
Terms and Conditions for Software as a Service

Version 4.19 – Last updated 16th April 2026.

BACKGROUND

(A) The Supplier owns certain software and platforms which it makes available to subscribers via the internet on a subscription basis.

(B) The Customer wishes to use the Supplier’s service in its business operations.

(C) The Supplier has agreed to provide, and the Customer has agreed to take and pay for, the Supplier’s service subject to the terms and conditions of this Agreement.

Agreed terms

1. Interpretation

1.1 The definitions and rules of interpretation in this clause apply in this Agreement.

Additional Services: means any amendment or addition to the scope of the Services (including any additional functionality or capability of the Software) requested by the Customer and agreed to be provided by the Supplier in accordance with this Agreement.

Agreement: means (i) these terms and conditions and (ii) the Proposal between the Supplier and the Customer for the provision of the Services.

Applicable Data Protection Laws means:

a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.

b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which either party is subject, which relates to the protection of personal data.

Applicable Law: means all applicable laws, statutes and regulations from time to time in force.

Authorised Users: means those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation, including Regular Users and Occasional Users.

Business Day: means a day other than a Saturday, Sunday or public holiday in England.

Business Hours: means the period from 9.00 am to 5.30 pm on any Business Day from Monday until Thursday but the period from 9.00 am to 5.00 pm on a Friday where it is a Business Day.

Change of Control: shall be as defined in section 1124 of the Corporation Tax Act 2010, and the expression change of control shall be interpreted accordingly.

Customer: means the customer set out in the Proposal.

Customer Cause: means any of the following causes:

(a) any improper use, misuse or unauthorised alteration of the Software by the Customer;

(b) any use of the Software by the Customer in a manner inconsistent with the then-current Documentation;

(c) the use by the Customer of any hardware or software which is not in accordance with the Supplier’s instructions (whether written or oral);

(d) any use other than in accordance with the Supplier’s instructions (whether oral or written);

(e) the use for any purpose other than provided;

(f) failure of Customer network;

(g) issues caused by third party software;

(h) issues with Open-Source Software; and

(i) failure by the Customer to comply with its obligations under this Agreement (including clause 9.5).

Customer Data: means the data inputted by the Customer, the Authorised Users, or the Supplier on behalf of the Customer into the Software (not including Inputted Personal Data).

Documentation: means the document(s) and other materials, made available to the Customer by the Supplier online via the Software, which set out a description of the Services and the user instructions for the Services.

Downloaded Content: means any content including ISMS.online Policies which have been downloaded from the Software by the Customer during the Subscription Term.

Effective Date: has the meaning as set out in clause 2.1.

EU GDPR: means the General Data Protection Regulation ((EU) 2016/679), as it has effect in EU law.

Go-Live Date: means the date the Customer will be able to access and use the Services and Documentation which shall be any date within 7 days of receipt by the Supplier of the Subscription Fees which the Customer is obligated to pay in accordance with clause 10.

Heightened Cybersecurity Requirements: means any laws, regulations, codes, guidance (from regulatory and advisory bodies, whether mandatory or not), international and national standards, industry schemes and sanctions, which are applicable to the Customer (but not the Supplier) relating to security of network and information systems and security breach and incident reporting requirements, which may include the cybersecurity Directive ((EU) 2016/1148), Commission Implementing Regulation ((EU) 2018/151), the Network and Information Systems Regulations 2018 (SI 506/2018), all as amended or updated from time to time.

Initial Subscription Term: means the initial term of this Agreement as set out in the Proposal.

Inputted Personal Data: means any and all personal data inputted by the Customer and, the Authorised Users or the Supplier on behalf of the Customer (which the Supplier shall process as a processor under and in accordance with the terms of this Agreement).

Intellectual Property Rights: means patents, rights to inventions, copyright and neighbouring and related rights, moral rights, trade marks and service marks, business names and domain names, rights in get-up, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted renewals or extensions of, or to claim priority from, those rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

ISMS.online Policies: means an optional service, including ‘head start’ policies and controls such as risk management, security incident and supplier management, along with other documentation including, risk bank content or related guidance for the Customer to use as part of its ISMS. These policies can either be adopted, adapted or added to depending on the Customer’s specific needs and circumstances. Where it is so indicated in the Proposal or as otherwise agreed to be provided as an Additional Service in accordance with the terms of this Agreement, the ISMS.online Policies shall form part of the Services.

Maintenance Events: means routine, planned maintenance of the Software that may require interruption of the Software and Services.

NIS Regulations: means the Network and Information Systems Regulations 2018.

Occasional User: means an Authorised User with restricted functionality who primarily needs to read ISMS.online Policies or who needs to receive security updates and messages sent via the Software who is identified as such by the Customer.

Open-Source Software: means any software licensed under any form of open-source licence meeting the Open-Source Initiative’s Open-Source Definition from time to time, which is included or used in, or in the development of, the Supplier Software, or with which the Supplier Software is compiled or to which it is linked (including, Apache Licence version 2.0, BSD 2-Clause License, BSD 3-Clause License, ISC and MIT licence further details of which can be provided by the Supplier to the Customer on request).

Order: means a written request from the Customer to the Supplier for the provision of the Services and Documentation.

Output: means all the output from the Software provided to the Customer including any reports, summaries, recommendations, data or other outputs (excluding the Downloaded Content).

Permitted Downtime: means Maintenance Events, Customer-Caused or third party-caused outages or disruptions (except to the extent that such outages or disruptions are caused by those duly authorised third parties sub-contracted by the Supplier to perform the Services), or outages or disruptions attributable in whole or in part to force majeure events within the meaning of clause 17.

Proposal: means a written proposal, signed by both parties, detailing:

(i) the description or specification for the Services and Software to be provided by the Supplier;

(ii) the Subscription Fees, and any other fees payable by the Customer;

(iii) any other commercial terms agreed by the parties relating to the Software & Services; and

(iv) any amendments to these terms as agreed by the Customer and Supplier.

Regular User: means an Authorised User who can create, administer and manage work on the Software and who is identified as such by the Customer.

Renewal Period: means the period described in clause 15.1.

Services: means the subscription services provided by the Supplier to the Customer under this Agreement via the website notified to the Customer by the Supplier from time to time, as more particularly described in the Proposal Documentation.

Software: means the online software applications provided by the Supplier as part of the Services, including any Open-Source Software, for the purpose of implementing, improving and managing an Information Security Management System (“ISMS”) or similar management system.

Subscription Fees: means the subscription fees payable by the Customer to the Supplier for the Services, as set out in the Proposal, and any applicable fees for any Additional Services or any further or additional User Subscriptions purchased by the Customer or required to be purchased by the Customer from time to time.

