Terms & Conditions

Last updated January 2024

1. Definitions

"Additional Charges" means such amounts charged by the Provider, as specified in the Proposal, for exceeding the Customer's allocated allowance for the Services;

"Account" means an account enabling a person to access and use the Hosted Services, including both administrator accounts and user accounts;

"Agreement" means the agreement between the parties for the supply of the Services in accordance with the Proposal, the Documentation and these Terms and Conditions (including any Schedules);

"Business Day" means any weekday other than a bank or public holiday in England;

"Business Hours" means the hours of 09:00 to 17:00 GMT/BST on a Business Day;

"Charges" means the following amounts plus the applicable rate of VAT:

(a) the amounts specified in the Proposal; and

(b) such amounts as may be agreed in writing by the parties from time to time;

"Confidential Information" means any confidential information disclosed by a party to the other party in connection with the Permitted Purpose during the Term (whether disclosed in writing, orally or otherwise) that at the time of disclosure was marked or described as "confidential" or should have been understood by the receiving party (acting reasonably) to be confidential;

"Customer" means the person or entity identified as such in the Proposal;

"Customer Data" means all data, works and materials: uploaded to or stored on the Platform by the Customer; transmitted by or to the Platform at the instigation of the Customer; supplied by the Customer to the Provider for uploading to, transmission by or storage on the Platform; or generated by the Platform as a result of the use of the Hosted Services by the Customer;

"Documentation" means the documentation for the Hosted Services produced by the Provider and delivered or made available by the Provider to the Customer from time to time;

"Effective Date" means the date upon which the parties execute a hard-copy Proposal; or, following the Customer completing and submitting the online Proposal published by the Provider on the Provider's website, the date upon which the Provider sends to the Customer an order confirmation;

"End Users" means those organisations or individuals for which a contractual agreement exists with the Customer for the provision of services by the Customer. For the avoidance of doubt this excludes all Intermediaries;

"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including, but not limited to, failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);

"Hosted Services" means the hosted services set out in the Proposal and as specified in the Hosted Services Specification, which will be made available by the Provider to the Customer as a service via the Platform in accordance with the Agreement;

"Hosted Services Specification" means the specification for the Platform and Hosted Services set out in the Proposal and in the Documentation;

"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights (and these "intellectual property rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trademarks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);

"Intermediaries" means organisations or individuals that intend to pass on the Services to their End Users including but not limited to charities, printers, print managers and marketing agencies;

"Maintenance Services" means the general maintenance of the Platform and Hosted Services;

"Minimum Term" means the period set out in the Proposal beginning on the Effective Date;

"Permitted Purpose" means the provision and receipt of web to print marketing portals and services, document and artwork creation solutions and brand management systems to End Users;

"Platform" means the platform managed by the Provider and used by the Provider to provide the Hosted Services, including the application and database software for the Hosted Services, the system and server software used to provide the Hosted Services, and the computer hardware on which that application, database, system and server software is installed;

"Provider" means RightMarket Limited, a company incorporated in England and Wales (registration number 06119277) having its registered office at The Station House, 15 Station Road, St Ives, Cambridgeshire, PE27 5BH and its permitted assignees;

"Proposal" means an online order published by the Provider in any format and completed and submitted by the Customer, or a hard-copy order form signed or otherwise agreed by or on behalf of each party, in each case incorporating these Terms and Conditions by reference;

"Services" means the Hosted Services, Maintenance Services, Set Up Services, Support Services and any services that the Provider provides to the Customer as specified in the Proposal, or has an obligation to provide to the Customer, under these Terms and Conditions;

"Set Up Services" means the configuration, implementation and integration of the Hosted Services in accordance with the Proposal;

"Support Services" means support in relation to the use of, and the identification and resolution of errors in, the Hosted Services, but shall not include any other service or the provision of training services;

"Suspension of Services" means a temporary staged suspension of Services in accordance with Clause 12.4, resulting in any or all of the following at the election of the Provider in its complete discretion as notified to the Customer in writing:

(a) "Support Suspension" - The Customer will not receive Support Services;

(b) "Partial Suspension" - The Customer will be unable to administrate the Hosted Services;

"Term" has the meaning given in Clause 3.1; and

"Terms and Conditions" means these terms and conditions (including any Schedules).

2. Interpretation

2.1 Unless expressly provided otherwise in the Agreement, a reference to legislation or a legislative provision:

(a) is a reference to it as amended, extended or re-enacted from time to time; and

(b) shall include all subordinate legislation made from time to time under that legislation or legislative provision.

3. Term

3.1 The Agreement shall come into force upon the Effective Date and shall continue, unless terminated earlier in accordance with Clause 20, for the Minimum Term and shall automatically extend on a rolling basis at the end of the Minimum Term ("Term").

4. Set Up Services

4.1 The Provider shall provide the Set Up Services to the Customer.

4.2 The Provider shall use reasonable endeavours to ensure that the Set Up Services are provided as soon as is reasonably practicable following the Effective Date.

4.3 The Customer acknowledges that a delay in the Customer performing its obligations in the Agreement may result in a delay in the performance and implementation of the Set Up Services and, subject to Clause 18.1, the Provider will not be liable to the Customer in respect of any such failure caused thereby or to meet any Set Up Services timetable to the extent that that failure is due to matters beyond the reasonable control of the Provider or arises from a delay in the Customer performing its obligations under the Agreement.

4.4 Subject to any written agreement of the parties to the contrary, any Intellectual Property Rights that may arise out of the performance of the Set Up Services by the Provider (excluding any Customer Data) shall be the exclusive property of the Provider.

5. Hosted Services

5.1 The Provider shall create an Account for the Customer and shall provide to the Customer login details for that Account on or as soon as is reasonably practicable following the Effective Date.

