Important – the software products associated with this Agreement are licensed, not sold. This licence covers the provision of software, services and associated products from Elephants don’t forget Ltd a limited company incorporated and registered in Ireland, with Company Registration Number: 520381 whose registered address is Guinness Enterprise Centre, Taylors Lane, Dublin 8, Ireland (Licensor). Fees for licensed usage of these products may be payable by the user or funded in whole or part on behalf of the licensed user by a separate provider. All references in the following document apply to users and providers of funds alike, irrespective of the fee payment arrangements.
Terms & Conditions
1 Grant of licence
(a) In consideration of the Licence Fee, which is stated exclusive of VAT or any other applicable taxes, the Licensor hereby grants to the Licensee, who agrees to accept on the following terms and conditions a non-exclusive right to use the Software (defined in the Order Form), web tools, documentary output, and training materials (collectively hereinafter referred to as the “Materials”) (the “Licence”).
(b) The Licensee may use the Software on any IT equipment used by the Licensee or by web link to an approved site. The Licence is granted for the number of users specified at the time of the granting of this Licence Agreement and will be updated based on the number of active users, monthly thereafter; a fair use basis will be applied to Licence activation and Licensor reserves the right to terminate this Agreement with 30 days’ notice if in its reasonable opinion a fair use basis is not being operated by the Licensee. Active users will be calculated using active e-mail addresses within the Software. The Incremental Licence Activation Fee shall be charged for each Licence activated incrementally to any previous maximum volume of Licences activated. The Licensee may not transfer, assign or sub-license its rights under this Agreement. The Licensor reserves the right to sell or otherwise dispose of its rights or to grant licences to use the Software & Materials to other persons or organisations. Question authoring quality and volume shall be subject to the content provided by Licensee. 10% of the delivered questions shall be provided without charge to allow for shrinkage or rejections. Shrinkage or rejections in excess of 10% shall not reduce the question authoring charge. Additional questions can be requested on the same basis at any time. The Licence Fee shall include standard reporting services as communicated to Licensee; enhanced or additional reporting requirements may incur additional charges.
2. Licensee – Commencement / Renewal / Termination of Licence
The Licence term shall commence on the Licence Commencement Date. Should the Licensee fail to make payment in full for the Materials within the Licensor’s terms, being annually in advance, for the Materials, the rights to the use of the Materials by the Licensee contained in this Agreement shall be suspended until such payment is accepted as received by the Licensor but all other provisions of this Agreement shall continue in full force and effect insofar as necessary to protect the Licensor’s proprietary rights.
The initial contract period of the Licence is for the Term shown on the Order Form. The Licences will be renewed for a further Term after the initial contract period and on subsequent renewals unless the Licensee provides written notice of intention to terminate the Software – such notice to be received at least 30 days before the end of any contract period. Billing for all Licences, as stated in the Order Form, will be on an annual in advance basis and payable within 14 days net. Failure to adhere to the stated payment terms may result in a suspension of services and a 10% of the annual Licence Fee reactivation charge. At the end of each 12 month term the actual volume of Licences used during the term shall be calculated and any overuse shall be billed and paid by Licensee within 30 days net of the invoice date. Licensor shall remit the Customer Tusk Trust Donation together with an equal donation from Licensor, up to 1% of the Licence Fee, to the Tusk Trust charity, No: 803118.
In the event that a Licensee client/customer should cease trading, then Licensor shall refund any Licence Fees paid but unused for that client/customer.
3. Licensor’s Rights
The Licensee acknowledges that the Materials and copyright and other intellectual property rights in all parts of the Materials are the sole and exclusive property of the Licensor. By accepting the Licence, the Licensee does not acquire any proprietary rights in the Materials but does acquire the right to use all parts of the Materials in the course of its ordinary business activities strictly in accordance with the terms of this Agreement but not further or otherwise.
