Version 4.2 Last updated 11th October 2021.
|Lead User||The Customer-nominated name and email address that Alliantist has on file for the person Alliantist should engage with over Customer’s use of the Platform. It is usually the same person who has Customer system administration rights and participates in reviews with Alliantist from time to time, and as such is the authorised person who will be notified by Alliantist in the event of a data breach. Customer can split these roles and nominate others as and when relevant.|
|Registered Users||Users who are permitted by the Customer to make use of the Platform. Each Registered User will have their own unique login email address and password.|
|Regular User||A Registered User who can create, administer and manage work on the Platform.|
|Occasional User||A Registered User who is going to infrequently access the system to benefit from work done on the Platform by Regular Users. This is a supplementary lower-cost model for those Occasional Users to, for example: a) receive notification emails from the Platform, e.g. for information security updates; b) occasionally access the Platform to demonstrate compliance with policies and controls as part of the policy pack add-on; and c) infrequently engage in other work, e.g. a discussion about a Legitimate Interest Assessment or Data Protection Impact Assessment.|
|Proposal||The order form, which will generally be called ‘Proposal’, is the quote that the Customer will have agreed to that contains information regarding the Services scope and fees, and any additional agreed terms. The terms entered on the Proposal will form part of the contract between the Customer and Alliantist, and in the event of any conflict will take precedence over the terms and conditions set out in this Agreement.|
|Customer Organisation Data or Data||All business content entered into ISMS.online by Registered Users including Personal Data.|
|Personal Data||Shall have the meaning given in the General Data Protection Regulation (EU) 2016/679 (GDPR).|
|Data Controller||The person that determines the purposes and means of the processing of Personal Data which in every case shall be the Customer.|
|Data Processor||Alliantist, which processes Personal Data on behalf of the Data Controller as part of its provision of the Services under the lawful basis of a contractual obligation. Unless explicitly added by the Customer for coaching on the Platform, or for the purpose of bug & issue support, Alliantist and its named sub-processors do not access any Data.|
|Sub-processors||Suppliers selected by Alliantist to complement its own delivery of the Services as regards Personal Data related work in line with UK GDPR obligations.|
|Help Material||Registered User guides and online tours for ISMS.online in electronic or printable form also made available in the ‘help’ section of ISMS.online and updated from time to time.|
|ISMS.online Policies||An optional extra that may be confirmed via the Proposal, including ‘head start’ policies and controls such as risk management, security incident and supplier management, along with other documentation e.g. risk bank content or related guidance for the Customer to use as part of its ISMS. It can either be adopted, adapted or added to depending on the Customer’s specific needs and circumstances.|
|Virtual Coach||An optional extra virtual coaching service delivered through the Platform that includes guides, checklists, videos and presentations to help organisations that are new to ISO 27001 understand more about the standard and how they can implement and maintain it for their organisation.|
|Services||The products, license and services that Alliantist has agreed to provide to Customer, and Customer has agreed to pay for as set out in the Proposal.|
|Minimum Fee||The first-year fee for access to the Services or a specific minimum payment (subject to the detail set out in the Proposal).|
|ISMS.online or the Platform||The cloud software platform with optional feature extras, owned and operated by Alliantist for the purpose of implementing, improving and managing an Information Security Management System (“ISMS”) or similar management system and licensed to Customer under the Proposal and this Agreement.|
|Specialist Assistance||Any additional advisory or other specialist fees paid that are detailed in the Proposal.|
2.1) Subject to the terms of this Agreement, Alliantist grants, and Customer accepts, a non-exclusive, non-transferable, revocable license, without the right to grant sublicenses, to use the Services.
2.2) Customer shall display and retain Alliantist’s and/or its suppliers’ copyright, trademarks, proprietary, or confidentiality statement or legends and other notices in ISMS.online.
2.3) Customer acknowledges that Alliantist retains all right, title and interest in and to the original, and any copies, of ISMS.online, ISMS.online Policies, the Help Documentation and Virtual Coach (and any other component of the Services), and that ownership of all patent, copyright, trade secret, trademark and other intellectual property rights (whether registered or not) pertaining thereto shall be and remain the sole property of Alliantist (subject to the rights of any third-party copyright holder that may be identified).
