authorised Users use the Services and the Documentation in accordance with these Conditions and shall be responsible for any Authorised User’s breach of these Conditions;
7.4 ensure that its network and systems comply with the relevant specifications provided by the Supplier from time to time; and
7.5 to the extent permitted by law and except as otherwise expressly provided in these Conditions, be solely responsible for procuring, maintaining and securing its network connections and telecommunications links from its systems to the Supplier’s data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet.
8. CHARGES AND PAYMENT
8.1 The Customer shall pay the Charges to the Supplier in accordance with this paragraph 8 and the Order Form.
8.2 The Customer shall complete payment in accordance with the Order Form. For any other Charges that may arise under these Conditions, such as pursuant to paragraphs 2.2 and 3.3 above, the Customer shall provide to the Supplier approved purchase order information acceptable to the Supplier and any other relevant valid, up-to-date and complete contact and billing details. The Supplier shall then invoice the Customer and the Customer shall pay each invoice by the due date outlined therein.
8.3 If the Supplier has not received payment within 30 days after the due date, and without prejudice to any other rights and remedies of the Supplier:
(a) the Supplier may, without liability to the Customer, disable the Customer’s password, account and access to all or part of the Services and the Supplier shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and
(b) interest shall accrue on a daily basis on such due amounts at an annual rate equal to 5% over the then current base lending rate of Barclays Bank from time to time, commencing on the due date for payment and continuing until fully paid, whether before or after judgment.
8.4 All amounts and fees stated or referred to in these Conditions:
(a) shall be payable in pounds sterling or Euros, as agreed between the Supplier and the Customer;
(b) are non-cancellable and non-refundable;
(c) are exclusive of value added tax, which shall be added to the Supplier’s invoice(s) at the appropriate rate.
8.5 The Supplier shall be entitled to increase the Charges and the fees payable in respect of the User Subscriptions for additional Authorised Users purchased pursuant to paragraph 3.3, provided that the Supplier receives agreement to such increase from the Customer. The Supplier shall invoice the Customer for these additional Charges and fees.
9. PROPRIETARY RIGHTS
9.1 The Customer acknowledges and agrees that the Supplier and/or its licensors own all intellectual property rights in the Services and the Documentation, other than the intellectual property rights in the reports produced by the Carbon Pricing Platform, which shall be owed by the Customer. Except as expressly stated herein, these Conditions do not grant the Customer any rights to, under or in, any patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Services or the Documentation.
9.2 The Supplier confirms that it has all the rights in relation to the Services and the Documentation that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of these Conditions.
10. CONFIDENTIALITY
10.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under these Conditions. A party’s Confidential Information shall not be deemed to include information that:
(a) is or becomes publicly known other than through any act or omission of the receiving party;
(b) was in the other party’s lawful possession before the disclosure;
(c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or
(d) is independently developed by the receiving party, which independent development can be shown by written evidence.
10.2 Subject to paragraph 10.4 and without prejudice to any written non-disclosure or confidentiality agreement between the Supplier and the Customer, each party shall hold the other’s Confidential Information in confidence and not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of these Conditions.
10.3 Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of these Conditions.
10.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this paragraph 10.4, it takes into account the reasonable requests of the other party in relation to the content of such disclosure.
10.5 The Customer acknowledges that details of the Services, and the results of any performance tests of the Services, constitute the Supplier’s Confidential Information.
10.6 Notwithstanding the provisions in relation to Permitted Use, the Supplier acknowledges that the Customer Data is the Confidential Information of the Customer.
10.7 No party shall make, or permit any person to make, any public announcement concerning these Conditions without the prior written consent of the other parties (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
10.8 The above provisions of this paragraph 10 shall survive termination of these Conditions, however arising.
11. INDEMNITY
The Customer shall defend, indemnify and hold harmless the Supplier against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with any use of the Services and/or Documentation by the Customer which is not permitted by these Conditions.
12. LIMITATION OF LIABILITY
12.1 Except as expressly and specifically provided in these Conditions:
(a) the Customer assumes sole responsibility for outputs obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use. The Supplier shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to the Supplier by the Customer in connection with the Services, or any actions taken by the Supplier at the Customer’s direction;
(b) the Software does not and should not replace the Customer’s professional consulting and legal professionals;
(c) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from these Conditions; and
(d) the Services and the Documentation are provided to the Customer on an “as is” basis.
