Terms & Conditions
Our Business Terms
- CYBSAFE LIMITED incorporated and registered in England and Wales with company number 9642350 whose registered office is at Windmill Hill Business Park, Whitehill Way, Swindon SN5 6QR (CybSafe); and
- the company, firm or organisation referred to as the Customer in the Agreed Terms (the Customer).
- CybSafe has developed a learning tool and associated software applications which it makes available to subscribers via the internet on a subscription basis for the purpose of developing a basic level of awareness of cyber security.
- The Customer wishes to use CybSafe’s service in its business operations.
- CybSafe has agreed to provide and the Customer has agreed to take and pay for CybSafe’s service subject to the terms and conditions of this agreement.
The definitions and rules of interpretation in this clause apply in this agreement.
the document attached to the front of this agreement containing the Customer’s details and the agreed commercial terms.
the data provided to the Customer via the Services and in accordance with the Documentation detailing the Authorised Users use of the Services.
those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation, as further described in clause 2.2(d).
a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
The service commencement date is the date on which this agreement is signed. Access to the CybSafe platform is granted from this date for the length of the subscription period.
a complaint or request relating to either party’s obligations under the Data Protection Laws relevant to this Agreement, including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;
information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 10.5.
6.00am to 9.00pm local UK time, each Business Day
the data inputted by the Customer, Authorised Users, or CybSafe on the Customer’s behalf for the purpose of using the Services or facilitating the Customer’s use of the Services.
has the meaning set out in the Data Protection Laws;
has the meaning given to that term (or to the term ‘processor’) in the Data Protection Laws;
Data Protection Laws
- the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426, and any laws or regulations implementing Directive 95/46/EC (Data Protection Directive) or Directive 2002/58/EC (ePrivacy Directive); and/or
- the General Data Protection Regulation (EU) 2016/679 (GDPR), once applicable, and/or any corresponding or equivalent United Kingdom national laws or regulations (Revised UK DP Law);
- and, in either case any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
has the meaning set out in the Data Protection Laws;
Data Subject Request
a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
the document made available to the Customer by CybSafe online via https://cybsafe.com or such other web address notified by CybSafe to the Customer from time to time which sets out a description of the Services and the user instructions for the Services.
in relation to a company, that company, any subsidiary or any holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company.
Initial Subscription Term:
the initial term of this agreement as set out in the Agreed Terms.
Normal Business Hours:
8.00 am to 6.00 pm local UK time, each Business Day.
has the meaning given to that term in the Data Protection Laws and relates only to personal data, or any part of such personal data, in respect of which the Customer is the Data Controller and in relation to which CybSafe is providing services under this Agreement (but does not, in particular, include personal data provided by an Authorised User or the Customer to a third party acting in the capacity of a data controller);
Personal Data Breach
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Personal Data
the designated representatives of the Customer and CybSafe from time to time who have day-to-day responsibility for the performance of their appointor’s obligations under this agreement and act as the principal point of contact between the parties, as set out in the Agreed Terms as amended by the appointing party to the other in writing.
the period described in clause 7.1.
the subscription services provided by CybSafe to the Customer under this agreement via https://cybsafe.com or any other website notified to the Customer by CybSafe from time to time, as more particularly described in the Documentation.
Service Level Agreement:
the service level agreement set out in Schedule 1.
the online software applications provided by CybSafe as part of the Services.
the subscription fees payable by the Customer to CybSafe for the User Subscriptions, as set out in the Agreed Terms.
has the meaning given in clause 13.1 (being the Initial Subscription Term together with any subsequent Renewal Periods).
any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws
the user subscriptions purchased by the Customer pursuant to clause 8.1 which entitle Authorised Users to access and use the Services and the Documentation in accordance with this agreement.
any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
1.1 Clause, schedule and paragraph headings shall not affect the interpretation of this agreement.
1.2 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person’s legal and personal representatives, successors or permitted assigns.
1.3 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.4 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
1.5 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
1.6 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
1.7 A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this agreement.
1.8 A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this agreement under that statute or statutory provision.
1.9 A reference to writing or written includes faxes but not email.
1.10 References to clauses and schedules are to the clauses and schedules of this agreement; references to paragraphs are to paragraphs of the relevant schedule to this agreement.
1.11 A reference to a holding company or a subsidiary means a holding company or a subsidiary (as the case may be) as defined in section 1159 of the Companies Act 2006. In the case of a limited liability partnership which is a subsidiary of a company or another limited liability partnership, section 1159 of the Companies Act 2006 shall be construed so that: (a) references in sections 1159(1)(a) and (c) to voting rights are to the members’ rights to vote on all or substantially all matters which are decided by a vote of the members of the limited liability partnership; and (b) the reference in section 1159(1)(b) to the right to appoint or remove a majority of its board of directors is to the right to appoint or remove members holding a majority of the voting rights.
2. USER SUBSCRIPTIONS
2.1 Subject to the Customer purchasing the User Subscriptions in accordance with clause 3.3 and clause 8.1, the restrictions set out in this clause 2 and the other terms and conditions of this agreement, CybSafe hereby grants to the Customer a non-exclusive, non-transferable right to permit the Authorised Users to use the Services and the Documentation during the Subscription Term solely for the Customer’s internal business operations.