2.4) Without limiting the generality of the foregoing, Customer receives no rights to, and agrees that it will not itself, or through any parent, subsidiary, affiliate, agent or other third party (i) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques, processes or algorithms of the Services or any portion thereof, or otherwise derive its source code; (ii) modify, port, translate, localise or create derivative works of the Services; (iii) sell, lease, license, sublicense, copy, market or distribute the Services; (iv) encumber or suffer to exist any lien or security interest on the Services; (v) disclose the results of any performance tests or qualitative analysis on the Services to any third party without the prior written consent of Alliantist.
2.5) If taken as an option on the Proposal the Customer is granted a limited, non-exclusive, revocable, non-transferable licence to access and use the ISMS.online Policies and Virtual Coach.
2.6) Customer undertakes and agrees not to license, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party any aspect or component of the Services and shall notify Alliantist immediately if it becomes aware of any unauthorised disclosure or use of the Services by a third party.
2.7) On condition that Customer is not in breach of any terms of this Agreement (or the Proposal), the Customer can continue to use the ISMS.online Policies (not the technology tools inside the Platform) internally even if it chooses not to renew or continue with the Platform when the Services are due for renewal.
3.1) Customer retains all right, title and interest to all Customer Organisation Data.
3.2) Data uploaded to the Platform and any processing of it must be in compliance with these Terms along with all applicable laws and regulations. By uploading Data to the Platform, Customer authorises Alliantist to process the Data pursuant to 3.4 and 3.5 below. The Customer is responsible for ensuring that:
3.3) Alliantist does not (in the normal course of operation) see or understand the Data held on the Platform.
3.4) Personal Data Processing
For the purposes of Article 28 of GDPR (and any equivalent domestic law requirement) we set out below the terms of our data processing agreement.
|Subject matter of processing||Alliantist provides ISMS.online to enable the Customer to implement and operate a management system.|
|Lawful bases for the Controller||The controller warrants that it has a lawful basis for processing the Data.|
|Lawful basis of the Processor||Contractual obligation in line with this Agreement.|
|Duration for the processing||Alliantist will process the Data on behalf of the Customer for the term of the Agreement and for such time as is required thereafter if the Customer continues with the Services.|
|Nature and purpose of the processing||Customer will collect, collaborate, coordinate, organise, share, record, store, amend, edit and delete information including appropriate personal data for the purpose of implementing, improving and managing its ISMS. Alliantist will also process personal data as required to support and maintain the Services for the Customer.|
|Types of data held||Customer is only required to add personal data of Registered Users, such as organisation email address, first name and surname, for users to access the Platform. Registered Users can choose to add more details such as an avatar picture and telephone, mobile and work address if they want to, in order to facilitate greater trust and collaboration between Registered Users. IP addresses are also held for the purpose of compliance with other legislation, protective monitoring, and delivery of support & maintenance.
Depending on the scope of the solution, the Customer may also choose to hold relevant personal details of its staff, e.g. during HR information-security-focused recruitment, induction, in-life management and exit. The Platform is not specifically designed, nor is it encouraged to be used, as an HR tool for the holding of significant sensitive or high volumes of personal data. Personal data details of suppliers, partners and customers to achieve the Purpose may also be held in areas such as the Accounts suite, where it helps organisations manage business relationships better and demonstrate they are in control of their supply chain. This data includes email address, phone numbers, first name and surname.
|Information Security and Data Protection safeguards in place||Alliantist has a number of organisational and technical related measures for the protection of all valuable information, not just Personal Data.
Organisational and technical measures include:
1. UKAS-certified ISO 27001:2013 at the organisation level; the software application ISMS.online and the staff involved in the Services meet appropriate confidentiality, integrity and availability thresholds following a risk analysis.
2. The supply chain is certified to at least the same standard or an acceptable equivalent for infrastructure-critical services (data centre hosting, code management etc).
3. Any smaller suppliers that work on the Platform and do not hold ISO certifications themselves follow the Alliantist ISMS and are contracted on that basis.
4. All staff (and relevant suppliers) involved are regularly trained on information security and privacy. They agree to comply with the policies and controls, including confidentiality, as part of their recruitment, induction and in-life monitoring, at least annually, and where appropriate on a change of role.
5. Alliantist follows the Information Commissioner’s Office (ICO) model for demonstrating GDPR compliance and compliance with ISO 27701. This includes risk assessing security and data protection activities, many of which dovetail into the UKAS-certified ISO 27001 standard also held.
6. Where appropriate, data protection impact assessments, policy reviews and internal audits are undertaken regularly alongside management reviews in line with ISO 27001.
