Revision Date: 3rd Feb 2022
Ciptex Ltd – Terms and Conditions
These Terms and Conditions are effective on 3rd February 2022 for all customers agreeing to these Terms and Conditions for the first time. If you have previously agreed to a version of our Terms and Conditions before 3rd February 2022, then we have sent you a notice that we have updated these Terms and Conditions, effective 3rd March 2022. Now that we have notified you (and except as otherwise stated in the notice), please be aware that by continuing to use our Services after 3rd March 2022, you are accepting these updated terms.
If you have a separate written agreement with Ciptex Ltd, then the updates to the Terms and Conditions will not apply to you. As part of these updates, we have not changed your ability to use our services. You may continue to access your customer account and use our services as you always have.
In these Terms and Conditions (hereafter “Agreement” or “Terms”), “we,” “us,” “our” or “Ciptex Ltd” will refer collectively to Ciptex Ltd, Chancery House, 30 St. Johns Road, Woking, Surrey, GU21 7SA (Registered address).
The terms “you,” “your”, and “Customer” will refer to you. To be eligible to register for a customer account to use the Services, you must review and accept these Terms by clicking on the “I Accept” or “Get Started” button or other mechanism provided. If you are registering for a customer account to use the Services on behalf of an organisation, then you are agreeing to these Terms for that organisation and promising to Ciptex Ltd that you have the authority to bind that organisation to these Terms (and, in which case, the terms “you” and “your” or “Customer” will refer to that organisation). The exception to this is if that organisation has a separate written agreement with Ciptex Ltd covering the use of the Services, in which case that agreement will govern such use.
Please review these terms carefully. Once accepted, these terms become a binding legal commitment between you and Ciptex Ltd. If you do not agree to be bound by these terms, you should not click the “I accept” or “get started” button, and you should not use the services.
When we refer to the “Services” in these Terms, we mean to include all products and services that Ciptex Ltd offers, and that you order under an Order Form or by using the Ciptex Ltd or One Payment Cloud customer account. This also includes our services provided to you on a trial basis or otherwise free of charge. Services may include products that provide both (a) the platform services, including access to any application programming interface (“API”) and (b) where applicable, connectivity services, that link the Services to the telecommunication providers’ networks via the Internet.
When we refer to the “Customer Application” we mean any software application or service that Customer makes available to End Users that interfaces with the Services.
When we refer to the “Ciptex Ltd API” we mean an application programming interface for the Services (or feature of the Services) provided to you by us.
When we refer to the “Documentation” we mean all of the API instruction manuals and guides, code samples, manuals, guides, on-line help files and technical documentation made publicly available by us for the Services, and as may be updated from time to time. This is available at https://support.ciptex.com.
These terms might change. If they do, we will send you an email and let you know before we make any significant changes that impact you or your use of our Services. If you keep using our Services after you receive notice from us that the terms have changed, then that means you have accepted those changes and they will be binding on you.
Prior notice of changes: Ciptex Ltd may update these Terms and Conditions from time to time by providing you with prior written notice by email of material updates at least thirty (30) days in advance of the effective date. Notice will be given via an email to the email address owner of your account. This notice will highlight the intended updates. Updates will be effective upon the effective date indicated on the notice subject to the paragraph below.
Your acceptance: Following such notice, your continued access or use of the Services on or after the effective date of the changes to the Terms constitutes your acceptance of any updates. If you do not agree to any updates, you should notify us immediately and explain the objection(s). We will discuss the objection(s) with you and attempt to reach an agreement, which we would confirm in writing as an amendment specific to you. If no agreement can be reached by the effective date of the changes, we would either agree in writing to continue under the existing terms, or you must stop using the Services within 30 days of being notified to do so.
Exceptions: Ciptex Ltd may not be able to provide at least thirty (30) days prior written notice of updates to these Terms that result from changes in the law or requirements from telecommunications providers. If you do not agree to the updates required as a result of these changes you must stop using the Services by the effective date of the changes.
If you want to use our Services, you need to create a customer account. To create an account, you need to give us some information about yourself. The information you provide must be true and kept up to date.
You are responsible for anything that happens under each of your accounts, including anything the users of your application do while using your application, and that means even if someone fraudulently uses your account, you are responsible for those fees.
2.1 To use the Services, you will be asked to create a customer account. As part of the account creation process, you will be asked to provide your email address and verify that you are a human being by providing a telephone number to which we will send you a verification code to enter into a form. Until you register for an account, your access to the Services will be limited to what is available to the general public. When registering for an account, you must provide true, accurate, current, and complete information about yourself as requested during the account creation process. You may also create sub-accounts within each account. You must keep that information true, accurate, current, and complete after you create each account.
2.2 You are solely responsible for all use (whether or not authorized) of the Services under your customer account(s) and any subaccount(s), including the quality and integrity of your Customer Data and each Customer Application (as defined below). You are also solely responsible for all acts and omissions of anyone who has access to or otherwise uses any Customer Application (“End Users”). You agree to take all reasonable precautions to prevent unauthorised access to or use of the Services and will notify us promptly of any unauthorised access or use. We will not be liable for any loss or damage arising from unauthorised use of your customer account(s). You will be solely responsible, at your own expense, for acquiring, installing, and maintaining all hardware, software and other equipment as may be necessary for you and each End User to connect to, access, and use the Services.
2.3 As part of the sign-up process, Ciptex Ltd may verify your personal and/or company information with a third-party credit reference agency and other databases to verify your personal and company information to prevent fraud or money laundering. This will involve a soft search being placed on your credit file. We reserve the right to carry out director credit checks if required. If the business is a start-up with no credit history, we reserve the right to offer you amended terms which may include a deposit. We reserve the right to deny service in accordance with internal credit scoring criteria.
2.4 To use our One Payment Cloud service, you must read our Responsibilities Matrix which details which Requirements and Controls of the PCI-DSS regulations we are responsible for, and which remain your responsibility. Do not use the service if you do not accept the information contained within the Responsibilities Matrix.
We want to make our Services available for you to use 24/7, but things happen that occasionally make our Services unavailable. We offer service credits if our Services do not meet our Ciptex Ltd Service Level Agreement (SLA).