Nothing in these Conditions excludes the liability of the Supplier for any matters which cannot be excluded by law.
12.2 Subject to paragraph 12.1, the Supplier shall not be liable whether in delict or tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any and all losses, liabilities, damages, compensation, awards, costs (including reasonable legal and professional costs and expenses), charges, fines, penalties, expenses, actions, proceedings and claims in each case of any nature whatsoever including (but not limited to) any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption or leak of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under these Conditions or the provision of the Services.
13. TERM AND TERMINATION
13.1 These Conditions shall, unless otherwise terminated as provided in this paragraph 13, commence on the Effective Date and shall continue throughout the Subscription Term.
13.2 Without prejudice to paragraph 13.3 below, the Subscription Term is fixed, without a possibility of earlier termination. The Subscription Term will not be renewed automatically upon its expiration, unless agreed so in writing by the Supplier and the Customer.
13.3 Without affecting any other right or remedy available to it, either party may terminate these Conditions with immediate effect by giving written notice to the other party if the other party becomes insolvent, has an administrator or receiver appointed, is unable to pay its debts when they fall due, enters into an arrangement with its creditors or is subject of any action intended to wind up its business, other than as part of a solvent reconstruction where the resulting entity accepts all the obligations of this agreement (residual and future) of the previous entity.
13.4 On termination of these Conditions for any reason:
(a) all licences granted under these Conditions shall immediately terminate and the Customer shall immediately cease all use of the Services and/or the Documentation;
(b) each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party;
(c) the Supplier may destroy or otherwise dispose of any of the Customer Data in its possession unless the Supplier receives, no later than ten days after the effective date of the termination of these Conditions, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. The Supplier shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by the Supplier in returning or disposing of Customer Data; and
(d) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination (or which are expressly stated in these Conditions to apply following termination), including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination, shall not be affected or prejudiced.
14. FORCE MAJEURE
The Supplier shall have no liability to the Customer under these Conditions if it is prevented from or delayed in performing its obligations under these Conditions, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of the Supplier or any other party), failure of a utility service or transport or telecommunications network or service or a cyber attack or hacking, act of God, pandemics and epidemics (including any local or national restrictions imposed by Government as a result of such matters), war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors.
15. GENERAL
15.1 No failure or delay by a party to exercise any right or remedy provided under these Conditions or by law shall constitute a waiver of that or any other right or remedy.
15.2 These Conditions constitutes the entire agreement between the Supplier and the Customer.
15.3 The Customer may not assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under these Conditions without the Supplier’s prior written consent.
15.4 No variation of these Conditions shall be effective unless it is in writing and signed by the Supplier and the Customer.
15.5 Nothing in these Conditions is intended to or shall operate to create a partnership between the Supplier and the Customer, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
15.6 If any provision or part-provision of these Conditions is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these Conditions.
15.7 These Conditions does not confer any rights on any person or party (other than the Supplier and the Customer and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999 or otherwise.
16. NOTICES
16.1 Any notice required to be given under these Conditions shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address, or such other address as may have been notified by that party for such purposes, or sent by email to the other party’s email address as notified to the other party. The parties agree that the preference for notices is by email.
16.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first Business Day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by email shall be deemed to have been received at the time the email is sent provided that delivery or service shall not occur if the sender receives an automated message indicating that the email has not been delivered to the recipient.
17. GOVERNING LAW AND JURISDICTION
17.1 These Conditions and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
17.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Conditions or its subject matter or formation (including non-contractual disputes or claims).
APPENDIX
1. DEFINITIONS AND INTERPRETATION
The following definitions and rules of interpretation apply in this Appendix.
1.1 Definitions:
“Business Purposes” means the services to be provided by the Supplier to the Customer as described in these Conditions and any other purpose specifically identified in the Annex;
“Commissioner” means the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018);
“Controller” “Processor“, “Data Subject“, “Personal Data“, “Personal Data Breach” and “Processing” have the meanings given to them in the Data Protection Legislation;
“Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR, the Data Protection Act 2018 (and regulations made thereunder) (“DPA 2018“); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended, and to the extent applicable, EU GDPR;
“EU GDPR” means the General Data Protection Regulation ((EU) 2016/679);
“Records” has the meaning given to it in paragraph 11 of this Appendix; and
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 References in this Appendix to paragraphs are to the paragraphs of this Appendix.
1.3 In the case of conflict or ambiguity between any provision contained this Appendix and any provision contained in the Conditions, the provision in this Appendix will prevail.