7. The software application is penetration tested annually or on significant change events.
8. Data in transit between the end user and the service uses TLS. The SSL certificate in use by the service has a 2048-bit RSA key with a SHA-256 signature algorithm. The TLS terminator is configured to prefer more recent protocol versions and more secure options first, and not to fall back to an older protocol version after the initial negotiation. The minimum version of the TLS protocol supported is TLS 1.2. The options in use are as recommended by Mozilla’s ‘Intermediate’ TLS configuration.
9. For data at rest, the shared filesystem and database filesystem are encrypted with AES-256 using HSM-backed keys managed by the Amazon KMS service. Passwords are salted and hashed when stored. The database is not shared with other services, nor is it publicly accessible: it is firewalled off in our private cloud and is only accessible by our application servers.
10. All backups are encrypted and decrypted at source with AES-256 encryption and are encrypted in transit between the application and the backup data storage.
11. All staff involved in service delivery have been vetted and follow strict protocols, and all the services they use are (where appropriate) protected by two-factor authentication and other security controls such as Single Sign-On (SSO) and password management services to ensure strong and suitable passwords.
12. Alliantist follows Cyber Essentials to the IASME standard.
13. ISMS.online has been rated A+ by independent checks using the Qualys SSL inspection review process.
14. Alliantist has strong permissions and controls management to ensure that only authorised Users following strong security protocols can access the relevant parts of the backend of the Platform in the event of a support issue. All access is logged and, if required, can be forensically analysed.
15. Alliantist holds appropriate insurance cover for Professional Indemnity, Cyber Breach, Public Liability and Employment.
Other technical and Platform measures made available for Registered Users include:
16. Two-factor authentication is included for all users at no additional cost to the core service and is enabled from within the User preferences area. Customer administrators can see which users have and have not enabled it.
17. Strong password requirements, SSO and other enforced security settings that can be applied at organisation level, e.g. session timeouts and forced password changes.
18. Role based permissions and access control measures for different jobs / different Registered User requirements.
19. Privacy controls and permissions management in workspaces, controlled by the team admin to prevent unauthorised access to Data.
20. Administrator reports and measures to help monitor activity without breaching user privacy (and ensure Customer investments in Registered Users are optimised).
21. Alliantist personnel or subcontractors acting in a coaching or support capacity inside the ISMS.online instance of the Customer are only added by the Customer for the time required and then removed by the Customer.
Customer is expected to take advantage of the Platform measures added for its benefit. Alliantist will not be responsible for any security incident or event that may occur because the Customer has failed to implement any or all of the Platform measures listed above. This includes Registered Users being responsible for maintaining the confidentiality and security of their password and login details and for using the provided two-factor authentication service.
|Sub-processors||Sub-processors are used for a range of jobs and managed according to their role and risk around the personal data.
The UK is the primary processing location for Alliantist in its role as the Data Processor, with hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated at an AWS data centre in Ireland, and a further encrypted backup is held with Linode UK to the same technical and organisational standards.
Where Personal Data is transferred outside the UK, it will only be transferred to countries that have been identified as providing adequate protection for UK data or to a third party where we have approved transfer mechanisms in place to protect Personal Data such as the European Commission’s Standard Contractual Clauses.
In Alliantist’s customer support role and back-office delivery (e.g. customer finance management, customer communications) there are some international transfers, which are covered by international transfer agreements (EU Standard Terms). In our role as Data Controller the sub-processors used include:
AWS (London primary and Dublin failover), Linode, Google, Jira, FreshWorks, SalesMate, Zoom, Taylor Baines, Xero, Fresh Financials, RingCentral, WordPress, MailChimp, HubSpot, We Have A Meeting.
By agreeing to these Terms, Customer grants Alliantist a general authorisation within the meaning of Article 28(2) of GDPR to engage sub-processors for the purposes of providing the Services. Alliantist will inform the Customer of material changes in such sub-processors in accordance with the Agreement and in line with Clause 7.1.
|Plan for the safe return of data or its destruction at the end of the Agreement||At any point Customer can remove its Data through a range of reports, exports and mechanisms on the Platform. Subject to the scope, style and nature of what it wants and in what format, Alliantist will also assist the Customer with its end of life exit activity including the relevant aspects of personal data portability and transfer if required.