2.2 In relation to the Authorised Users, the Customer undertakes that:
2.2.1 the maximum number of Authorised Users that it authorises to access and use the Services and the Documentation shall not exceed the number of User Subscriptions it has purchased from time to time
2.2.2 it will not allow or suffer any User Subscription to be used by more than one individual Authorised User;
2.2.3 each Authorised User shall keep a secure password for his use of the Services and Documentation, and that each Authorised User shall keep his password confidential;
2.2.4 it shall maintain a written, up to date list of current Authorised Users and provide such list to CybSafe within 5 Business Days of CybSafe’s written request at any time or times;
2.2.5 it shall permit CybSafe to audit the Services in order to establish the name and password of each Authorised User. Such audit may be conducted no more than once per quarter, at CybSafe’s expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with the Customer’s normal conduct of business;
2.2.6 if any of the audits referred to in clause 2.2(e) reveal that any password has been provided to any individual who is not an Authorised User, then without prejudice to CybSafe’s other rights, the Customer shall promptly disable such passwords and CybSafe shall not issue any new passwords to any such individual; and
2.2.7 if any of the audits referred to in clause 2.2(e) reveal that the Customer has underpaid Subscription Fees to CybSafe, then without prejudice to CybSafe’s other rights, the Customer shall pay to CybSafe an amount equal to such underpayment as calculated in accordance with the prices set out in the Agreed Terms within 10 Business Days of the date of the relevant audit.
2.3 The Customer shall not:
2.3.1 except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties:
2.3.2 and except to the extent expressly permitted under this agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means; or
2.3.3 attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or
2.3.4 access all or any part of the Services and Documentation in order to build a product or service which competes with the Services and/or the Documentation; or
2.3.5 use the Services and/or Documentation to provide services to third parties; or
2.3.6 subject to clause 16.1, license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available to any third party except the Authorised Users, or
2.3.7 attempt to obtain, or assist third parties in obtaining access to the Services and/or Documentation, other than as provided under this clause 2; and
2.4 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify CybSafe.
2.5 The rights provided under this clause 2 are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer unless the Agreed Terms specifies otherwise.
3. ADDITIONAL USER SUBSCRIPTIONS
3.1 Subject to clause 3.2 and clause 3.3, the Customer may, from time to time during any Subscription Term, purchase additional User Subscriptions in excess of the number set out in the Agreed Terms and CybSafe shall grant access to the Services and the Documentation to such additional Authorised Users in accordance with the provisions of this agreement.
3.2 If the Customer wishes to purchase additional User Subscriptions, the Customer shall notify CybSafe in writing. CybSafe shall evaluate such request for additional User Subscriptions and respond to the Customer with approval or rejection of the request (such approval not to be unreasonably withheld).
3.3 If CybSafe approves the Customer’s request to purchase additional User Subscriptions, such additional User Subscriptions will be activated and the additional users will become Authorised Users. The Customer shall then, within 30 days of the date of CybSafe’s invoice, pay to CybSafe the relevant fees for such additional User Subscriptions as set out in the Agreed Terms and, if such additional User Subscriptions are purchased by the Customer part way through the Initial Subscription Term or any Renewal Period (as applicable), such fees shall be pro-rated for the remainder of the Initial Subscription Term or then current Renewal Period (as applicable).
3.4 If CybSafe has not received payment within 30 days, and without prejudice to any other rights and remedies of CybSafe:
3.4.1 CybSafe may, without liability to the Customer, disable access for the Additional Authorised Users.
3.4.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of HSBC Bank plc from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.
4.1 CybSafe shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms of this agreement.
4.2 CybSafe shall use commercially reasonable endeavours to provide the Services in accordance with the Service Level Agreement.
5. DATA PROTECTION
5.1 With respect to the rights and obligations under this written arrangement, the Customer and CybSafe (the Parties) acknowledge that they jointly process Personal Data as set out in schedule 2 to perform their obligations governed by this Agreement in respect of their respective roles, and the relationship between the Customer and Supplier is one of joint controllers.
5.2 The Parties shall comply at all times with and assist each other in complying with their respective responsibilities for compliance with the obligations of all Data Protection Laws in connection with the processing of Personal Data only as set out in Schedule 2 as updated in writing between the Parties from time to time, unless required to process the Personal Data for any other purpose by applicable Law in which case, where legally permitted, the Customer or Supplier must inform the other of this legal requirement before processing.