Subscription Term: has the meaning given in clause 15.1 (being the Initial Subscription Term together with any subsequent Renewal Periods).

Supplier: means ALLIANTIST LIMITED incorporated and registered in England and Wales, with company number 04922343, whose registered office is at Nile House, Nile Street, Brighton, England, BN1 1HW.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

User Personal Data: means the personal data collected by the Supplier from the Customer and under or in connection with this Agreement including where applicable to facilitate the use of the Software and Documentation, including usernames and email addresses of the Authorised Users which the Supplier shall process as a controller under and in accordance with the terms of this Agreement.

User Subscriptions: means the user subscriptions purchased by the Customer pursuant to clause 10.1 which entitle Authorised Users to access and use the Services and the Documentation in accordance with this Agreement.

Virus: means any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, malware, viruses and other similar things or devices.

Vulnerability: means a weakness in the computational logic (for example, code) found in software and hardware components that when exploited, results in a negative impact to the confidentiality, integrity, or availability of Customer Data or Inputted Personal Data / the Services, and the term Vulnerabilities shall be interpreted accordingly.

Year: means (i) the period from the Effective Date until the day immediately preceding the first anniversary of the Effective Date and (ii) each period of 12 months thereafter starting on the relevant anniversary of the Effective Date and expiring on the day immediately preceding the next anniversary of the Effective Date.

1.2 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.

1.3 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.4 A reference to a company includes any company, corporation or other body corporate, wherever and however incorporated or established.

1.5 Unless the context otherwise requires, words in the singular include the plural and in the plural include the singular.

1.6 Unless the context otherwise requires, a reference to one gender includes a reference to the other genders.

1.7 A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this Agreement.

1.8 A reference to a statute or statutory provision includes all subordinate legislation made as at the date of this Agreement under that statute or statutory provision.

1.9 A reference to writing or written includes email but not fax.

1.10 References to clauses and schedules are to the clauses and schedules of this Agreement; references to paragraphs are to paragraphs of the relevant schedule to this Agreement.

1.11 Any obligation on a party not to do something includes an obligation not to allow that thing to be done.

1.12 Any phrase introduced by the term “including”, “include”, “for example” or any similar expression shall be construed as illustrative and shall not limit the sense of the words to which those terms apply.

1.13 In the event of any conflict or inconsistency between the provisions of the main body of this Agreement and the Proposal, the Proposal shall take priority to the minimum extent necessary to resolve the relevant conflict or inconsistency.

2. Basis of Agreement

2.1 Once the Customer receives the Proposal, the Customer shall sign the Proposal at which point, and on which date the Agreement will come into existence (Effective Date).

2.2 Any Proposal or quotation given by the Supplier shall only be valid for a period of 30 days from the date of its issue.

3. Subscriptions

3.1 Subject to the Customer purchasing the Services in accordance with clause 4.2 and clause 10.1, and paying the Subscription Fees on time and in full, and complying with the restrictions set out in this clause 3 and the other terms and conditions of this Agreement, the Supplier hereby grants to the Customer a non-exclusive, worldwide, non-assignable, non-sublicensable, non-transferable right and licence, to permit the Authorised Users to access and use the Services and the Documentation from the Go-Live Date until the expiry of Subscription Term solely for the Customer’s internal business operations and subject to the terms of this Agreement and not, for the avoidance of doubt, for any commercial exploitation.

3.2 The Services entitle the Customer to a maximum number of Authorised Users for the Initial Subscription Term (and any Renewal Period), which is set out in the Proposal. If the number of Authorised Users exceeds the amount set out in the Proposal or the Customer wishes to purchase additional User Subscriptions in excess of the User Subscription limit set out in the Proposal, the Customer shall notify the Supplier in writing. The Supplier shall evaluate such request for additional User Subscriptions and respond to the Customer with approval or rejection of the request and either (i) notify the Customer of the additional User Subscription fees set out in the Proposal; or (ii) if no such additional User Subscription fee is set out in the Proposal, notify the Customer of any additional Subscription Fees payable in respect of the remainder of the Subscription Term and all such fees shall be payable in advance. Where the Supplier approves the request, the Supplier shall activate the additional User Subscriptions within 7 days of receipt of payment of the relevant Subscription Fees for the additional User Subscriptions which shall be payable by the Customer to the Supplier in accordance with the payment terms set out in the Proposal.

3.3 In relation to the use of the Services, the Customer undertakes that:

(a) the maximum number of Authorised Users that it authorises to access and use the Services, and the Documentation shall not exceed the number of User Subscriptions it has purchased from time to time;

(b) it will not allow or suffer any User Subscription to be used by more than one individual Authorised User unless it has been reassigned in its entirety to another individual Authorised User with the Supplier’s prior consent, in which case the prior Authorised User shall no longer have any right to access or use the Services and/or Documentation;

(c) each Authorised User shall keep a secure password for their use of the Services and Documentation, and that each Authorised User shall keep their password confidential;

(d) it shall permit the Supplier, or the Supplier’s designated auditor, to audit the Services in order to establish the Customer’s compliance with this Agreement. Each such audit may be conducted no more than twice per annum, at the Customer’s expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with the Customer’s normal conduct of business;

(e) if any of the audits referred to in clause 3.3(d) reveal that any user account has been provided to any individual who is not an Authorised User, then without prejudice to the Supplier’s other rights, the Customer shall promptly disable such user account;

(f) if any of the audits referred to in clause 3.3(d) reveal that the Customer has underpaid Subscription Fees to the Supplier, then without prejudice to the Supplier’s other rights, the Customer shall pay to the Supplier an amount equal to such underpayment as calculated in accordance with the prices set out in the Proposal within 10 Business Days of the date of the relevant audit. Interest on such underpayment shall accrue on a daily basis at an annual rate equal to 4% over the then current base lending rate of the Supplier’s bankers in the UK from time to time, commencing on the date the sum would have originally been due and continuing until fully paid, whether before or after judgment; and

(g) the Customer shall be responsible and liable for all acts and omissions of the Authorised Users as if they were the Customer’s own acts and omissions. Any obligation on the Customer to do or not do anything shall be deemed to include a corresponding obligation to prove that such thing is or is not due (as the case may be).

3.4 The Customer shall not access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that:

(a) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;

(b) facilitates illegal activity;

(c) depicts sexually explicit images;

(d) promotes unlawful violence;

(e) is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or

(f) is otherwise illegal or causes damage or injury to any person or property;

and the Supplier reserves the right, without liability or prejudice to its other rights to the Customer, to disable the Customer’s access to any material that breaches the provisions of this clause.