5.2 The Provider hereby grants to the Customer a non-exclusive licence to use the Hosted Services in accordance with the Agreement during the Term.

5.3 The licence granted by the Provider to the Customer under Clause 5.2 is subject to the following limitation: the Hosted Services may only be used by the officers, employees and subcontractors of the Customer or its End Users. In the case of the Customer's subcontractors, these must be approved by the Provider in writing before carrying out any service for the Customer using the Hosted Services.

5.4 Notwithstanding any other provision of this Agreement, in respect of the licence granted by the Provider to the Customer under Clause 5.2, the Customer undertakes that it shall not:

(a) permit any unauthorised person to access or use the Hosted Services in contravention of the restriction set out in Clause 5.3;

(b) sub-license its right to access and/or use the Hosted Services to Intermediaries;

(d) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Platform and/or Documentation (as applicable) in any form or media or by any means;

(e) attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Platform; and

(f) access all or any part of the Platform and Documentation in order to build a product or service which competes with the Hosted Services and/or the Documentation.

The restrictions set out in Clauses 5.4(b) and 5.4(c) above are not to be imposed on End Users.

5.5 The Customer shall use reasonable endeavours, including reasonable security measures relating to Account access details to ensure that no unauthorised person may gain access to the Hosted Services whether by using an Account or howsoever.

5.6 The Customer and its End Users must comply with Schedule 1 (Acceptable Use Policy), and must ensure that all persons using the Hosted Services with the authority of the Customer or by means of an Account in accordance with Clause 5.5 comply therewith.

5.7 The parties acknowledge and agree that Schedule 2 (Availability SLA) shall govern the availability of the Hosted Services.

5.8 For the avoidance of doubt, the Customer and its End Users have no right to access the software code (including object code, intermediate code and source code) of the Platform, whether before, during or after the Term.

5.9 The provision of Hosted Services within this Clause 5 is subject to Suspension of Services.

6. Maintenance Services and Support Services

6.1 The Provider shall provide the Maintenance Services and Support Services to the Customer during the Term.

6.2 The Provider shall provide the Maintenance Services and Support Services with reasonable skill and care.

6.3 The Provider shall provide the Maintenance Services and Support Services in accordance with Schedule 3 (Maintenance SLA) and Schedule 4 (Support SLA), respectively.

7. Customer Obligations

7.1 Save to the extent that the parties have agreed otherwise in writing, the Customer must provide to the Provider, or procure for the Provider, such:

(a) co-operation, support and advice; and

(b) information and documentation,

as are reasonably necessary to enable the Provider to perform its obligations under the Agreement.

8. Customer Data

8.1 The Customer shall own all right, title and interest in and to all of the Customer Data that is not Personal Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of all such Customer Data.

8.2 The Customer hereby grants to the Provider a limited non-exclusive licence to copy, reproduce, store, distribute, publish, export, adapt, edit and translate the Customer Data to the extent reasonably required for the performance of the Provider's obligations and the exercise of the Provider's rights under the Agreement, together with the right to sub-license these rights to its hosting, connectivity and telecommunications service providers to the extent reasonably required for the performance of the Provider's obligations for the duration of the Agreement.

8.3 The Customer warrants to the Provider that the Customer Data will not infringe the Intellectual Property Rights or other legal rights of any person, and will not breach the provisions of any law, statute or regulation, in any jurisdiction and under any applicable law within which the Customer operates.

9. Intellectual Property Rights

9.1 The Customer acknowledges and agrees that the Provider and/or its licensors own all Intellectual Property Rights in the Platform, Services and the Documentation. Except as expressly stated herein, the Agreement does not grant the Customer any rights to, under or in, any patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Platform, Services or the Documentation.

9.2 The Provider confirms that it has all the rights in relation to the Platform, Services and the Documentation that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of the Agreement.

10. Representatives

10.1 The Customer shall ensure that all instructions given by the Customer in relation to the matters contemplated in the Agreement will be given by a Customer representative duly authorised to give the same on behalf of the Customer to a Provider representative duly authorised to give the same on behalf of the Provider, and the Provider:

(a) may treat all such instructions as the fully authorised instructions of the Customer; and

(b) may decline to comply with any other instructions in relation to that subject matter.

11. Charges

11.1 The Customer shall pay the Charges and Additional Charges to the Provider in accordance with the Agreement.

11.2 All amounts stated in or in relation to the Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by the Customer to the Provider.

11.3 The Provider may elect to vary any element of the Charges on an annual basis by giving to the Customer not less than 30 days' written notice of the proposed variation.

12. Payments

12.1 The Provider shall issue invoices for the Charges and Additional Charges to the Customer during the Term as agreed in the Proposal.

12.2 The Customer must pay the Charges and Additional Charges to the Provider by the due date specified on the invoices and in default thereof within 30 days.

12.3 The Customer must pay the Charges and Additional Charges by direct debit (using such payment details as are notified by the Provider to the Customer from time to time).

12.4 If the Customer does not promptly pay any amount properly due to the Provider under the Agreement, the Provider may:

(a) immediately apply a Suspension of Services following 7 days written notice of any such suspension;

(b) claim interest and statutory compensation from the Customer pursuant to the Late Payment of Commercial Debts (Interest) Act 1998; and

(c) charge the Customer such administration fee as may be determined by the Provider should e.g., a new direct debit payment need to be set up.

12.5 The Customer will notify the Provider in writing within 14 days of receipt of an invoice if the Customer considers such invoice incorrect or invalid for any reason, failing which the Customer will raise no objection to any such invoice and shall make full payment in accordance with it.

13. Confidentiality Obligations

13.1 Each party must:

(a) keep the other party's Confidential Information strictly confidential;

(b) not disclose the other party's Confidential Information to any person without the other party's prior written consent, and then only under conditions of confidentiality approved in writing by the other party;

(c) use the same degree of care to protect the confidentiality of the other party's Confidential Information as the party uses to protect its own confidential information of a similar nature, being to at least a reasonable standard of care;

(d) at all times act in good faith in relation to the Confidential Information; and

(e) not use any of the Confidential Information for any purpose other than the Permitted Purpose.

