TERMS OF SERVICE
This Terms of Service Agreement (“Agreement”) sets out the terms on which Cymplify Limited (company number 12366483) (“Supplier”) supplies Services (as defined below) to the Customer. The Supplier has developed certain software applications and platforms which it makes available to subscribers via the internet on a pay-per-use basis for the purpose of Cyber Risk Monitoring, Dark Web Breach Monitoring, Cyber Awareness Training, Simulated Phishing, Policy Management, Compliance Training and associated notifications. “Customer” shall refer to the business, firm, company, organisation or other entity who purchases user subscriptions for any of the Services. The Customer and the Supplier may be referred to in this Agreement individually as a “party” or jointly as the “parties”.
This Agreement governs all Services provided by the Supplier, and supersedes any other terms and conditions previously used by the Supplier in connection with the provision of Services to the Customer.
The Supplier may update or make changes to this Agreement from time to time by giving notice to the Customer and such changes shall take effect from the date notified by the Supplier.
1 Interpretation
1.1 The definitions and rules of interpretation in this clause apply in this Agreement.
Authorised Users: those employees, agents and independent contractors of the Customer who are authorised by the Customer to access and use the Services and the Documentation, and for whom the Customer has purchased the relevant Subscription.
Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
Confidential Information: information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information by either the Customer or Supplier or would otherwise be considered to be confidential by a reasonable business person.
Control: the beneficial ownership of more than 50% of the issued share capital of a company or the legal power to direct or cause the direction of the general management of the company.
Customer Data: all data, information, content and material which is provided by the Customer to the Supplier or inputted into or uploaded to the Software Platform by the Customer, the Authorised Users and/or the Supplier (acting on the Customer's behalf) for the purpose of accessing and using the Services or facilitating the Customer's access and use of the Services (as applicable).
Documentation: the user documentation (including operating guides) relating to the Software Platform and the Services which is made available by the Supplier from time to time.
Effective Date: the date of commencement of the Services, as set out on the Software Platform.
Initial Subscription Term: the period set out in the Quotation or on the Software Platform, which shall commence on the Effective Date.
Intellectual Property Rights: patents, rights to inventions, copyright and related rights, trade marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
Normal Business Hours: 9.00 am to 5.00 pm on any Business Day.
Quotation: a quotation provided by the Supplier to the Customer, setting out details of the number of User Subscriptions, the Subscription Fees and the Initial Subscription Term.
Renewal Period: means, unless otherwise notified in writing by the Supplier, a period equivalent in duration to the Initial Subscription Term.
Services: the services provided by the Supplier to the Customer on a subscription basis for which the Customer has a subscription, including access to and use of the Software Platform and the Documentation.
Software Platform: the Cymplify Active Cyber Risk Management SaaS platform (including the modules available on such platform).
Software Updates: any update or patch to the Software Platform (or any part of it) which has been produced primarily to overcome any defect or error in the Software Platform.
Subscription Fees: the subscription fees payable by the Customer to the Supplier for the User Subscriptions, as set out in the Quotation.
Subscription Term: the Initial Subscription Term, together with any subsequent Renewal Periods.
Support Services: the support services provided by the Supplier in accordance with the procedure set out in Schedule 1.
User Subscriptions: the user subscriptions purchased by the Customer, as set out in the Quotation and such additional user subscriptions purchased by the Customer from time to time, which entitle Authorised Users to access and use the Services and the Documentation in accordance with this Agreement.
Virus: any thing or device (including any software, code, file or programme) which may prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
Website: the Supplier’s website at www.cymplify.co.uk
1.2 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.
1.3 A reference to a person includes an individual, trust, partnership, government entity, company, corporation or unincorporated body (whether or not having separate legal personality). A reference to a party includes that party’s personal representatives, successors and permitted assigns.
1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.6 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.7 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
1.8 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
1.9 A reference to writing or written includes email.
1.10 References to clauses and Schedules are to the clauses and schedules of this Agreement; references to paragraphs are to paragraphs of the relevant Schedule to this Agreement.