3.1 Provision of the Services. We will make the Services available to you in accordance with these Terms, the Documentation, and any applicable Order Forms. The Services will comply with this Service Level Agreement (“SLA”), which may be updated from time to time in accordance with clause 1. We will provide the Services in accordance with laws applicable to Ciptex Ltd.’s provision of the Services to its customers generally (i.e., without regard for your particular use of the Services), and subject to your use of the Services in accordance with these Terms, the Documentation and any applicable Order Form.
3.2 You may use the Services, on a non-exclusive basis, solely to: (a) use and make the Services available to End Users in connection with the use of each Customer Application in accordance with the Documentation and our Acceptable Use Policy; (b) use the Services solely in connection with and as necessary for your activities pursuant to these Terms; and (d) allow your affiliates to use the Services (subject to Section 8 (Affiliates)) pursuant to this Section 3.
Our Data Processing Agreement includes important terms about the use and disclosure of Customer Data, which is your Confidential Information. The Data Processing Agreement is attached and incorporated by reference into these Terms and governs our processing of Customer Data.
We might have to use or disclose your data for one or more of the reasons below:
If we make reference to ‘law’ or ‘laws’ in these terms, we mean laws in the traditional sense, namely statutes, ordinances, and regulations of England and Wales that are applicable to the services to be provided under this Agreement.
4.1 Use of Customer Data. “Customer Data” consists of data and other information made available to us by or for you through the use of the Services under these Terms. You instruct us to use and disclose Customer Data only in so far as is necessary to (a) provide the Services consistent with Ciptex Ltd.’s Data Processing Agreement, and this Section 4, including detecting, preventing, and investigating security incidents, fraud, spam, or unlawful use of the Services, and (b) respond to any technical problems or your queries and ensure the proper working of the Services. Should Ciptex Ltd act in breach of its obligations under this clause 4 and/or clause 12.1.4 and/or the Data Processing Agreement it shall indemnify you in respect of any claims or fines which may arise from that breach to the extent that Ciptex Ltd is responsible for the same up to a maximum amount of £1,000,000.
4.2 PCI DSS: Ciptex shall comply with the requirements of the PCI-DSS and attest to compliance annually as a Level 1 Service Provider. In line with our obligations under PCI-DSS Requirements 12.8.2 and 12.9 we shall take full responsibility for the security of payment card data whilst in our environment as shown in Appendix 3 – Data Flow Diagram showing the service data flows and service demarcation points. In addition, to maintain compliance to PCI-DSS 12.8.5, each party will be responsible for maintaining compliance to the PCI-DSS as set out in the Responsibilities Matrix.
4.3 Data Security. We shall be responsible for the security of the processing, storage, and transmission of your data that we undertake in accordance with the terms of this Agreement (including the Data Processing Agreement). We shall only process, store or transmit your data for the purpose of providing the Services and in accordance with your instructions (as set out in the Data Processing Agreement). Ciptex is registered with the Information Commissioner’s Office, number ZA137273. We conduct regular testing of the systems and procedures outlined in this Agreement.
4.4 Data Retention. Details regarding how long your end-user personal information may be stored on Ciptex systems and how to delete, access, or exercise other choices about end-user data will depend on which Ciptex products and services you are using and how you are using them. For that reason, our API docs and product collateral for each of our products and services are the best place to find more detailed information about managing end-user data collected and stored in connection with your use of our products and services, as well as the particular data retention periods for your use case. If the Ciptex product or service you use enables you to store records of your usage on Ciptex, including personal information contained within those records, and you choose to do so, then Ciptex will retain these records for as long as you instruct. In some cases, the use of extended storage may cost more. If you later instruct us to delete those records, we will do so. Please note that it may take up to 30 days for the data to be completely removed from all systems. In some cases, a copy of those records, including the personal information contained in them, may nonetheless be retained to carry out necessary functions like billing, invoice reconciliation, troubleshooting, and detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse. Sometimes legal matters arise that also require us to preserve records, including those containing personal information. These matters include litigation, law enforcement requests, or government investigations. If we have to do this, we will delete the impacted records when no longer legally obligated to retain them. We may, however, retain or use records after they have been anonymised if the law allows.
Some “dos and don’ts” to keep in mind when using the Services:
5.1 Your Responsibilities. You will: (a) be solely responsible for all use (whether or not authorized) of the Services under your account, including for the quality and integrity of Customer Data and each Customer Application; (b) use Services only in accordance with this Agreement, Documentation, Order Forms or other applicable terms relating to the use of the Services, and applicable laws; (c) be solely responsible for all acts, omissions and activities of your End Users, including their compliance with these Terms, and any Order Forms or other terms of sales of the Services; (d) do your best to prevent unauthorised access to or use of the Services and notify Ciptex Ltd promptly of any such unauthorised access or use; (e) provide reasonable cooperation regarding information requests from law enforcement, regulators, or telecommunications providers; and (f) comply with the representations and warranties you make in Section 12 (Representations and Warranties) below.
5.2 Services Usage Restrictions. With regard to the Services, you agree that: (a) except to make the Services available to your End Users in connection with the use of each Customer Application as permitted herein, you will not transfer, resell, lease, license or otherwise make available the Services to third parties or offer them on a standalone basis, other than permitted by clause 8; (b) you will not attempt to use the Services to access or allow access to Emergency Services (meaning, an official government-sponsored emergency telephone number (such as 999 in the United Kingdom or 112 in the European Union and other locations worldwide) which is used to dispatch professional emergency responders) unless the Service is expressly approved for Emergency Services; (c) you will ensure that the Services are used in accordance with all applicable law; (d) you will ensure that we are entitled to use your Customer Data, as needed to provide the Services; (e) you will not use the Services in any manner that violates any applicable law; (f) you will not use the Services to create, train, or improve (directly or indirectly) a substantially similar product or service, including any other machine translation engine; (g) you will not create multiple Customer Applications or Service accounts to simulate or act as a single Customer Application or Service account (respectively) or otherwise access the Service in a manner intended to avoid incurring fees; (h) except as allowed by applicable law, you will not reverse engineer, decompile, disassemble or otherwise create, attempt to create or derive, or permit or assist anyone else to create or derive the source code of any software provided in connection with the Services.