2. PERSONAL DATA TYPES AND PROCESSING PURPOSES
2.1 The Customer and the Supplier agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Customer is the Controller and the Supplier is the Processor.
(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Supplier.
(c) The Annex describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Supplier may process the Personal Data to fulfil the Business Purposes.
3. SUPPLIER’S OBLIGATIONS
3.1 The Supplier will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes. The Supplier will not process the Personal Data for any other purpose or in a way that does not comply with this Appendix or the Data Protection Legislation.
3.2 The Supplier will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this Appendix specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner).
3.3 The Supplier will reasonably assist the Customer, at the cost of the Customer, with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Supplier’s processing and the information available to the Supplier, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.
4. SUPPLIER’S EMPLOYEES
4.1 The Supplier will ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
(c) are aware both of the Supplier’s duties and their personal duties and obligations under the Data Protection Legislation and these Conditions.
5. SECURITY
5.1 The Supplier must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
5.2 The Supplier must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.
6. PERSONAL DATA BREACH
6.1 The Supplier will within forty-eight (48) hours and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
6.2 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter.
7. CROSS-BORDER TRANSFERS OF PERSONAL DATA
The Supplier (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or the EEA without obtaining the Customer’s prior written consent.
8. SUBCONTRACTORS
8.1 The Supplier may only authorise a third-party (subcontractor) to process the Personal Data if:
(a) the Customer is provided with an opportunity to object to the appointment of each subcontractor within five (5) Business Days after the Supplier supplies the Customer with full details in writing regarding such subcontractor;
(b) the Supplier enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Appendix, in particular, in relation to requiring appropriate technical and organisational data security measures; and
(c) the Supplier maintains control over all of the Personal Data it entrusts to the subcontractor.
8.2 Where the subcontractor fails to fulfil its obligations under the written agreement with the Supplier which contains terms substantially the same as those set out in this Appendix, the Supplier remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.
9. COMPLAINTS, DATA SUBJECT REQUESTS AND THIRD-PARTY RIGHTS
9.1 The Supplier must take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as may be reasonably require, to enable the Customer to comply with:
(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
(b) information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.
9.2 The Supplier must notify the Customer without undue delay if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
9.3 The Supplier must notify the Customer within three (3) days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
9.4 The Supplier will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
9.5 The Supplier must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer’s written instructions, or as required by domestic law.
10. DATA RETURN AND DESTRUCTION
10.1 At the Customer’s request, the Supplier will give the Customer a copy of or access to all or part of the Personal Data in its possession or control.
10.2 On termination of these Conditions for any reason or expiry of its Subscription Term, the Supplier will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to these Conditions in its possession or control.
10.3 If any law, regulation, or government or regulatory body requires the Supplier to retain any documents, materials or Personal Data that the Supplier would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
10.4 The Supplier will certify in writing to the Customer that it has deleted or destroyed the Personal Data within ten (10) days after it completes the deletion or destruction.
11. RECORDS
11.1 The Supplier will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in paragraph 5.1 (the “Records“).
11.2 The Supplier will ensure that the Records are sufficient to enable the Customer to verify the Supplier’s compliance with its obligations under this Appendix and the Data Protection Legislation and the Supplier will provide the Customer with copies of the Records upon request.
11.3 The Customer and the Supplier must review the information listed in the Annex to these Conditions at least once a year to confirm its current accuracy and update it when required to reflect current practices.
12. AUDIT
The Supplier will permit the Customer to audit the Supplier’s compliance with its Appendix obligations, on at least thirty (30) days’ notice, during the Subscription Term. The Supplier will give the Customer all reasonable assistance to conduct such audits at the cost of the Customer.
ANNEX
Personal Data processing purposes and details
Subject matter of processing: Pursuant to the terms of these Conditions.
Duration of Processing: Until the termination of these Conditions, unless the Data Protection Legislation otherwise requires.
Nature and purpose of Processing: Collecting, organising, structuring, storing, modifying, consulting, using, combining, erasing, and destroying data in order for the Supplier to perform the obligations under these Conditions and provide the Services to the Customer.
Personal Data Categories: Names, professional roles, professional addresses, professional phone numbers, and any user-uploaded images of employees, directors, consultants, agents, independent contractors, and/or suppliers of the Customer.
Data Subject Types: Employees, directors, consultants, agents, independent contractors, and/or suppliers of the Customer.