1.11 Any words following the terms other, including, include, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2 User Subscriptions
2.1 The Quotation sets out details of the User Subscriptions purchased by the Customer. Each Quotation shall be governed by the terms of this Agreement. In accepting the Quotation (whether by confirming such acceptance in writing to the Supplier, submitting a purchase order to the Supplier, receiving and paying the Supplier’s invoice or using the Services, whichever is earlier), the Customer confirms its acceptance of the terms of this Agreement, to the exclusion of any terms and conditions which the Customer purports to apply under any purchase order or similar document or which are implied by trade, custom, practice or course of dealing. Any such terms and conditions shall not apply to the Quotation and shall not form part of this Agreement.
2.2 Subject to the Customer paying the Subscription Fees and complying with the terms and conditions of this Agreement, the Supplier hereby grants to the Customer a non-exclusive, non-transferable, non-sublicensable right, during the Subscription Term, to permit the Authorised Users to access and use the Services solely for Customer's internal business operations.
2.2 The Customer undertakes that the maximum number of Authorised Users that it authorises to access and use the Services shall not exceed the number of User Subscriptions purchased by the Customer from time to time.
3 Additional Subscriptions
3.1 The Customer may purchase from the Supplier additional Licence Subscriptions during the Subscription Term by contacting the Supplier. The fees for such Subscriptions shall be set out in a Quotation.
4 Services
4.1 The Supplier shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms and conditions set out in this Agreement.
4.2 The Supplier shall use commercially reasonable endeavours to make the Services available 24 hours a day, except for planned or emergency maintenance which the Supplier shall use reasonable endeavours to notify the Customer of in advance.
4.3 The Supplier will, as part of the Services, use reasonable endeavours to provide the Support Services during Normal Business Hours.
4.4 The Supplier will use reasonable endeavours to respond to service-related incidents and/or requests submitted by the Customer in line with the support documentation listed on the website in the “support” section.
4.5 The Supplier shall:
(a) provide the Services and the Support Services using reasonable care and skill; and
(b) provide the Services in accordance with all applicable laws.
4.6 The Supplier shall be entitled to make any changes, modifications or additions to the Services, and may implement any Software Updates, from time to time in its sole discretion.
4.7 This Agreement shall not prevent the Supplier from entering into similar agreements with third parties, or from independently developing, using, selling or licensing any documentation, products and/or services which are similar to those provided under this Agreement.
4.8 The Supplier warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this agreement.
5 Customer Data
5.1 The Customer shall own all right, title and interest in and to the Customer Data and shall be fully responsible for the legality, reliability, integrity, accuracy and quality of the Customer Data.
5.2 The Supplier shall back-up the Customer Data at regular intervals. The Customer may download a copy of the Customer Data stored on the Software Platform at any time during the Subscription Term. Following termination or expiry of this Agreement, the Supplier may delete all Customer Data without liability to the Customer.
5.3 If the Supplier processes any Personal Data (as defined in Schedule 2) on behalf of the Customer when performing the Services or otherwise in connection with this Agreement, the parties shall comply with the provisions of Schedule 2.
5.4 The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.
6 Customer's obligations
6.1 The Customer shall, and shall procure that all Authorised Users shall:
(a) provide the Supplier with: (i) all necessary co-operation and access to such information as may be required by the Supplier in order to provide the Services (including Customer Data, security access information and systems and technical information) and shall ensure that such information is accurate and complete;
(b) comply with all applicable laws and regulations with respect to its activities under this Agreement;
(c) carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer's provision of such assistance as agreed by the parties, the Supplier may adjust any agreed timetable or delivery schedule as reasonably necessary;
(d) use the Services in accordance with the terms and conditions of this Agreement and the Customer shall be responsible for any Authorised User's breach of this Agreement;
(e) obtain and shall maintain all necessary licences, consents, and permissions necessary to use the Services; and
(f) ensure that it has all necessary internet and network connections, and that its computer equipment, systems, network and browser meet the relevant minimum technical specifications provided by the Supplier.
6.2 In relation to the Authorised Users, the Customer undertakes that:
(a) each Authorised User shall keep a secure password for accessing the Services, which the Authorised User shall keep confidential at all times; and
(b) it shall disable any Authorised User’s access to the Services promptly upon termination or suspension of such Authorised User’s employment or services contract with the Customer.