5.3 Suspension of Services. In addition to suspension of the Services for non-payment of fees as described in Section 10.3 (Suspension for Non-Payment), we may also suspend the Services immediately upon notice for cause if: (a) you violate (or give us a reasonable reason to believe you have violated) any material provision of these Terms, (b) there is reason to believe the traffic created from your use of the Services or your use of the Services is fraudulent or negatively impacting the operating capability of the Services; (c) we determine, in our sole discretion, that providing the Services is prohibited by applicable law, or it has become impractical or unfeasible for any legal or regulatory reason to provide the Services; or (d) subject to applicable law, upon your liquidation, commencement of dissolution proceedings, disposal of your assets or change of control, a failure to continue business, assignment for the benefit of creditors, or if you become the subject of bankruptcy or similar proceeding, or (e) there is any use of the Services by Customer or End Users that in Ciptex Ltd.’s judgment threatens the security, integrity or availability of the Services. However, Ciptex Ltd will use commercially reasonable efforts under the circumstances to (x) provide you with notice and an opportunity to remedy such violation or threat prior to any such suspension; (y) where practicable limit the suspension based on the circumstances leading to the suspension (e.g., to certain phone numbers, sub-accounts or other subset of traffic); and (z) remove the suspension as quickly as reasonably practicable after the circumstances leading to the suspension have been resolved.
We are always looking to innovate and make our services better, so our APIs and SLA may change over time. We will let you know in advance if any API changes are not backwards-compatible.
The features and functions of the Services, including the Ciptex Ltd API and our SLA may change over time. It is your responsibility to ensure that calls or requests you make to the Services are compatible with our then-current Services. Although we try to avoid making changes to the Services that are not backwards compatible, if any such changes become necessary, we will use reasonable efforts to let you know at least sixty (60) days prior to implementing those changes.
You have the choice to use our Beta Offerings. But you do not have to. These are not generally available, and they may have bugs or defects. Also, we do not consider these to be “Services” under these Terms. So, we have no responsibility if something goes amiss. You understand that we do not make any promises that Beta Offerings will not have problems.
You understand that we will not be liable for any damages from your use of Beta Offerings.
From time to time, Ciptex Ltd may make Beta Offerings available to you at no charge. You may choose to try such Beta Offerings or not in your sole discretion. Ciptex Ltd may discontinue Beta Offerings at any time in our sole discretion and may decide not to make a Beta Offering generally available. For avoidance of doubt, such Beta Offerings are not “Services” under these Terms. “Beta Offerings” means services that are identified as alpha, beta, non-GA, limited release, developer preview, or any such similarly designated services, products, features, and Documentation offered by Ciptex Ltd.
Your affiliates (namely a parent company or a subsidiary that your own company controls) can use our Services, and you and your affiliates will both be responsible for everything that your affiliates do when they are using our Services. That includes any violations of these Terms and Conditions. If your affiliate wants to bring a claim against Ciptex Ltd, then only you may bring that claim on your affiliate’s behalf. Of course, your affiliates can also accept our Terms and order their own Services.
Your affiliates mean any entity or person that controls you, is controlled by you, or under common control with you, such as a subsidiary, parent company, or employee. The term “control” means more than 50% ownership. Similarly, if we refer to our affiliates, we mean an entity or person that controls us, is controlled by us, or is under common control with us. If your affiliates use the Services under these Terms, then you and those affiliates will be jointly and severally responsible for the acts and omissions of your affiliates, including, but not limited to, their breach of these Terms. Any claim from any of your affiliates that use the Services pursuant to these Terms may only be brought against us by you on your affiliates’ behalf.
You may permit a third-party supplier of outsourcing or facility management services and/or a third-party provider of services to you to receive the benefit of and use the Services provided by us to you for the purpose of providing services to you provided that (i) you are responsible for ensuring that any such third-party supplier complies with the terms of this Agreement as they relate to the use of the Services on the same basis as applies to you; and (ii) you shall remain fully liable for any and all acts or omissions by such third-party supplier related to this Agreement.
This agreement does not constitute a partnership between us. Neither of us has the right to commit the other to any obligation under this agreement.
9.1 Relationship. You and Ciptex Ltd are independent contractors in the performance of each and every part of these Terms. Nothing in these Terms is intended to create or shall be construed as creating an employer-employee relationship or a partnership, agency, joint venture, or franchise. You and Ciptex Ltd will be solely responsible for all of our respective employees and agents and our respective labour costs and expenses arising in connection with our respective employees and agents. You and Ciptex Ltd will also be solely responsible for any and all claims, liabilities or damages or debts of any type that may arise on account of each of our respective activities, or those of each of our respective employees or agents, in the performance of these Terms. Neither you nor Ciptex Ltd has the authority to commit the other of us in any way and will not attempt to do so or imply that it has the right to do so.
9.2 You and Ciptex Ltd acknowledge and agree that the provision of or cessation of all or part of the Services at any time and any arrangements contemplated by this Agreement are not intended to constitute a relevant transfer for the purposes of the TUPE Regulations.
9.3 You and Ciptex Ltd agree that for the period of this agreement and for 12 calendar months following its termination it will not directly or indirectly induce or attempt to induce any employee of the other party who has been involved with this Contract to leave the employment of the other party. This does not prohibit the employment of any person recruited through an employment agency, if neither party nor any person connected with them has encouraged that agency to approach the relevant individual, nor the placing of a public advertisement for a post available to members of the public generally or the employment of any person who answers such an advertisement. Ciptex estimates the impact of a breach of this clause 9.3 would be one times the current gross annual salary of the personnel concerned. You accept that this is a reasonable estimate of the loss and agree to pay the same upon demand in the event of a breach. You may demand, and Ciptex Ltd may pay similar damages in the event of a breach by Ciptex Ltd. Nothing in this Clause 9.3 shall prejudice the right of the non-breaching party to seek injunctive relief.
You agree to pay the fees generated under your account(s). If you use our Services in violation of these terms and cause us to be fined or penalized, we will automatically bill you for it. You also agree to pay all applicable taxes. If you are exempt from paying any taxes, please let us know and send us proof.
You will pay us for any Services you use. If you pay by credit card, then you must make sure that you have topped your Ciptex Ltd account(s) up with sufficient funds to cover your monthly fees. If you do not have sufficient funds in your Ciptex Ltd account(s) to cover your monthly fees, then we may suspend our services.