3.5 The Customer shall not:

(a) except as may be allowed by any Applicable Law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement:

(i) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software, the Services and/or Documentation (as applicable) in any form or media or by any means save that the Customer may modify the Downloaded Content strictly in compliance with the licence set out in clause 3.7; or

(ii) attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software or the Services; or

(b) access all or any part of the Services and/or Documentation in order to build a product or service which competes with the Services and/or the Documentation; or

(c) attempt to obtain, or assist third parties in obtaining, access to the Services and/or Documentation, other than as provided under this clause 3; or

(d) introduce or permit the introduction of any Virus or Vulnerability into the Services or the Supplier’s network and information systems.

3.6 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify the Supplier.

3.7 Subject to the Customer purchasing the Services in accordance with clause 4.2 and clause 10.1 and paying the Subscription Fees on time and in full, the Supplier hereby grants to the Customer a perpetual, non-exclusive, worldwide, non-assignable, non-sublicensable, non-transferable right and licence to permit the Authorised Users to use and modify the Downloaded Content solely for the Customer’s internal business operations and subject to the terms of this Agreement.

3.8 The Customer shall provide the Supplier, at no cost or expense, with any assistance or support requested by the Supplier from time to time in connection with its compliance with the NIS Regulations including:

(a) identifying and assisting and supporting the Supplier with taking appropriate and proportionate measures to manage the risks posed to the security of network and information systems on which it relies to provide the Services; and

(b) notifying the Supplier without undue delay (and in any event no later than 24 hours) after becoming aware of any incident having a substantial impact on the provision of Services provided by the Supplier under this Agreement and providing sufficient information and detail to enable the Supplier to determine the significance of such an incident.

4. Additional Services

4.1 Subject to clause 4.2, the Customer may, from time to time during any Subscription Term, purchase Additional Services in excess of the Services set out in the Proposal and the Supplier shall grant access to such Additional Services and any applicable Documentation relating to such Additional Services in accordance with the provisions of this Agreement.

4.2 If the Customer wishes to purchase Additional Services, the Customer shall notify the Supplier in writing. The Supplier shall evaluate such request for Additional Services and respond to the Customer with approval or rejection of the request and notify the Customer of any additional Subscription Fees payable in respect of the remainder of the Subscription Term and all such fees shall be payable in advance. Where the Supplier approves the request, the Supplier shall activate the Additional Services within 7 days of receipt of payment of the relevant Subscription Fees for the Additional Services.

5. Uptime Service Level

The Supplier shall use reasonable endeavours to provide at least a 99.5% uptime service availability level (Uptime Service Level) measured on a monthly basis. This availability commitment applies solely to the access point within the Supplier’s hosting provider’s network environment. It does not extend to any portion of the connection that lies outside that environment. The Customer is responsible for its own internet connectivity and any network components not managed by the Supplier and their hosting provider. The above Uptime Service Level shall not apply to any Permitted Downtime.

6. Data protection

6.1 For the purposes of this clause 6, the terms Commissioner, controller, data subject, personal data, personal data breach, processor and processing, shall have the meaning given to them in the UK GDPR.

6.2 Each party shall comply with all obligations, responsibilities and duties imposed on it by Applicable Data Protection Laws in respect of any personal data which it processes under or in connection with this Agreement. This clause 6 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.

6.3 The parties have determined that, for the purposes of Applicable Data Protection Laws:

(a) The Supplier shall act as processor in respect of the Inputted Personal Data.

(b) The Supplier shall act as controller of personal data in respect of the User Personal Data.

(c) The Customer shall act as a controller of any personal data provided to it by the Supplier under or in connection with this Agreement.

6.4 Where the parties are acting as a controller of personal data under clauses 6.3(b) and 6.3(c), and transfer such personal data to the other party whether before, on or after the Effective Date, the party providing personal data:

(a) warrants, represents and undertakes that it has obtained the necessary consents or is otherwise lawfully entitled to transfer the relevant personal data to the other party;

(b) shall comply with all duties, obligations and restrictions imposed on it by the Applicable Data Protection Laws in respect of the transfer of such personal data to the other party; and

(c) shall not, by any act or omission in respect of such personal data, cause the other to be in breach of or not be fully compliant with the Applicable Data Protection Laws.

6.5 Where the Supplier acts as a processor of personal data under this Agreement, paragraph 2 of Schedule One sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subjects.

6.6 Should the determination in clause 6.3 change, the parties shall use reasonable endeavours to make any changes that are necessary to this clause.

6.7 Without prejudice to clause 6.2, where the Supplier acts as a processor, it shall:

(a) process the Inputted Personal Data only on the Customer’s written instructions;

(b) implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against its accidental loss, damage or destruction, including inter alia as appropriate:

(i) the pseudonymisation and encryption of Inputted Personal Data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(iii) the ability to restore the availability and access to Inputted Personal Data in a timely manner in the event of a physical or technical incident; and

(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

(c) in assessing the appropriate level of security the Supplier shall take into account, in particular, the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Inputted Personal Data transmitted, stored or otherwise processed.

(d) ensure, and procure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;

(e) not amend any Inputted Personal Data without the prior written consent of the Customer;

(f) promptly assist the Customer in responding to any request from a data subject and in ensuring compliance with the Customer’s obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators and, in particular, the Supplier shall promptly notify the Customer if it receives any complaint, notice or communication (whether from the Commissioner, any data subject, supervisory authority or other third party) which relates to processing of Inputted Personal Data;

(g) notify the Customer within 48 hours after becoming aware of a personal data breach and on suspecting the same, the Supplier shall promptly conduct an initial assessment to determine, with a reasonable degree of certainty, whether the event or incident qualifies for notification to the Customer under this clause 6.7(g) and shall provide a copy of this initial assessment along with such notification;

(h) at the written direction of the Customer, delete or return to the Customer all Inputted Personal Data on termination or expiry of the Agreement unless the Supplier is required by Applicable Law to continue to process that Inputted Personal Data, in which case the Supplier shall promptly notify the Customer, in writing, of what that Applicable Law is and shall only be permitted to process that Inputted Personal Data for the specific purpose so-notified, and all other requirements set out in this clause 6 shall continue to apply to such Inputted Personal Data notwithstanding the termination or expiry of this Agreement for as long as such Inputted Personal Data is processed by the Supplier. For the purposes of this clause 6.7(h), the obligation to delete Personal Data excludes the obligation to delete data (including any personal data) from the Software or the Supplier’s back-up systems (and such data shall be deleted from the Software or the Supplier’s back-up systems following a period of 60 days after termination or expiry of this Agreement); and

(i) maintain adequate records, and, on the Customer’s request, make available such information as the Customer may reasonably request, and allow for and submit its premises and operations to audits, including inspections, by the Customer or the Customer’s designated auditor, to demonstrate its compliance with Applicable Data Protection Laws and this clause 6.