6.3 The Customer shall not, and shall procure that the Authorised Users shall not:
(a) use any of the Services in any way that breaches any applicable law or regulation;
(b) use any of the Services to transmit, upload, disseminate or otherwise distribute any material that:
(i) is unlawful, harmful, threatening, defamatory, obscene, indecent, infringing, harassing, racially, religiously or ethnically offensive, or otherwise objectionable;
(ii) infringes any Intellectual Property Rights, rights of privacy, personality or publicity or other third party rights;
(iii) contains unsolicited or unauthorised advertising or promotional content;
(iv) facilitates or promotes illegal activity;
(v) threatens the security and/or confidentiality of the Services; and/or
(vi) causes damage or injury to any person or property;
(c) store, distribute or transmit any Viruses (or attempt to do the same) during the course of its use of the Services, or attack the Software Platform via a denial-of-service attack or a distributed denial-of-service attack;
(d) use any of the Services or data or information provided as part of the Services to commit any fraud or fraudulent activity;
(e) except as expressly permitted by this Agreement and as may be allowed by any applicable law which cannot be excluded, attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form, all or any part of the Software Platform, or copy, modify, translate, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any part of the Services in any form or media or by any means (including by using any robot, spider or other automated device or manual process);
(f) access any part of the Services in order to build a product or service which competes with any of the Services; or
(g) license, sell, rent, lease, transfer, assign, distribute, display, disclose or otherwise commercially exploit, or otherwise make any of the Services available to any third party except the Authorised Users, or use any of the Services to process data on behalf of third parties.
6.4 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and, in the event of becoming aware of any such unauthorised access or use, shall immediately notify the Supplier and shall provide to the Supplier all assistance that it reasonably requires to prevent such unauthorised access or use.
7 Subscription Fees and payment
7.1 The Supplier shall invoice the Customer for the Subscription Fees in the manner specified in the Quotation, typically either:
(a) annually in advance
(b) monthly in advance
unless otherwise stated in the Quotation or otherwise notified by the Supplier in writing. The Customer shall pay each invoice in full and cleared funds within 30 days of the date of the invoice by bank transfer to the bank account specified on the invoice, or credit/debit card payment online via Stripe, or by Direct Debit.
7.2 The Subscription Fees are payable in pounds sterling and are exclusive of VAT which shall be payable by the Customer in addition at the then prevailing rate.
7.3 If the Supplier has not received payment within 30 days after the due date for payment, the Supplier may, without prejudice to any other rights and remedies it may have, without liability, on providing written notice to the Customer:
(a) disable and suspend the Customer’s access to and/or use of all or part of the Services during such time as the invoice(s) concerned remain unpaid; and
(b) charge the Customer interest on a daily basis in respect of the overdue amount at an annual rate equal to 3% over the Bank of England base rate from time to time, commencing on the due date and continuing until payment of the overdue amount is received in full by the Supplier, whether before or after judgment.
7.4 All sums payable under this Agreement shall be paid in full without any deduction, discount, set off or abatement, except as required by law.
8 Intellectual Property Rights
8.1 The Customer acknowledges and agrees that the Supplier and/or its licensors own all Intellectual Property Rights in and to the Services, and any modifications and enhancements made thereto. Except as expressly stated herein, this Agreement does not grant the Customer any right, title, licence or interest in or to any Intellectual Property Rights of the Supplier or its licensors.
8.2 The Customer acknowledges that, in respect of any third party Intellectual Property Rights, the use by the Customer of any such Intellectual Property Rights is conditional on the Supplier obtaining a written licence from the relevant licensor on such terms as will entitle the Supplier to license such rights to the Customer.
8.3 The Supplier acknowledges and agrees that the Customer owns the Customer Data. The Customer hereby grants a royalty-free, worldwide licence to the Supplier to use the Customer Data (and any Intellectual Property Rights subsisting therein), and where required the Customer’s name and logo, during the Subscription Term for the sole purpose of providing the Services to the Customer. The Customer grants the Supplier the right to use the Customer’s name and logo on the Supplier’s website and in any marketing and promotional material (including press releases).
9 Confidentiality
9.1 Each party may access or receive the other party’s Confidential Information in order to perform its obligations under this Agreement or otherwise in connection with this Agreement.