On conclusion of the Agreement and payment for the Services, Alliantist operates a Customer exit process in line with ISO 27001:2013, in which it ensures the Customer has, as Data Controller, removed what it wants from the Platform and then carries out the safe erasure and deletion of the Customer Data. This takes 30 days to conclude, as the backup information is erased and replaced during that cycle.
3.5) Alliantist as the Data Processor will assist the Customer as the Data Controller in meeting the Customer’s obligations under Regulation (EU) 2016/679 and allowing data subjects to exercise their rights under Regulation (EU) 2016/679. To that end Alliantist has a range of policies, procedures and approaches such as:
4.1) Fees for Customer license to the Services are set out in the Proposal. Fees include access to the Services as described and include Platform maintenance with appropriate technical support for the Customer Lead User and authorised administrators. The fees also include automatic access to relevant Platform releases and enhancements for the functionality in scope on the Proposal. Registered User support is covered in the fees through the Help Documentation and includes tours, videos and other support materials on the Platform.
4.2) Unless otherwise stated in the Proposal, this Agreement shall last for a minimum term of one year, for which the Minimum Fee is payable. First-year fees, discounted for annual advance payment, are due before service commences unless a valid Purchase Order is agreed instead. Monthly and quarterly payment-in-advance models are also available.
4.3) After the first year, the Services will automatically continue until such time as Customer or Alliantist gives the other at least 30 days’ notice to terminate. Fees for the ongoing service can be paid monthly, quarterly or annually in advance with discounts/increases reflective of the ongoing commitment made. Alliantist does not provide refunds so after the first year or payment of the Minimum Fee the Customer may choose a shorter rolling payment term for ongoing service delivery, or continue with the Services until such time as any of its prepayments align with the notice to terminate.
4.4) Additional Registered Users or increases to the Services scope, e.g. adding an optional extra such as policy packs or supply chain accounts, can be requested at any time subject to the relevant fee payment as set out in the Proposal or the price as quoted at the time of request. Registered User numbers are reviewed quarterly or at other intervals as needed and paid pro rata for any period added, then aligned with the usual payment period thereafter. After payment of the Minimum Fee any of the Services can be adjusted accordingly and fee changes reflect the ongoing change in use.
4.5) All fees assume a fair and acceptable use of the Services. In the event that the use of the Platform or the Services by the Customer exceeds fair and acceptable use Alliantist will alert Customer to the issues in writing and give the Customer the opportunity of easing use or paying for the extra service requirements.
4.6) All fees exclude VAT and other government taxes.
4.7) Either party may terminate this Agreement and any Proposal immediately upon written notice if the other: (i) commits a material breach of the Agreement which (in the case of a breach capable of remedy) has not been remedied within 30 days, where a material breach includes a failure by Customer to make payment in accordance with this Agreement; or (ii) has a liquidator, receiver, administrator or administrative receiver appointed in respect of the whole or any part of its undertaking or assets; or (iii) ceases or threatens to cease to carry on business; or (iv) suffers a data breach that increases risks to the rights and freedoms of data subjects whose information is held on the Platform.
4.8) On termination for any reason:
4.8.1) All rights granted to the Customer under this Agreement including without limitation the license to use the Services shall cease and the Customer shall cease all activities authorised by this Agreement;
4.8.2) The Customer shall immediately pay to Alliantist any sums due to Alliantist under this Agreement, except where any sum of money shall be recoverable from or payable by Alliantist, the Customer may deduct same from any sum then due to Alliantist under this Agreement;
4.8.3) Customers can remove Customer Organisation Data from the Platform at any time.
5.1) Alliantist warrants that the Platform shall perform substantially in accordance with the specifications set out in the Proposal, Help Documentation and will reflect the features and services expressed from the ISMS.online website.
5.2) Customer hereby acknowledges and agrees that access to the Services may be affected by local network telecommunications activity; government networks, electronic mail failure, capacity and compatibility with third party communication equipment, communication software, web browsers and internet (or intranet) enabled software. Alliantist hereby disclaims and Customer hereby waives any and all Alliantist responsibility for any failures in connection with local market network telecommunication activity, government networks, electronic mail failure, capacity and compatibility with third party communication equipment, communication software, web browsers and internet (or intranet) enabled software.
5.3) Alliantist shall not be liable for any failure to perform its obligations under this Agreement because of circumstances beyond its control, which shall include (without limitation) natural disaster (including widespread infectious disease, including epidemics and pandemics), terrorism, labour disputes, war, declarations of governments, transportation delays, telecommunications failure and misuse of the Services by Customer.