6.8 The Supplier shall not, without the prior written consent of the Customer appoint or replace any other processor or sub-processor in relation to Inputted Personal Data or transfer any Inputted Personal Data to the same. The Customer hereby consents to the Supplier appointing the sub-processors listed in Schedule 1 in relation to Inputted Personal Data.

6.9 The Supplier shall store personal data transferred to it by the Customer for a period of 60 days after termination or expiry of this Agreement. The Customer hereby warrants, represents and undertakes that it has obtained the necessary consents to enable the Supplier to store such personal data for this time period.

6.10 The Supplier shall assist the Customer in responding to any request from a data subject and in ensuring compliance with the Customer’s obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with the Commissioner, supervisory authorities or other regulators.

6.11 The Customer shall at all times during and after termination of this Agreement, indemnify, keep indemnified and hold harmless the Supplier on demand against all liabilities, claims, costs, expenses, demands, actions, proceedings, fines and any damages or losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) suffered or incurred by the Supplier arising out of or in connection with any breach or alleged breach by the Customer of its obligations under this clause 6 and/or, by the Customer, of any Applicable Data Protection Laws.

7. Third party providers

The Customer acknowledges that the Services may enable or assist it to access the website content of, correspond with, and purchase products and services from, third parties via third-party websites and that it does so solely at its own risk. The Supplier makes no representation, warranty or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer with any such third party. Any contract entered into and any transaction completed via any third-party website is between the Customer and the relevant third party, and not the Supplier. The Supplier recommends that the Customer refers to the third party’s website terms and conditions and privacy policy prior to using the relevant third-party website. The Supplier does not endorse or approve any third-party website nor the content of any of the third-party website made available via the Services.

8. Supplier’s obligations

8.1 The Supplier shall perform the Services substantially in accordance with the Documentation and with reasonable skill and care.

8.2 The Supplier’s obligations at clause 8.1 shall not apply (and the Supplier shall not be responsible or liable for any failure to correct any such non-conformance under clause 8.3) to the extent that any non-conformance is, either directly or indirectly, attributable to (in whole or in part) any Permitted Downtime or modification or alteration of the Services by any party other than the Supplier or the Supplier’s duly authorised contractors or agents.

8.3 Subject to clause 8.2, if the Services do not conform with the terms of clause 8.1, the Supplier will, at its own expense, use reasonable commercial endeavours to correct any such non-conformance promptly. Such correction constitutes the Customer’s sole and exclusive remedy for any breach of the undertaking set out in clause 8.1.

8.4 The Supplier:

(a) does not warrant that:

(i) the Customer’s use of the Services will be uninterrupted or error-free;

(ii) the Services, Documentation and/or the information obtained by the Customer through the Services will meet the Customer’s requirements or be fit for any purpose and achieve any particular result or outcome;

(iii) the Software or the Services will be free from Vulnerabilities or Viruses; or

(iv) the Software, Documentation or Services will comply with any Heightened Cybersecurity Requirements.

9. Customer’s obligations

9.1 The Customer shall:

(a) without affecting its other obligations under this Agreement, comply with all Applicable Law, including sanctions laws and regulations, with respect to its activities under this Agreement;

(b) carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer’s provision of such assistance as agreed by the parties, the Supplier may adjust any agreed timetable or delivery schedule as reasonably necessary and the Supplier shall not be liable for any failure to deliver any or all of the Services to the extent caused by Customer’s delay;

(c) ensure that the Authorised Users use the Services and the Documentation in accordance with the terms and conditions of this Agreement and shall be responsible for any Authorised User’s breach of this Agreement;

(d) obtain and shall maintain all necessary licences, consents, and permissions necessary for the Supplier, its contractors and agents to perform their obligations under this Agreement, including without limitation the Services; and

(e) ensure that its network and systems comply with the relevant specifications provided by the Supplier from time to time.

9.2 The Customer shall own all rights, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data.

9.3 Any Open-Source Software provided by the Supplier shall be used by the Customer according to the terms and conditions of the specific licence under which the relevant Open-Source Software is distributed but is provided "as is" and expressly subject to the disclaimer in clause 8.4.

9.4 The Customer warrants and represents that, where Open-Source Software is provided by the Supplier under or in connection with this Agreement, it will comply with any third party licences or terms and conditions which are applicable to the use of such Open-Source Software.

9.5 The Customer is solely responsible for (i) maintaining a secure internet connection whilst using the Services and (ii) ensuring that it and its Authorised Users use a modern internet browser when accessing the Services, and the Supplier shall not be responsible or liable for the Customer’s failure to comply with its obligations under this clause 9.5.

10. Charges and payment

10.1 The Customer shall pay the Subscription Fees to the Supplier in accordance with this clause 10.

10.2 Unless stated otherwise in the Proposal, the Supplier shall invoice the Customer in advance for the Subscription Fees in accordance with the schedule set out in the Proposal. If no schedule is specified, the Supplier shall invoice the Customer in advance for the Subscription Fees on the Effective Date for Services to be performed in the first Year and shall invoice the Customer on each anniversary of the Effective Date for each remaining Year of this Agreement.

10.3 The Subscription Fees shall be payable in advance and due within 14 days of the invoice date to a bank account nominated in writing by the Supplier from time to time.

10.4 If the Supplier has not received payment by the due date, and without prejudice to any of its other rights and remedies, the Supplier may charge the Customer interest on such overdue amounts which shall accrue on a daily basis on such amounts at an annual rate equal to 4% over the then current base lending rate of the Supplier’s bankers in the UK from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.

10.5 All amounts and fees stated or referred to in this Agreement:

(a) are exclusive of VAT and the Customer shall, in addition, pay an amount equal to any VAT chargeable on those sums on delivery of a VAT invoice;

(b) are, save as expressly stated otherwise in this Agreement, non-cancellable and non-refundable;

(c) shall be paid in full without set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).

10.6 The Supplier may, at its sole and absolute discretion, increase the Subscription Fees on each anniversary of the Effective Date. Any increase shall be up to an amount equivalent to 5% of the then current Subscription Fees plus the percentage increase in the Retail Price Index (RPI) for either (a) the 12-month period immediately preceding the date of the assessment or (b) the calendar year prior to the date of the assessment (whichever is the higher). By way of example, if the percentage increase in the RPI for the relevant period is 3%, the Subscription Fees may increase by an amount up to 8% of the then current Subscription Fees.