9.2 A party's Confidential Information shall not be deemed to include any information that:
(a) is or becomes publicly known other than through any act or omission of the receiving party;
(b) was in the receiving party's lawful possession before the disclosure;
(c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure;
(d) is independently developed by the receiving party, which independent development can be shown by written evidence; or
(e) is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
9.3 Each party shall hold the other party's Confidential Information in strict confidence and, unless required by law, not make the other party's Confidential Information available to any third party or use the other party's Confidential Information for any purpose other than the performance of its obligations under this Agreement.
9.4 Each party shall take all reasonable steps to ensure that the other party's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.
9.5 Neither party shall be responsible for any loss, destruction, alteration or disclosure of the other party’s Confidential Information caused by any third party (other than its employees or agents or sub-contractors).
9.6 The Customer acknowledges and agrees that all information relating to the Services (including the results of any performance tests of the Services) constitutes the Supplier's Confidential Information, and the Supplier acknowledges and agrees that the Customer Data is the Confidential Information of the Customer.
9.7 No party shall make, or permit any person to make, any public announcement concerning this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
9.8 The above provisions of this clause 9 shall survive termination of this Agreement, however arising.
10 Indemnity
10.1 The Customer shall defend, indemnify and hold harmless the Supplier against all claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Supplier’s use of the Customer Data or Customer’s intellectual property in accordance with clause 8.3 or a breach by the Customer and/or any Authorised User of the obligations set out in clause 6.
10.2 The Supplier shall defend the Customer against any claim that the Customer’s use of the Services in accordance with this Agreement infringes any registered Intellectual Property Rights of a third party (IP Claim), and shall indemnify the Customer for any losses, damages, expenses and costs (including court costs and reasonable legal fees) which are awarded against the Customer or which the Customer is required to pay by a court in respect of any such IP Claim. Liability under this indemnity is conditional upon the indemnified party discharging the following obligations. If any third party makes a claim, or notifies an intention to make a claim, against the Customer which may reasonably be considered likely to give rise to a liability under the indemnity (a Claim), the Customer shall:
(a) as soon as reasonably practicable, give written notice of the Claim to the Supplier specifying the nature of the Claim in reasonable detail;
(b) not make any public statement, admission of liability, agreement and/or compromise in relation to the Claim without the prior written consent of the Supplier;
(c) provide to the Supplier and its professional advisers all reasonable assistance and co-operation in the defence and settlement of the Claim, at the Supplier’s cost; and
(d) be deemed to have given to the Supplier (to the fullest extent possible) sole authority and conduct to avoid, dispute, compromise and/or defend the Claim.
10.3 In the defence or settlement of any IP Claim, the Supplier may procure the right for the Customer to continue using the Services, replace or modify the Services so that they become non-infringing (without adversely affecting the functionality of the Services) or, if such remedies are not reasonably available, terminate this Agreement, without liability, on providing written notice to the Customer, in which case, the Supplier shall (where applicable) refund any Subscription Fees paid in advance by the Customer in respect of the unexpired term of the Subscription Term calculated on a pro rata basis.
10.4 In no event shall the Supplier be liable to the Customer under the indemnity contained in clause 10.2 to the extent that the IP Claim arises as a result of:
(a) a modification to the Services by any person other than the Supplier; or
(b) the Customer's use of the Services other than in accordance with this Agreement and any instructions given to the Customer by the Supplier from time to time; or
(c) the Customer’s use of the Services after it has given notice of the alleged or actual infringement to the Supplier under clause 10.3(a).
10.5 This clause 10 sets out the Supplier's entire obligations and liability in respect of any IP Claim.
11 Limitation of liability
11.1 This clause 11 sets out the entire financial liability of the Supplier (including any liability for the acts or omissions of its employees, agents and subcontractors) to the Customer:
arising under or in connection with this Agreement;
in respect of any use made by the Customer of the Services and Documentation or any part of them; and
in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with this Agreement.