5.3 Each Party agrees to their respective responsibilities and duties regarding processing as set out in Schedule 2 including:
5.3.1 comply with data protection by design and data protection by default obligations under Data Protection Law, including, where required, legitimate interest assessments and data protection impact assessments and associated consultation with data subjects, other Parties involved with the processing and any applicable supervisory authority, to ensure appropriate technical and organisational measures, including appropriate data protection governance and audit compliance, are implemented to safeguard the rights and freedoms of data subjects;
5.3.2 observe the principles of Data Protection Law, including not retaining any of Personal Data for longer than is necessary to perform its obligations under this Agreement and upon the other Party’s reasonable request, securely destroy (unless applicable Laws require continued storage of Personal Data) or return such Personal Data;
5.3.3 only transfer any Personal Data outside of the European Economic Area (the “EEA”) relying on Adequacy Decisions by the EU Commission or on appropriate standard contractual clauses (“Standard Contractual Clauses”) between the Parties. In the event that the Adequacy Decision granted in respect of the Standard Contractual Clauses is invalidated or suspended, or any supervisory authority requires transfers of personal information pursuant to such Standard Contractual Clauses to be suspended, then the Parties may require to:
5.3.3.1 cease data transfers forthwith, and implement an alternative adequacy mechanism (as agreed in writing by the Parties); or
5.3.3.2 return all Personal Data previously transferred and ensure that a senior officer or director of the Customer or Supplier certifies to the other that this has been done.
5.4 Monitor for, investigate and manage any actual or suspected personal data breach regarding processing activities undertaken by them, to inform the other Party of such personal data breaches without undue delay, and the other Party’s sole and exclusive remedy shall be for the first Party to use reasonable commercial endeavours to resolve the personal data breach;
5.5 Comply with and provide information notices to data subjects regarding processing activities undertaken by them, including personal data breaches – such notices being available at [firstParty.com] or such other website address as may be notified to the other Party from time to time, as such document may be amended from time to time by the first Party in its sole discretion;
5.6 Notify any applicable law enforcement authority (including any applicable supervisory authority) regarding personal data breaches where required relating to processing activities undertaken by them;
5.7 Fulfil any data subject rights request pertaining to their Personal Data or assist the other Party in doing so – such requests to be passed to the other Party within two working days in order to fulfil that request;
5.8 Notify the other Party without undue delay in writing if it receives from any applicable law enforcement authorities (including any applicable regulators) where permitted to do so:
5.8.1 any communication seeking to exercise rights conferred on the data subject by Data Protection Law;
5.8.2 any complaint or any claim for compensation arising from or relating to the processing of Personal Data as set out in Schedule 2
5.8.3 any communication from any applicable law enforcement authorities (including any applicable regulators);
5.9 Provide such information and such assistance to the other Party as they may reasonably require, and within the timescales reasonably specified by the Parties, to allow the other Party to comply with their data protection by design and data protection by default obligations under Data Protection Law, including, where required, consultation regarding legitimate interest assessments and data protection impact assessments, to ensure appropriate technical and organisational measures, including appropriate data protection governance and audit compliance, are implemented to safeguard the rights and freedoms of data subjects, including such full and prompt information and assistance to the other Party and any applicable law enforcement authorities (including any applicable regulators) in relation to a personal data breach.
5.10 Each Party shall designate a contact point for data subjects.
5.11 The Parties agree that they shall at no additional cost, keep or cause to be kept such information as is necessary to demonstrate compliance with their respective obligations under this clause (Data Protection) regarding the joint processing of Personal Data as set out in Schedule 2 carried out by the Parties in writing and in electronic form, and shall, upon reasonable notice, make available to the other Party or grant to the other Party and its auditors and agents, and any applicable law enforcement authority (including any applicable supervisory authority), a right of access to, and to take copies of, any information or records kept by the other Party pursuant to this clause (Data Protection) – this information to contain no less than:
5.11.1 their name and contact details, including those of its Companies, and, where applicable, of their representative, and their data protection officer;
5.11.2 the details regarding their respective processing set out in schedule 2
5.11.3 a general description of the appropriate technical and organisational measures to protect Personal Data against accidental or unlawful processing, loss, destruction, damage, alteration, or unauthorised disclosure or access, including so as to allow the Parties to comply with their obligations under Data Protection Law – in particular:
5.11.3.1 to safeguard against the specific offences:
5.11.3.2 for a person knowingly or recklessly to re-identify Personal Data that is de-identified Personal Data without the consent of the controller responsible for de-identifying the personal data.
5.11.3.3 to alter, deface, block, erase, destroy or conceal Personal Data with the intention of preventing disclosure of all or part of the Personal Data that the person making the request would have been entitled to receive.
5.11.4 where transferring Personal Data to a third country or an international organisation, the identification of that third country or international organisation and, in the case of ex-EEA transfers without adequacy, binding corporate rules, code of conduct, data protection seals, or standard contractual clauses, the documentation of appropriate safeguards such as:
5.11.4.1 explicit consent from affected data subjects, or
5.11.4.2 evidence that the transfer is required for the performance or conclusion of the performance of a contract with said data subjects.
5.11.5 ensure that any staff or personnel (including contractors) authorised to process Personal Data shall be subject to a binding duty of confidentiality in respect of such data.
5.12 The Parties agree to notify each other immediately if, in the opinion of the other Party, the written arrangement for the processing of Personal Data given by the Customer or Supplier violates any provision of Data Protection Law.
5.13 Neither Party must perform their obligations under this Agreement in such a way as to cause the other Party to violate any of their obligations under Data Protection Law.
5.14 Whereas neither Party shall be responsible for accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, by the other party, both parties shall be liable where the data subject may exercise his or her rights under Data Protection Laws.