If we approve you for invoicing, you agree to setting up a Direct Debit mandate and to pay all fees that you owe to Ciptex Ltd in UK Pounds (GBP), unless we agree to another currency in writing, no later than 14 days after the date of the invoice or other terms as may be set out in the Order Form. You will be required to provide a returnable security deposit equal to an estimate of the likely monthly charges. We reserve the right to amend the deposit amount if the actual monthly costs differ by more than 10% from the estimated costs.
If you do not pay on time, then we may send you a late notice and we may suspend our services. Please pay us on time. If we suspend our services to you for your non-payment, then we are not responsible for anything bad that might happen as a result.
If you ever think that we charged you the wrong amount and you want to dispute it, then let us know, in writing, within 60 days of billing date for the charge in question. You have to be reasonable when disputing an invoice. You must be acting in good faith and cooperating with us to resolve the problem.
10.1 Fees. You agree to pay fees in accordance with the rates listed on Our Site unless otherwise set forth in an order form or order confirmation between the parties (an “Order Form”).
Additionally, we will charge you, and you shall pay, in accordance with Section 10.3, any and all additional costs, fines, or penalties we incur from a governmental or regulatory body or telecommunication provider as a result of your use of the Services.
We also reserve the right to pass on any fees, surcharges or other fees incurred by Ciptex as a result of Malformed or Missing Caller IDs provisioned by you (in the case of Wholesale Access Services and/or P-Asserted-Identity headers) as set forth in the UK and NI Ofcom Wholesale Voice Markets Review 2021-26.
10.2 Taxes. Unless otherwise stated in an Order Form, you shall be responsible for and shall pay all Taxes imposed on or with respect to the Services that are the subject of this Agreement. For purposes of this Section 10.2, Taxes do not include any Taxes that are imposed on or measured by our net income, property tax, or payroll taxes. If you are exempt from any such Taxes for any reason, we will exempt you from such Taxes on a going-forward basis once you deliver a duly executed and dated valid exemption certificate to our tax department and our tax department has approved such exemption certificate. Such exemptions should be sent directly to accounts@ciptex.com. If you are exempt from VAT or GST, then it is your responsibility to provide your VAT or GST registration number to us. If you provide us an exemption certificate or your VAT or GST number after you have paid Taxes, then we will provide, upon your written request, a credit to your customer account for Taxes previously paid for up to a period of three (3) months from the date of receipt of your written request. If for any reason a taxing jurisdiction determines that you are not exempt from any such exempted Taxes and then assesses us such Taxes, you agree to promptly pay to us such Taxes, plus any applicable interest or penalties assessed.
Should you be required by applicable law to withhold any tax from any payment owed to us, then you may provide us with an exemption certificate or similar document to reduce or eliminate any such withholding. Upon receipt of such certificate or document, you shall thereafter reduce or eliminate, as the case may be, such withholding. You shall provide us with documents evidencing your payment of any such withheld Tax to applicable tax authorities.
10.3 Payment Terms. You will make all of the payments due hereunder in accordance with the following applicable payment method:
10.3.1 Credit Card Payment Terms. If you elect to pay via credit card, then you are responsible for either (a) enabling auto-recharge on your customer account(s) or (b) ensuring that your customer account(s) has a sufficient positive balance to cover all fees due. If, for any reason, you have a negative balance on your customer account(s), then we reserve the right to suspend the Services.
10.3.2 Direct Debit Invoicing Payment Terms. If you elect to pay via direct debit, receive invoices and pay in arrears and we approve you for the same, then invoices will be sent to you via email as a PDF on a monthly basis. Payment will be requested via the direct debit mandate and payment collected on all of the undisputed fees hereunder within fourteen (14) days of the date of the invoice. Unless you and Ciptex Ltd agree otherwise in writing, all undisputed fees due pursuant to these Terms are payable in GBP, unless otherwise agreed to between the parties in writing. Payment obligations cannot be cancelled, and fees paid are non-refundable. If you are overdue on any payment of undisputed fees and fail to pay within ten (10) business days of a written notice of your overdue payment, then we may assess, and you must pay, a late fee. The late fee will be either 1.5% per month, or the maximum amount allowable by applicable law, whichever is less. Following the notice of non-payment, we may also suspend the Services until you pay the undisputed fees due plus any late fees.
10.3.3 Security Deposit. Immediately upon creation of a Customer Account, you will be required to provide a refundable security deposit equal to an estimate of your average monthly spend. This deposit will be calculated based on a 40-hour working week, applied to time-based services as itemised on the Order Form. The Security Deposit will be reviewed and adjusted if required every 3 months based on actual invoicing in the preceding period. If an increase is required, we will provide 14 days’ notice and request the balance via direct debit. If a decrease is required, we will notify you and transfer the excess balance to a bank account of your choice. Upon termination of this agreement, the security deposit will be returned to you, less any outstanding balance due under the terms of this agreement.
10.3.4 Suspension for Non-Payment. If we suspend the Services pursuant to this Section 10.3, then we will have no liability for any damage, liabilities, losses (including any loss of data or profits) or any other consequences that you may incur in connection with any such suspension.
10.4 Fee Disputes. If you are disputing any fees or Taxes, you must act reasonably and in good faith and you must cooperate diligently with Ciptex Ltd to resolve the dispute. You must notify us in writing if you dispute any portion of any fees paid or payable by you pursuant to these Terms. You must provide that written notice to us within sixty (60) days of the date we bill you for the charge you want to dispute, and we will work together with you to resolve the dispute promptly.
11.1 General. As between you and Ciptex Ltd, we exclusively own and reserve all right, title and interest in and to the Services, Documentation, our Confidential Information and all anonymized or aggregated data resulting from use and operation of the Services (such as but not limited to volumes, frequencies, or bounce rates) and that do not identify a natural person or organisation or company as the source of the information. As between you and Ciptex Ltd, you exclusively own and reserve all right, title and interest in and to each Customer Application, Customer Data, and your Confidential Information.
11.2 To the extent that you and/or your End Users make a suggestion or recommendation (a “Contribution”) as to how the functionality of the Service could be changed or improved, and Ciptex Ltd implements such a Contribution, Ciptex Ltd shall exclusively own and reserve all right, title and interest in the change(s) made to the Service.
11.3 Use of Marks. Subject to your prior written consent, you grant Ciptex Ltd the right to use your name, logo, and a description of your use case to refer to you on Ciptex Ltd.’s website, marketing, or promotional materials, subject to your standard trademark usage guidelines that you provide to us from time-to-time.