13.2 Notwithstanding Clause 13.1, each party may disclose the other party's Confidential Information to its officers, employees, professional advisers, insurers, agents and subcontractors who have a need to access the Confidential Information for the performance of their work with respect to the Permitted Purpose and who are bound by a written agreement or professional obligation to protect the confidentiality of the Confidential Information.

13.3 This Clause 13 shall not apply to any Confidential Information that:

(a) the Provider uses in its case studies for business purposes with the Customer's consent;

(b) was available to the receiving party before disclosure under the Agreement and is not subject to any other obligation of confidentiality;

(d) the parties agree is not confidential or may be disclosed.

13.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of a party on any recognised stock exchange, provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of such disclosure as possible.

13.5 Upon the termination of the Agreement, each party must immediately cease to use the other party's Confidential Information.

13.6 The provisions of this Clause 13 shall continue in force for a period of 5 years following the termination of the Agreement, at the end of which period they will cease to have effect.

14. Data Protection

14.1 The parties hereby agree to comply with the terms of Schedule 5 in connection with the processing of any Personal Data (as defined in Schedule 5) under the Agreement.

15. Warranties

15.1 The Provider warrants to the Customer that:

(a) it has the full legal right and authority to enter into the Agreement and to perform its obligations under the Agreement;

(b) it will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider's rights and the fulfilment of the Provider's obligations under the Agreement or as otherwise required by law or recognised codes of practice;

(c) the Hosted Services, when used by the Customer in accordance with the Agreement, will not breach any applicable laws;

(d) the Hosted Services will substantially conform with all descriptions and the Hosted Services Specification; and

(e) it has all necessary licenses, consents, and permissions necessary to perform its obligations under the Agreement.

15.2 The Customer warrants to the Provider that:

(a) and shall procure that its End Users, shall not use the Hosted Services in any way that causes, or may cause, damage to the Hosted Services or Platform or impairment of the availability of the Hosted Services;

(b) and shall procure that its End Users, shall not use the Hosted Services in any way that it is unlawful, illegal, fraudulent or harmful;

(d) it will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider's rights and the fulfilment of the Provider's obligations under the Agreement or as otherwise required by law or recognised codes of practice.

15.3 All of the parties' warranties and representations in respect of the subject matter of the Agreement are expressly set out in these Terms and Conditions. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of the Agreement will be implied into the Agreement or any related contract.

16. Acknowledgements and Warranty Limitations

16.1 The Customer acknowledges that complex software is never wholly free from defects, errors and bugs and subject to the other provisions of the Agreement, the Provider gives no warranty or representation that the Hosted Services will be wholly free from defects, errors and bugs.

16.2 The Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of the Agreement, the Provider gives no warranty or representation that the Hosted Services will be entirely secure.

16.3 The Customer acknowledges that the Hosted Services are designed to be compatible only with the software and systems specified as compatible in the Documentation. The Provider does not warrant or represent that the Hosted Services will be compatible with any other software or systems.

16.4 The Customer acknowledges that the Provider will not provide any legal, financial, accountancy or taxation advice under the Agreement or in relation to the Hosted Services and, except to the extent expressly provided otherwise in the Agreement, the Provider does not warrant or represent that the Hosted Services or the use of the Hosted Services by the Customer will not give rise to any legal liability on the part of the Customer or any other person.

17. Indemnities

17.1 Subject to clause 17.3, the Customer shall indemnify and shall keep the Provider fully indemnified against any and all liabilities, damages, losses, costs and expenses (including legal expenses and amounts reasonably paid in settlement of legal claims) suffered or incurred by the Provider and arising directly or indirectly out of or in connection with the any claim made against the Provider by a third party for actual or alleged infringement of the third party's intellectual property rights arising out of the Customer's use of the Services and/or Documentation not in accordance with this Agreement.

17.2 Subject to clause 17.3, the Provider shall indemnify the Customer, its officers, directors and employees against any claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) that the Customer's use of the Services or Documentation in accordance with this Agreement infringes any patent effective as of the Commencement Date, copyright, trade mark, database right or right of confidentiality, and shall indemnify the Customer for any amounts awarded against the Customer in judgment or settlement of such claims.

17.3 If either party ("Indemnifying Party") is required to indemnify the other party ("Indemnified Party") under this clause 17, the Indemnified Party shall:

(a) notify the Indemnifying Party in writing of any claim against it in respect of which it wishes to rely on the indemnity at clause 17.1 or clause 17.2 (as applicable) ("Claim");

(b) not, without prior consultation with the Indemnifying Party, make any admission, or otherwise attempt to compromise or settle the Claim and shall provide reasonable co-operation to the Indemnifying Party in the defence and settlement of such Claim, at the Indemnifying Party's expense; and

18. Limitations and Exclusions of Liability

18.1 Nothing in the Agreement excludes or limits liability for:

(a) death or personal injury resulting from negligence;

(b) fraud or fraudulent misrepresentation;

(d) any liability not permitted under applicable law.

18.2 Subject to Clause 18.1, neither party shall be liable to the other:

(a) in respect of any losses arising out of a Force Majeure Event; or

(b) whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement.

18.3 Subject to Clauses 18.1 and 18.2, the aggregate liability of either party under the Agreement shall not exceed the amount paid or payable by the Customer under this Agreement in the last 12 months prior to the non-breaching party giving written notice to the breaching party of full details of any claim.

19. Force Majeure Event

19.1 If a Force Majeure Event gives rise to a failure or delay in either party performing any obligation under the Agreement (other than any obligation to make payment), that obligation will be suspended for the duration of the Force Majeure Event.