5.4) Alliantist agrees, subject to the limit of its insurance cover, to indemnify Customer against all claims, demands, suits, liabilities, costs, expenses (including reasonably incurred legal fees), damages and losses suffered or incurred by Customer arising out of a third-party claim against Customer in respect of infringement of a third party’s intellectual property rights arising out of Customer’s use of ISMS.online. This indemnity shall not apply to the extent that a claim under it results from Customer’s negligence, wilful misconduct, or modification from the specification. It is subject to Customer immediately notifying Alliantist of any claim, and in any event within 3 months; Customer not admitting any fault or making any offer to settle; and Alliantist having sole control of the claim with reasonable assistance as required from the Customer.
If Customer is prevented from using the Platform thereafter Alliantist will at its sole discretion and cost either: source the rights to continue use; replace the disputed intellectual property and modify ISMS.online such that the purpose is still served; or terminate the Agreement and refund Customer any unused but prepaid fees.
5.5) Other than to the extent prohibited by law, or liability in relation to clause 5.4, in no event shall the total aggregate liability of Alliantist exceed the annual Platform fees paid in the previous year by the Customer.
6.1) ISMS.online, ISMS.online Policies, Virtual Coach and the Help Documentation are proprietary to Alliantist and contain valuable trade secrets. The Customer shall at all times keep the software, policies, documentation, technical or commercial information, inventions or processes and any and all information concerning Alliantist’s business or products and which have been disclosed to the Customer by Alliantist and which are of a confidential nature in strict confidence and shall not permit the same to be used, copied, disclosed or disposed of except in accordance with this Agreement.
6.2) The Proposal of this Agreement is confidential and may not be disclosed by either party without the prior written consent of the other party.
6.3) Where Customer discloses confidential information to Alliantist, Alliantist agrees to protect the Customer’s confidential information with the same standards and integrity as it uses in respect of its own confidential information.
6.4) The receiving party (whether Customer or Alliantist) may disclose information of a confidential nature to such of its employees as need to know the same for the purpose of discharging the receiving party’s obligations or rights under this Agreement and shall ensure that such employees are subject to obligations of confidentiality corresponding to those set out in this Agreement.
6.5) The provisions of this section 6 shall: (i) not apply to information which is already public knowledge or becomes so at a future date (other than by breach of this Agreement); (ii) not apply to information which is known without restriction to the receiving party at the time of disclosure without breach of any obligation of confidentiality; (iii) not apply to information which is shown to the reasonable satisfaction of the originating party to have been generated independently by the receiving party; (iv) remain in full force and effect notwithstanding termination of this Agreement for any reason.
7.1) As is common for all SaaS (‘software as a service’) vendors, Alliantist may from time to time need to alter the terms of this Agreement in light of changes in market and regulatory conditions. Therefore, we reserve the right to alter this Agreement at any time by posting such changes to the Customer at its nominated Lead User email address and through the Platform. If these changes may have an adverse effect on Customer’s business where it may want to object to such change, please discuss it with your customer success manager in the first instance.
Your continued use of the Services after such changes have been posted constitutes your binding acceptance of such changes. Such amended Agreement will become effective upon the earlier of your continued use of the Services, or 30 days from notification of the changes.
7.2) The Platform may contain links to other third-party web sites. Alliantist is not responsible for the privacy practices or the content of these other web sites. Registered Users will need to check the policy statement of these other web sites to understand their policies. Registered Users who access a linked site may be disclosing their private information. It is the responsibility of the Registered User to keep such information private and confidential.
7.3) Unless otherwise specified in the Proposal, service and support shall be provided subject to the terms set out in the support policy available in the footer of the Platform and on the website.
7.4) These terms will be governed by and construed in accordance with English Law, without giving effect to its conflict of law provisions or Customer’s actual state or country of residence. Any claims, legal proceeding or litigation arising in connection with ISMS.online will be brought solely in England, and Customer consents to the exclusive jurisdiction of such courts provided that each party shall have the right to enforce a judgment of the English Courts in a jurisdiction in which the other party is incorporated or in which any assets of the other party may be situated.
7.5) A person who is not a party to this Agreement may not rely upon or enforce any rights pursuant to the Contracts (Rights of Third Parties) Act 1999.
Any questions or issues should in the first instance be dealt with using the normal ISMS.online support channels (support@ISMS.online) or with your customer success manager, then escalated if required thereafter.