11. Proprietary rights

11.1 The Customer acknowledges and agrees that the Supplier and/or its licensors own all Intellectual Property Rights in the Services, Documentation, Output and the Downloaded Content. Except as expressly stated herein, this Agreement does not grant the Customer any rights to, under or in, any Intellectual Property Rights or any other rights or licences in respect of the Services, Documentation, Output and the Downloaded Content.

11.2 The Supplier confirms that it has all the rights in relation to the Services, Documentation, Output and the Downloaded Content that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this Agreement.

11.3 Subject to payment of the Subscription Fees, the Supplier grants to the Customer a non-exclusive, non-transferable, non-assignable, non-sub-licensable, royalty-free, revocable licence during the Subscription Term to access and use the Output.

11.4 In respect of the Output:

(a) the Customer must not amend, create derivative works from, or vary the Output;

(b) the Customer may only use the Output for internal business purposes and not for any commercial exploitation.

11.5 The Supplier is an independent entity registered in England and Wales under company number 04922343. The Customer hereby acknowledges and agrees that the Supplier is not affiliated with, endorsed by, or a representative of the International Organization for Standardization (ISO) and (i) the provision by the Supplier of the Services hereunder or (ii) the use by the Supplier of its trade marks, branding or trading name during the course of its business does not, in each case (i) and (ii), imply any endorsement, sponsorship, or partnership with the ISO. The Supplier’s products and services (including the Services provided hereunder) are uniquely offered by it and the Supplier does not claim to represent or act on behalf of the ISO.

12. Confidentiality

12.1 Each party undertakes that it shall not, at any time whether before, during or after the termination or expiry of this Agreement, disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 12.2.

12.2 Each party may disclose the other party’s confidential information:

(a) to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of exercising the party’s rights or carrying out its obligations under or in connection with this Agreement. Each party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other party’s confidential information comply with this clause 12; and

(b) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.

12.3 No party may use any other party’s confidential information for any purpose other than to exercise its rights and perform its obligations under or in connection with this Agreement.

13. Indemnity

The Customer shall defend, indemnify and hold harmless the Supplier against all liabilities, costs, expenses, claims, demands, actions, proceedings, fines and any damages or losses (including but not limited to any direct, indirect or consequential losses, loss of profit, loss of reputation and all interest, penalties and legal costs (calculated on a full indemnity basis) and all other professional costs and expenses) arising out of or in connection with the Customer’s use of the Services and/or Documentation.

14. Limitation of liability

14.1 Any reference to liability in this clause 14 means every kind of liability arising under or in connection with this Agreement including but not limited to liability in contract, tort (including negligence), misrepresentation, under an indemnity, in restitution or otherwise.

14.2 Except as expressly and specifically provided in this Agreement:

(a) the Customer assumes sole responsibility for results obtained from the use of the Services, Documentation and the Output by the Customer, and for conclusions drawn from such use. The Supplier shall have no liability for any damage caused by errors or omissions in any Customer Data, information, instructions or scripts provided to the Supplier by the Customer in connection with the Services, or any actions taken by the Supplier at the Customer’s direction;

(b) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by Applicable Law, excluded from this Agreement; and

(c) the Services and the Documentation are provided to the Customer on an "as is" basis.

14.3 Nothing in this Agreement excludes the liability of either party:

(a) for death or personal injury caused by the Supplier’s negligence;

(b) for fraud or fraudulent misrepresentation; or

(c) for any other liability which cannot be lawfully limited.

14.4 Subject to clause 14.2 and clause 14.3:

(a) the Supplier shall have no liability for any:

(i) loss of profits,

(ii) loss of anticipated profits,

(iii) loss of contract,

(iv) loss of opportunity,

(v) loss of business,

(vi) wasted expenditure,

(vii) depletion of goodwill, reputation and/or similar losses,

(viii) loss or corruption of data or information, or

(ix) any special, indirect or consequential losses, costs, damages, charges or expenses; and

(b) the Supplier’s total aggregate liability to the Customer in each Year for any and all claims or series of connected claims arising in that Year (for the purposes of this clause, a claim or series of connected claims arises when the first event giving rise to the relevant claim or series of connected claims arises, and any claim arising after termination of this Agreement shall be deemed to arise on the last day prior to termination) shall not exceed the total value of the Subscription Fees payable by the Customer to the Supplier in the relevant Year.

15. Term and termination

15.1 This Agreement shall commence on the Effective Date and shall, unless otherwise terminated as provided in this clause 15 or under clause 16 (where applicable), continue for the Initial Subscription Term and, thereafter, this Agreement shall be automatically renewed for successive periods of 12 months (each a Renewal Period), unless:

(a) subject to clause 15.2, either party notifies the other of termination, in writing, at least 30 days prior to the end of any Year of the Initial Subscription Term; or

(b) otherwise terminated in accordance with the provisions of this Agreement;

and the Initial Subscription Term together with any subsequent Renewal Periods shall constitute the Subscription Term.

15.2 If the Customer exercises its right to terminate this Agreement early in accordance with clause 15.1(a) or clause 16 (where applicable), the Customer shall immediately pay to the Supplier (i) any and all outstanding Subscription Fees payable for the current Year and (ii) any and all Subscription Fees payable by the Customer for the remainder of the Initial Subscription Term. The parties hereby confirm and agree that the payment of the amount set out under this clause 15.2 is not unreasonable or unconscionable and represents a reasonable amount based on the losses the Supplier would incur as a result of early termination of this Agreement. The Customer confirms that it has considered and taken advice on the payment of the amount set out under this clause 15.2 and warrants that it will not seek to challenge the validity or enforceability of such payment on the basis of or utilising any arguments that it represents an unenforceable penalty. The Customer hereby perpetually waives absolutely and unconditionally any right to challenge the enforceability of the payment under this clause on the basis of or utilising any arguments that it represents an unenforceable penalty.

15.3 Either party may terminate this Agreement by providing 30 days’ written notice to expire at the end of any Renewal Period.

15.4 Without affecting any other right or remedy available to it, the Supplier may terminate this Agreement with immediate effect by giving written notice to the Customer if:

(a) the Customer fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than 7 days after being notified in writing to make such payment; or

(b) there is a change of control of the Customer (within the meaning of section 1124 of the Corporation Tax Act 2010); or

(c) the Customer engages in any act or omission that causes any detriment to the Supplier’s goodwill or reputation.