19.2 A party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that party performing any obligation under the Agreement, must:

(a) promptly notify the other; and

(b) inform the other of the period for which it is estimated that such failure or delay will continue.

19.3 A party whose performance of its obligations under the Agreement is affected by a Force Majeure Event must take reasonable steps to mitigate the effects of the Force Majeure Event.

20. Termination

20.1 Either party may give written notice to the other party, no later than 6 months before the end of the Minimum Term to terminate this Agreement at the end of the Minimum Term. Following the Minimum Term, either party may terminate this Agreement at any time by providing 6 months' written notice to the other party.

20.2 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:

(a) the other party commits any material breach of the Agreement and the breach is not remediable;

(b) the other party commits a material breach of the Agreement, and the breach is remediable but the other party fails to remedy the breach within the period of 30 days following the giving of a written notice to the other party requiring the breach to be remedied;

(c) the other party persistently breaches the Agreement (irrespective of whether such breaches collectively constitute a material breach);

(d) the other party:

(i) is dissolved;

(ii) ceases to conduct all (or substantially all) of its business;

(iii) is or becomes unable to pay its debts as they fall due;

(iv) is or becomes insolvent or is declared insolvent; or

(v) convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;

(e) an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;

(f) an order is made for the winding up of the other party, or the other party passes a resolution for its winding up (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under the Agreement); or

(g) if that other party is an individual:

(i) that other party dies;

(ii) as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or

(iii) that other party is the subject of a bankruptcy petition or order.

20.3 The Provider may terminate the Agreement immediately by giving written notice to the Customer:

(a) if any amount due to be paid by the Customer to the Provider under the Agreement is unpaid by the due date and remains unpaid upon the date that that written notice of termination is given and the Provider has given to the Customer at least 30 days' written notice, following the failure to pay, of its intention to terminate the Agreement in accordance with this Clause; or

(b) if for any reason the Provider believes that either Clause 15.2 (a) or Clause 15.2 (b) is being infringed.

21. Effects of Termination

21.1 Upon the termination of the Agreement for any reason:

(a) the Customer's licence granted under Clause 5.2 shall immediately terminate;

(b) the Customer must pay to the Provider, within 30 days following the date of termination of the Agreement, any Charges and Additional Charges in respect of Services provided to the Customer before the termination of the Agreement and during any notice period thereafter.

(c) each party must, within 30 Business Days of the date of termination of the Agreement, destroy or return to the other party (at the other party's option) all media containing the other party's Confidential Information, and must irrevocably delete the other party's Confidential Information from its computer systems; and

(d) any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Agreement which existed at or before the date of termination shall not be affected or prejudiced.

21.2 In the case of conflict or inconsistency between any of the provisions of the Agreement, the following order of precedence shall apply:

(a) any provisions of the SCCs incorporated into this Data Processing Schedule;

(b) the Data Processing Schedule;

(d) the Terms and Conditions; and

(e) the terms of any accompanying order form, invoices or other documents annexed to the Agreement.

22. Non-Solicitation of Personnel

22.1 The Customer must not, without the prior written consent of the Provider, either during the Term or within the period of 6 months following the end of the Term, engage, employ or solicit for engagement or employment any employee or subcontractor of the Provider who has been involved in any way in the negotiation or performance of the Agreement.

22.2 The Provider must not, without the prior written consent of the Customer, either during the Term or within the period of 6 months following the end of the Term, engage, employ or solicit for engagement or employment any employee or subcontractor of the Customer who has been involved in any way in the negotiation or performance of the Agreement.

23. Notices

23.1 Any notice given to a party under the Agreement must be in writing and must be:

(a) sent by courier to its registered office (if a company) or its principle place of business (in any other case);

(b) sent by pre-paid first class post or other next working day delivery service at its registered office (if a company) or its principle place of business (in any other case); or

23.2 Any notice shall be deemed to have been received:

(a) if delivered by courier, at the time the notice is left at the proper address;

(b) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; or

(c) if sent by email, at the time of transmission, or, if this time falls outside Business Hours in the place of receipt, when Business Hours resume.

23.3 The addressee and contact details set out in the Proposal may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 23.

24. Subcontracting

24.1 The Provider may subcontract any of its obligations under the Agreement.

24.2 The Provider shall remain responsible to the Customer for the performance of any subcontracted obligations.

24.3 Notwithstanding any other provision of the Agreement, the Customer acknowledges and agrees that the Provider may subcontract to any reputable third party hosting business the hosting of the Platform and the provision of services in relation to the support and maintenance of elements of the Platform.

25. Assignment

25.1 The Customer may not assign or otherwise transfer its rights, duties and obligations under the terms of this Agreement whether wholly or in part without the prior written approval of the Provider. The Provider may at any time upon at least 15 days' notice assign or otherwise transfer the benefit (but not the burden) of this Agreement either wholly or in part to any parent, subsidiary or associated company or to any other company in the same group of companies.

26. No Waivers

26.1 No breach of any provision of the Agreement will be waived except with the express written consent of the party not in breach.

26.2 No waiver of any breach of any provision of the Agreement shall be construed as a further or continuing waiver of any other breach of that provision or any breach of any other provision of the Agreement.

27. Severability

27.1 If a provision of the Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions will continue in effect.

27.2 If any unlawful and/or unenforceable provision of the Agreement would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect.

28. Third Party Rights

28.1 The Agreement is for the benefit of the parties, and is not intended to benefit or be enforceable by any third party.

28.2 The exercise of the parties' rights under the Agreement is not subject to the consent of any third party.

29. Variation

29.1 From time to time, the Provider may make reasonable modifications to the Agreement by giving to the customer no less than 30 days' written notice. Any such variations will take effect immediately upon expiry of that notice and shall not apply retroactively.