Licensor shall have the right to collect, hold and use question and answer material where such content is not proprietary to the Licensee and where such use is of a depersonalised nature. Licensor shall have the right to collect and hold information and data in relation to the Licensee and its employees including their performance and feedback. Licensor and its academic partners shall have the right to use such information for the purposes of academic research and publication. All publicly released information shall be depersonalised in relation to the Licensee and its employees unless the express written consent is received from Licensee and on condition such use complies with the Data Protection Principles and the Licensor Data Protection Policy.
The Licensor shall have the right to embed a low volume of questions into the Licensee’s question sets for the purpose of Licensor academic research, product feedback or to enhance engagement. Licensor shall also have the right to issue e-learning content relevant to the Materials to Licensee management and team leaders.
Licensor shall have the right to reference Licensee as a customer of Licensor and to use Licensee’s company logo on marketing collateral.
4. Scope of Licence
(a) Unless specifically otherwise agreed in writing by the Parties, any additional software modules originated by the Licensor for which a Licence is purchased by the Licensee subsequent to this Agreement will be deemed to be subject to the terms and conditions of this Agreement.
(b) The Licensee undertakes not to itself or through any third party, copy, modify, alter, merge or adapt the software in any way, or transfer, rent, lease, loan or hire any part of the Materials in whole or in part except as expressly provided for in this Licence unless specifically otherwise agreed in writing by the Parties or as otherwise permitted by law. The Licensee will take all reasonable steps to protect all the Materials from unauthorised use and reproduction, publication, disclosure or distribution including in respect of intellectual copyright, such duty of care to continue following termination of this Agreement. The Licensee shall notify the Licensor immediately if the Licensee becomes aware of any unauthorised use of the whole or any part of the Software or Materials by any person.
5. Licensor – Termination of Licence
(a) The Licensor may terminate the Licence forthwith on giving notice in writing to the Licensee if:
(i) the Licensee commits any material breach of any term of this Agreement and (in the case of a breach capable of being remedied) shall have failed, within 30 days after the receipt of a request in writing from the Licensor to do so, to remedy such breach.
(ii) the Licensee shall have a receiver, administrator or administrative receiver appointed of it or over any parts of its undertaking or assets or shall pass any resolution for winding up (otherwise than for the purposes of a bona fide scheme of solvent amalgamation or reconstruction) or a court of competent jurisdiction shall make an order to that effect or if the Licensor shall enter into any voluntary arrangements with its creditors or shall become subject to an administration order or shall cease to carry on business.
(b) Forthwith upon termination of the Licence, the Licensee shall return to the Licensor the Materials and all copies of the whole or any part thereof or, if requested by the Licensor, shall destroy the same and certify in writing to the Licensor that they have been destroyed.
(c) Any termination of this Agreement (howsoever occasioned) shall not affect any accrued rights or liabilities of either party nor shall it affect any provision which is intended to come into or continue in force on or after such termination.
6. Limited Warranty
(a) The Licensor warrants the Materials to be free from all material operational defects that could affect the reliability of the Materials for a period of 60 days from the effective date of this Agreement when the Software is intended to be in normal use and service.
(b) The said warranty shall be subject to the Licensee complying with its obligations hereunder and to there having been no alterations to the Software made by any person other than the Licensor. When notifying a defect or error the Licensee shall use its reasonable endeavours to provide the Licensor with a documented example of such defect or error.
(c) The Licensor shall have no liability or obligation under the said warranties other than to remedy breaches thereof by the reasonable provision of materials and services within a reasonable time and without charge to the Licensee. If the Licensor shall fail to comply with such obligation its liability for such failure shall be limited as specified in Clause 7. The foregoing states the entire liability of the Licensor, whether in contract or tort, for defects and errors in the Materials.
(d) As all software is inherently complex, the Licensee acknowledges that the Materials may not be completely free of errors. The Licensor shall make reasonable endeavours to keep Software material errors to a minimum and to correct performance affecting errors within reasonable timescales.
(e) No other warranties, terms or conditions express or implied, including but not limited to implied warranties, terms or conditions of satisfactory quality, or fitness for purpose, or reasonable skill and care, and all such warranties, terms and conditions are expressly and specifically disclaimed. This paragraph shall not detract from any statutory rights which the Licensee may have.