5.15 For the purposes of this clause (Data Protection), “controller”, “joint controller”, “processor”, “data subject”, “personal data”, “processing”, “personal data breach” and “appropriate technical and organisational measures” will be interpreted in accordance with Data Protection Law.
5.16 Schedule 2 includes in particular the role of each Party, the subject-matter, nature, scope, context (including duration of the processing) and purpose of the processing, the type of personal data and categories of data subjects.
6. CYBSAFE’S OBLIGATIONS
6.1 CybSafe undertakes that the Services will be performed substantially in accordance with the Documentation and with reasonable skill and care.
6.2 The undertaking at clause 6.1 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to CybSafe’s instructions, or modification or alteration of the Services by any party other than CybSafe or CybSafe’s duly authorised contractors or agents. If the Services do not conform with the foregoing undertaking, CybSafe will, at its expense, use all reasonable commercial endeavours to correct any such non-conformance promptly, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer’s sole and exclusive remedy for any breach of the undertaking set out in clause 6.1. Notwithstanding the foregoing, CybSafe:
6.2.1 does not warrant that the Customer’s use of the Services will be uninterrupted or error-free; or that the Services, Documentation and/or the information obtained by the Customer through the Services will meet the Customer’s requirements; and
6.2.2 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities.
6.3 This agreement shall not prevent CybSafe from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this agreement.
6.4 CybSafe warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this agreement.
7. CUSTOMER’S OBLIGATIONS
7.1 The Customer shall:
7.1.1 provide CybSafe with:
7.1.1.1 all necessary cooperation in relation to this agreement; and
7.1.1.2 all necessary access to such information as may be required by CybSafe in order to provide the Services, including but not limited to Customer Data, security access information and configuration services;
7.1.2 comply with all applicable laws and regulations with respect to its activities under this agreement;
7.1.3 carry out all other Customer responsibilities set out in this agreement in a timely and efficient manner. In the event of any delays in the Customer’s provision of such assistance as agreed by the parties, CybSafe may adjust any agreed timetable or delivery schedule as reasonably necessary
7.1.4 ensure that the Authorised Users use the Services and the Documentation in accordance with the terms and conditions of this agreement and shall be responsible for any Authorised User’s breach of this agreement;
7.1.5 obtain and shall maintain all necessary licences, consents, and permissions necessary for CybSafe, its contractors and agents to perform their obligations under this agreement, including without limitation the Services;
7.1.6 ensure that its network and systems comply with the relevant specifications provided by CybSafe from time to time; and
7.1.7 be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to CybSafe’s data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer’s network connections or telecommunications links or caused by the internet.
8. CHARGES AND PAYMENT
8.1 The Customer shall pay the Subscription Fees to CybSafe for the User Subscriptions in accordance with this clause 8 and the Agreed Terms
8.2 The Customer shall complete Schedule 3 (invoicing details) or prior to the Commencement Date provide to CybSafe approved purchase order information acceptable to CybSafe and any other relevant valid, up-to-date and complete contact and billing details and CybSafe shall invoice the Customer:
8.2.1 for the Subscription Fees payable in respect of the Initial Subscription Term; and
8.2.2 subject to clause 13.1, at least 30 days prior to each anniversary of the Commencement Date for the Subscription Fees payable in respect of the next Renewal Period,
8.2.3 The Customer shall pay each invoice within 30 days of receipt.
8.3 If CybSafe has not received payment within 30 days of receipt of the invoice, and without prejudice to any other rights and remedies of CybSafe
8.3.1 CybSafe may, without liability to the Customer, disable the Customer’s password, account and access to all or part of the Services and CybSafe shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and
8.3.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 3% over the then current base lending rate of HSBC Bank plc from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.
8.4 All amounts and fees stated or referred to in this agreement:
8.4.1 shall be payable in pounds sterling;
8.4.2 are, subject to clause 12.4(b), non-cancellable and non-refundable
8.4.3 are exclusive of value added tax, which shall be added to CybSafe’s invoice(s) at the appropriate rate.
8.5 CybSafe shall be entitled to increase the Subscription Fees, the fees payable in respect of the additional User Subscriptions purchased pursuant to clause 3.3 at the start of each Renewal Period upon 90 days’ prior notice to the Customer and the Agreed Terms shall be deemed to have been amended accordingly.
9. PROPRIETARY RIGHTS
9.1 The Customer acknowledges and agrees that CybSafe and/or its licensors own all intellectual property rights in the Services and the Documentation. Except as expressly stated herein, this agreement does not grant the Customer any rights to, or in, patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Services or the Documentation.
9.2 CybSafe confirms that it has all the rights in relation to the Services and the Documentation that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this agreement.
10.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this agreement. A party’s Confidential Information shall not be deemed to include information that:
10.1.1 is or becomes publicly known other than through any act or omission of the receiving party;
10.1.2 was in the other party’s lawful possession before the disclosure;
10.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure;
10.1.4 is independently developed by the receiving party, which independent development can be shown by written evidence; or
10.1.5 is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
10.2 Each party shall hold the other’s Confidential Information in confidence and, unless required by law, not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of this agreement.