11.2 Subject to clause 11.3, and save as expressly and specifically provided in this Agreement:
(a) the Customer assumes sole responsibility for results obtained and conclusions drawn from the use of the Services by the Customer, and for assessing whether the Services meet its requirements. The Supplier gives no warranty or representation that the Services will meet the Customer’s requirements. The Supplier shall have no liability for any damage caused by errors or omissions in any information or instructions provided by the Customer to the Supplier in connection with the Services, or any actions taken by the Supplier at the Customer's direction;
(b) the Supplier gives no warranty or representation that the use of the Software Platform will be uninterrupted, available or error free. The Software Platform is provided on an “as is” basis and all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement, including the implied conditions, warranties or other terms as to satisfactory quality and fitness for purpose;
(c) the Supplier shall have no liability for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities; and
(d) the Supplier shall have no liability or responsibility for any fault, failure or unavailability of the Software Platform caused by the Customer’s system, any third party software, or as a result of any fault, failure, unavailability, speed or limitations of the Customer’s internet and network communications, computer equipment and/or web browser.
11.3 Nothing in this Agreement excludes the liability of the Supplier:
(a) for death or personal injury caused by the Supplier's negligence; or
(b) for fraud or fraudulent misrepresentation; or
(c) for any other liability that cannot be limited or excluded by law.
11.4 Subject to clause 11.3, the Supplier shall not be liable whether in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise for any: loss of profits; loss of sales or business; loss of agreements or contracts; loss of anticipated savings; loss of opportunity; loss of goodwill; loss of use or corruption of software, data or information; or any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses howsoever arising under this Agreement.
11.5 Subject to clause 11.3, the Supplier’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance of this Agreement, including under any indemnity, in any year, shall not exceed the total Subscription Fees paid by the Customer to the Supplier during the previous year.
12 Term and termination
12.1 The Subscription Term will begin on the Effective Date.
12.2 This Agreement shall, unless terminated earlier in accordance with its terms, continue for the Initial Subscription Term and thereafter shall renew for a Renewal Period, subject to the Customer paying the Subscription Fees for the Renewal Period at the Supplier’s then current rates, and unless either party gives at least 30 days’ notice in writing to the other party prior to the expiry of the Initial Subscription Term or the then current Renewal Period (as applicable).
12.3 Without affecting any other right or remedy available to it, the Supplier may terminate this Agreement with immediate effect by giving written notice to the Customer if: (a) the Customer fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than 30 days after being notified in writing by the Supplier to make such payment; or (b) the Customer commits a breach of clause 6.3; or (c) there is a change of Control of the Customer.
12.4 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:
(a) the other party commits a material breach of any term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 14 days after being notified in writing to do so;
(b) the other party repeatedly breaches any of the terms of this Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this Agreement;
(c) the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986;
(d) the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
(e) a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of the other party other than for the sole purpose of a scheme for a solvent amalgamation of the other party with one or more other companies or the solvent reconstruction of the other party;
(f) application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party;
(g) the holder of a qualifying floating charge over the assets of the other party has become entitled to appoint or has appointed an administrative receiver;
(h) a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;
(i) a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced upon or sued against, the whole or any part of the other party's assets and such attachment or process is not discharged within 7 days;
(j) the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business.
12.4 On termination of this Agreement for any reason:
(a) all licences granted under this Agreement shall immediately terminate, the Supplier shall disable the Customer’s access to the Services, and the Customer shall immediately cease using the Services;
(b) each party shall return and make no further use of any equipment, property, Confidential Information, Documentation and other items (and all copies of them) belonging to the other party; and
(d) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination, and the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.
12.5 Following termination of this Agreement, the Supplier may delete all Customer Data without liability to the Customer. The Customer may download a copy of the Customer Data from the Software Platform at any time during the Agreement. At the Customer’s request, the Supplier will assist the Customer in downloading such Customer Data from the Software Platform and may charge the Customer for such assistance.
13 Force majeure
The Supplier shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by any act, event, omission or accident beyond its reasonable control, including: strikes, lock-outs or other industrial disputes (whether involving the workforce of the Supplier or any other party); failure of a utility service or transport or telecommunications network; act of God; war, threat of or preparation for war or armed conflict; riot, civil commotion, terrorist attack or malicious damage; imposition of sanctions, embargo, breaking off of diplomatic relations or similar actions; compliance with any law or governmental order, rule, regulation or direction; collapse of building structures, accident, breakdown of plant or machinery; flood, storm, earthquake or other adverse weather conditions or natural disaster; fire or explosion; epidemic or pandemic; nuclear, chemical or biological contamination; sonic boom; or default of suppliers or subcontractors.