30. Entire Agreement

30.1 The Agreement shall constitute the entire agreement between the parties and shall supersede all previous agreements, arrangements and understandings between the parties in respect of its subject matter.

30.2 Neither party will have any remedy in respect of any misrepresentation (whether written or oral) made to it upon which it relied in entering into the Agreement.

31. Law and Jurisdiction

31.1 The Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

31.2 Each party irrevocably agrees that any disputes or claims relating to the Agreement or its subject matter or formation (including non-contractual disputes or claims) shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Schedule 1 (Acceptable Use Policy)

1. Introduction

1.1 This acceptable use policy (the "Policy") sets out the rules governing:

(a) the use of the system and any successor system (the "Services"); and

(b) the transmission, storage and processing of content by you, or by any person on your behalf, using the Services ("Content").

1.2 References in this Policy to "you" are to any customer for the Services and any individual user of the Services (and "your" should be construed accordingly); and references in this Policy to "us" are to the Provider (and "we" and "our" should be construed accordingly).

1.3 By using the Services, you agree to the rules set out in this Policy.

1.4 You must be at least 18 years of age to use the Services; and by using the Services, you warrant and represent to us that you are at least 18 years of age.

2. General Usage Rules

2.1 You must not use the Services in any way that causes, or may cause, damage to the Services or impairment of the availability or accessibility of the Services.

2.2 You must not use the Services:

(a) in any way that is unlawful, illegal, fraudulent or harmful; or

(b) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity.

2.3 You must ensure that all Content complies with the provisions of this Policy.

3. Unlawful Content

3.1 Content must not be illegal or unlawful, must not infringe any person's legal rights, and must not be capable of giving rise to legal action against any person (in each case in any jurisdiction and under any applicable law where the Customer operates).

3.2 Content must not:

(a) be libellous or maliciously false;

(b) be obscene or indecent;

(c) infringe any copyright, moral right, database right, trade mark right, design right, right in passing off, or other intellectual property right;

(d) infringe any right of confidence, right of privacy or right under data protection legislation;

(e) constitute negligent advice or contain any negligent statement;

(f) constitute an incitement to commit a crime, instructions for the commission of a crime or the promotion of criminal activity;

(g) be in contempt of any court, or in breach of any court order;

(h) constitute a breach of racial or religious hatred or discrimination legislation;

(i) constitute a breach of any contractual obligation owed to any person.

3.3 You must ensure that content is not and has never been the subject of any threatened or actual legal proceedings or other similar complaint.

4. Graphic Material

4.1 Content must be appropriate for all persons who have access to or are likely to access the Content in question.

4.2 Content must not depict violence.

4.3 Content must not be pornographic.

5. Etiquette

5.1 Content must not be offensive, deceptive, threatening, abusive, harassing, menacing, hateful, discriminatory or inflammatory or likely to lead to a breach of national security.

5.2 Content must not be liable to cause annoyance, inconvenience or needless anxiety.

5.3 You must not use the Services to communicate with groups or organisations involved in potential national security issues or send any hostile communication or any communication intended to insult, including such communications directed at a particular person or group of people.

5.4 You must not use the Services for the purpose of deliberately upsetting or offending others.

6. Marketing and Spam

6.1 Content must not constitute or contain spam, and you must not use the Services to store or transmit spam - which for these purposes shall include all unlawful marketing communications.

6.2 You must not send any spam to any person using any email address or other contact details made available through the Services or that you find using the Services.

6.3 You must not use the Services to promote or operate any chain letters, Ponzi schemes, pyramid schemes, matrix programs, "get rich quick" schemes or similar letters, schemes or programs reasonably considered by the Provider to be undesirable.

7. Monitoring

7.1 You acknowledge that we do not actively monitor the Content or the use of the Services for which you accept sole responsibility.

8. Data Mining

8.1 You must not conduct any systematic or automated data scraping, data mining, data extraction or data harvesting, or other systematic or automated data collection activity, by means of or in relation to the Services.

9. Hyperlinks

9.1 You must not link to any material using or by means of the Services that would, if it were made available through the Services, breach the provisions of this Policy.

10. Harmful Software

10.1 The Content must not contain or consist of, and you must not promote or distribute by means of the Services, any viruses, worms, spyware, adware or other harmful or malicious software, programs, routines, applications or technologies.

10.2 The Content must not contain or consist of, and you must not promote or distribute by means of the Services, any software, programs, routines, applications or technologies that will or may have a material negative effect upon the performance of a computer or introduce material security risks to a computer.

Schedule 2 (Availability SLA)

1. Introduction to availability SLA

1.1 This Schedule 2 sets out the Provider's availability commitments relating to the Hosted Services.

1.2 In this Schedule 2, "uptime" means the percentage of time during a single calendar month when the Hosted Services are available at the gateway between public internet and the network of the hosting services provider for the Hosted Services.

1.3 Any downtime as a result of the Maintenance Services shall be disregarded when calculating the uptime of the Hosted Services.

2. Availability

2.1 The Provider shall use reasonable endeavours to ensure that the uptime for the Hosted Services is at least 99% during each calendar month.

2.2 The Provider shall be responsible for measuring uptime, and shall do so using any reasonable methodology.

3. Service Credits

In this Clause "Billing Cycle" means: the period beginning the date of any invoice issued by the Provider to the Customer and ending at the close of business 30 days thereafter.

In this Clause "Service Credit" means: the amount credited on invoices as a percentage of the amount payable by the Customer for the Billing Cycle in which the Customer raised the claim.

3.1 Service Credits are calculated as a percentage of the total monthly Charges paid by the Customer for the Hosted Services (excluding one-time payments) for the month in which the issue occurred.

3.2 In respect of each calendar month during which the Hosted Services uptime is less than the commitment specified in Paragraph 2.1, the Customer may request Service Credits from the Provider in accordance with the provisions of this Clause 3.