10.3 Each party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this agreement.
10.4 Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.
10.5 The Customer acknowledges that details of the Services, and the results of any performance tests of the Services, constitute CybSafe’s Confidential Information.
10.6 CybSafe acknowledges that the Customer Data is the Confidential Information of the Customer.
10.7 This clause 10 shall survive termination of this agreement, however arising.
10.8 The Customer acknowledges and consents that CybSafe may make any public announcement concerning this agreement without the prior written consent of the other parties, except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction.
11.1 CybSafe shall defend the Customer, its officers, directors and employees against any claim that the Services or Documentation infringes any United Kingdom patent effective as of the Commencement Date, copyright, trademark, database right or right of confidentiality, and shall indemnify the Customer for any amounts awarded against the Customer in judgment or settlement of such claims, provided that:
11.1.1 CybSafe is given prompt notice of any such claim;
11.1.2 the Customer provides reasonable co-operation to CybSafe in the defence and settlement of such claim, at CybSafe’s expense; and
11.1.3 CybSafe is given sole authority to defend or settle the claim.
11.2 In the defence or settlement of any claim, CybSafe may procure the right for the Customer to continue using the Services, replace or modify the Services so that they become non-infringing or, if such remedies are not reasonably available, terminate this agreement on 2 Business Days’ notice to the Customer without any additional liability or obligation to pay liquidated damages or other additional costs to the Customer.
11.3 In no event shall CybSafe, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged infringement is based on:
11.3.1 a modification of the Services or Documentation by anyone other than CybSafe; or
11.3.2 the Customer’s use of the Services or Documentation in a manner contrary to the instructions given to the Customer by CybSafe; or
11.3.3 the Customer’s use of the Services or Documentation after notice of the alleged or actual infringement from CybSafe or any appropriate authority.
11.4 The foregoing states the Customer’s sole and exclusive rights and remedies, and CybSafe’s (including CybSafe’s employees’, agents’ and sub-contractors’) entire obligations and liability, for infringement of any patent, copyright, trademark, database right or right of confidentiality.
12. LIMITATION OF LIABILITY
12.1 This clause 12 sets out the entire financial liability of CybSafe (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Customer:
12.1.1 arising under or in connection with this agreement;
12.1.2 in respect of any use made by the Customer of the Services and Documentation or any part of them;
12.1.3 in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with this agreement.
12.2 Except as expressly and specifically provided in this agreement:
12.2.1 the Customer assumes sole responsibility for results obtained from the use of the Services and the Documentation by the Customer, and for conclusions drawn from such use;
12.2.2 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this agreement; and
12.2.3 the Services and the Documentation are provided to the Customer on an “as is” basis.
12.3 Nothing in this agreement excludes the liability of CybSafe:
12.3.1 for death or personal injury caused by CybSafe’s negligence; or
12.3.2 for fraud or fraudulent misrepresentation.
12.4 Subject to clause 12.2 and clause 12.3:
12.4.1 CybSafe shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this agreement; and
12.4.2 CybSafe’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement shall be limited to the total Subscription Fees paid for the User Subscriptions during the 12 months immediately preceding the date on which the claim arose.
13. TERM AND TERMINATION
13.1 This agreement shall, unless otherwise terminated as provided in this clause 13, commence on the Commencement Date and shall continue for the Initial Subscription Term and, thereafter, this agreement shall be automatically renewed for successive periods of 12 months (each a Renewal Period), unless:
13.1.1 either party notifies the other party of termination, in writing, at least 60 days before the end of the Initial Subscription Term or any Renewal Period, in which case this agreement shall terminate upon the expiry of the applicable Initial Subscription Term or Renewal Period; or
13.1.2 otherwise terminated in accordance with the provisions of this agreement; and the Initial Subscription Term together with any subsequent Renewal Periods shall constitute the Subscription Term.
13.2 Without affecting any other right or remedy available to it, either party may terminate this agreement with immediate effect by giving written notice to the other party if:
13.2.1 the other party fails to pay any amount due under this agreement on the due date for payment and remains in default not less than 20 days after being notified in writing to make such payment;
13.2.2 the other party commits a material breach of any other term of this agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;
13.2.3 the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
13.2.4 a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;
13.2.5 an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party;
13.2.6 the holder of a qualifying floating charge over the assets of that other party has become entitled to appoint or has appointed an administrative receiver;
13.2.7 a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;
13.2.8 a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other such process is levied or enforced on or sued against, the whole or any part of the other party’s assets and such attachment or process is not discharged within 14 days;
13.2.9 any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 13.2(c) to clause 13.2(h) (inclusive).
13.3 On termination of this agreement for any reason:
13.3.1 all licences granted under this agreement shall immediately terminate;
13.3.2 CybSafe may terminate any licence granted to Authorised Users in connection with the use of a mobile application as part of the Services;
13.3.3 each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party;
13.3.4 CybSafe may destroy or otherwise dispose of any of the Customer Data and the Analytical Data in its possession unless CybSafe receives, no later than ten days after the Commencement date of the termination of this agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data and Analytical Data. CybSafe shall use reasonable commercial endeavours to deliver the back-up to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by CybSafe in returning or disposing of Customer Data and Analytical Data or providing the Customer with a back-up copy of such data; and
13.3.5 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.