14 Conflict
If there is an inconsistency between any of the provisions in the main body of this Agreement and the Schedules, the provisions in the main body of this Agreement shall prevail.
15 Variation
No variation of this Agreement shall be effective unless it is in writing and signed by the parties or their authorised representatives (including by electronic signature).
16 Waiver
No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
17 Rights and remedies
Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
18 Severance
18.1 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
18.2 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.
19 Entire agreement
19.1 This Agreement, and any documents referred to in it, constitutes the whole agreement between the parties and supersedes any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
19.2 Each of the parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement.
20 Assignment
20.1 The Customer shall not, without the prior written consent of the Supplier, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement. The Supplier may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
21 No partnership or agency
Nothing in this Agreement is intended to or shall operate to create a partnership between the parties or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
22 Third party rights
This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
23 Notices
Any notice, including notice of termination, required to be given to a party under this Agreement shall be in writing via email to: (i) the Customer at the nominated contact set out in the Software Platform; and (ii) the Supplier at hello@cymplify.co.uk, or other contact whose details have been provided by that party for the purpose of receiving notices under this Agreement. Notices shall be deemed to have been delivered one Business Day after transmission in the case of email (provided that no delivery failure notification is received by the sender). This clause 23 does not apply to the service of any proceedings or other documents in any legal action.
24 Governing law
This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England.
25 Jurisdiction
Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
Schedule 1 - Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of this Agreement. This DPA applies in respect of any personal data processed by the Supplier on behalf of the Customer in the performance of this Agreement.
1. Definitions and Interpretation
1.1. Unless expressly stated otherwise, the capitalised terms used in this DPA shall have the meanings set out in the main body of this Agreement unless otherwise defined herein, and the rules of interpretation set out in clauses 1.2 – 1.10 (inclusive) of the main body of this Agreement shall apply to this DPA.
1.2. In this DPA, the following words shall have the following meanings:
“Customer Personal Data” means any Customer Data which is personal data, and which is processed by the Supplier on behalf of the Customer in the performance of the Services.
“Data Protection Laws” means all applicable privacy and data protection laws in force from time to time in the UK, including the UK GDPR, the Data Protection Act 2018 (DPA 2018) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, in each case as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and 2020 and as may be further amended, replaced or superseded from time to time.
“UK GDPR” has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
The terms “controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “supervisory authority” shall have the meanings given to them in the Data Protection Laws.
2. General
2.1. The parties acknowledge and agree that the Customer shall be the controller in respect of the Customer Personal Data and the Supplier shall be acting as a processor in processing the Customer Personal Data on behalf of the Customer for the purpose of providing the Services in accordance with this Agreement.
2.2. Both parties shall comply with their respective obligations under the Data Protection Laws and the provisions of this DPA in respect of all Customer Personal Data processed in connection with this Agreement.
3. Customer’s obligations
3.1. As a controller, it shall be the Customer’s responsibility to ensure that it is entitled to, and has a lawful basis under the Data Protection Laws to authorise the Supplier to process the Customer Personal Data for the purposes of providing the Services to the Customer in accordance with the Agreement.
3.2. The Customer shall be responsible for the provision of all necessary fair processing information to data subjects regarding the processing of Customer Personal Data for the purposes set out in this Agreement in accordance with the Data Protection Laws. The Customer shall ensure that such fair processing notices are accurate and complete and comply with all requirements of the Data Protection Laws.
4. Processing of Customer Personal Data by the Supplier
4.1. In respect of the Customer Personal Data processed by the Supplier under this Agreement as a processor on the Customer’s behalf, the Supplier shall process that Customer Personal Data to the extent necessary to perform the Supplier’s obligations under this Agreement, in accordance with the Customer’s documented instructions as set out in Annex A to this DPA, unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body.
4.2. The Supplier shall maintain records and information regarding its processing activities in relation to Customer Personal Data.
4.3. The Supplier shall notify the Customer promptly if any instructions of the Customer relating to the processing of Personal Data are unlawful.