3.3 The Service Credits earned by the Customer shall be as follows:

(a) 10% Service Credit if the uptime for any calendar month is between 99% and 97.0%

(b) 20% Service Credit if the uptime for any calendar month is less than 97.0%

3.4 The Provider shall deduct an amount equal to the Service Credits due to the Customer under this Part 3 from amounts invoiced in the next following Billing Cycle after the claim is accepted by the Provider in respect of the Charges for the Hosted Services. All remaining Service Credits shall be deducted from each subsequent Billing Cycle, until such time as the Service Credits are exhausted.

3.5 Service Credits shall be the sole remedy of the Customer in relation to any failure by the Provider to meet the uptime guarantee in Paragraph 2.1.

3.6 The Customer must raise all claims for Service Credits using the helpdesk (outlined in Schedule 4). To be eligible, the claim must be received by the Provider by the end of the second Billing Cycle after the unavailability occurred, after which time the Customer may not claim service credits for the unavailability of the Hosted Service.

3.7 Service Credits are non-transferable and may not be applied to any other service or party.

3.8 Upon the termination of the Agreement, the Customer's entitlement to service credits shall immediately cease, save that available service credits earned by the Customer (as determined in this Clause 3) shall be offset against any amounts invoiced by the Provider in respect of Hosted Services following such termination.

4. Exceptions

4.1 Downtime caused directly or indirectly by any of the following shall not be considered when calculating whether the Provider has met the uptime guarantee given in Paragraph 2.1:

(a) a Force Majeure Event;

(b) a fault or failure of the internet or any public telecommunications network;

(d) any breach by the Customer of the terms of the Agreement; or

(e) scheduled maintenance carried out in accordance with the Agreement.

Schedule 3 (Maintenance SLA)

1. Introduction

1.1 This Schedule 3 sets out the service levels applicable to the Maintenance Services.

2. Scheduled Maintenance Services

2.1 The Provider reserves the right to provide Scheduled Maintenance Services from 21:00 GMT/BST which may affect the availability of the Hosted Services.

2.2 The Provider shall where practicable give to the Customer at least 10 Business Days' prior written notice of any additional Scheduled Maintenance Services not mentioned in 2.1 that are likely to affect the availability of the Hosted Services or are likely to have a material negative impact upon the Hosted Services, without prejudice to the Provider's other notice obligations under this Schedule 3.

Schedule 4 (Support SLA)

1. Introduction

1.1 This Schedule 4 sets out the service levels applicable to the Support Services.

2. Helpdesk

2.1 The Provider shall make available to the Customer a helpdesk in accordance with the provisions of this Schedule 4.

2.2 The Customer may use the helpdesk for the purposes of requesting and, where applicable, receiving the Support Services; and the Customer must not use the helpdesk for any other purpose.

2.3 The Provider shall ensure that the helpdesk is accessible by using the Provider's web-based ticketing system.

2.4 The Provider shall ensure that the helpdesk is operational and adequately staffed during Business Hours during the Term.

2.5 The Customer shall ensure that all requests for Support Services that it may make from time to time shall be made through the helpdesk.

3. Response and Resolution

3.1 The Provider shall determine, in its reasonable discretion, the priority of any issue raised through the helpdesk.

3.2 The Provider shall use its reasonable endeavours to respond to requests for Support Services within 1 Business Day.

3.3 The Provider shall ensure that its response to a request for Support Services shall include the following information (to the extent such information is relevant to the request): an acknowledgement of receipt of the request and where practicable an initial diagnosis in relation to any reported error.

3.4 The Provider shall use reasonable endeavours to resolve issues raised through the Support Services as soon as is reasonably practicable. The customer acknowledges that not all issues submitted to the helpdesk will be resolvable.

4. Provision of Support Services

4.1 The Support Services shall be provided remotely, save to the extent that the parties agree otherwise in writing.

5. Limitations on Support Services

5.1 The Provider shall have no obligation to provide Support Services, or may in its discretion vary their scope in respect of any issue caused by:

(a) the improper use (as defined in the Documentation) of the Hosted Services by the Customer; or

(b) any alteration to the Hosted Services made without the prior written consent of the Provider; or

(c) the use of deprecated or other versions of software supplied by the Provider to the Customer (as defined in the Documentation) for the purposes of supplying the Hosted Services;

(d) resulting from any failure to comply with the Acceptable Use Policy (as determined in the sole discretion by the Provider); or

(e) configuration in any third party system which the Provider may or may not provide the Customer integrations to.

5.2 The Provider may suspend the provision of the Support Services if any amount due to be paid by the Customer to the Provider under the Agreement is overdue, and the Provider has given to the Customer at least 7 days' written notice, following the amount becoming overdue, of its intention to suspend the Support Services on this basis.

Schedule 5 (Data Processing)

This Data Processing Schedule ("Data Processing Schedule") forms part of the Agreement (which includes the Terms and Conditions) and sets out the terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Agreement.

This Data Processing Schedule contains the mandatory Clauses required by Article 28(3) of the UK GDPR for contracts between controllers and processors.

This Data Processing Schedule contains the SCCs (incorporated by reference into the appendices).

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Data Processing Schedule.

1.1 Definitions:

"Business Purposes" means the services described in the Terms and Conditions or any other purpose specifically identified in the appendices.

“Controller”, “Processor”, "Data Subject", "Personal Data", "Processing, processes and process", "Personal Data Breach" and "Supervisory Authority" are as defined in the Data Protection Legislation.

"Data Protection Legislation" means the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

"Standard Contractual Clauses (SCC)" means, together, the European Commission's Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2021/914/EU ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").