14. FORCE MAJEURE
14.1 CybSafe shall have no liability to the Customer under this agreement if it is prevented from or delayed in performing its obligations under this agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of CybSafe or any other party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors, provided that the Customer is notified of such an event and its expected duration.
15.1 Conflict. If there is an inconsistency between any of the provisions in the Agreed Terms, the main body of this agreement and the Schedule, the provisions shall take precedence in the order stated in this clause 15.1.
15.2 Variation. No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
15.3 Waiver. No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
15.4 Rights and Remedies. Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
15.5 Severance. If any provision (or part of a provision) of this agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
15.6 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.
15.7 Entire Agreement. This agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
15.8 Each of the parties acknowledges and agrees that in entering into this agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this agreement or not) relating to the subject matter of this agreement, other than as expressly set out in this agreement.
15.9 No Partnership or Agency. Nothing in this agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).
15.10 Third Party Rights. This agreement does not confer any rights on any person or party (other than the parties to this agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.
16.1 The Customer shall not, without the prior written consent of CybSafe (which shall not be unreasonably withheld or delayed), assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this agreement.
16.2 CybSafe may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this agreement.
17.1 Any notice required to be given under this agreement shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address set out in this agreement, or such other address as may have been notified by that party for such purposes, or sent by fax to the other party’s fax number as set out in this agreement.
17.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by fax shall be deemed to have been received at the time of transmission (as shown by the timed printout obtained by the sender).
18. GOVERNING LAW AND JURISDICTION
18.1 This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
18.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
Schedule 1 – Service Level Agreement
Schedule 2 – Data Protection
Schedule 3 – Data Privacy Notice
Schedule 4 – Invoicing Details
THIS AGREEMENT has been entered into on the date stated at the beginning of it.
END OF TERMS – SEE SCHEDULES OVER THE PAGE
SCHEDULE 1 – SERVICE LEVEL AGREEMENT
The following definitions and rules of interpretation apply in this schedule.
1.1 Definitions:
1.1.1 Commercially Reasonable Effort: the same degree of priority and diligence with which Cybsafe meets the support needs of its other similar customers.
1.1.2 Customer Cause: any of the following causes:
1.1.2.1 any improper use, misuse or unauthorised alteration of the Software or Services by the Customer;
1.1.2.2 any use of the Software or Services by the Customer in a manner inconsistent with the then-current Documents; and
1.1.2.3 outages or disruptions to the Service caused by the Customer.
1.1.3 Fault: any failure of the Services to operate in all material respects in accordance with the Documentation, including any failure or error referred to in the Service Level Table.
1.1.4 Help Desk Support: any support provided by help desk technicians sufficiently qualified and experienced to identify and resolve most support issues relating to the Services.
1.1.5 Main Agreement: the agreement to which this schedule relates.
1.1.6 Out-of-scope Services: any services provided by Cybsafe in connection with any apparent problem regarding the Services reasonably determined by Cybsafe not to have been caused by a Fault, but rather by a Customer Cause or a cause outside Cybsafe’s control (including any investigational work resulting in such a determination).
1.1.7 Service Levels: the service level responses and response times referred to in the Service Level Table.
1.1.8 Service Level Table: the table set out in paragraph 6.
1.1.9 Solution: either of the following outcomes:
1.1.9.1 correction of a Fault; or
1.1.9.2 a workaround in relation to a Fault (including a reversal of any changes to the Software and/or Services if deemed appropriate by Cybsafe) that is reasonably acceptable to the Customer.
1.1.10 Support Request: request made by the Customer in accordance with this schedule for support in relation to the Services, including correction of a Fault.
1.1.11 Support Services: Maintenance of the Software and providing Help Desk Support but excluding any Out-of-scope Services.
1.1.12 All initial capitalised terms in this schedule shall have the meaning given to them in the Main Agreement.
2. SUPPORT SERVICES
2.1 During the Subscription Term Cybsafe shall perform the Support Services during the Normal Working Hours in accordance with the Service Levels.
2.2 As part of the Support Services, Cybsafe shall:
2.2.1 provide Help Desk Support by means of the following e-mail address email@example.com and by means of the help desk support page;
2.2.2 use Commercially Reasonable Efforts to correct all Faults notified under paragraph (a); and
2.2.3 provide technical support for the Software and the Services in accordance with the Service Levels.
2.3 Cybsafe shall carry out planned maintenance outside of the Core Hours; and
2.4 Cybsafe may reasonably determine that any services are Out-of-scope Services. If Cybsafe makes any such determination, it shall promptly notify the Customer of that determination.
2.5 The Customer acknowledges that Cybsafe is not obliged to provide Out-of-scope Services.
3.1 The provision of Support Services on a remote (via email), off-site basis within the Subscription Term shall be included in the Subscription Fees.