(f) Licensee warrants its rights under the Data Protection Act to use the employee information provided by Licensee in conjunction with the Licensor Software and Services and shall indemnify and hold harmless Licensor in respect of any breaches of such rights.
(g) Licensee warrants and undertakes its right to use and provide Licensor with the training and question content provided by Licensee and shall indemnify and hold harmless Licensor in respect of any breaches of such rights.
(h) Licensee warrants and undertakes its right in respect of the General Data Protection Regulations to engage its employees with the Materials and shall indemnify and hold harmless Licensor in respect of any breaches of such rights. Licensee shall be responsible as the data controller for all data protection queries and requests from its employees.
7 Liability
Save in respect of claims for death or personal injury arising from a Party’s negligence or any other liability which cannot be excluded or limited as a matter of law, neither Party shall be liable for any damages resulting from loss of use, loss of profits, loss of anticipated savings, loss of goodwill, nor for any damages that are an indirect, consequential or special loss or damage.
8 Confidential Information
(a) Both parties to this Agreement undertake, except as provided below, to treat as confidential and keep secret all information marked ‘confidential’ or which may reasonably be supposed to be confidential, including, without limitation, information contained or embodied in the Software or Materials, the Specification and other information supplied by the Licensee or Licensor (in this Agreement collectively referred to as ‘the Information’) with the same degree of care as it employs with regard to its own confidential information of a like nature and in any event in accordance with best current commercial security practices, provided that, this clause shall not extend to any information which was rightfully in the possession of either party prior to the commencement of the negotiations leading to this Agreement or which is already public knowledge or becomes so at a future date (otherwise than as a result of a breach of this clause).
(b) Both parties shall not without the prior written consent of the other party divulge any part of the Information to any person except:
– to their own employees and then only to those employees who need to know the same;
– to either party’s auditors, an officer of HM Revenue and Customs, a court of competent jurisdiction, governmental body or applicable regulatory authority and any other persons or bodies having a right, duty or obligation to know the business of the other party and then only in pursuance of such right, duty or obligation;
– any person who is for the time being appointed by either party to maintain the Equipment on which the Licensed Programs are for the time being used (in accordance with the terms of the Licence) and then only to the extent necessary to enable such person to properly maintain the Equipment.
(c) Both parties undertake to ensure that persons and bodies referred to in clause 8(b) are made aware before the disclosure of any part of the Information that the same is confidential and that they owe a duty of confidence to the other party.
(d) Each party to this Agreement shall promptly notify the other party if it becomes aware of any breach of confidence by any person to whom it divulges all or any part of the Information and shall give the other party all reasonable assistance in connection with any proceedings which the other party may institute against such person for breach of confidence.
(e) The foregoing obligations as to confidentiality shall remain in full force and effect notwithstanding any termination of the Licence or this Agreement.
9 Data Protection
The following words and expressions have the following meanings unless the context otherwise requires:
a) “Agreement Purposes” means for the purposes of the Licensor providing the Services as contemplated by this Agreement and for such other purposes as the parties may agree in writing from time to time;
b) “Data Protection Laws” means all data protection and privacy laws enacted in England from time to time and any subordinate legislation thereof;
c) “Licensee Personal Data” means any Personal Data supplied by or on behalf of Licensee to the Licensor or accessed by the Licensor in connection with this Agreement;
d) “GDPR” means the General Data Protection Regulation 2016/679, to the extent that and in the form that it is a requirement of English law from time to time;
e) “Personal Data” shall have the meaning specified in the Data Protection Laws.
9.1 Each party undertakes to the other that it will at all times pursuant to this Agreement comply with all applicable legislation, regulations, and other rules having equivalent force (including but not limited to the Data Protection Laws) and any subordinate or associated regulations.
9.2 In relation to the Data Protection Laws the parties shall in addition to the general obligations under Clause 9.1 and without prejudice to any other provisions of this Agreement:
9.2.1. notify all relevant details of any processing of Personal Data to the Information Commissioner as set out in the Data Protection Laws and only process such Personal Data in accordance with the terms of its registration under the Data Protection Laws; and
9.2.2. comply with the rights of the individuals to whom the provision of the Services relates as set out in the Data Protection Laws.