11.4 Confidentiality.
11.4.1 “Confidential Information” means any information or data, regardless of whether it is in tangible form, disclosed by either party that is marked or otherwise designated as confidential or proprietary or that should otherwise be reasonably understood to be confidential given the nature of the information and the circumstances surrounding disclosure. Confidential Information does not include any information which: (a) is publicly available through no fault of the receiving party; (b) was properly known to the receiving party, without restriction, prior to disclosure by the disclosing party; (c) was properly disclosed to the receiving party, without restriction, by another person without violation of the disclosing party’s rights; or (d) is independently developed by the receiving party without use of or reference to the Confidential Information of the disclosing party.
11.4.2 Use and Disclosure. The Receiving Party will use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but not less than reasonable care) to (i) not use any Confidential Information of the Disclosing Party for any purpose outside the scope of this Agreement and (ii) except as otherwise authorized by the Disclosing Party in writing, limit access to Confidential Information of the Disclosing Party to those of its and its affiliates’ employees and contractors who need that access for the purposes of this Agreement and who are legally bound to keep such information confidential consistent with the terms of this Section 11. Each party may disclose the terms of any Order Form or other purchase of Services to its affiliates, legal counsel and accountants without the other’s prior written consent, and will remain responsible for its affiliate’s, legal counsel’s or accountant’s compliance with this Section 11 (Confidentiality). Notwithstanding the foregoing, (x) each party may disclose the terms of this Agreement and any applicable purchase transaction to a subcontractor to the extent necessary to perform its obligations under this Agreement, and (y) Ciptex Ltd may use and disclose your Confidential Information as necessary to provide the Services, subject to the Data Processing Agreement and in each case of (x) and (y) under terms of confidentiality materially as protective as set forth herein. The Customer may disclose such information pursuant to any disclosure process, procedure or obligation under United States securities laws, or the listing rules of the New York Stock Exchange or any other securities exchange on which the capital stock of the Customer and/or any of its Affiliates may be listed from time to time.
11.4.3 Compelled Disclosure. Either party may disclose the other’s Confidential Information if so required, pursuant to a regulation, law, or court order. The relevant party will give the other notice of the compelled disclosure (to the extent legally permitted). Each party will cover the other’s reasonable legal fees for preparation of witnesses, deposition and testimony to the extent such compelled disclosure is in connection with a lawsuit or legal proceeding to which the other is a party or to the extent fees are incurred in connection with reasonable assistance provided in connection with efforts to contest disclosure.
11.5 Injunctive Relief. The parties expressly acknowledge and agree that no adequate remedy may exist at law for an actual or threatened breach of this Section 11 and that, in the event of an actual or threatened breach of the provisions of this Section 11, the non-breaching party will be entitled to seek immediate injunctive and other equitable relief, without waiving any other rights or remedies available to it.
12.1 Representations and Warranties.
12.1.1 Recordings and Communications Monitoring. You represent and warrant that if you record or monitor telephone calls, SMS messages, or other communications using the Services, then you will comply with all applicable laws prior to doing so and will secure all required prior consents to record or monitor communications using the Services. We make no representations or warranties with respect to recording or monitoring of telephone calls, SMS messages, or other communications. You acknowledge that these representations, warranties, and obligations are essential to our ability to provide you with access to recording and monitoring features that are part of the Services, and you further agree to indemnify us and our affiliates in accordance with the terms of Section 13 (Mutual Indemnification) for claims arising out of or related to your acts or omissions in connection with providing notice and obtaining consents regarding such recording or monitoring of telephone calls, SMS messages, or other communications using the Services.
12.1.2 Customer Data. You represent and warrant that you have provided (and will continue to provide) adequate notices and have obtained (and will continue to obtain) the necessary permissions and consents to provide Customer Data to us for use and disclosure pursuant to Section 4 (Our Use of Customer Data).
12.1.3 Services. We represent and warrant that the Services will perform materially in accordance with the applicable Documentation. Ciptex Ltd.’s sole obligation, and your sole and exclusive remedy, in the event of any failure by Ciptex Ltd to comply with this Section 12.1.3 will be for Ciptex Ltd to, at Ciptex Ltd.’s option, re-perform the affected Services or refund to you the fees you actually paid for the affected Services.
12.1.4 PCI-DSS. We warrant that our One Payment Cloud service is compliant with PCI-DSS Service Provider requirements and that we will maintain compliance for the duration of the Agreement. We will supply a copy of our PCI Attestation of Compliance to you annually on request. If our external auditors deem that our service is no longer compliant, we will advise you of this change in status within 24 hours and you have the right to suspend the service with immediate effect and the opportunity to cancel the service if compliance is not re-established within 5 working days.
12.2 Disclaimers. Without limiting a party’s express warranties and obligations hereunder, and except as expressly provided herein, the services are provided “as is,” and Ciptex Ltd makes no warranty of any kind, whether express, implied, statutory or otherwise, and Ciptex Ltd specifically disclaims all implied warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, to the fullest extent permitted by law. Ciptex Ltd additionally disclaims all warranties related to third party telecommunications providers. Beta offerings are provided “as is” and “as available” with no warranties whatsoever, and Ciptex Ltd shall have no liability whatsoever for any harm or damage arising out of or in connection with a beta offering.
If we think our Services may violate someone else’s intellectual property rights, then we may try to obtain the right for you to continue to use our Services or modify our Services, so they are no longer infringing. If we are unable to do either, then we may terminate these Terms and close your Ciptex Ltd account(s) and refund you any unused fees.
There are limits on what we indemnify you for. Ciptex Ltd will not pay for any bills, damages, costs, etc. for (1) a claim that was filed because you violated these terms and (2) any intellectual property infringement claim that arises from your use of our Services with other applications, products, or services, or (3) if you did not pay us for the Services and they were free of charge.
13.1 Indemnification by Ciptex Ltd. We will defend you from and against all claims, demands, suits or proceedings made or brought against you by a third party alleging that the Services infringe or misappropriate such third party’s intellectual property rights (“Infringement Claim”), and will indemnify you from any damages, attorney fees, and costs finally awarded against you as a result of, or for amounts you pay to settle an Infringement Claim under a settlement for which Ciptex Ltd has given its written approval.