15.5 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:

(a) the other party commits a material breach of any other term of this Agreement and (if such breach is remediable) fails to remedy that breach within a period of 7 days after being notified in writing to do so;

(b) the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986 as if the words "it is proved to the satisfaction of the court" did not appear in sections 123(1)(e) or 123(2) of the Insolvency Act 1986;

(c) the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;

(d) the other party applies to court for, or obtains, a moratorium under Part A1 of the Insolvency Act 1986;

(e) a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;

(f) an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party (being a company, partnership or limited liability partnership);

(g) the holder of a qualifying floating charge over the assets of that other party (being a company or limited liability partnership) has become entitled to appoint or has appointed an administrative receiver;

(h) a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;

(i) a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other party’s assets and such attachment or process is not discharged within 14 days;

(j) any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 15.5(b) to clause 15.5(i) (inclusive);

(k) the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business;

(l) the other party’s financial position deteriorates so far as to reasonably justify the opinion that its ability to give effect to the terms of this Agreement is in jeopardy.

15.6 Without prejudice to any other rights or remedies available to it, the Supplier may suspend the licences granted to the Customer under clause 3.1, clause 3.7 and clause 11.3 of this Agreement and the Supplier may suspend such licences immediately on notice to the Customer if the Customer fails to pay any Subscription Fees or any other amounts due under this Agreement by the relevant due date until such failure is properly rectified. The Customer hereby acknowledges and agrees that any such period of suspension described under this clause 15.6 shall not affect and shall have no bearing on the Customer’s obligation to pay the Subscription Fees which shall remain fully payable under and in accordance with the terms of this Agreement.

15.7 On termination of this Agreement for any reason:

(a) save as set out in clause 3.7, all licences granted under this Agreement shall immediately terminate;

(b) the Customer shall immediately cease all use of the Services, the Documentation and/or the Output;

(c) each party shall return and make no further use of any equipment, property, Documentation, Output and other items (and all copies of them) belonging to the other party, excluding any Downloaded Content;

(d) without prejudice to clause 16 (where applicable), the Supplier may destroy or otherwise dispose of any of the Customer Data or Inputted Personal Data in its possession unless the Supplier receives, no later than ten days after the effective date of termination or expiry of this Agreement, a written request from the Customer to extract the Customer Data or Inputted Personal Data from the Software. Upon receipt of such request from the Customer to extract the Customer Data or Inputted Personal Data, the Supplier shall allow the Customer reasonable access to the Software to the extent necessary for the Customer to extract the Customer Data or Inputted Personal Data from the Software and shall provide the Customer with reasonable assistance in extracting such Customer Data or Inputted Personal Data from the Software. The extraction of any Customer Data or Inputted Personal Data under this clause 15.7(d) shall be (i) completed no earlier than 60 days from and including the date of termination or expiry of this Agreement and (ii) subject to the Customer having, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination or expiry of this Agreement). Subject to clause 16 (where applicable), the Customer shall pay all reasonable expenses incurred by the Supplier in returning or disposing of Customer Data or Inputted Personal Data;

(e) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced;

(f) the Customer must immediately pay any outstanding invoices, and the Supplier may raise an invoice payable immediately in respect of Services provided for which no invoice was given and for any amounts payable under clause 15.2; and

(g) any provision of this Agreement that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this Agreement shall remain in full force and effect, including clauses 3.7, 6, 11, 12, 13, 14, 20, 19, 22, 25, 27, 28 and 29.

16. Switching Providers

This clause 16 only applies where the Customer will be accessing the Services in a Member State of the European Union.

16.1 For the purposes of this clause 16, the following definitions shall apply:

Data Processing Services: shall have the meaning set out in Article 2(8) of the EU Data Act 2023/2854 and, for the avoidance of doubt, shall include the delivery of a Software as a Service (SaaS) model.

Destination Provider: means the provider of Data Processing Services to which the Customer Switches.

Digital Assets: has the meaning set out in Article 2(32) of the EU Data Act 2023/2854.

Exportable Data: has the meaning set out in Article 2(38) of the EU Data Act 2023/2854.

Switching: has the meaning set out in Article 2(34) of the EU Data Act 2023/2854 and the terms “Switching Process” and “Switch” shall be interpreted accordingly.

Switching Charges: means the costs incurred by the Supplier which directly result from the Switching Process concerned (including the Switching Services).

Switching Services: means the switching services described in clause 16.7.

16.2 If the Customer intends to Switch SaaS providers such that it no longer wishes to receive the Services from the Supplier but instead intends to Switch, the Customer shall provide the Supplier with 2 months’ notice of its intention to Switch (Maximum Notice Period) which shall specify its decision to perform one or more of the following actions:

(a) Switch to a different provider of Data Processing Services, in which case the Customer shall provide the necessary details of that Destination Provider;

(b) Switch to an on-premises ICT infrastructure; and/or

(c) erase its Exportable Data and Digital Assets.

16.3 As soon as reasonably practical following the expiry of the Maximum Notice Period, the Supplier shall, without undue delay, commence the Switching Services which shall, subject to clause 16.4, continue for a period of thirty (30) days (Transition Period).

16.4 Where the Supplier, acting reasonably, considers that it would be technically unfeasible to complete the Switching Services within the Transition Period, the Supplier shall notify the Customer within 14 working days of the making of the Customer’s Switching request referred to in clause 16.2 and the Supplier shall duly justify the technical unfeasibility to the Customer and notify the Customer of an extension to the Transition Period, which shall not exceed seven (7) months. For the avoidance of doubt (i) this Agreement shall continue to apply and (ii) the Supplier shall ensure that the Services continue and remain unaffected, in each case of (i) and (ii), throughout the Transition Period (or any extension thereof).

16.5 Without prejudice to clause 16.3, the Customer may extend the Transition Period for a period which the Customer, acting reasonably and in good faith, considers to be more appropriate for its own purposes.

16.6 The Customer may only exercise its right to extend the Transition Period once and such right must be exercised by the Customer within 14 days from and including termination of the Maximum Notice Period. If the Customer fails to exercise its right to extend the Transition Period within 14 days from and including termination of the Maximum Notice Period, the Customer hereby acknowledges and agrees that its right to extend the Transition Period shall automatically and immediately cease.

16.7 The Supplier shall, throughout the Transition Period:

(a) provide reasonable assistance to the Customer and third parties authorised by the Customer in the Switching Process;

(b) act with due care to maintain business continuity, and continue the provision of the Services during the Switching Process;

(c) provide clear information to the Customer concerning known risks to continuity of the provision of the Services during the Switching Process;

(d) ensure that a high level of security is maintained throughout the Switching Process, in particular the security of the data (including Customer Data, Inputted Personal Data and Exportable Data) during their transfer and the continued security of the data (including Customer Data, Inputted Personal Data and Exportable Data) during the retrieval period specified in clause 16.11 in accordance with applicable Union or national law;

(e) support the Customer’s exit strategy relevant to the Services, including by providing all relevant information;

(f) where relevant, provide information to the Customer regarding any Switch, requested by the Customer under clause 16.2, which is highly complex or costly or for which it is impossible to Switch without significant interference in the data, Digital Assets or service architecture.