9.3 Where the Licensor is acting as a data processor (as defined by the Data Protection Laws) processing Licensee Personal Data, it shall provide such support and information as requested by Licensee from time to time to enable Licensee to (a) respond to any request from a data subject to exercise any of its rights under the Data Protection Laws, (b) comply with its obligations under the Data Protection Laws and (c) to demonstrate compliance with Article 28(3) of GDPR. The Licensor shall also, in compliance with the requirements of Article 28(3) of GDPR inform Licensee immediately in the event that any instructions from Licensee infringes the GDPR or any other relevant data protection laws.
9.4 Each party warrants that it has in place and undertakes to maintain throughout the duration of this Agreement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to or disclosure of Licensee Personal Data.
9.5 The Licensor shall not process any Licensee Personal Data other than as necessary for the Agreement Purposes, and shall not without the prior written consent of Licensee export or process any Licensee Personal Data outside the United Kingdom or Ireland. For the avoidance of doubt, Licensee instructs the Supplier to process Licensee Personal Data for the Agreement Purposes.
9.6. To the extent that the Licensor engages a data processor, as contemplated by Article 28(4) of GDPR then, it shall, prior to making any Licensee Personal Data available to the data processor, obtain Licensee approval in writing and enter into a written agreement with the data processor and ensure that such agreement imposes on the data processor, the same data protection obligations and restrictions as imposed on the Licensor by this Agreement.
9.7 The Licensor warrants to Licensee that whilst this Agreement remains in force (and without prejudice to the provisions of Confidentiality under this Agreement and Clause 9.5 above) it will have and keep in place any information security measure which the Licensor has indicated to Licensee (either in its response to a Security Questionnaire, or otherwise in writing) that it has or will have in place.
9.8 At Licensee’s request or, if no request is made during the continuance of the Agreement, upon completion of this Agreement, the Licensor shall (at Licensee’s option) delete or return to Licensee all Licensee Personal Data and shall not, unless required by law, retain a copy.
9.9 The Licensor shall have in place and maintain appropriate processes and procedures to ensure that any data security breach involving Licensee Personal Data (a “Security Incident”) is detected in a timely manner. In the event of a Security Incident, the Licensor shall notify Licensee within 12 hours of becoming aware of it and provide to Licensee (within such timescales as Licensee requires) all support and information, necessary to enable Licensee to manage the Security Incident, mitigate the impact of the Security Incident and comply with its notification obligations set out in the Data Protection Laws.
9.10 If, pursuant to Article 82(4) GDPR, one party (the “Paying Party”) has been held liable to pay compensation to a data subject for damage caused (in whole or part) by the other party (“Other Party”), the Paying Party shall, as envisaged under Article 82(5) GDPR, be entitled to recover from the Other Party (as a debt) any part of such compensation corresponding to damage for which the Other Party was responsible. Any limitations and exclusions of liability in this Agreement shall not apply to the Other Party’s obligation to pay any sum due to the Paying Party under this clause 9.12.
9.11. Following receipt of a claim (or notification of an intention to make a claim) from a data subject to which Article 82(4) GDPR may apply:
9.11.1. The party in receipt of the claim shall promptly notify the other party of the claim;
9.11.2. Neither party shall make any admission of liability, settlement or payment in respect of such claim, other than a payment made pursuant to a court order, without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed); and
9.11.3. Each party shall provide such cooperation and assistance as is reasonably required by the other party in connection with the claim.
10 Breach of Terms
If the Licensee breaches the terms of this Licence, the Licensor reserves the right to recover any loss or be compensated for any damage occasioned by reason of the breach. Either party’s failure or delay in enforcing any provisions hereof will not waive that party’s rights if any provision of this Agreement is found invalid or unenforceable.
11 Illegality and Severance
If any term or provision of this Agreement shall be held to be illegal or unenforceable, in whole or in part, under any enactment or rule of law, such term or provision or part shall to that extent be deemed not to form part of this Agreement but the validity and enforceability of the remainder of this Agreement shall not be affected.
12 Authorities and Approvals
Unless otherwise provided above, any amendment or variation of this Agreement shall not be effective unless evidenced in writing by a duly authorised representative of the Licensor and the duly authorised representative of the Licensee.
13 Governing Law
This Licence Agreement is governed by and interpreted in accordance with the Laws of England and the Licensee agrees to submit to the exclusive jurisdiction of the English Courts.
14 Notices
All notices which are required to be given hereunder shall be in writing and shall be sent to the address of the recipient set out in this Agreement or other such address as the recipient may designate by notice given in accordance with the provisions of this Clause.
15 Whole Agreement
The Licensee acknowledges that he has read this Agreement, understands it, and agrees to be bound by its terms and conditions. The Licensee further agrees that it is the complete and exclusive statement of the agreement with the Licensor for the licensing of the Software & Materials by the Licensor for use by the Licensee which supersedes any other previous proposal or agreement whether oral or written. No employee of the Licensor has authority to make any warranty, statement or promise concerning the Software or Materials except in writing and signed by a duly authorised officer. Nothing in this Clause is intended to, or shall operate as, exclusion of liability for the wilful default or fraudulent misrepresentation of either party. Subject to any determination of the Courts to the contrary the remainder of this Agreement shall remain valid and enforceable according to its terms.
16 Third Parties
A person who is not a party to the Agreement shall not have any rights under or in connection with it.
17 Personal Data
1. The provisions governing personal data and information security requirements are set out in Schedules 1, 2 and 3. In the event of any conflict between the terms and conditions set out above and the Schedules, the said Schedules shall take precedence.
2. The Licensor agrees to indemnify and keep indemnified and defend at its own expense the Licensee against all claims, demands, costs, expenses, liabilities and damages (including legal and other professional costs) which the Licensee may or shall suffer or incur or for which the Licensee may become liable arising out of or in connection with or due to any failure by the Licensor or its employees, agents or subcontractors to comply with any of its obligations under the said Schedule.
Schedule 1
Personal Data
Controller to processor clauses – EEA restricted only
Licensor Obligations:
1.1 Licensee and the Licensor acknowledge that for the purposes of the Data Protection Legislation, Licensee is the Data Controller and the Licensor is the data processor of any Personal Data. The details of the Processing carried out by the Licensor on behalf of Licensee are set out in Schedule 2 which forms part of this Agreement.
1.2 The Licensor warrants and undertakes to Licensee that the Due Diligence is accurate and will remain accurate for the duration of this Agreement. The Licensor will notify Licensee of any changes to its security or data processing activities which affect any answers given in the Due Diligence. If Licensee reasonably believes that as a result of the change, the protection given to Licensee Personal Data is decreased, the Licensor will make any changes reasonably required by Licensee, to make the security and processes no lower than the standards of the original Due Diligence.
1.3 The Licensor warrants and undertakes to Licensee that:
1.3.1 it shall only Process Licensee Personal Data in accordance with the instructions of Licensee which are set out in Schedule 2 of this Agreement, or as provided in writing by Licensee to the Licensor from time to time;
1.3.2 it shall comply with its obligations under the Data Protection Legislation when Processing Licensee Personal Data;
1.3.3 it shall assist and fully co-operate with Licensee as requested by Licensee from time to time to ensure Licensee’s compliance with its obligations under the Data Protection Legislation which shall include, but not be limited to:
1.3.3.1 completing and reviewing data protection impact assessments;
1.3.3.2 implementing measures to mitigate against any data protection risks;
1.3.3.3 implementing such technical and organisational measures to enable Licensee to respond to requests from Data Subjects exercising their rights under the Data Protection Legislation which shall include but not be limited to:
1.3.3.3.1 providing Licensee Personal Data and details of the processing of Licensee Personal Data to Licensee in response to a subject access request; and
1.3.3.3.2 deleting and/or rectifying Licensee Personal Data in response to a request on behalf of a Data Subject.
1.3.3.4 assisting with any enquiries from Regulators.
1.4 The Licensor shall notify Licensee promptly (but in any event within 24 hours) should it:
1.4.1 receive notice of any complaint made to a Regulator relating to Licensee Personal Data or any relevant finding by a Regulator in relation to its Processing of Personal Data, whether it is Licensee Personal Data or otherwise;
1.4.2 be under a legal obligation to process Licensee Personal Data, other than under the instructions of Licensee. In which case it shall inform Licensee of the legal obligation, unless the law prohibits such information being shared on important grounds of public interest;
1.4.3 be under a legal obligation to process Licensee Personal Data, other than under the instructions of Licensee. In which case it shall inform Licensee of the legal obligation, unless the law prohibits such information being shared on important grounds of public interest;
1.4.4 become aware that in following the instructions of Licensee, it shall be breaching Data Protection Legislation;
1.4.5 become aware of any circumstance which may cause the Licensor to breach this clause 1.4 or which may cause either party to breach the Data Protection Legislation.
1.5 The Licensor shall only transfer any Personal Data Processed under this agreement outside the European Economic Area (“EEA”) with Licensee’s prior written consent.
1.6 When Processing Licensee Personal Data under this Agreement it shall take all necessary technical and organisational precautions and measures to preserve the confidentiality and integrity of Licensee Personal Data and prevent any unlawful processing or disclosure taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. These shall include, but not be limited to:
1.6.1 maintaining data centre ISO27001 accreditation;
1.6.2 Encrypting Licensee Personal Data stored on any mobile media or transmitted over public or wireless networks;
1.6.3 Implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures to ensure:
1.6.3.1 the confidentiality, integrity, availability and resilience of processing systems and services; and
1.6.3.2 the availability and access to Licensee Personal Data in a timely manner in the event of a physical or technical incident
1.6.4 Ensuring that all employees and contractors who are involved in the Processing of Licensee Personal Data are trained in the policies and procedures set out in Clause 1.6.3 and are under contractual or statutory obligations of confidentiality concerning Licensee Personal Data;
1.6.5 Pseudonymise Licensee Personal Data on request by Licensee;
Schedule 2
Data processing activities
The details of the Processing taking place under this agreement are set out below.
Data Subjects
Licensee employees
Categories of data
Employee Name, email address, hierarchical position in the company, knowledge and engagement scores
Categories of sensitive personal data
None
Processing purposes
Employee workplace knowledge retention and improvement through the use of spaced learning, self-testing and repetition
Nature of processing
Use of artificial intelligence to interact with employees daily on the aspects of their role that they require the most knowledge and competency support. Emails sent to individuals daily where knowledge interactions take place and reporting is provided to both the employee and the employer.
Duration of the processing
Data is processed and retained for 2 full years plus the current calendar year.
Schedule 3
Information Security Requirements
“Information” is all data and information irrespective of its format being collected and processed by the Licensor on behalf of Licensee.
General
The Licensor shall implement administrative, physical and technical safeguards to protect Licensee Information that are no less rigorous than accepted industry practices including specifically ISO27001 and any other applicable industry standards for information security and information handling.
At a minimum, Licensor’s safeguards for the protection of Information shall include:
a) securing business facilities, data centres, paper files, servers, back-up systems and computing equipment, including, but not limited to, all mobile devices and other equipment with information storage capability;
b) implementing network, device application, database and platform security;
c) securing information transmission, storage and disposal;
d) limiting hard copy and system access to those employees who require such access in relation to the provision of the Services, have an authorised need-to-know and who have the relevant security clearance to view such information;
e) implementing authentication and access controls within media, applications, operating systems and equipment;
f) encrypting Information stored on any mobile media;
g) strictly segregating Licensee Services Information from information of Licensor or its other customers so that Information is not commingled with any other types of information.
The Licensor will ensure that Information is kept in accordance with good industry practice and relevant legislation, for the duration of the contract or for an extended period as requested by the Licensee.
The Licensor shall ensure, throughout the duration of the contract, that all risks identified by the Licensor that could affect the confidentiality, integrity or availability of the Licensee’s information, data, systems and infrastructure or data assets will be reported immediately to the Contract Manager.
Personnel Security
The Licensor will implement appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law.
The Licensor shall ensure that all its employees providing the services in accordance with the contract are aware of their individual responsibilities in relation to the provision of the Services.
The Licensor will provide appropriate privacy and information security training to Licensor’s employees.
The Licensor will be liable at all times for all acts or omissions of Licensor Personnel, so that any act or omission of a member of any Licensor Personnel which results in a Default shall be a Default by the Licensor.
The Licensor personnel shall be given restricted access to the Licensee systems commensurate with that required for the delivery of the Services.
Access Management
The Licensor will restrict access to information on a need-to-know basis, assigning to its employees only those system access rights that they require in relation to the provision of the Services, based on the principle of ‘least privilege’.
The Licensor shall maintain a record of all Licensor employees who will have access to view, process, and store or transmit the Licensee’s information. These records will be made available to the Licensee to retain.
The Licensor will review access levels at least quarterly to ensure that they remain appropriate and operate on the principle of least privilege. In the event of a security incident, a review must be undertaken immediately.
Operational Security
In relation to the delivery of the Services the Licensor will deploy proven and reliable hardware and software which meets the Licensee’s security requirements.
Environmental and Physical Security
The Licensor shall physically protect the Licensee’s information by protecting any of its locations used against unauthorised physical access and criminal or terrorist attack.
The Licensor shall protect the physical location used to provide services against fire, flood, environmental and other natural hazards.
The Licensor shall protect the IT environment and infrastructure against power outages.
The Licensor will restrict physical access to information and will store it securely in both electronic and paper form.
Information Sharing and Disclosure
The Licensor shall not share the information with a third party unless explicitly required as part of this agreement without the prior written permission of the Licensee.
The Licensor shall provide a secure and auditable mechanism for transferring the Licensee’s Customer data between the Licensee and the Licensor’s organisations.
The electronic transfer of information by the Licensor across public networks, such as the internet, shall be performed using either encrypted communications or encrypted file formats.
Use of Sub-Contractors
In relation to the provision of the Services the Licensor shall ensure the Licensee has formally approved any intention by the Licensor to engage with a third party Licensor and that the Licensor ensures the following:
a) Services will only be procured from third parties capable of providing security controls in line with these Specification Schedules, and will mandate these controls via documented agreements;
b) Connections to the Licensee’s IT environment from third parties will be uniquely identified and subjected to a risk analysis; and
c) Agreements with third parties contain terms and conditions which are no less onerous than those that exist between the Licensor and the Licensee.
Security Incident Management
The Licensor shall notify Licensee promptly (and in any event no later than 24 hours after discovery) if it becomes aware of any actual, suspected or threatened unauthorised exposure, access, disclosure, processing, use, communication, deletion, revision, encryption, reproduction or transmission of any component of the Licensee Information, unauthorised access or attempted access or apparent attempted access (physical or otherwise) or any loss of, damage to, corruption of or destruction of such Information (“Security Incident”).
The notification shall include:
a) The nature of the breach, including the categories of information and details of the loss;
b) The contact at the Licensor who will liaise with Licensee concerning the breach;
c) The remediation measures being taken to mitigate and contain the breach.
In the event of a Security Incident, Licensee shall at its sole discretion determine whether to provide notification to any individual, any third party or Regulator and the Licensor shall not notify any individual, any third party or Regulator unless such disclosure by the Licensor is required by law or is otherwise approved by Licensee. Licensee shall approve all notifications which it determines are required or appropriate.
The Licensor shall immediately remedy any Security Breach and prevent any further Security Breach at Licensor’s expense in accordance with applicable privacy rights, laws, regulations and standards.
In the event of any Security Breach, the Licensor shall promptly use its best efforts to prevent a recurrence of any such Security Breach.
Audit
At least once per calendar year, Licensor shall conduct audits of the information technology and information security controls for all facilities used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on the recognised industry best practices.
Return of Information Assets
Upon termination of the contract, the Licensor shall return all such information to the Licensee in line with applicable international standards relating to the secure handling and destruction of information.