13.2 Infringement Options. If your use of the Services has become, or in Ciptex Ltd.’s opinion is likely to become, the subject of any Infringement Claim, Ciptex Ltd may at its option and expense: (a) procure for you the right to continue using the Services as set forth herein; (b) modify the Services to make them non-infringing; or (c) if the foregoing options are not reasonably practicable, terminate these Terms and refund you any unused pre-paid fees. This Section 13 states your exclusive remedy for any Infringement Claim by a third party.
13.3 Limitations. Ciptex Ltd will have no liability or obligation with respect to any Infringement Claim and a court award of damages (a) arising out of your use of the Services in breach of these Terms, (b) arising out of the combination, operation, or use of the Services with other applications, portions of applications, products, or services where the Services would not by themselves, and without modification, be infringing, or (c) arising from Services for which there is no charge.
13.4 Indemnification by You. You will defend Ciptex Ltd from and against any claim, demand, suit or proceeding made or brought against Ciptex Ltd by a third party alleging that the Customer Data infringes or misappropriates such third party’s intellectual property rights (collectively, “Customer Indemnifiable Claims”) and will indemnify Ciptex Ltd from any damages, attorney fees, and costs finally awarded against Ciptex Ltd as a result of, or for amounts paid by Ciptex Ltd to settle a Customer Indemnifiable Claim under a settlement for which you have given your written approval.
If either you or Ciptex Ltd wants to be indemnified by the other for a particular claim, then the party requesting indemnification needs to do certain things — namely give notice of the claim, cooperate, and let the party providing the indemnification handle the defence or settlement of the claim. If these things are not done, then the other party may not have to provide the requested indemnification. See the legal language for what is required.
13.5 Conditions of Indemnification. As a condition of the foregoing indemnification obligations: (a) the indemnified party (“Indemnified Party”) will promptly notify the indemnifying party (“Indemnifying Party”) of any Infringement Claim or Customer Indemnifiable Claim, as applicable (collectively referred to as a “Claim”), provided, however, that the failure to give such prompt notice shall not relieve the Indemnifying Party of its obligations hereunder except to the extent that the Indemnifying Party was actually and materially prejudiced by such failure; (b) the Indemnifying Party will have the sole and exclusive authority to defend or settle any such Claim (provided that, the Indemnifying Party will obtain the Indemnified Party’s consent in connection with any act or forbearance required by the Indemnified Party, which consent will not be unreasonably withheld); and (c) the Indemnified Party will reasonably cooperate with the Indemnifying Party in connection with the Indemnifying Party’s activities hereunder, at the Indemnifying Party’s expense. The Indemnified Party reserves the right, at its own expense, to participate in the defence of a Claim. Notwithstanding anything herein to the contrary, the Indemnifying Party will not settle any Claims for which it has an obligation to indemnify pursuant to this Section 13 admitting liability or fault on behalf of the Indemnified Party, nor create any obligation on behalf of the Indemnified Party without the Indemnified Party’s prior written consent.
Generally speaking, neither of us owes each other for any bad things that might indirectly result from our services not working as intended.
Subject to clause 14.2, any direct damages we might owe each other cannot be more than the amount you have paid (or should have paid) in the previous 12-months for the given Services giving rise to the claims. However, direct damages will not be limited if they result from satisfying our mutual indemnification obligations.
We have special products and a special agreement that covers connecting to emergency services. If you do not have that agreement with us, you may not use our services to connect to emergency services (like 999). If something bad happens because you or someone using our services under your Ciptex Ltd account(s) tries but is unable to reach emergency services, then Ciptex Ltd is not and cannot be held responsible.
14.1 Indirect consequential and related damages. In no event will either party or its affiliates have any liability arising out of or related to this agreement for any revenues, goodwill, or indirect, special, incidental, consequential, cover, business interruption or punitive damages, whether an action is in contract or tort and regardless of the theory of liability, even if a party or its affiliates have been advised of the possibility of such damages or if a party’s or its affiliates’ remedy otherwise fails of its essential purpose. The foregoing disclaimer will not apply to the extent prohibited by law.
14.2 Limitation of liability. Except for amounts payable under a party’s indemnification obligations under section 4 (data protection) and 13 (mutual indemnification) of these terms, in no event will the aggregate liability of each party arising out of or related to these terms exceed the higher of £50,000 or the amounts paid or payable by customer hereunder for the services giving rise to the liability during the twelve (12) month period preceding the first incident out of which the liability arose. The foregoing limitation will apply whether an action is in contract or tort, and regardless of the theory of liability, but will not limit your payment obligations under section 10 (fees, payment terms, taxes) above.
14.3 Emergency services disclaimer. Neither Ciptex Ltd nor its representatives will be liable under any legal or equitable theory for any claim, damage, or loss (and customer will hold Ciptex Ltd harmless against any and all such claims) arising from or relating to the inability to use the services to contact emergency services, as defined in section 5.2(b), above. Ciptex Ltd.’s outbound communications services should not be used for contacting emergency services unless the Service is expressly approved for this purpose and you and Ciptex Ltd have entered an Emergency Services Addendum in connection with your use of the approved product.
14.4 In relation to the limitation of liability: Nothing in this Agreement shall exclude or limit the liability of either party for (i) gross negligence or intentional misconduct of such party, (ii) death or personal injury caused by that party’s negligence or (iii) fraud or fraudulent misrepresentation or (iv) any other liability to the extent that the same may not be excluded or limited as a matter of applicable law. Should Ciptex Ltd be required to update these Terms and Conditions as a result of changes in the law or requirements from telecommunications providers, it shall provide you with 30 days prior written notice of the same, or such time period as it is reasonably able to do and where you reject such changes you will be able to terminate these Terms and Conditions immediately without incurring any liability.
The provisions of this section 14 allocate the risks pursuant to these terms between the parties, and the parties have relied on the limitations set forth herein in determining whether to enter into these terms.
These terms become effective on the day you click “I Accept” or when you or someone else starts using our services under your customer account.
Either we or you may terminate these terms and close your Ciptex Ltd account(s) for any reason 30 days after one of us tells the other in writing. However, if there are any order forms in effect, then these terms will not terminate until all order forms have expired or been terminated.
If you significantly breach these terms, and do not fix the breach within five (5) days of us telling you about the breach, then we may terminate these terms and close your Ciptex Ltd account(s). Similarly, if we significantly breach these terms, and do not fix the breach within five (5) days of you telling us, then you may terminate these terms.