16.8 The Supplier has:

(a) provided the Customer with an exhaustive specification of all categories of data and Digital Assets that can be ported during the Switching Process, including, at a minimum, all Exportable Data as set out in the Proposal; and

(b) provided, in the Proposal, an exhaustive specification of categories of data specific to the internal functioning of the Software that are to be exempted from the Exportable Data under clause 16.8(a), where a risk of breach of trade secrets of the Supplier exists, provided that such exemptions do not impede or delay the Switching Process.

16.9 The Supplier shall provide the Customer with:

(a) information on available procedures for switching and porting the Services, including information on available switching and porting methods and formats as well as restrictions and technical limitations which are known to the Supplier;

(b) a reference to an up-to-date online register hosted by the Supplier, with details of all the data structures and data formats as well as the relevant standards and open interoperability specifications, in which the exportable data referred to in this clause 16 are available.

16.10 Each party shall cooperate in good faith to make the Switch effective, enable the timely transfer of data and maintain the continuity of the Services.

16.11 The Supplier shall allow the Customer or the Destination Provider, for a period of 30 days from and including the date of termination or expiry of the Transition Period, to retrieve all data (including Customer Data, Inputted Personal Data and Exportable Data) to facilitate and effect the Switch.

16.12 After (i) the expiry of the retrieval period referred to in clause 16.11, or (ii) the expiry of an alternative agreed period at a date later than the date of expiry of the retrieval period referred to in clause 16.11, the Supplier shall fully erase all Exportable Data and Digital Assets which are either generated directly by the Customer or relating to the Customer directly, provided that, in each case (i) and (ii), the Switching Process has been completed successfully.

16.13 This Agreement shall, subject to clause 15.2, automatically and immediately terminate upon the occurrence of one of the following events:

(a) successful completion of the Switching Process; or

(b) at the end of the Transition Period, where the Customer does not wish to Switch but to erase its Exportable Data and Digital Assets from the Software upon termination of the Services.

16.14 In consideration of the provision of the Switching Services by the Supplier, the Customer shall pay the Switching Charges in accordance with clause 16.15.

16.15 As soon as reasonably practical following termination or expiry of the Transition Period, the Supplier shall, without prejudice to clause 15.2, invoice the Customer for the Switching Charges and the Customer shall pay such invoice within 30 days from the date of the invoice.

16.16 For the avoidance of doubt, the Subscription Fees shall continue to apply throughout the duration of the Transition Period.

17. Force majeure

Neither party shall be in breach of this Agreement or otherwise liable for any delay or failure in the performance of its obligations for so long as, and to the extent that, such delay or failure results from events, circumstances or causes beyond its reasonable control. If the period of delay or non-performance continues for 60 days, the party not affected may terminate this Agreement by giving not less than 14 days’ written notice to the affected party.

18. Variation

No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

19. Waiver

19.1 A waiver of any right or remedy is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy.

19.2 A delay or failure to exercise, or the single or partial exercise of, any right or remedy does not waive that or any other right or remedy, nor does it prevent or restrict the further exercise of that or any other right or remedy.

20. Rights and remedies

Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

21. Severance

21.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.

21.2 If any provision or part-provision of this Agreement is deemed deleted under clause 21.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

22. Entire agreement

22.1 This Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes and extinguishes all previous and contemporaneous agreements, promises, assurances and understandings between them, whether written or oral, relating to its subject matter.

22.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.

22.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement.

22.4 Nothing in this clause shall limit or exclude any liability for fraud.

23. Assignment

23.1 The Customer shall not, without the prior written consent of the Supplier, assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under this Agreement.

23.2 The Supplier may at any time assign, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under this Agreement.

24. No partnership or agency

Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name, or on behalf of, or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability, and the exercise of any right or power).

25. Third party rights

This Agreement does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

26. Counterparts

26.1 This Agreement may be executed in any number of counterparts, each of which shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.

26.2 Transmission of an executed counterpart of this Agreement (but for the avoidance of doubt not just a signature page) by email (in PDF, JPEG or other agreed format) takes effect as the transmission of an executed "wet-ink" counterpart of this Agreement.

26.3 No counterpart shall be effective until each party has provided to the other at least one executed counterpart.

27. Notices

27.1 Any notice given to a party under or in connection with this Agreement shall be in writing and shall be sent by email to the address as set out in the Proposal or any such email address notified by the Supplier to the Customer from time to time.

27.2 Any notice shall be deemed to have been received at the time of transmission, or, if this time falls outside Business Hours in the place of receipt, when Business Hours resume.

27.3 This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

28. Governing law

This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and interpreted in accordance with the law of England and Wales.

29. Jurisdiction

Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

Schedule One – Processing, Personal Data and Data Subjects

Data Controller: Customer

Data Processor: Alliantist LTD

Subject matter of processing: Alliantist provides ISMS.online to enable the Customer to implement and operate a management system, which involves the hosting of Data input by the Customer on Alliantist’s servers.

Lawful bases for the Controller: The controller warrants that it has a lawful basis for processing the Data.

Lawful basis of the Processor: Contractual obligation in line with this Agreement.

Duration for the processing: Alliantist will process the Data on behalf of the Customer for the term of the Agreement and for such time as is required thereafter if the Customer continues with the Services.

Nature and purpose of the processing: Customer will collect, collaborate, coordinate, organise, share, record, store, amend, edit, and delete information including appropriate Personal Data for the purpose of implementing, improving, and managing its Platform. Alliantist will also process Personal Data as required to support and maintain the Services for the Customer. As a processor, Alliantist will only process Personal Data in line with these instructions or amended instructions provided by the Customer.

Types of data held

Customer is only required to add Personal Data of Registered Users such as organisation email address and first name, surname for users to access the Platform. Registered Users can choose to add more details such as an avatar picture and telephone, mobile and work address if they want to in order to facilitate greater trust and collaboration between Registered Users. IP addresses are also held for the purpose of compliance with other legislation, protective monitoring, and delivery of support & maintenance.