3.2 The provision of Support Services outside the Subscription Term or at the Customer’s premises or the provision of Out-of-scope Services shall be charged at the time and materials rates agreed between the parties when the Out-of-Scope Services are requested.
4. SUBMITTING SUPPORT REQUESTS AND ACCESS
4.1 The Customer may request Support Services by way of a Support Request made via email by completing the support request form on the help desk support page.
4.2 Each Support Request shall include a description of the problem and the start time of the incident.
4.3 The Customer shall provide Cybsafe with:
4.3.1 prompt notice of any Faults; and
4.3.2 such output and other data, documents, information, assistance and (subject to compliance with all Customer’s security and encryption requirements notified to Cybsafe in writing) remote access to the Customer System, as are reasonably necessary to assist Cybsafe to reproduce operating conditions similar to those present when the Customer detected the relevant Fault and to respond to the relevant Support Request.
4.4 All Support Services shall be provided remotely by Cybsafe.
5. SERVICE LEVELS
5.1 Service Availability and Maintenance
5.1.1 Cybsafe shall use commercially reasonable endeavours to make the Services available 97% of the time during the Core Hours, except for unscheduled maintenance performed during the Core Hours, provided that Cybsafe has used reasonable endeavours to give the Customer at least 3 Core Hours’ notice in advance.
6.1 Cybsafe shall:
6.1.1 prioritise all Support Requests based on its reasonable assessment of the severity level of the problem reported; and
6.1.2 respond to all Support Requests within the response times specified in the table set out below by acknowledging receipt of the Support Request and commencing Commercially Reasonable Efforts to achieve a Solution:
|Severity level of Fault||Definition||Service Level response time*|
|1||Fatal: An error in, or failure of, the Services such that the Services are unavailable to all Authorised Users||4 Normal Working Hours|
|2||Severe: An error in, or failure of, the Services with more than 25% of Authorised Users or critical functions affected but which is not a Fatal Fault. Use of Services is intermittent.||12 Normal Working Hours|
|3||Medium: An error in, or failure of, the Services: a) that affects between more than 10% number of Authorised Users but which is not a Fatal or Severe Fault; and/or b) that affects a limited number of functions; but the Services can still be used.||24 Normal Working Hours|
|4||Minor: An error in, or failure of, the Services that affects less than 10% of Authorised Users. The Service can still be used.||3 Business Days|
*For the purposes of this table, where a Support Request is received outside Normal Working Hours, it shall be deemed to have been received upon the commencement of the next Normal Working Hour.
6.2 The parties may, on a case-by-case basis, agree in writing to a reasonable extension of the Service Level response times.
6.3 Cybsafe shall give the Customer regular updates of the nature and status of its efforts to correct any Fault.
6.4 All Support Requests shall be received and responded to in English.
7.1 If the Customer is not satisfied with the response or the response time, the Customer may escalate the Support Request to the parties’ respective Relationship Managers.
8.1 In addition to the mechanisms for giving notice specified in clause 17 of the Main Agreement, the parties may communicate in respect of any matter referred to in this schedule by e-mail (unless specified otherwise).
END OF SCHEDULE
SCHEDULE 2 – DATA PROTECTION
CybSafe provides an intelligent cyber security Awareness, Behaviour and Culture platform, for the Customer to actively manage human cyber risk by improving the online behaviours of personnel (the Service). The platform is delivered as a single online cloud-based Software as a Service (SaaS), which reveals and responds to reliable metrics and data-driven insights to actively manage human cyber risk and resilience. Ultimately, the platform allows the Customer to stop paying lip-service to the human side of the equation, meaningfully reduce human cyber risk, and use a tool that gets more efficient and effective over time – whilst providing the Customer with the data to prove it, thereby putting an end to the reliance on tick-box security awareness training and meaningless phishing simulation statistics.