We may offer certain equipment or Services with an Initial Commitment Term. Any equipment or Services subject to an Initial Commitment Term will be itemised on the Order Form.
15.1 Term. These Terms will commence on the date they are accepted by you and continue until terminated in accordance with Section 15.2 (Termination) below (“Term”).
15.2 Either party may terminate these Terms and close your customer account(s) by providing at least thirty (30) days written notice to the other party. The notice must expire at the end of the initial term, as specified in the Order Form, or on any subsequent anniversary of the initial term. If no notice of termination is received, the contract will automatically renew for an additional twelve (12) months. Ciptex Ltd, at its sole discretion, may terminate these Terms and close your customer account(s) in the event you commit any material breach of these Terms and fail to remedy that breach within five (5) business days after Ciptex Ltd provides written notice of that breach to you. You may also terminate these Terms in the event we commit a material breach of these Terms and fail to remedy that breach within five (5) days after providing written notice of that breach to us.
Either we or you may terminate these terms and close your Ciptex Ltd account(s) with at least 30 days written notice, effective at the end of the initial term as specified in the Order Form, or any anniversary of it. If no notice is given, the contract will automatically renew for 12 months. If any Order Forms are in effect, these terms will not terminate until all Order Forms have expired or been terminated.
17.1 Compliance with Laws. Both parties will comply with the applicable law relating to your respective activities pursuant to these Terms. Ciptex Ltd will provide the Services in accordance with laws applicable to Ciptex Ltd.’s provision of the Services as set out at clause 3.1, and subject to Customer’s use of the Services in accordance with this Agreement, the Documentation and applicable Order Form (if any).
17.2 No Waiver, Order of Precedence. Either party’s failure to enforce at any time any provision of these Terms, our Acceptable Use Policy, or any other of the other party’s obligations does not waive such party’s right to do so later. And, if such party does expressly waive any provision of these Terms, our Acceptable Use Policy, or any of either party’s other obligations, that does not mean it is waived for all time in the future. Any waiver must be in writing and signed by you and us to be legally binding. In the event of any conflict or inconsistency among the following documents, the order of precedence shall be (except as otherwise expressly set forth in an applicable Order Form): (1) product-specific terms set out in the Order Form, (2) the Terms and Conditions and (3) the Documentation.
17.3 Assignment. The parties will not assign or otherwise transfer these Terms, in whole or in part, without our prior written consent. The parties may however (without the further prior written consent of the other) assign any of its rights under this Agreement (including any right of action against each other) to any of their Affiliates. Further, the parties shall not unreasonably refuse any request from the other to novate this Agreement to an Affiliate. Any attempt to assign, delegate, or transfer these Terms other than as provided for in this Agreement will be void. Subject to this Section 17.3, these Terms will be binding on both you and Ciptex Ltd and each of our successors and assigns.
17.4 Severability. If any provision of these Terms is held by a court or other tribunal of competent jurisdiction to be unenforceable, that provision will be limited or eliminated to the minimum extent necessary to make it enforceable and, in any event, the rest of these Terms will continue in full force and effect.
17.5 Notices. Any notice required or permitted to be given hereunder will be given in writing to the party at the address specified in this Agreement by personal delivery, certified mail, return receipt requested, overnight delivery by a nationally recognized carrier or by email. Billing-related notices to Customer will be addressed to the relevant billing contact designated by Customer in its account.
17.6 Force Majeure. No failure, delay or default in performance of any obligation of a party shall constitute an event of default or breach of these Terms to the extent that such failure to perform, delay or default arises out of a cause, existing or future, that is beyond the control and without negligence of such party, including action or inaction of governmental, civil or military authority; fire; strike, lockout or other labour dispute; flood, terrorist act; war; riot; theft; pandemic; earthquake and other natural disaster. The party affected by such cause shall take all reasonable actions to minimize the consequences of any such cause.
17.7 Government Terms. We provide the Services, including related software and technology, for government end use in accordance with these Terms. If you (or any of your End Users) are an agency, department, or other entity of any government, the use, duplication, reproduction, release, modification, disclosure, or transfer of the Services, or any related documentation of any kind, including technical data, software, and manuals, is restricted by these Terms. All other use is prohibited and no rights other than those provided in these Terms are conferred.
17.8 Governing Law. This Agreement shall be governed by and construed in accordance with English Law. In relation to any legal action or proceedings to enforce this Agreement or arising out of or relating to this Agreement (“proceedings”) each of the parties irrevocably submits to the exclusive jurisdiction of the English courts and waives any objection to proceedings in such courts on the grounds of venue or on the grounds that the proceedings have been brought in an inconvenient forum.
17.9 Entire Agreement. Except as provided in these Terms and any exhibits or addenda or other terms incorporated by reference into these Terms, these Terms supersede all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written. No oral or written information or advice given by Ciptex Ltd, its agents or employees will create a warranty or in any way increase the scope of the warranties or obligations under these Terms. Any purchase order document or similar document provided by you shall be construed solely as evidence of your internal business processes, and the terms and conditions contained thereon shall be void and have no effect with regard to these Terms between you and Ciptex Ltd and be non-binding against Ciptex Ltd even if signed by Ciptex Ltd after the date you accept these Terms.
Data Processing Agreement
This document concerns the processing of Personal Data (as defined below) in relation to the delivery of Services provided by the Supplier, as further specified in the Agreement between the Supplier and Company.
1.1 The terms used in this Data Processing Agreement shall have the meanings set forth herein. Capitalised terms not otherwise defined herein shall have the meaning given in the Agreement.
1.2 In this Data Processing Agreement, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Company” The purchaser of the Services from the Supplier
“Company Affiliate” means Company’s holding company and ultimate holding company and each of its subsidiary companies and its holding company’s and ultimate holding company’s subsidiary companies from time to time (with “holding company” and “subsidiary” having the meanings given to them in section 1159 of the Companies Act 2006) and any employee, officer, or contractor of Company or Company Affiliate;
“Data Flow Diagram” means the diagrammatic representation of the data flow necessary to deliver the Service, naming Controller, Processor and all required Sub-processor organisations (Appendix 3).
