Version 2.8 Last updated 14th January 2019.
To see earlier versions of the ISMS.online Customer Licence Agreement click here.
This agreement (“Agreement”) is made as of the service commencement date stated on the accepted proposal Order Form or the first date that you access ISMS.online, if earlier, (the “Effective Date”) between Alliantist Limited, a company registered in England and Wales (company number: 4922343) (“Alliantist“) and your organisation specified on the proposal order form (“Customer”). Alliantist can be contacted at enquiries@ISMS.online and via post to Sussex Innovation Centre, Science Park Square, Brighton, BN1 9SB, United Kingdom.
“ISMS.online” is a powerful cloud software platform (“Platform”) owned and operated by Alliantist available with a range of core services and optional software extras. In addition, with ISMS.online Policies, Virtual Coach as content focused add-ons which are specified at the time of subscription or can be added during the term, together with the Platform are described as (“the Services”). The Services configuration depends on the business purpose of the customer (“the Purpose”) which is generally for the purpose of implementing, improving and managing an Information Security Management System (“ISMS”).
ISMS.online is accessible by Registered Users (as defined below) who have been added by the Customer in line with its allowed number of Registered Users (as defined on the Order Form). Customer wants to license ISMS.online and authorise Registered Users to use the Services for Customer led business activities that enable its organisation to achieve the Purpose subject to the terms and conditions of this Agreement.
The Services are offered for Customer acceptance, without modification (other than any Special Terms as defined below) agreed by the parties pursuant to the terms and conditions of this Agreement contained herein and all other operating rules, policies (including, without limitation, the privacy policy, support policy and any future modifications thereof, and procedures that may be published from time to time on the Platform or made available to you on or through the Services (collectively, the “Terms”). When accepted by Customer (as defined below), these Terms form a legally binding contract between you and Alliantist. You represent that you have the legal authority to bind the Customer. Once accepted, these Terms remain effective until terminated as provided for herein.
Alliantist does not normally offer trials. If however Alliantist offers a trial, paid or unpaid of the ISMS.online or the Services, the applicable provisions of these Terms will govern that trial. Alliantist reserves the right not to offer trials and may in its sole discretion choose to suspend a trial at any time for any reason.
PLEASE READ THESE TERMS CAREFULLY. BY ACCESSING, BROWSING, AND/OR OTHERWISE USING THE ISMS.ONLINE SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS, DO NOT ACCESS, BROWSE OR OTHERWISE USE THE PLATFORM OR THE ISMS.ONLINE SERVICES.
Alliantist reserves the right, to change, modify, add, or remove portions of the Terms at any time (except for any Special Terms as defined below) by posting such changes to the Customer at its nominated Lead User email address or through the Platform depending on the nature of the changes. Please check these Terms periodically for changes. Your continued use of the Services after such changes have been posted as provided above constitutes your binding acceptance of such changes. Such amended Terms will automatically be effective upon the earlier of your continued use of the Services, or 30 days from posting of such modified Terms on or through the Platform. Notwithstanding the foregoing, the resolution of any dispute that arises will be governed by the Terms in effect at the time such dispute arose.
| Customer Organisation | The ISMS.online organisation account to which Customer’s employees and representative Registered Users are associated. |
| Lead User | The Customer nominated name and email address that Alliantist has on file as the person I should engage with over Customer’s use of the Platform. Usually also the same person who has Customer system administration rights and participates in reviews with Alliantist from time to time and as such is the authorised person who will be notified by Alliantist in the event of a data breach. Customer can split these roles and nominate others. |
| Customer Users | Registered Users who are employees of the Customer or generally operating in a capacity as representatives for the Customer and have accepted the User Registration Terms. Each Customer User will have their own unique login email address and password. |
| Partner Organisation | An organisation added to ISMS.online by the Customer Organisation which can then be issued restricted user rights licences ‘Partner Users’ e.g. for where the Customer wishes to collaborate with the Partner Organisation for the Purpose (e.g. a supplier, partner or customer working on information security management together). |
| Partner Organisations have their own obligations. The first Partner User will accept the online click through Partner Registration Agreement on behalf of its organisation. If the Partner Organisation is already a Customer Organisation then no further terms apply and the organisations simply collaborate together on the Platform under their normal Agreement terms (and they may have their own Information Sharing Agreement in place). | |
| Partner Users | Registered Users who are employees or representatives of a Partner Organisation and require access to ISMS.online. Partner Users are associated with a Partner Organisation and may only use the platform for the Customer Organisation Purpose. Partner Users accept the User Registration Terms and have limited access to ISMS.online. They are able to collaborate fully in Initiatives created by a Customer User but are unable to create new work initiatives themselves. Each Partner User will have its own unique login and password. |
| Partner Registration Agreement | The terms of registration for all Partner Organisations using ISMS.online. |
| Registered User | A Customer User or Partner User registered in ISMS.online. |
| Regular User | The default licence model for Registered Users which enables the User to access and engage in work on the Platform in accordance with the Purpose. |
| Occasional User | A supplementary lower cost licence model for Customers who want larger volumes of Registered Users (normally over fifty) but may only need those users to receive: a) notification emails from the Platform e.g. for information security updates and or b) occasionally access the Platform for demonstrating compliance to policies and controls as part of the policy pack add-on and infrequently engage in other work e.g. a discussion about a Legitimate Interest Assessment (LIA) or Data Protection Impact Assessment (DPIA). Occasional and infrequent typically means a limited log on in a period e.g. for understanding and showing compliance to their policies as they evolve. It has a reasonableness test against it to ensure that the Occasional User licence is not being misused when a Regular User licence may be more appropriate. |
| Initiatives | Specific work areas either pre-configured as part of the Platform scope or created by Customer Users in the course of achieving their Purpose. Examples include policies and controls projects, gap analysis projects, groups, supplier accounts, compliance policy packs and trackers such as those for managing security incidents, corrective actions etc. |
| Order Form | The information contained in the proposal order that sets out the scope, fees, number and type of Registered Users, the duration and start date for access to ISMS.online by the Customer along with the relevant features, initiative types and tools, ISMS.online Policies, Virtual Coach or related solutions being provisioned as well as any other contextual Platform information. |
| Customer Organisation Data | All business content entered into ISMS.online by Customer Users for the Purpose including Personal Data. |
| Partner Organisation Data | All business content entered into ISMS.online by Partner Users for the Purpose including Personal Data. |
| Data | Customer Organisation and Partner Organisation Data. |
| User Registration Terms | The terms of registration including the acceptable use policy set out by Alliantist for all Registered Users of ISMS.online. |
| Personal Data | Shall have the meaning as provided in the General Data Protection Regulations (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). |
| Data Controller | The Customer Organisation or Partner Organisation that determines the purposes and means of the processing of Personal Data. |
| Data Processor | Alliantist, which processes Personal Data on behalf of the Data Controller as part of its provision of the Services under the lawful basis of a contractual obligation. Unless explicitly added by the Customer for coaching on the Platform, or for the purpose of bug & issue support, Alliantist and its named sub-processors do not access any Data. |
| Sub-processors | Suppliers selected by Alliantist to complement its own delivery of the Services as regards Personal Data related work in line with GDPR obligations. |
| Help Documentation | User guides and online tours for ISMS.online in electronic or printable form also made available in the ‘help’ section of ISMS.online and updated from time to time. |
| ISMS.online Policies | An optional extra including policies and controls, or related guidance for the Customer to use as part of its ISMS in the form of written notes documentation, files and other content presented in the ISMS.online system content. It is generally provided by Alliantist pre-configured with the Platform to help the Customer ‘adopt, adapt and add to’ very quickly and offer a head start in developing its ISMS. Examples include risk management methodologies, security incident, supplier management policies etc. Alliantist does not provide any warranties to the Customer as to their fitness for the Purpose given the specific goals of the Customer ISMS. Some clearly specified content added into the notes areas is reproduced with permission from the respective copyright holders such as the Information Commissioner’s Office in the United Kingdom and at the time of service commencement reflects that body’s guidance. Alliantist is under no obligation to keep any of the policies, controls or guidance up to date after the service commencement date. |
| Virtual Coach | An optional extra ISO 27001:2013 virtual coaching service delivered through the Platform that includes guides, checklists, videos and presentations to help organisations that are new to ISO 27001:2013 understand more about the standard and how they can implement it for their organisation. Alliantist does not provide any warranties to the Customer as to their fitness for the Purpose given the specific goals of the Customer ISMS. |
| Special Terms | Only available for organisations that require bespoke Platform development beyond the standard packaged services and invest at least £50,000 per annum excluding VAT. These are special terms added to the proposal Order Form or otherwise documented and agreed in written or electronic auditable form and added to the Agreement e.g. by email exchange and take precedent over the standard Agreement terms. |
| Minimum Fee | The first-year fee for access to the Services or a specific minimum payment for access to the Platform, the ISMS.online Policies, Help Documentation, Virtual Coach and other valuable learning provided within the Services. |
| Reseller Agreement | A separate agreement with Alliantist for specifically referring and reselling some of all of the Services. |
| Information Sharing Agreement: | Organisations that are collaborating on sensitive information sharing work may choose to have a separate Information Sharing Agreement between them that sets out any provisions for their information and data sharing on the Platform including data controller, processor and other activity between them. See clause 3. |
2.1) Subject to the terms of this Agreement, Alliantist grants, and Customer accepts, a non-exclusive, non-transferable, revocable, license, without the right to grant sublicenses, except to Partner Organisations added in line with the relevant scope and subscription payments outlined in the Order Form, to use the Services for the Purpose.
2.2) Customer shall display and retain Alliantist’s and/or its suppliers’ copyright, trademarks, proprietary, or confidentiality statement or legends and other notices in ISMS.online however it is used.
2.3) Customer acknowledges that Alliantist retains all right, title and interest in and to the original, and any copies, of ISMS.online, ISMS.online Policies and the Help Documentation, Virtual Coach and ownership of all patent, copyright, trade secret, trademarks and other intellectual property rights (whether registered or not) pertaining thereto, shall be and remain the sole property of Alliantist or the original copyright holders if expressed as different owners in the ISMS.online Policies or obvious from the nature of the frameworks, regulations or standards available. Frameworks, regulations and specialist standards copyright holders may charge licence fees for following their checklists/methods. Alliantist recommend that specific licences are purchased where required and Customer is responsible for obtaining and funding any specific licences from those copyright holders.
2.4) Notwithstanding that Customer may contribute to the cost of or participate in the making of derivative works, translations, customised versions, updates, error corrections, enhancements, modifications, or other versions of ISMS.online, Customer shall not be an owner of any copies or translations or versions of, nor have any interest in, ISMS.online, its Help Documentation or the Virtual Coach, but rather, is licensed, pursuant to and subject to the limitations in this Agreement, to use such copies solely for the Purpose stated in this Agreement.
2.5) Without limiting the generality of the foregoing, Customer receives no rights to, and agrees that it will not itself, or through any parent, subsidiary, affiliate, agent or other third party (i) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques, processes or algorithms of the Services or any portion thereof, or otherwise derive its source code; (ii) modify, port, translate, localise or create derivative works of the Services; (iii) sell, lease, license, sublicense, copy, market or distribute the Services, other than to Partners as set out in this Agreement; (iv) encumber or suffer to exist any lien or security interest on the Services; (v) disclose the results of any performance tests or qualitative analysis on the Services to any third party without the prior written consent of Alliantist; and (vi) use a total number of Registered Users in excess of those agreed in the Order Form.
2.6) If taken as an option on the Order Form the Customer is granted a limited, non-exclusive, revocable, non-transferable licence to access and use the ISMS.online Policies and Virtual Coach solely for the Purpose. They contain information and templates which constitute general guidance only in relation to the application of the relevant regulations or standards the Customer wishes to work towards. The Customer should take information security, legal or other appropriate professional advice to ensure the content and approach meets its specific Purpose.
2.7) Unless otherwise agreed as part of a Reseller Agreement Customer undertakes and agrees not to license, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Services including the Platform, Help Documentation, ISMS.online Policies or Virtual Coach in any way and shall notify Alliantist immediately if it becomes aware of any unauthorised use of them. This term shall survive termination of this Agreement.
2.8) Subject to the other terms of this Agreement, in particular 2.7 and 4.8.4, having paid its Minimum Fee for the Services, the Customer can continue to use the ISMS.online Policies content (not the technology tools inside the Platform) for its Purpose internally even if it chooses not to renew or continue with the Platform when the Services are due for renewal.
2.9) Each Registered User shall accept the User Registration Terms which include acceptable use terms and an authorised representative from a Partner Organisation accepts the ‘click through’ Partner Registration Agreement unless they already have a Customer Organisation Account with Alliantist.
3.1) Customer retains all right, title and interest to all Customer Organisation Data. Partner Organisation retains all right, title and interest to all Partner Organisation Data Subject except where:
3.1a) Customer has its own Information Sharing Agreement with any Partner Organisations it adds to the Platform about any Partner Organisation Data shared on the Platform. Alliantist will only act in accordance with the Customer instructions, not the Partner Organisation;
3.1b) the Partner Organisation is also a Customer of Alliantist in which case it would look to understand who owned the initiative in the Platform if there was any dispute and work collaboratively with the Customer and Partner Organisation in line with a relevant Information Sharing Agreement to help resolve any issues.
3.2) If the Customer uploads Data to the Platform, such Data and any processing of it must be in compliance with these Terms along with all applicable laws and regulations. By uploading Data to the Platform, Customer authorises Alliantist to process the Data. The Customer is responsible for ensuring that:
3.2a) the Customer and any of the Registered Users associated with it do not create, transmit, display or make otherwise available any Data that violates these Terms, or in the sole opinion of Alliantist, the rights of Alliantist, other Customers, Partner Organisations or Users, persons or Organisations or is harmful (for example viruses, worms, malware and other destructive codes), offensive, threatening, abusive, harassing, tortuous, defamatory, vulgar, obscene, invasive of another’s privacy, defamatory, hateful or otherwise unlawful; and
3.2b) the Customer and all of the Registered Users associated with it including Partner Organisations added by the Customer have the necessary rights and lawful justifications to use the Data, including adding it onto the Platform and processing it thereafter. Customer shall have sole responsibility for the accuracy, quality, and legality of all Data including Personal Data and the means by which Customer acquired said Data including Personal Data.
3.3) Alliantist does not pre-screen, monitor or filter any Data or acts of its processing by the Customer in order to discover any unlawful nature therein and Customer understands that Alliantist does not in the normal course of operation see or understand what Data is held on the Platform.
For the purposes of Article 28 of Regulation (EU) 2016/679, these Terms constitute the data processing contract between the Customer as the Data Controller and Alliantist as the Data Processor. Customer hereby instructs Alliantist to process the data as described in these Terms.
| Data Controller | Customer. |
| Data Processor | Alliantist. |
| Subject matter of processing | Alliantist provides ISMS.online for the Customer to implement, improve and manage its ISMS as described in the Purpose. |
| Lawful bases for the Controller | The controller will be operating under one of either: a) consent , b) contract, c) legal obligation, d) vital interests, e) public interest, f) legitimate interests |
| Lawful basis for the Processor | Contractual obligation in line with this Agreement. |
| Duration for the processing | Alliantist will process the Data on behalf of the Customer for the term of the Agreement and for such time as is required thereafter if the Customer continues with the Services and pays fees when they become due. |
| Nature and purpose of the processing | Customer can collect, collaborate, coordinate, organise, share, record, store, amend, edit and delete information including appropriate personal data for that Purpose of implementing, improving and managing its ISMS. Alliantist will also process personal data as required to support and maintain the Services for the Customer. |
| Types of data held | Customer is only required to add personal data of Registered Users such as organisation email address and first name, surname for users to access the Platform. Registered Users can choose to add more details such as an avatar picture and telephone, mobile and work address if they want to in order to facilitate greater trust and collaboration between Registered Users. IP addresses are also held for the purpose of compliance with other legislation, protective monitoring, and delivery of support & maintenance. |
| Depending on the scope of the solution the Customer may also decide to hold relevant personal details of its staff e.g. during HR information security focused recruitment, induction, in-life management and exit. The Platform is not specifically designed nor encouraged to be used as an HR tool for the holding of significant sensitive or high volumes of personal data. Personal data details of suppliers, partners and customers to achieve the Purpose may also be held in areas such as the Accounts suite where it helps organisations manage business relationships better and demonstrate they are in control of their supply chain. This data includes email address, phone numbers, first name and surname. | |
| Information Security and Data Protection safeguards in place | Alliantist has a number of organisational and Platform related measures for the protection of all valuable information, not just personal data. |
| Organisational measures include: | |
| UKAS certified ISO 27001: 2013 at the organisation level, the software application ISMS.online, and the staff involved in the Services meet appropriate confidentiality, integrity and availability thresholds following a risk analysis. | |
| Supply chain is certified to at least the same standard or an acceptable equivalent for infrastructure critical services (data centre hosting, code mgt etc). | |
| Any smaller suppliers that work on the platform who don’t hold ISO certifications themselves follow Alliantist ISMS and are contracted on that basis. | |
| All staff (and relevant suppliers) involved are regularly trained on information security and privacy. They agree to comply with the policies and controls, including confidentiality, as part of their recruitment, induction, in-life monitoring, at least annually and if appropriate when undertaking change of role. | |
| Alliantist follows the Information Commissioner’s Office (ICO) model towards demonstrating GDPR compliance at least until a formal recognised GDPR certification is established. This includes considering and risk assessing against 120 activities, many of which dovetail into the UKAS certified ISO 27001 standard. | |
| Where appropriate data protection impact assessments, policy reviews and internal audits are undertaken regularly alongside management reviews in line with ISO 27001:2013. | |
| The software application is penetration tested annually or on significant change events, all independently CHECK tested. | |
| Data in transit between the end user and the service uses TLS. The SSL Certificate in use by the service uses a 2048 bit RSA Key with a SHA256 algorithm. The TLS terminator is configured to prefer more recent versions of protocols and more secure options first and is configured to not revert to an older standard after initial negotiation. Options in use are as recommended by Mozilla’s ‘Intermediate’ TLS configuration. | |
| For data at rest, the shared filesystem and database filesystem Is encrypted to AES-256 using HSM technology using the Amazon KMS service. Passwords are salted and hashed when stored. The database is not shared with other services nor is it publicly accessible – it is firewalled off in our private cloud and is only accessible by our application servers. | |
| All backups are encrypted/decrypted at source with AES256 level encryption and are encrypted in transit between the application and the backup data storage. | |
| All staff that are involved in the service delivery have been vetted, follow strict protocols and all the services they use are (where appropriate) enabled by 2 factor authentication, and other security controls such as password management services to ensure strong and suitable passwords. | |
| Alliantist follows Cyber Essentials to the IASME standard. | |
| ISMS.online has been rated A+ by independent checks using the Qualsys review process for the SSL inspection. | |
| Alliantist has strong permissions and controls management to ensure that only authorised users following strong security protocols can only access the relevant parts of the backend of the platform in the event of a support issue. All access is logged and if appropriate can be forensically analysed in the unlikely event it needs to be. | |
| Alliantist holds appropriate insurance cover for Professional Indemnity, Cyber Breach, Public Liability and Employment. | |
| Platform measures made available for Registered Users include: | |
| 2 factor authentication is included for all users – at no additional cost to the core service and implemented from within the User preferences area. Customer administrators can see who has and hasn’t implemented it. | |
| Strong passwords and other forced security measures that can be set at an organisation level e.g. timeouts, forced password change etc. | |
| Role based permissions and access control measures for different jobs / different Registered User requirements. | |
| Privacy controls and permissions management at Initiative levels, controlled by the team admin to prevent unauthorised access to Data. | |
| Administrator reports and measures to help monitor activity without breaching user privacy (and ensure Customer investments in Registered Users are optimised). | |
| Alliantist personnel or subcontractors acting in a coaching or support capacity inside the ISMS.online instance of the Customer are only added by the Customer for the time required and then removed by the Customer. | |
| The Customer is expected to take advantage of the Platform measures added for its benefit. Alliantist will not be responsible for any security incident or event that may occur because the Customer has failed to implement any or all of the Platform measures listed above. This includes Registered Users being responsible for maintaining the confidentiality and security of their password and login details and using the provided two factor authentication service. | |
| Sub-processors | Sub-processors are used for a range of jobs and managed according to their role and risk around the personal data. Sub-processors for core service delivery (e.g. hosting) in Alliantist role as Data Processor are all UK hosted so have no international transfers. |
| In Alliantist role managing customer support enablement (coaching, support issue tracking) and back-office delivery (e.g. customer finance management, customer communications) there are some international transfers which are covered with privacy shield and other international transfer agreements. | |
| Sub–processors used include: | |
| AWS (London primary and Dublin failover), Google, Jira, ZenDesk, Go To Meeting, Sujiivana, Taylor Baines, Xero, Fresh Financials, Ring Central, Word Press, Mailchimp. | |
| By agreeing to these Terms, Customer grants Alliantist a general authorisation in the meaning of Article 28 (2) of Regulation (EU) 2016/679 to engage processors for the purposes of providing the Services. Alliantist will inform the Customer of material changes in such sub-processors in accordance with the Agreement. | |
| Plan for the safe return of data or its destruction at the end of the Agreement | At any point Customer can remove its Data through a range of reports, exports and mechanisms on the Platform. Subject to the scope, style and nature of what it wants and in what format, Alliantist will also assist the Customer with its end of life exit activity including the relevant aspects of personal data portability and transfer if required. |
| On conclusion of the Agreement and payment for the Services, Alliantist operates a Customer exit process in line with ISO 27001:2013 where it ensures the Customer has, as Data Controller, removed what it wants from the Platform and then goes through the safe erasure and deletion of the Customer Data. This takes 30 days to conclude as the back-up information is erased and replaced during that cycle. Where the Customer is collaborating in Initiatives with other organisations on the Platform that remain Customers of Alliantist it acknowledges that some Customer Data may be retained on the Platform in Initiatives owned by other Customers and only erased when those Initiatives are erased. |
3.5) Alliantist as the Data Processor will assist the Customer as the Data Controller in meeting the Customer’s obligations under Regulation (EU) 2016/679 and allowing data subjects to exercise their rights under Regulation (EU) 2016/679. To that end Alliantist has a range of policies, procedures and approaches such as:
3.5a) Data Protection Officer (DPO) – Alliantist has nominated an appropriate DPO and they can be contacted at DPO@ISMS.online. Alliantist also has data protection, information security and a range of other Policies and Controls in line with ICO GDPR recommendations as well as ISO 27001:2013, to UKAS independent certification standards. 3.5b) Subject Access Request (SAR) and other Rights – contact support@ISMS.online. Alliantist will process the request in line with GDPR obligations and will only process valid SAR. Any information requests sent direct to Alliantist by external parties that should be for the Customer as Data Controller will be redirected back to originating party and alerted to the Customer. No information will be shared with any other party without that Customer first approving it in writing. Alliantist also operates lawful policies and processes for all individuals rights; right to be informed; right of access; right to rectification and data quality, right to erasure, retention and disposal, right to restrict processing; right to object; rights to data portability and rights related to automated decision making.
3.5c) Security Incidents and breach notifications – outbound: Alliantist operates a security incident process that also complies with Annex A 16 of ISO 27001. In the event that Alliantist suffers a breach that has a potential impact on the rights and freedoms of data subjects it will notify the Customer’s Lead User within 24 hours of the breach or as soon as it becomes aware and work with the Customer to address the consequences including its legal obligations and those as a responsible supplier.
3.5d) Security Incidents and breach notifications – inbound: Customer will report any Platform security incidents, events or weaknesses within 24 hours or as soon as it becomes aware of them to security@ISMS.online and Alliantist processes in line with Annex A 16 will also commence. Alliantist will not be liable for any loss or damage arising from Customer’s failure to comply with these requirements
3.6d) Alliantist undertakes to make available to Customer information necessary to demonstrate compliance with these obligations including, subject to the confidentiality obligations in this Agreement and that the Customer, or the Customer’s representative, is not a competitor of Alliantist, sharing results of relevant audits, independent certifications and standards obtained.
3.6e) Alliantist will assist Customer if requested with reasonable cooperation, taking into account the cost of the Services, to fulfil its obligation to carry out a data protection impact assessment related to Customer’s use of the Services.
3.7f) Alliantist is registered to the UK Supervisory Authority (ICO) as a Data Processor (and a data Controller for its own business).
4.1) Fees for Customer license to the Services are set out in the Order Form. Fees include access to the Services as described and include Platform maintenance with appropriate technical support for the Customer Lead User and authorised administrators. The fees also include automatic access to relevant Platform releases and enhancements for the functionality in scope on the Order Form. Registered User support is covered in the fees through the Help Documentation and includes tours, videos and other support materials on the Platform.
4.2) Unless otherwise stated on the Order Form this Agreement shall last for the minimum term of one year or as set out in the Order Form and shall be the Minimum Fee. First year fees, discounted for annual advance payment are due before service commences unless a valid Purchase Order is agreed instead. Monthly and quarterly payment in advance models are also available.
4.3) After the first year, the Services will automatically continue until such time as Customer or Alliantist gives the other at least 30 days’ notice to terminate. Fees for the ongoing service can be paid monthly, quarterly or annually in advance with discounts/increases reflective of the ongoing commitment made. Alliantist does not provide refunds so after the first year or payment of the Minimum Fee the Customer may choose a shorter rolling payment term for ongoing service delivery, or continue with the Services until such time as any of its prepayments align with the notice to terminate.
4.4) Additional users or increases to the Services scope e.g. adding an optional extra such as policy packs or supply chain accounts can be done at any time subject to the relevant fee payment as set out in the Order Form or the price as quoted at the time of request. Registered User numbers are reviewed quarterly or at other intervals as needed and paid pro rata for any period added then aligned with the usual payment period thereafter. After payment of the Minimum Fee any of the Services can be adjusted accordingly and fee changes reflect the ongoing change in use.
4.5) All fees assume a fair and acceptable use of the Services. In the event that the use of the Platform or the Services by the Customer exceeds fair and acceptable use Alliantist will alert Customer to the issues in writing and give the Customer the opportunity of easing use or paying for the extra service requirements.
4.6) All fees exclude VAT and other government taxes.
4.7) Either party may terminate this Agreement and any Order Form immediately upon written notice if the other: (i) commits a material breach of the Agreement and which (in the case of a breach capable of remedy) shall not have been remedied within 30 days. A material breach includes (i) a failure by Customer to make payment in accordance with this Agreement; or (ii) the other party has a liquidator, receiver, administrator or administrative receiver appointed in respect of the whole or any part of its undertaking or assets; or (iii) the other party ceases or threatens to cease to carry on business; or (iv) a data breach that increases risks to the rights and freedoms of data subjects’ information held on the Platform.
4.8 On termination for any reason:
4.8.1) All rights granted to the Customer under this Agreement including without limitation the license to use the Services shall cease and the Customer shall cease all activities authorised by this Agreement;
4.8.2) The Customer shall immediately pay to Alliantist any sums due to Alliantist under this Agreement, except where any sum of money shall be recoverable from or payable by Alliantist, the Customer may deduct same from any sum then due to Alliantist under this Agreement;
4.8.3) Having paid the Minimum Fee and any other outstanding fees due Customers can remove Customer Organisation Data from the Platform at no cost at any time. At Customer’s request, Alliantist will work with Customer in a professional capacity to manage Customer’s exit from the Platform, including making available copies of Customer Organisation Data, (beyond any personal data legal obligation) provided that Customer will pay reasonable fees to Alliantist for providing any support service beyond the standard exit process, such fees to be mutually agreed in writing prior to termination support work commencing.
4.8.4). Having paid the Minimum Fee and paid any other outstanding fees, Customer shall be able to continue using the ISMS.online Policies content (not the technology tools or the Platform) on an ongoing basis purely for their own Purpose in line with 2.7 and 2.8 above.
5.1) Alliantist warrants that the Platform shall perform substantially in accordance with the specifications set out in the Order Form, Help Documentation and reflect the features and services expressed from the ISMS.online website.
5.2) Customer hereby acknowledges and agrees that Alliantist (including officers, associates, resellers, referrers, agents and directors of Alliantist) has not made or granted any express warranties concerning the Services except for the warranty in section 5.1 above. Customer is not authorised to (and shall not) create any warranty obligations on behalf of Alliantist with its Partners or Partner Users.
5.3) Except with respect to Alliantist’s express obligations under this Agreement to confidentiality, its breach of applicable Data Protection laws, and the liability that it does assume under sections 5.8 and 5.11, to the maximum extent permitted by applicable law, Alliantist shall have no liability whatsoever to anyone for any claim, loss or damage of any kind whatsoever in relation to any Data or any use to which it is put.
5.4) The warranties set forth in section 5 above are limited to ISMS.online and do not apply to any third-party software or technology. Excepting the warranty set forth in section 5.1, Alliantist hereby disclaims and Customer hereby waives all warranties, express or implied, including but not limited to all implied warranties of fitness for a particular purpose (even where disclosed by the Customer), all implied warranties of merchantability and all implied warranties arising by usage of trade, course of dealing or course of performance. Any ISMS.online Policies, Help Documentation, Virtual Coach or data provided by Alliantist is provided “AS IS” without warranty of any kind. Alliantist does not guarantee or warrant the accuracy, completeness or usefulness of the data, nor the merchantability or fitness for any particular purpose. Alliantist does not make any warranty and Customer hereby waives any and all warranties as to the results obtained from ISMS.online or as to the accuracy or reliability of the data. Alliantist shall not be liable under any circumstances for harm or damages resulting from or arising out of Customer’s inability to use ISMS.online or to access ISMS.online.
5.5) Customer hereby acknowledges and agrees that access to the Services may be affected by local network telecommunications activity; government networks, electronic mail failure, capacity and compatibility with third party communication equipment, communication software, web browsers and internet (or intranet) enabled software. Alliantist hereby disclaims and Customer hereby waives any and all Alliantist responsibility for any failures in connection with local market network telecommunication activity, government networks, electronic mail failure, capacity and compatibility with third party communication equipment, communication software, web browsers and internet (or intranet) enabled software.
5.6) Alliantist shall not be liable for any failure to perform its obligations under this Agreement because of circumstances beyond its control which such circumstances shall include (without limitation) natural disaster, terrorism, labour disputes, war, declarations of governments, transportation delays, telecommunications failure and misuse of the Services by Customer.
5.7) Customer agrees to indemnify Alliantist, and its subsidiaries, affiliates, officers, agents, and employees and other ISMS.online licensees from and against any third-party claim arising from or in any way related to Customer’s use of ISMS.online, against all claims, demands, suits, liabilities, costs, expenses (including reasonably incurred legal fees), damages and losses suffered or incurred. In such a case, Alliantist will provide Customer with written notice of such claim, suit or action.
5.8) Alliantist agrees, subject to the limit of its insurance cover, to indemnify Customer against all claims, demands, suits, liabilities, costs, expenses (including reasonably incurred legal fees), damages and losses suffered or incurred by Customer arising out of a third-party claim against Customer in respect of infringement of a third party’s intellectual property rights arising out of Customer’s use of ISMS.online. This indemnity shall not apply to the extent that a claim under it results from Customer’s negligence, willful misconduct, or modification from the specification. It is subject to Customer immediately notifying Alliantist of any claim and in any event within 3 months; Customer not admitting any fault or offer to settle and Alliantist having sole control of the claim with reasonable assistance as required from the Customer.
If Customer is prevented from using the Platform thereafter Alliantist will at its sole discretion and cost either: source the rights to continue use; replace the disputed intellectual property and modify ISMS.online such that the Purpose is still served; or terminate the Agreement and refund Customer any unused but prepaid fees.
5.9) Other than to the extent prohibited by law, or liability in relation to clause 5.8, in no event shall the total aggregate liability of Alliantist exceed the annual Platform fees paid in the previous year by the Customer.
5.10) In no event will either party have any liability to the other for lost revenues or profits, consequential losses, incidental losses, goodwill or other indirect losses.
5.11) Nothing in this Agreement limits either party’s liability in the case of death or personal injury caused by the other party’s negligence.
6.1) ISMS.online, ISMS.online Policies, Virtual Coach and the Help Documentation are proprietary to Alliantist and contain valuable trade secrets. The Customer shall at all times keep the software, policies, documentation, technical or commercial information, inventions or processes and any and all information concerning Alliantist’s business or products and which have been disclosed to the Customer by Alliantist and which are of a confidential nature in strict confidence and shall not permit the same to be used, copied, disclosed or disposed of except in accordance with this Agreement.
6.2) The Proposal and Order Form along with any Special Terms of this Agreement are confidential and may not be disclosed by either party without the prior written consent of the other party.
6.3) The receiving party may disclose information of a confidential nature to such of its employees as need to know the same for the purpose of discharging the receiving party’s obligations under this Agreement and shall ensure that such employees are subject to obligations of confidentiality corresponding to those set out in this Agreement.
6.4) The provisions of this section 6 shall: (i) not apply to information which is already public knowledge or becomes so at a future date (other than by breach of this Agreement); (ii) not apply to information which is known without restriction to the receiving party at the time of disclosure without breach of any obligation of confidentiality; (iii) not apply to information which is shown to the reasonable satisfaction of the originating party to have been generated independently by the receiving party; (iv) remain in full force and effect notwithstanding termination of this Agreement for any reason.
The Platform may contain links to other third-party web sites. Alliantist is not responsible for the privacy practices or the content of these other web sites. Registered Users will need to check the policy statement of these other web site Alliantist’s support policy available in the footer of the Platform.s to understand their policies. Registered Users who access a linked site may be disclosing their private information. It is the responsibility of the Registered User to keep such information private and confidential
Unless otherwise specified in the Order Form, service and support shall be provided subject to the terms set out in the support policy available in the footer of the Platform and on the website.
The parties will act solely as independent contractors. These Terms shall not be construed as creating an agency, partnership, joint venture, fiduciary duty, or any other form of legal association between the Customer and Alliantist regardless of any joint promotion or marketing communications undertaken together. The Customer shall not represent to the contrary, whether expressly, by implication, appearance or otherwise.
The failure of Alliantist to exercise or enforce any right or provision of the Agreement shall not constitute a waiver of such right or provision. If any provision of the Agreement is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavour to give effect to the parties’ intentions as reflected in the provision, and the other provisions of the Agreement remain in full force and effect.
These terms will be governed by and construed in accordance with English Law, without giving effect to its conflict of law provisions or Customer’s actual state or country of residence. Any claims, legal proceeding or litigation arising in connection with ISMS Online will be brought solely in England, and Customer consents to the exclusive jurisdiction of such courts provided that each party shall have the right to enforce a judgment of the English Courts in a jurisdiction in which the other party is incorporated or in which any assets of the other party may be situated.
The section headings in the terms are for convenience only and have no legal or contractual effect.
A person who is not a party to this Agreement may not rely upon or enforce any rights pursuant to the Contracts (Rights of Third Parties) Act 1999.
This Agreement including the Order Form, privacy policy and support policy constitutes the entire agreement between Customer and Alliantist.
Any questions or issues should in the first instance be dealt with using the normal ISMS.online support channels support@ISMS.online and then escalated if required thereafter.