The standard components of the platform are:
● Security Awareness Training
● Intelligent Phishing Simulation
● Risk Reduction Metrics
● Insider Threat Risk Mitigation
● Compliance & Risk: The Human Factor
● Cyber Security Behaviour and Culture
1 It is the role of the Customer to determine:
1.1 The aims of using the Service to:
1.1.1 more effectively manage their cyber risk profile,
1.1.2 leverage ease of administration and reporting capabilities of the Service to streamline business processes including billing for the Service,
1.1.3 facilitate inclusive functions and features to improve the online behaviours of personnel, and
1.1.4 generate reports to enhance the Service, including the necessity to process personnel Personal Data with the intended effect on such personnel being to improve their performance and choices such that all Parties benefit through statistical information to make decisions;
2 That all the following personnel shall use the Service (users) to improve their online behaviours:
2.1 administrators in the HR department, that shall exclusively also have administration rights and access permissions to initiate all users and generate reports regarding their own and team members’ performance,
2.2 managers from across the business, that shall also have access to People tab and generate reports regarding their own and team members’ performance, and
2.3 members of staff, including contractors, that shall also have the ability to generate reports regarding their own performance; and
3 That the following features and functions of the Service shall be utilised:
3.1 Administration – administrators shall source the email addresses and contact details for all users to input on the platform to facilitate the configuration and use of, as well as rights and access permissions to, the Service by users,
3.2 Report generation – reports rely upon further inputs from users on the intuitive, easy-to-use platform, such inputs being systematically monitored and tracked using first and third party cookies and other similar technologies relating to the contact details, IP Addresses and responses of users, which may include special categories of Personal Data entered into free-text fields, utilising data analytics, artificial intelligence (AI) and machine learning techniques on an ongoing basis to identify, match, combine and analyse such available inputs as well as derived profiles from AI-curated content, targeted learning, virtual cyber assistance, personalised ‘nudge’ interventions, simulated social engineering attacks, and practical assessments relating to the users to score their individual ratings regarding their current online performance and previous historic differentials against a set of cyber risk criteria compiled in automatically generated reports to compare results individually and across all users that all scientifically address human cyber security risk on a single system underpinned by psychology and behavioural science, which supports users at the right time, in the right way, and in a way much more likely to influence behaviours and attitudes, and that makes it easy to track impact, progress, areas for improvement, and return on investment, such risk metrics, measurements, indicators, insights and advanced reporting being used for the following purposes:
3.2.1 profiling of users to quantify and demonstrably reduce the Customer’s human cyber risk vis-a-vis their online behaviours, choices and performance are adequately understood and improving, as determined by the Customer, the retention period being determined by the Agreement and whilst the Customer administrator has authorised their access to the Service,
3.2.2 anonymised statistical output for billing, as determined by both Parties, the retention period to generate such bills from available usage being 7 years in case of handling enquiries and complaints,
3.2.3 platform usage regarding security, load balancing and other performance management, as well as Service development and innovation, as determined by the Supplier, the retention period to generate such insight being 1 year,
And that such available inputs are in addition disclosed to and processed by other Parties, also joint controllers, within and outside the European Economic Area (EEA) subject to appropriate safeguards including adequacy, binding corporate rules, code of conduct, data protection seals, or standard contractual clauses.
4 It is the role of the Supplier through the provision of the SaaS platform to determine:
4.1 The aim of the Service to:
4.1.1 more effectively manage the cyber risk profile of the Customer by facilitating the functions and features to improve the online behaviours of Customer personnel,
4.1.2 leverage ease of administration and reporting capabilities of the Service to streamline business processes including billing for the Service, and
4.1.3 monitor and optimise the platform performance and security, including generating reports to enhance the Service, including the necessity to process personnel Personal Data with the intended effect on such personnel being to improve their performance and choices such that all Parties benefit through statistical information to make decisions;
5 The means to most effectively provide rights and access permissions to the following:
5.1 administrators in the HR department, that shall exclusively also have administration rights and access permissions to initiate all users and generate reports regarding their own and team members’ performance,
5.2 managers from across the business, that shall also have access to People tab and generate reports regarding their own and team members’ performance, and
5.3 members of staff, including contractors, that shall also have the ability to generate reports regarding their own performance; and
6 The means to most effectively manage the processing of personnel Personal Data with regards to the following features and functions:
6.1 Administration – allowing administrators to input sourced email addresses and contact details for all users onto the platform and to facilitate the configuration and use of, as well as rights and access permissions to, the Service by users,
6.2 Report generation – to allow all users to generate reports relying upon further inputs from users on the intuitive, easy-to-use platform, such inputs being systematically monitored and tracked using first and third party cookies and other similar technologies relating to the contact details, IP Addresses and responses of users, which may include special categories of Personal Data entered into free-text fields, utilising data analytics, artificial intelligence (AI) and machine learning techniques on an ongoing basis to identify, match, combine and analyse such available inputs as well as derived profiles from AI-curated content, targeted learning, virtual cyber assistance, personalised ‘nudge’ interventions, simulated social engineering attacks, and practical assessments relating to the users to score their individual ratings regarding their current online performance and previous historic differentials against a set of cyber risk criteria compiled in automatically generated reports to compare results individually and across all users that all scientifically address human cyber security risk on a single system underpinned by psychology and behavioural science, which supports users at the right time, in the right way, and in a way much more likely to influence behaviours and attitudes, and that makes it easy to track impact, progress, areas for improvement, and return on investment, such risk metrics, measurements, indicators, insights and advanced reporting being used for the following purposes:
6.2.1 profiling of users to demonstrate that their online behaviours, choices and performance are adequately understood and improving, as determined by the Customer, the retention period being determined by the Agreement and whilst the Customer administrator has authorised their access to the Service, such Personal Data being secured deleted or returned as determined by the Agreement,
6.2.2 anonymised statistical output for billing, as determined by both Parties, the retention period to generate such bills from available usage being 7 years in case of handling enquiries and complaints, such Personal Data being secured deleted or returned as determined by the Agreement, and
6.2.3 platform usage regarding security, load balancing and other performance management, as well as Service development and innovation, as determined by the Supplier, the retention period to generate such insight being 1 year, such Personal Data being secured deleted or returned as determined by the Agreement,
And that such available inputs are in addition disclosed to and processed by other Parties, also joint controllers, within and outside the European Economic Area (EEA) subject to appropriate safeguards including adequacy, binding corporate rules, code of conduct, data protection seals, or standard contractual clauses.
END OF SCHEDULE