"UK Data Protection Legislation" means all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679) (“GDPR”); the GDPR as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018; the Data Protection Act 2018 ("DPA 2018"); the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

1.2 This Data Processing Schedule forms part of the Agreement between the Provider and the Customer, which includes the Terms and Conditions. Interpretations and defined terms set forth in the Terms and Conditions apply to the interpretation of this Data Processing Schedule.

1.3 The appendices form part of this Data Processing Schedule and will have effect as if set out in full in the body of this Data Processing Schedule. Any reference to this Data Processing Schedule includes the appendices.

2. Personal Data Types and Processing Purposes

2.1 The Customer and the Provider acknowledge that for the purpose of the Data Protection Legislation, the Customer is the Controller and the Provider is the Processor.

2.2 The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.3 The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

2.4 The appendices describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Provider may process to fulfil the Business Purposes. If the Parties have agreed to modify the Business Purposes during the life of the Agreement, then the appendices may be updated by the Provider from time to time (and such updates will immediately bind the Customer) to reflect any changes in the Business Purposes and is available at: https://contracts.rightmarket.com/managed-service/subprocessors.

3. The Provider's Obligations

3.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Data Processing Schedule or the Data Protection Legislation. The Provider must immediately notify the Customer if, in its opinion, the Customer's instruction would not comply with the Data Protection Legislation.

3.2 The Provider must promptly comply with any Customer request or instruction requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Provider will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Customer or the Agreement specifically authorises the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires the Provider to process or disclose Personal Data, the Provider must first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 The Provider will reasonably assist the Customer with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.

3.5 The Provider must promptly notify the Customer of any changes to Data Protection Legislation that may adversely affect the Provider’s performance of the Agreement.

4. The Provider's Employees

4.1 The Provider will ensure that all employees:

(a) are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

(b) who have reasonable need to access personal data, have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

(c) are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Data Processing Schedule.

5. Security

5.1 The Provider must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Appendix A. Appendix A may be updated by the Provider from time to time (and such updates will apply with immediate effect) to reflect any changes in its organisational and security measures and is available at: https://contracts.rightmarket.com/managed-service/security-measures. The Provider must document those measures on its website or otherwise in writing and periodically review them to ensure they remain current and complete, at least annually.

5.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of security measures.

6. Personal Data Breach

6.1 The Provider will promptly and without undue delay notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Data at its own expense.

6.2 The Provider will promptly and without undue delay notify the Customer if it becomes aware of:

(a) any accidental, unauthorised or unlawful processing of the Personal Data; or

(b) any Personal Data Breach.

6.3 Where the Provider becomes aware of an event within the scope of Clause 6.2, it shall promptly and without undue delay, also provide the Customer with the following information:

(a) a description of the nature of such event, including the categories and approximate number of both Data Subjects and Personal Data records concerned;

(b) the likely consequences of the event; and

(c) a description of the measures taken or proposed to be taken to address such event, including measures to mitigate its possible adverse effects.

6.4 Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Customer in the Customer's handling of the matter, including:

(a) assisting with any investigation;

(b) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and

(c) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or unlawful Personal Data processing.

6.5 The Provider will not inform any third party of any Personal Data Breach without first obtaining the Customer's prior written consent, except when required to do so by law. This term does not affect the Customer’s ability to report any Personal Data Breach to a third party.

6.6 The Provider agrees that the Customer has the sole right to determine:

(a) whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and

(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.7 The Provider will cover all reasonable expenses associated with the performance of its obligations under Clause 1.1 and Clause 7.4 unless the matter arose from the Customer's specific instructions, negligence, wilful default or breach of this Data Processing Schedule, in which case the Customer will cover all reasonable expenses of both parties.

7. Cross-Border Transfers Of Personal Data

7.1 If an adequate protection measure for the international transfer of Personal Data is required under applicable data protection legislation (and has not otherwise been arranged by the parties) the SCCs shall be incorporated into this Data Processing Schedule at the appendices as if they had been set out in full.

7.2 The Customer consents to the Provider (and its subprocessors) transferring Personal Data outside the UK and European Economic Area ("EEA"). Provided that where such Processing occurs, the Provider:

(a) is processing Personal Data in a territory which is subject to a current finding by the Information Commissioner's Office (in the case of transfers made under the UK GDPR) or European Commission (in the case of transfers made under the EU GDPR) under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or

(b) participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Provider (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the GDPR. The Provider must identify in the appendices the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Provider must immediately inform the Customer of any change to that status; or

8. Subprocessors

8.1 The Provider may only authorise a third party (subprocessor) to process the Personal Data if:

(a) the Customer is provided with an opportunity to object to (but not prevent) the appointment of each subprocessor within 10 days after the Provider supplies the Customer with full details regarding such subprocessor;

(b) the Provider enters into a written contract with the subprocessor that contains terms similar to those set out in this Data Processing Schedule, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request and at the Customer’s expense, provides the Customer with copies of such contracts (subject to redaction of any confidential information);

(d) the subprocessor will cease processing any Personal Data as a subprocessor for the Customer on termination of this Data Processing Schedule for any reason.

8.2 The Customer authorises the Provider to use subprocessors in the general categories of data storage, hosting (including data centres and providers of virtual software environments) and IT support. The subprocessors falling within these generally approved categories as well as any other subprocessors in use by the Provider as at the commencement of this Data Processing Schedule are as set out in the appendices.

8.3 Where the subprocessor fails to fulfil its obligations under such written agreement, the Provider remains fully liable to the Customer for the subprocessor’s performance of its Agreement obligations.

9. Complaints, Data Subject Requests and Third-Party Rights

9.1 The Provider must, at no additional cost, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

(a) the rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase Personal Data, object to the Processing and automated Processing of Personal Data, and restrict the Processing of Personal Data; and

(b) information or assessment notices served on the Customer by any Supervisory Authority under the Data Protection Legislation.