5. Supplier Personnel
5.1. The Supplier shall take reasonable steps to ensure the reliability of its employees, agents or sub-contractors who have access to the Customer Personal Data, for the purposes of performing the Supplier’s obligations under this Agreement. The Supplier shall ensure that all such persons are bound by legally binding obligations of confidentiality in relation to the Customer Personal Data.
6. Security
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Customer Personal Data, as well as the harm that might result from the unauthorised or unlawful processing of, or accidental loss or destruction of, or damage to, the Customer Personal Data, the Supplier shall in relation to the Customer Personal Data implement appropriate technical and organisational measures to protect against the unauthorised or unlawful processing of, or accidental loss or destruction of, or damage to, the Customer Personal Data.
6.2. In assessing the appropriate level of security, the Supplier shall take account of the risks that are presented by the processing of the Customer Personal Data.
7. Sub-processing
7.1. The Customer consents to the Supplier appointing the third party processors, as listed in Annex A, in respect of the Customer Personal Data.
7.2. The Supplier may make changes to its sub-processors and will provide an updated list on its website. If the Customer has not objected to any such changes within a period of 14 days of the date of notification of the changes (by way of updating the list of sub-processors on the Supplier’s website), the Customer shall be deemed to have accepted such changes.
7.3. The Supplier shall ensure that obligations equivalent to the obligations set out in this DPA are included in all contracts between the Supplier and appointed sub-processors who will be processing Customer Personal Data.
8. Data Subject Rights
8.1. The Supplier shall provide reasonable assistance to the Customer, at the Customer’s request, in responding to any request from a data subject, where the Customer does not itself have access to such information via the Software Platform to be able to respond to the request.
8.2. The Supplier shall:
8.2.1. Promptly notify the Customer if it receives a request from a data subject under the Data Protection Laws in respect of the Customer Personal Data; and
8.2.2. Not respond to that request except on the documented instructions of the Customer or as required by applicable law, in which case the Supplier shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before the Supplier responds to the request.
9. Personal Data Breach
9.1. The Supplier shall notify the Customer without undue delay upon becoming aware of a personal data breach affecting its processing of the Customer Personal Data, and shall, at the Customer’s request, provide the Customer with reasonable assistance and information to allow the Customer to meet any obligations under the Data Protection Laws to report or inform data subjects or any supervisory authority of the personal data breach.
10. Data Protection Impact Assessments
10.1. The Supplier shall, at the Customer’s request, provide reasonable assistance to the Customer in connection with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which the Customer reasonably considers to be required by the Data Protection Laws, in each case solely in relation to the processing of Customer Personal Data by the Supplier.
11. Audit rights
11.1. Subject to paragraph 11.2, the Supplier shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits by the Customer or the Customer’s designated auditor of the Supplier’s procedures relevant to the processing of Customer Personal Data.
11.2. In the case of any audit by the Customer pursuant to paragraph 11.1, the Customer shall:
11.2.1. Comply with any reasonable requirements or security restrictions that the Supplier may impose to safeguard the Supplier’s systems, data held on the Supplier’s systems, and the Supplier’s own confidential or commercially sensitive information and to avoid unreasonable disruption to the Supplier’s business and operations; and
11.2.2. Reimburse the Supplier for time it expends in respect of such audit, at the Supplier’s then current professional services rates, which costs shall be reasonable, taking into account the resources expended by the Supplier, and before the commencement of any audit, the parties shall mutually agree on the scope, timing and duration of the audit.
12. Data Transfers
12.1. The Customer consents to the Supplier transferring Customer Personal Data outside the UK, as listed in Annex A, in connection with its provision of the Services.
12.2. The Supplier shall comply with the provisions of the Data Protection Laws in respect of all such data transfers, ensuring the appropriate safeguards are in place.
13. End of Engagement
13.1. Upon expiry or termination of this Agreement, the Supplier shall, at the choice of the Customer, delete securely or return all Customer Personal Data to the Customer and delete all existing copies of the Customer Personal Data unless and to the extent that the Supplier is required to retain copies of the Customer Personal Data in accordance with applicable laws, in which case the Supplier shall notify the Customer in writing of the applicable laws which require the Customer Personal Data to be retained.
Annex A – Data Processing Activities: