Please read these Terms and Conditions carefully before using this site
(1) CYBSAFE LIMITED incorporated and registered in England and Wales with company number 9642350 whose registered office is at Windmill Hill Business Park, Whitehill Way, Swindon SN5 6QR (CybSafe); and
(2) the company, firm or organisation referred to as the Customer in the Agreed Terms (the Customer).
(A) CybSafe has developed a learning tool and associated software applications which it makes available to subscribers via the internet on a subscription basis for the purpose of developing a basic level of awareness of cyber security.
(B) The Customer wishes to use CybSafe's service in its business operations.
(C) CybSafe has agreed to provide and the Customer has agreed to take and pay for CybSafe's service subject to the terms and conditions of this agreement.
1.1 The definitions and rules of interpretation in this clause apply in this agreement.
the document attached to the front of this agreement containing the Customer’s details and the agreed commercial terms.
the data provided to the Customer via the Services and in accordance with the Documentation detailing the Authorised Users' use of the Services.
those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation, as further described in clause 2.2(d).
a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
a complaint or request relating to either party’s obligations under Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;
information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 10.5.
6.00am to 9.00pm local UK time, each Business Day
the data inputted by the Customer, Authorised Users, or CybSafe on the Customer's behalf for the purpose of using the Services or facilitating the Customer's use of the Services.
has the meaning set out in the Data Protection Laws;
has the meaning given to that term (or to the term ‘processor’) in the Data Protection Laws;
Data Protection Laws
(a) the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or
(b) the General Data Protection Regulation (EU) 2016/679 (GDPR), once applicable, and/or any corresponding or equivalent United Kingdom national laws or regulations (Revised UK DP Law);
(c) and, in either case any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
has the meaning set out in the Data Protection Laws;
Data Subject Request
a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
the document made available to the Customer by CybSafe online via https://cybsafe.com or such other web address notified by CybSafe to the Customer from time to time which sets out a description of the Services and the user instructions for the Services.
the date referred to as such in the Agreed Terms.
in relation to a company, that company, any subsidiary or any holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company.
Initial Subscription Term:
the initial term of this agreement as set out in the Agreed Terms.
Normal Business Hours:
8.00 am to 6.00 pm local UK time, each Business Day.
has the meaning given to that term in the Data Protection Laws and relates only to personal data, or any part of such personal data, in respect of which the Customer is the Data Controller and in relation to which Cybsafe is providing services under this Agreement (but does not, in particular, include personal data provided by an Authorised User or the Customer to a third party acting in the capacity of a data controller);
Personal Data Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data
the designated representatives of the Customer and CybSafe from time to time who have day-to-day responsibility for the performance of their appointor's obligations under this agreement and act as the principal point of contact between the parties, as set out in the Agreed Terms as amended by the appointing party to the other in writing.
the period described in clause 13.1.
the subscription services provided by CybSafe to the Customer under this agreement via https://cybsafe.com or any other website notified to the Customer by CybSafe from time to time, as more particularly described in the Documentation.
Service Level Agreement:
the service level agreement set out in Schedule 1.
the online software applications provided by CybSafe as part of the Services.
the subscription fees payable by the Customer to CybSafe for the User Subscriptions, as set out in the Agreed Terms.
has the meaning given in clause 13.1 (being the Initial Subscription Term together with any subsequent Renewal Periods).
any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws
the user subscriptions purchased by the Customer pursuant to clause 8.1 which entitle Authorised Users to access and use the Services and the Documentation in accordance with this agreement.
any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
1.2 Clause, schedule and paragraph headings shall not affect the interpretation of this agreement.
1.3 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person's legal and personal representatives, successors or permitted assigns.
1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.6 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.7 A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this agreement.
1.8 A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this agreement under that statute or statutory provision.
1.9 A reference to writing or written includes faxes but not e-mail.
1.10 References to clauses and schedules are to the clauses and schedules of this agreement; references to paragraphs are to paragraphs of the relevant schedule to this agreement.
1.11 A reference to a holding company or a subsidiary means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006. In the case of a limited liability partnership which is a subsidiary of a company or another limited liability partnership, section 1159 of the Companies Act 2006 shall be construed so that: (a) references in sections 1159(1)(a) and (c) to voting rights are to the members' rights to vote on all or substantially all matters which are decided by a vote of the members of the limited liability partnership; and (b) the reference in section 1159(1)(b) to the right to appoint or remove a majority of its board of directors is to the right to appoint or remove members holding a majority of the voting rights.
2. USER SUBSCRIPTIONS
2.1 Subject to the Customer purchasing the User Subscriptions in accordance with clause 3.3 and clause 8.1, the restrictions set out in this clause 2 and the other terms and conditions of this agreement, CybSafe hereby grants to the Customer a non-exclusive, non-transferable right to permit the Authorised Users to use the Services and the Documentation during the Subscription Term solely for the Customer's internal business operations.
2.2 In relation to the Authorised Users, the Customer undertakes that:
(a) the maximum number of Authorised Users that it authorises to access and use the Services and the Documentation shall not exceed the number of User Subscriptions it has purchased from time to time;
(b) it will not allow or suffer any User Subscription to be used by more than one individual Authorised User;
(c) each Authorised User shall keep a secure password for his use of the Services and Documentation, and that each Authorised User shall keep his password confidential;
(d) it shall maintain a written, up to date list of current Authorised Users and provide such list to CybSafe within 5 Business Days of CybSafe's written request at any time or times;
(e) it shall permit CybSafe to audit the Services in order to establish the name and password of each Authorised User. Such audit may be conducted no more than once per quarter, at CybSafe's expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with the Customer's normal conduct of business;
(f) if any of the audits referred to in clause 2.2(e) reveal that any password has been provided to any individual who is not an Authorised User, then without prejudice to CybSafe's other rights, the Customer shall promptly disable such passwords and CybSafe shall not issue any new passwords to any such individual; and
(g) if any of the audits referred to in clause 2.2(e) reveal that the Customer has underpaid Subscription Fees to CybSafe, then without prejudice to CybSafe's other rights, the Customer shall pay to CybSafe an amount equal to such underpayment as calculated in accordance with the prices set out in the Agreed Terms within 10 Business Days of the date of the relevant audit.
2.3 The Customer shall not:
(a) except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:
(i) and except to the extent expressly permitted under this agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means; or
(ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or
(b) access all or any part of the Services and Documentation in order to build a product or service which competes with the Services and/or the Documentation; or
(c) use the Services and/or Documentation to provide services to third parties; or
(d) subject to clause 16.1, license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available to any third party except the Authorised Users, or
(e) attempt to obtain, or assist third parties in obtaining, access to the Services and/or Documentation, other than as provided under this clause 2; and
2.4 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify CybSafe.
2.5 The rights provided under this clause 2 are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer unless the Agreed Terms specifies otherwise.
3. ADDITIONAL USER SUBSCRIPTIONS
3.1 Subject to clause 3.2 and clause 3.3, the Customer may, from time to time during any Subscription Term, purchase additional User Subscriptions in excess of the number set out in the Agreed Terms and CybSafe shall grant access to the Services and the Documentation to such additional Authorised Users in accordance with the provisions of this agreement.
3.2 If the Customer wishes to purchase additional User Subscriptions, the Customer shall notify CybSafe in writing. CybSafe shall evaluate such request for additional User Subscriptions and respond to the Customer with approval or rejection of the request (such approval not to be unreasonably withheld).
3.3 If CybSafe approves the Customer's request to purchase additional User Subscriptions, such additional User Subscriptions will be activated and the additional users will become Authorised Users. The Customer shall then, within 30 days of the date of CybSafe's invoice, pay to CybSafe the relevant fees for such additional User Subscriptions as set out in the Agreed Terms and, if such additional User Subscriptions are purchased by the Customer part way through the Initial Subscription Term or any Renewal Period (as applicable), such fees shall be pro-rated for the remainder of the Initial Subscription Term or then current Renewal Period (as applicable).
3.4 If CybSafe has not received payment within 30 days, and without prejudice to any other rights and remedies of CybSafe:
(a) CybSafe may, without liability to the Customer, disable access for the Additional Authorised Users.
(b) interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of HSBC Bank plc from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.
4.1 CybSafe shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms of this agreement.
4.2 CybSafe shall use commercially reasonable endeavours to provide the Services in accordance with the Service Level Agreement.
5. CUSTOMER DATA
5.1 The Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.
5.2 CybSafe shall follow its archiving procedures for Customer Data and the Analytical Data as set out in its Back-Up Policy available as part of the Platform Security Overview at https://cybsafe.com or such other website address as may be notified to the Customer from time to time, as such document may be amended by CybSafe in its sole discretion from time to time. In the event of any loss or damage to Customer Data or Analytical Data, the Customer's sole and exclusive remedy shall be for CybSafe to use reasonable commercial endeavours to restore the lost or damaged Customer Data or Analytical Data from the latest back-up of such Customer Data or Analytical Data maintained by CybSafe in accordance with the archiving procedure described in its Back-Up Policy. CybSafe shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by CybSafe to perform services related to Customer Data maintenance and back-up).
5.4 If CybSafe processes any Personal Data on the Customer's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and CybSafe shall be a data processor.
5.5 Cybsafe shall comply with all Data Protection Laws (which apply to it in its capacity as a data processor) in connection with the processing of Personal Data in respect of the delivery of the Services and the exercise and performance of its rights and obligations under this Agreement.
5.6 The Customer shall comply with all Data Protection Laws (which apply to it in its capacity as a data controller) in connection with the processing of Personal Data in respect of the exercise and performance of its rights and obligations under this Agreement, and to enable Cybsafe to deliver the Services.
5.7 Instructions and details of processing - Insofar as Cybsafe processes Personal Data on behalf of the Customer:
5.7.1 unless required to do otherwise by applicable laws, Cybsafe shall (and shall ensure each person acting under its authority shall) process the Personal Data only on and in accordance with the Customer’s documented instructions as set out in this clause 5 and Schedule 2 (Data Processing Details), and as updated from time to time by the written agreement of the parties (Processing Instructions); and
5.7.2 if any applicable laws require it to process Personal Data other than in accordance with the Processing Instructions, Cybsafe shall notify the Customer of any such requirement before processing the Personal Data (unless any of the applicable laws prohibit such information on important grounds of public interest).
5.8 Technical and organisational measures - Cybsafe shall implement and maintain, at its cost and expense (taking into account those factors which it is entitled to take into account pursuant to the Data Protection Laws) appropriate technical and organisational measures in relation to the processing of Personal Data by Cybsafe:
5.8.1 so as to ensure a level of security in respect of the Personal Data processed by Cybsafe is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed; and
5.8.2 without prejudice to clause 5.11, insofar as is possible, to assist the Customer in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Personal Data.
5.9 Using staff and other processors - Cybsafe shall not engage another Data Processor for carrying out any processing activities specifically for the Customer in respect of the Personal Data without the Customer’s prior written consent.
5.10 Cybsafe shall ensure that all Cybsafe personnel processing Personal Data:
5.10.1 are subject to obligations of confidentiality which apply, generally or specifically, to the Personal Data; and
5.10.2 are reliable and have received appropriate training on compliance with the Data Protection Laws.
5.11 Assistance with Customer’s Compliance with Data Subject Rights - Cybsafe shall:
5.11.1 record and then refer all Data Subject Requests it receives to the Customer, without undue delay;
5.11.2 provide such assistance to the Customer as the Customer reasonably requests in relation to a Data Subject Request; and
5.11.3 not respond to any Data Subject Request or Complaint without the Customer’s prior written approval.
5.12 Without prejudice to clause 5.11 Cybsafe shall, at its cost and expense, provide such assistance to the Customer as the Customer reasonably requires (taking into account the nature of processing and the information available to Cybsafe) in ensuring compliance with such obligations as apply to the Customer under Data Protection Laws, with respect to:
5.12.1 security of processing;
5.12.2 Data Protection Impact Assessments (as such term is defined in the Data Protection Laws);
5.12.3 prior consultation with a Supervisory Authority regarding high risk processing.
5.13 International Data Transfer
5.13.1 Subject to clause 5.13.2, Cybsafe shall not engage another Data Processor (Sub Processor) for carrying out any processing activities in respect of the Personal Data without the Client’s prior written consent;
5.13.2 Subject to clause 5.13.3, and without prejudice to the generality of clause 5.13.1, the Customer consents to the appointment of Sub Processors in connection with certain tools used by Cybsafe to deliver the Services, and for the purpose of some web hosting undertaken for Cybsafe in connection with the Services and to the processing of Personal Data by each of such Sub Processors in accordance with the Data Processing Instructions.
5.13.3 Cybsafe may only transfer the Personal Data to the Sub Processors and permit the processing of Personal Data outside the EU under the following conditions:
(a) the Personal Data is being processed in a territory which is subject to a current finding by the European Commission under the Data Protection Laws that the territory provides adequate protection for the privacy rights of individuals; or
(b) Cybsafe participates in a valid cross-border transfer mechanism under the Data Protection Laws, and has entered into an agreement with each Sub Processor which includes the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries, as set out in the Annex to Commission Decision 2010/87/EU.
5.14 Records, Information and Audit - Cybsafe shall maintain complete, accurate and up to date written records of all categories of processing activities carried out on behalf of the Customer being:
5.14.1 the name and contact details of the Data Processor(s) and (subject to the Customer providing such information) of each Data Controller on behalf of which the Data Processor is acting, and of Cybsafe’s representative and data protection officer (if any);
5.14.2 the categories of processing carried out on behalf of each Data Controller;
5.14.3 where applicable, details of transfers of Personal Data to an International Recipient; and
5.14.4 where possible, a general description of the technical and organisational security measures referred to in clause 5.8.
5.15 Cybsafe shall make available to the Customer on request in a timely manner copies of the records under clause 5.14.
5.16 Subject to clause 5.22 Cybsafe shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, for the purpose of demonstrating compliance by Cybsafe with its obligations under Data Protection Laws and under this clause 5.
5.17 Breach notification - In respect of any Personal Data Breach, Cybsafe shall:
5.17.1 notify the Customer of the Personal Data Breach without undue delay; and
5.17.2 provide the Customer without undue delay with such details as the Customer reasonably requires regarding:
(a) the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and Personal Data records concerned;
(b) the likely consequences of the Personal Data Breach; and
(c) any measures taken, or that Cybsafe recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that, (without prejudice to the above obligations) if Cybsafe cannot provide all these details without undue delay it shall provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.
5.18 Each party shall promptly inform the other party if it receives a Complaint and provide the Customer with full details of such Complaint.
5.19 Deletion or return of Personal Data and copies - Cybsafe shall without delay, at the Customer’s written request, either securely delete or securely return all the Personal Data to the Customer after the end of the provision of the relevant Services related to processing unless:
5.19.1 storage of any data is required by applicable laws (and, if so, Cybsafe shall inform the Customer of any such requirement); or
5.19.2 Cybsafe requires storage of any data for the establishment, exercise or defence of legal claims.
5.20 The Customer acknowledges that Cybsafe is reliant on the Customer for direction as to the extent to which Cybsafe is entitled to use and process the Personal Data. Consequently, Cybsafe will not be liable for any claim brought by a Data Subject arising from any action or omission by Cybsafe to the extent that such action or omission resulted from the Customer’s instructions or from the Customer’s failure to comply with Data Protection Laws or its obligations under this Agreement.
5.21 Without prejudice to clause 5.5 the Customer shall:
5.21.1 establish the legal basis under Data Protection Laws for the processing of the Personal Data by Cybsafe and any third parties for the delivery of the Services (including, in the absence of any other legal basis, all necessary consents);
5.21.2 provide Cybsafe with details of such legal basis.
5.22 Each audit and inspection referred to in clause 5.16 shall be carried out:
5.22.1 during normal business hours on at least 20 Business Days’ prior written notice to Cybsafe and shall take no longer than two Business Days;
5.22.2 not more than once in any twelve month period;
5.22.3 in a manner that is limited to that which is reasonably required to demonstrate compliance with Cybsafe’s obligations under the Data Protection Laws and this clause 5, without access to Cybsafe confidential information unrelated to this Agreement (including information relating to other customers of Cybsafe); and
5.22.4 in so far as reasonably possible, in a manner that minimises disruption to Cybsafe’s business and the delivery of the Services.
6. CYBSAFE’S OBLIGATIONS
6.1 CybSafe undertakes that the Services will be performed substantially in accordance with the Documentation and with reasonable skill and care.
6.2 The undertaking at clause 6.1 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to CybSafe's instructions, or modification or alteration of the Services by any party other than CybSafe or CybSafe's duly authorised contractors or agents. If the Services do not conform with the foregoing undertaking, CybSafe will, at its expense, use all reasonable commercial endeavours to correct any such non-conformance promptly, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer's sole and exclusive remedy for any breach of the undertaking set out in clause 6.1. Notwithstanding the foregoing, CybSafe:
(a) does not warrant that the Customer's use of the Services will be uninterrupted or error-free; or that the Services, Documentation and/or the information obtained by the Customer through the Services will meet the Customer's requirements; and
(b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
6.3 This agreement shall not prevent CybSafe from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this agreement.
6.4 CybSafe warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this agreement.
7. CUSTOMER'S OBLIGATIONS
7.1 The Customer shall:
(a) provide CybSafe with:
(i) all necessary co-operation in relation to this agreement; and
(ii) all necessary access to such information as may be required by CybSafe;
in order to provide the Services, including but not limited to Customer Data, security access information and configuration services;
(b) comply with all applicable laws and regulations with respect to its activities under this agreement;
(c) carry out all other Customer responsibilities set out in this agreement in a timely and efficient manner. In the event of any delays in the Customer's provision of such assistance as agreed by the parties, CybSafe may adjust any agreed timetable or delivery schedule as reasonably necessary;
(d) ensure that the Authorised Users use the Services and the Documentation in accordance with the terms and conditions of this agreement and shall be responsible for any Authorised User's breach of this agreement;
(e) obtain and shall maintain all necessary licences, consents, and permissions necessary for CybSafe, its contractors and agents to perform their obligations under this agreement, including without limitation the Services;
(f) ensure that its network and systems comply with the relevant specifications provided by CybSafe from time to time; and
(g) be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to CybSafe's data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer's network connections or telecommunications links or caused by the internet.
8. CHARGES AND PAYMENT
8.1 The Customer shall pay the Subscription Fees to CybSafe for the User Subscriptions in accordance with this clause 8 and the Agreed Terms.
8.2 The Customer shall prior to the Effective Date provide to CybSafe approved purchase order information acceptable to CybSafe and any other relevant valid, up-to-date and complete contact and billing details and CybSafe shall invoice the Customer:
(a) for the Subscription Fees payable in respect of the Initial Subscription Term; and
(b) subject to clause 13.1, at least 30 days prior to each anniversary of the Effective Date for the Subscription Fees payable in respect of the next Renewal Period,
The Customer shall pay each invoice within 30 days of receipt.
8.3 If CybSafe has not received payment within 30 days of receipt of the invoice, and without prejudice to any other rights and remedies of CybSafe:
(a) CybSafe may, without liability to the Customer, disable the Customer's password, account and access to all or part of the Services and CybSafe shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and
(b) interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of HSBC Bank plc from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.
8.4 All amounts and fees stated or referred to in this agreement:
(a) shall be payable in pounds sterling;
(b) are, subject to clause 12.4(b), non-cancellable and non-refundable;
(c) are exclusive of value added tax, which shall be added to CybSafe's invoice(s) at the appropriate rate.
8.5 CybSafe shall be entitled to increase the Subscription Fees, the fees payable in respect of the additional User Subscriptions purchased pursuant to clause 3.3 at the start of each Renewal Period upon 90 days' prior notice to the Customer and the Agreed Terms shall be deemed to have been amended accordingly.
9. PROPRIETARY RIGHTS
9.1 The Customer acknowledges and agrees that CybSafe and/or its licensors own all intellectual property rights in the Services and the Documentation. Except as expressly stated herein, this agreement does not grant the Customer any rights to, or in, patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Services or the Documentation.
9.2 CybSafe confirms that it has all the rights in relation to the Services and the Documentation that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this agreement.
10.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this agreement. A party's Confidential Information shall not be deemed to include information that:
(a) is or becomes publicly known other than through any act or omission of the receiving party;
(b) was in the other party's lawful possession before the disclosure;
(c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure;
(d) is independently developed by the receiving party, which independent development can be shown by written evidence; or
(e) is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
10.2 Each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this agreement.
10.3 Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this agreement.
10.4 Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.
10.5 The Customer acknowledges that details of the Services, and the results of any performance tests of the Services, constitute CybSafe's Confidential Information.
10.6 CybSafe acknowledges that the Customer Data is the Confidential Information of the Customer.
10.7 This clause 10 shall survive termination of this agreement, however arising.
10.8 No party shall make, or permit any person to make, any public announcement concerning this agreement without the prior written consent of the other parties (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
11.1 CybSafe shall defend the Customer, its officers, directors and employees against any claim that the Services or Documentation infringes any United Kingdom patent effective as of the Effective Date, copyright, trade mark, database right or right of confidentiality, and shall indemnify the Customer for any amounts awarded against the Customer in judgment or settlement of such claims, provided that:
(a) CybSafe is given prompt notice of any such claim;
(b) the Customer provides reasonable co-operation to CybSafe in the defence and settlement of such claim, at CybSafe's expense; and
(c) CybSafe is given sole authority to defend or settle the claim.
11.2 In the defence or settlement of any claim, CybSafe may procure the right for the Customer to continue using the Services, replace or modify the Services so that they become non-infringing or, if such remedies are not reasonably available, terminate this agreement on 2 Business Days' notice to the Customer without any additional liability or obligation to pay liquidated damages or other additional costs to the Customer.
11.3 In no event shall CybSafe, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged infringement is based on:
(a) a modification of the Services or Documentation by anyone other than CybSafe; or
(b) the Customer's use of the Services or Documentation in a manner contrary to the instructions given to the Customer by CybSafe; or
(c) the Customer's use of the Services or Documentation after notice of the alleged or actual infringement from CybSafe or any appropriate authority.
11.4 The foregoing states the Customer's sole and exclusive rights and remedies, and CybSafe's (including CybSafe's employees', agents' and sub-contractors') entire obligations and liability, for infringement of any patent, copyright, trade mark, database right or right of confidentiality.
12. LIMITATION OF LIABILITY
12.1 This clause 12 sets out the entire financial liability of CybSafe (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Customer:
(a) arising under or in connection with this agreement;
(b) in respect of any use made by the Customer of the Services and Documentation or any part of them; and
(c) in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with this agreement.
12.2 Except as expressly and specifically provided in this agreement:
(a) the Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use;
(b) all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this agreement; and
(c) the Services and the Documentation are provided to the Customer on an "as is" basis.
12.3 Nothing in this agreement excludes the liability of CybSafe:
(a) for death or personal injury caused by CybSafe's negligence; or
(b) for fraud or fraudulent misrepresentation.
12.4 Subject to clause 12.2 and clause 12.3:
(a) CybSafe shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and
(b) CybSafe's total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to the total Subscription Fees paid for the User Subscriptions during the 12 months immediately preceding the date on which the claim arose.
13. TERM AND TERMINATION
13.1 This agreement shall, unless otherwise terminated as provided in this clause 13, commence on the Effective Date and shall continue for the Initial Subscription Term and, thereafter, this agreement shall be automatically renewed for successive periods of 12 months (each a Renewal Period), unless:
(a) either party notifies the other party of termination, in writing, at least 60 days before the end of the Initial Subscription Term or any Renewal Period, in which case this agreement shall terminate upon the expiry of the applicable Initial Subscription Term or Renewal Period; or
(b) otherwise terminated in accordance with the provisions of this agreement;
and the Initial Subscription Term together with any subsequent Renewal Periods shall constitute the Subscription Term.
13.2 Without affecting any other right or remedy available to it, either party may terminate this agreement with immediate effect by giving written notice to the other party if:
(a) the other party fails to pay any amount due under this agreement on the due date for payment and remains in default not less than 20 days after being notified in writing to make such payment;
(b) the other party commits a material breach of any other term of this agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;
(c) the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
(d) a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
(e) an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party;
(f) the holder of a qualifying floating charge over the assets of that other party has become entitled to appoint or has appointed an administrative receiver;
(g) a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;
(h) a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other party's assets and such attachment or process is not discharged within 14 days;
(i) any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 13.2(c) to clause 13.2(h) (inclusive).
13.3 On termination of this agreement for any reason:
(a) all licences granted under this agreement shall immediately terminate;
(b) CybSafe may terminate any licence granted to Authorised Users in connection with the use of a mobile application as part of the Services;
(c) each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party;
(d) CybSafe may destroy or otherwise dispose of any of the Customer Data and the Analytical Data in its possession unless CybSafe receives, no later than ten days after the effective date of the termination of this agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data and Analytical Data. CybSafe shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by CybSafe in returning or disposing of Customer Data and Analytical Data or providing the Customer with a back-up copy of such data; and
(e) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.
14. FORCE MAJEURE
CybSafe shall have no liability to the Customer under this agreement if it is prevented from or delayed in performing its obligations under this agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of CybSafe or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors, provided that the Customer is notified of such an event and its expected duration.
15.1 Conflict. If there is an inconsistency between any of the provisions in the Agreed Terms, the main body of this agreement and the Schedule, the provisions shall take precedence in the order stated in this clause 15.1.
15.2 Variation. No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
15.3 Waiver. No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
15.4 Rights and Remedies. Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
15.5 Severance. If any provision (or part of a provision) of this agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
15.6 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.
15.7 Entire Agreement. This agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
15.8 Each of the parties acknowledges and agrees that in entering into this agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this agreement or not) relating to the subject matter of this agreement, other than as expressly set out in this agreement.
15.9 No Partnership or Agency. Nothing in this agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
15.10 Third Party Rights. This agreement does not confer any rights on any person or party (other than the parties to this agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
16.1 The Customer shall not, without the prior written consent of CybSafe (which shall not be unreasonably withheld or delayed), assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this agreement.
16.2 CybSafe may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this agreement.
17.1 Any notice required to be given under this agreement shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address set out in this agreement, or such other address as may have been notified by that party for such purposes, or sent by fax to the other party's fax number as set out in this agreement.
17.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by fax shall be deemed to have been received at the time of transmission (as shown by the timed printout obtained by the sender).
18. GOVERNING LAW AND JURISDICTION
18.1 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
18.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
Schedule 1 – Service Level Agreement
Schedule 2 - Data Protection – Data Processing Details
THIS AGREEMENT has been entered into on the date stated at the beginning of it.
END OF TERMS – SEE SCHEDULES BELOW
The following definitions and rules of interpretation apply in this schedule.
Commercially Reasonable Efforts:
the same degree of priority and diligence with which Cybsafe meets the support needs of its other similar customers.
any of the following causes:
(a) any improper use, misuse or unauthorised alteration of the Software or Services by the Customer;
(b) any use of the Software or Services by the Customer in a manner inconsistent with the then-current Documents; and
(c) outages or disruptions to the Service caused by the Customer.
any failure of the Services to operate in all material respects in accordance with the Documentation, including any failure or error referred to in the Service Level Table.
Help Desk Support:
any support provided by help desk technicians sufficiently qualified and experienced to identify and resolve most support issues relating to the Services.
the agreement to which this schedule relates.
any services provided by Cybsafe in connection with any apparent problem regarding the Services reasonably determined by Cybsafe not to have been caused by a Fault, but rather by a Customer Cause or a cause outside Cybsafe's control (including any investigational work resulting in such a determination).
the service level responses and response times referred to in the Service Level Table.
Service Level Table:
the table set out in paragraph 5.2.
either of the following outcomes:
(a) correction of a Fault; or
(b) a workaround in relation to a Fault (including a reversal of any changes to the Software and/or Services if deemed appropriate by Cybsafe) that is reasonably acceptable to the Customer.
request made by the Customer in accordance with this schedule for support in relation to the Services, including correction of a Fault.
Maintenance of the Software and providing Help Desk Support but excluding any Out-of-scope Services.
1.2 All initial capitalised terms in this schedule shall have the meaning given to them in the Main Agreement.
2. SUPPORT SERVICES
2.1 During the Subscription Term Cybsafe shall perform the Support Services during the Normal Working Hours in accordance with the Service Levels.
2.2 As part of the Support Services, Cybsafe shall:
(a) provide Help Desk Support by means of the following e-mail address firstname.lastname@example.org and by means of the help desk support page;
(b) use Commercially Reasonable Efforts to correct all Faults notified under paragraph (a); and
(c) provide technical support for the Software and the Services in accordance with the Service Levels.
2.3 Cybsafe shall carry out planned maintenance outside of the Core Hours.
2.4 Cybsafe may reasonably determine that any services are Out-of-scope Services. If Cybsafe makes any such determination, it shall promptly notify the Customer of that determination.