Depending on the scope of the solution the Customer may also choose to hold relevant personal details of its staff e.g., during HR information security focused recruitment, induction, in-life management, and exit. The Platform is not specifically designed nor encouraged to be used as an HR tool for the holding of significant sensitive or high volumes of Personal Data and the Customer does so at their own risk. Personal Data details of suppliers, partners and customers may also be held in areas such as the Accounts suite where it helps organisations manage business relationships better and demonstrate they are in control of their supply chain. This data includes email address, phone numbers, first name and surname.

Information Security and Data Protection safeguards in place

Alliantist has a number of organisational and technical related measures for the protection of all valuable information, not just Personal Data. Organisational and technical measures include:

  1. Certification to ISO 27001 and ISO 27701 by a UKAS accredited auditor. The certification scope is for the entire organisation, the software application ISMS.online, and all staff.
  2. Supply chain is certified to at least the same standard or an acceptable equivalent for infrastructure critical services (data centre hosting, code management etc).
  3. Any smaller suppliers that work on the platform who don’t hold ISO certifications themselves follow Alliantist IMS and are contracted on that basis.
  4. All Alliantist staff (and relevant suppliers) involved are regularly trained on information security and privacy. They agree to comply with the policies and controls, including confidentiality, as part of their recruitment, induction, in-life monitoring, at least annually and if appropriate when undertaking change of role.
  5. Where appropriate, data protection impact assessments, policy reviews and internal audits are undertaken regularly alongside management reviews in line with ISO 27001/27701.
  6. The Platform is penetration tested annually or on significant change events.
  7. Data in transit between the end user and the service uses TLS. The SSL Certificate in use by the service uses a 2048 bit RSA Key with a SHA256 algorithm. The TLS terminator is configured to prefer more recent versions of protocols and more secure options first and is configured to not revert to an older standard after initial negotiation. The minimum version of the TLS protocol supported is TLS1.2. ISMS.online has been rated A+ by independent checks using the Qualys review process for SSL inspection.
  8. For data at rest, the shared filesystem and database filesystem are encrypted to AES-256 using HSM technology via the Amazon KMS service. Passwords are salted and hashed when stored. The database is not shared with other services nor is it publicly accessible – it is firewalled off in our private cloud and is only accessible by our application servers.
  9. All backups are encrypted/decrypted at source with AES256 level encryption and are encrypted in transit between the application and the backup data storage.
  10. All staff that are involved in the service delivery have been vetted and follow strict protocols, and all the services they use are configured to use Single Sign On (SSO) and/or 2 factor authentication (depending on availability of either). All passwords are managed by a service, ensuring very strong and secure passwords.
  11. Alliantist holds Cyber Essentials Certification.
  12. Alliantist has strong permissions and controls management to ensure that only authorised Users following strong security protocols can access the relevant parts of the backend of the platform in the event of a support issue. All access is logged and if appropriate can be forensically analysed in the unlikely event it needs to be.
  13. Alliantist holds appropriate insurance cover for Professional Indemnity, Cyber Breach, Public Liability and Employment.

Other technical and Platform measures made available for Registered Users include:

  1. 2 factor authentication is included for all Registered Users – at no additional cost to the core service and implemented from within the User preferences area. Customer administrators can see who has and hasn’t implemented it.
  2. Strong passwords, SSO and other forced security measures that can be set at an organisation level e.g., timeouts, forced password change etc.
  3. Role based permissions and access control measures for different jobs / different Registered User requirements.
  4. Privacy controls and permissions management in workspaces, controlled by the Customer administrators to prevent unauthorised access to Data.
  5. Administrator reports and measures to help monitor activity without breaching user privacy (and ensure Customer investments in Registered Users are optimised).
  6. Alliantist personnel or subcontractors acting in a coaching or support capacity inside the ISMS.online instance of the Customer are only added by the Customer for the time required and then removed by the Customer.

Customer is expected to take advantage of the Platform measures added for its benefit. Alliantist will not be responsible for any security incident or event that may occur because the Customer has failed to implement any or all of the Platform measures listed above. This includes Registered Users being responsible for maintaining the confidentiality and security of their password and login details and using the provided two factor authentication service.

Sub-processors

Sub-processors are used for a range of jobs and managed according to their role and risk around the Personal Data.

Sub-processors for our role as Data Processor

For customers using our UK data centre:

The UK is the primary processing location for Alliantist in its role as the Data Processor with the hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated at an AWS data centre in Ireland, and a further encrypted backup with Akamai (formerly known as Linode) UK to the same technical and organisational standards.

For customers using our EU data centre:

Germany is the primary processing location for Alliantist in its role as the Data Processor with the hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated at an AWS data centre in Sweden, and a further encrypted backup with Akamai (formerly known as Linode) Germany to the same technical and organisational standards.

For customers using our APAC data centre:

Australia is the primary processing location for Alliantist in its role as the Data Processor with the hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated at a second AWS data centre in Australia, and a further encrypted backup with Akamai (formerly known as Linode) Australia to the same technical and organisational standards.

For customers using our US data centre:

The US is the primary processing location for Alliantist in its role as the Data Processor with the hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated to a second AWS data centre within the US. A further encrypted backup is stored within Akamai (formerly known as Linode) US to the same technical and organisational standards.

By agreeing to this Agreement, Customer grants Alliantist a general authorisation in the meaning of Article 28 (2) of GDPR to engage sub-processors for the purposes of providing the Services. Alliantist will inform the Customer of material changes in such sub-processors in accordance with the Agreement and in line with Section 8.1, thereby giving the opportunity to object to such changes.

As the Controller, if the Customer wishes to exercise their right to object, they shall notify Alliantist in writing within 15 calendar days upon receipt of our notice. If the Customer does not object during this period, the new Sub-processor shall be deemed accepted. Alliantist shall make reasonable efforts to address or resolve any reasonable Controller’s objection. If this is not possible the Customer may terminate the agreement by providing written notice thereof within a further 30 days or choose to consent to the addition of the Sub-processor.

Plan for the safe return of data or its destruction at the end of the Agreement

At any point Customer can remove its Data through a range of reports, exports, and mechanisms on the Platform. Subject to the scope, style, and nature of what it wants and in what format, Alliantist will also assist the Customer with its end of life exit activity including the relevant aspects of Personal Data portability and transfer if required.

On conclusion of the Agreement and payment for the Services, Alliantist operates a Customer exit process in line with our IMS Controls where it ensures the Customer has, as Data Controller, removed what it wants from the Platform and then goes through the safe erasure and deletion of the Customer’s Data. This takes place 30 days after contract termination and then takes 30 days to conclude as the back-up information is erased and replaced during that cycle.

Company number: 04922343

Nile House, Nile Street, Brighton, England, BN1 1HW
Copyright © 2026 Alliantist Ltd