9.2 The Provider must notify the Customer immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

9.3 The Provider must notify the Customer without undue delay if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

9.4 The Provider will give the Customer its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than at the Customer's request or instruction, as provided for in this Data Processing Schedule or as required by law.

10. Term and Termination

10.1 This Data Processing Schedule will remain in full force and effect so long as:

(a) the Agreement remains in effect; or

(b) the Provider retains any Personal Data related to the Agreement in its possession or control ("Term").

10.2 Any provision of this Data Processing Schedule that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.

10.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its obligations under the Agreement, the parties will suspend the processing of Personal Data until that processing complies with the new requirements.

11. Data Return and Destruction

11.1 At the Customer's request, the Provider will give the Customer a copy of all of the Customer's Personal Data in its possession or control in a commonly accessible and electronic format determined by the Provider.

11.2 On termination of the Agreement for any reason or expiry of its term, the Provider will, within 30 days, securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Data related to this Data Processing Schedule in its possession or control. This requirement shall not apply to Personal Data which the Provider has archived on its backup systems which are not reasonably accessible, provided that such Personal Data is deleted promptly in the event such backups become reasonably accessible (such as by the Provider using those backups to restore its systems).

11.3 Clause 11.2 shall not apply to the extent any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy.

12. Records

12.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for the Customer, including but not limited to, the access, control and security of the Personal Data, approved subprocessors and affiliates, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures referred to in paragraph 6.1 of this Schedule 5 ("Records").

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Data Processing Schedule and the Provider will provide the Customer with copies of the Records upon request.

13. Audit

13.1 No more than once during any consecutive 12 month period, on request from the Customer, the Provider will carry out an audit (whether by itself or its third-party representatives) to audit its compliance with this Data Processing Schedule and provide the results to the Customer. The Customer shall be entitled to ask questions of the Provider related to compliance with Data Protection Legislation in advance of the audit, which the Provider shall use its reasonable endeavours to respond to adequately when providing the audit results.

13.2 On the Customer's written request and at the Customer’s cost, the Provider will exercise relevant audit rights it has in connection with its subprocessors' compliance with their obligations regarding the Customer's Personal Data and provide the Customer with the audit results.

13.3 The audit rights set out at Clauses 13.1 to 13.2 are the Customer’s only contractual rights (and the Provider’s only obligations) in connection with the auditing of the Provider’s Processing of Personal Data. Save that nothing in this Data Processing Schedule shall prevent or is intended to undermine the rights and powers granted to Data Subjects or Supervisory Authorities, and accordingly the Provider shall submit to any audits required by a Supervisory Authority or Data Protection Law.

14. Variation

14.1 From time to time, the Provider may modify the Terms and Conditions and Schedules where reasonably necessary to comply with updated Data Protection Legislation and guidance. Any such variations will take effect immediately upon expiry of that notice and may apply retroactively.

Appendix A – EU SCCs

1. Incorporation of the EU SCCs

1.1 To the extent paragraph 8.1 of Schedule 5 applies and the transfer is made pursuant to the GDPR, this Appendix A and the following terms shall apply: Module 2 of the EU SCCs, and no other optional Clauses unless explicitly specified, are incorporated into this Appendix A as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection.

2. Clarifications to the EU SCCs

2.1 Deletion of data. For the purposes of Clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.

2.2 Auditing. The parties acknowledge that the importer complies with its obligations under Clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors.

2.3 Sub-Processors. For the purposes of Clause 9 of the EU SCCs (Use of sub-processors), the parties agree that the process for appointing sub-processors set out in paragraph 9.1 of Schedule 5 applies.

2.4 International Transfer Assessments. For the purposes of Clause 14(c) of the EU SCCs (Local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfil the importer's obligations pursuant to Clause 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.

2.5 Best Efforts Obligations. For the purposes of Clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the Clauses) the parties agree that "best efforts" and the obligations of the importer under Clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.

2.6 Competent Supervisory Authority. For the purposes of Clause 13 of the EU SCCs, the competent Supervisory Authority shall be:

2.6.1 if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;

2.6.2 where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent Supervisory Authority; and

2.6.3 where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

2.7 Governing Law & Jurisdiction. For the purposes of Clauses 17 and 18 of the EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply.

3. Processing Particulars for the EU SCCs

The Parties

3.1 Exporter (Controller): Customer

3.2 Importer (Processor): Provider

Description Of Data Processing

3.3 Categories of data subjects: Volunteers, supporters, employees and others involved in the Customer’s projects who may use the platform.

3.4 Categories of personal data transferred: Names and email addresses, along with other Personal Data our Customers may choose to add to the platform such as phone numbers, addresses and other contact details.

3.5 Sensitive data transferred: None.

3.6 Frequency of the transfer: Continuous.

3.7 Nature of the processing: Storage, hosting and use.

3.8 Purpose of the processing: Provision of the services under the Agreement.

3.9 Duration of the processing: For the duration of the Term.

3.10 Sub-Processor Transfers: As set out at paragraph 9.1 of Schedule 5.

3.11 Competent Supervisory Authority: As set out at paragraph 2.6 of this Appendix A.

3.12 Technical and Organisational Measures: Details of the Provider’s security measures are made available and kept updated at: https://contracts.rightmarket.com/managed-service/security-measures.

Appendix B - UK Addendum

1. Parties

As set out in Appendix A.

2. Selected SCCs, Modules and Clauses

Module 2 of the EU SCCs and no other optional Clauses unless explicitly specified, and as amended by the clarifications in Appendix A, paragraph 2, but subject to any further amendments detailed in this Appendix B.

3. Appendix Information

The processing details required by the UK Addendum are as set out in Appendix A, paragraph 3.

4. Termination of the UK Addendum

In the event the template UK Addendum issued by the Information Commissioner's Office and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section ‎18 is amended, either party may terminate this Appendix B on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.

Last updated 1 month ago