2.5 The Customer acknowledges that Cybsafe is not obliged to provide Out-of-scope Services.
3.1 The provision of Support Services on a remote (via email), off-site basis within the Subscription Term shall be included in the Subscription Fees.
3.2 The provision of Support Services outside the Subscription Term or at the Customer’s premises or the provision of Out-of-scope Services shall be charged at the time and materials rates agreed between the parties when the Out-of-Scope Services are requested.
4. SUBMITTING SUPPORT REQUESTS AND ACCESS
4.1 The Customer may request Support Services by way of a Support Request made via email by completing the support request form on the help desk support page.
4.2 Each Support Request shall include a description of the problem and the start time of the incident.
4.3 The Customer shall provide Cybsafe with:
(a) prompt notice of any Faults; and
(b) such output and other data, documents, information, assistance and (subject to compliance with all Customer's security and encryption requirements notified to Cybsafe in writing) remote access to the Customer System, as are reasonably necessary to assist Cybsafe to reproduce operating conditions similar to those present when the Customer detected the relevant Fault and to respond to the relevant Support Request.
4.4 All Support Services shall be provided remotely by Cybsafe.
5. SERVICE LEVELS
Service Availability and Maintenance
5.1 Cybsafe shall use commercially reasonable endeavours to make the Services available 97% of the time during the Core Hours, except for unscheduled maintenance performed during the Core Hours, provided that Cybsafe has used reasonable endeavours to give the Customer at least 3 Core Hours’ notice in advance.
5.2 Cybsafe shall:
(a) prioritise all Support Requests based on its reasonable assessment of the severity level of the problem reported; and
(b) respond to all Support Requests within the response times specified in the table set out below by acknowledging receipt of the Support Request and commencing Commercially Reasonable Efforts to achieve a Solution:
Severity level of Fault | Service Level response time*
Fatal: An error in, or failure of, the Services such that the Services are unavailable to all Authorised Users | 4 Normal Working Hours
Severe: An error in, or failure of, the Services with more than 25% of Authorised Users or critical functions affected but which is not a Fatal Fault. Use of Services is intermittent. | 12 Normal Working Hours
Medium: An error in, or failure of, the Services: a) that affects between more than 10% number of Authorised Users but which is not a Fatal or Severe Fault; and/or b) that affects a limited number of functions; but the Services can still be used. | 24 Normal Working Hours
Minor: An error in, or failure of, the Services that affects less than 10% of Authorised Users. The Service can still be used. | 3 Business Days
5.3 The parties may, on a case-by-case basis, agree in writing to a reasonable extension of the Service Level response times.
5.4 Cybsafe shall give the Customer regular updates of the nature and status of its efforts to correct any Fault.
5.5 All Support Requests shall be received and responded to in English.
6.1 If the Customer is not satisfied with the response or the response time, the Customer may escalate the Support Request to the parties' respective Relationship Managers.
7.1 In addition to the mechanisms for giving notice specified in clause 17 of the Main Agreement, the parties may communicate in respect of any matter referred to in this schedule by e-mail (unless specified otherwise).
END OF SCHEDULE
Subject matter of processing
Cybsafe is providing the Services to the Customer through a unified cyber awareness platform which educates Authorised Users via a range of modules designed to optimise behavioural change.
Duration of Processing
Personal Data will be processed for the duration of this Agreement
Nature and Purpose of Processing
Cybsafe will process the Personal Data in order to identify and authenticate Authorised Users, give the Customer and Authorised Users access to the learning modules, analyse the levels of understanding and improvements in behaviour of Authorised Users in relation to cyber security and provide analyses to the Customer.
Cybsafe will anonymise the Personal Data for use as comparative and statistical information.
Types of Personal Data to be Processed
Data of Authorised Users to be processed will be:
• Business e-mail address
• Personal e-mail address (if shared),
Categories of Data Subjects
The Data Subjects will be employees, agents and independent contractors of the Customer authorised to use the Services.
Transfers of Personal Data to a country outside EU/international organisation
Some third party tools - such as Google Analytics - used by Cybsafe to deliver the Services involve personal data being processed in the USA. This is only done under the legally binding personal data protection terms of EU-US Privacy Shield Agreement.
END OF SCHEDULE