“DPA – 2018” means the UK Data Protection Act 2018
“Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and, as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR; including but not limited to Data Protection Act 2018; and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003);
“GDPR” means General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or of a part of the United Kingdom from time to time);
“Personal Data” means any information that:
(i) relates to an identified person or identifiable natural person, who can be identified, directly or indirectly, by reference to that information; or
(ii) would be considered personal information as such term or concept is defined by Data Protection Laws;
“Restricted Transfer” means an onward transfer of Personal Data from Supplier to a Sub processor where such transfer would be prohibited by the EU Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of the EU Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under clause 12;
“Standard Contractual Clauses” means the contractual clauses set out in Schedule A, as amended as indicated (in square brackets and italics) in that schedule and under the Agreement.
“Services” means the services to be provided by the Supplier to the Company as set out in the Terms and Conditions and any Order Form
“Supplier” Ciptex Ltd
1.3 References in this Data Processing Agreement to any terms defined in the Data Protection Laws (including without limitation Data Controller, Data-Processor, personal data breach and Sub-Processor) have the meanings as defined in the Act and currently meeting EU adequacy provisions to EU Data Protection Laws.
2.1 Supplier shall at all times, comply with Data Protection Laws in the processing of Personal Data for the purposes of provision of Services and not process Personal Data other than on the Company’s documented written instructions unless processing is required by applicable laws to which Supplier is subject, in which case Supplier shall to the extent permitted by applicable laws inform the Company of that legal requirement before the relevant processing of that Personal Data. For clarity, any documented instructions from the Company Affiliate who has provided those specific instructions shall be deemed for the purpose of this Data Processing Agreement the Company Affiliates’ documented instructions and will only apply to that specific Company Affiliate.
2.2 Company instructs Supplier to process Personal Data as reasonably necessary for the provision of Services and consistent with the Agreement. The processing activities will involve:
Categories of Personal Data: Personal Data may include, among other information:
(a) personal information such as title, name, address, telephone or mobile number, email address, and business contact details;
(b) information concerning health, family, lifestyle, and social circumstances including age, date of birth, nationality, marital status, and dependents;
(c) financial information such as national insurance number, tax code, and bank account details.
Categories of Data Subjects: Data subjects include the Company’s customers, and any other identifiable person whose Personal Data is being processed.
2.3 During the term of the Agreement, the Company may provide written instructions to Supplier in addition to those specified in the Agreement with regard to the processing of Personal Data. Supplier shall comply with all such instructions without additional charge to the extent necessary for Supplier to comply with Data Protection Laws as a data processor.
2.4 Collection. Supplier shall only collect, store, transmit, disclose, process, destroy, or otherwise use any Personal Data in accordance with the Company’s instruction and never in a manner that contravenes Data Protection Laws or fails to meet the requirements set forth in this Data Processing Agreement. Supplier shall not distribute, sell, license, lease, transfer, or otherwise convey Personal Data for Supplier’s own purposes or for the benefit of any other party other than Company, without Company’s prior written consent.
2.5 Collection.
(a) To the extent that Supplier collects Personal Data on Company’s behalf, Supplier shall only collect that Personal Data necessary to perform Services under the Agreement or to otherwise fulfil Company’s instructions on collection.
(b) Supplier shall notify Company about the methods of operation and data collection capabilities for any cookie, JavaScript, pixel, beacon, statistical ID, probabilistic ID, UIDI, similar tracking mechanisms, or other method of monitoring a user or device across web and/or app locations or properties (Tracking Technologies) Supplier intends to use and shall not use Tracking Technologies without Company’s prior written consent. Supplier shall never use Tracking Technologies that: (i) use Flash local shared objects; (ii) fail to provide users with an opportunity to control the use of such Tracking Technologies; (iii) are deployed on behalf of other parties (so-called “fourth-party” tracking or “piggy-backing”); or (iv) circumvent user preferences as designated in Web browser privacy controls.
2.6 Data location.
Unless otherwise agreed upon by the parties in writing, Supplier shall use Personal Data only in (i) the jurisdiction in which the data subject resides (predominantly the UK); or (ii) the European Economic Area (EEA) if the data subject resides anywhere within the EEA. Supplier shall obtain the written consent of Company prior to the transfer of Personal Data from the EEA to a country outside the EEA. As at the date of this Agreement the Parties acknowledge that the Supplier shall process Personal Data in the UK, the EEA and (where necessary for the purposes of business continuity) US jurisdictions and the parties shall comply with the provisions of clause 12 in respect of such processing.
2.7 Data Flow Diagram
Appendix 3 contains the Data Flow Diagram. No changes will be made to the Service as represented in the Data Flow Diagram, without the written consent of both parties.
3.1 Supplier shall keep all Personal Data confidential and only disclose such information strictly in relation to its processing activities under this Data Processing Agreement to its employees on a need to know basis.
3.2 Supplier shall take reasonable steps to ensure the reliability of any employee who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to Supplier, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Supplier shall put in place all appropriate technical and organisational measures to enable Company to comply with its obligations to respond to requests from data subjects to exercise their rights in respect of Personal Data, including but not limited to the right to access the Personal Data processed by Supplier and to request the rectification of inaccurate Personal Data. Supplier shall not respond to any such request from a data subject without receiving the prior written consent of Company.
6.1 Supplier shall notify Company without undue delay upon Supplier or any Sub processor (as the case may be) becoming aware of a personal data breach affecting Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform data subjects of the personal data breach under the Data Protection Laws. Such notification shall as a minimum:
(a) describe the nature of the personal data breach, the categories, and numbers of data subjects concerned, and the categories and numbers of personal data records concerned;
(b) communicate the name and contact details of Supplier’s data protection officer or other relevant contact from whom more information may be obtained;
(c) describe the likely consequences of the personal data breach; and
(d) describe the measures taken or proposed to be taken to address the personal data breach.
6.2 Supplier shall cooperate with Company and take such reasonable steps as are directed by Company to assist in the investigation, mitigation, and remediation of each such personal data breach.
Consistent with the size and complexity of its organisation, Supplier shall maintain its own privacy process that manages its handling of personal information and includes a documented data breach response. Supplier will appoint (or have appointed) a leader to oversee this privacy process. Where necessary, Supplier shall assist Company in completing privacy impact assessments and in consultations with the relevant supervisory authorities.
Supplier shall fully comply with all applicable governmental, legal, regulatory, and professional requirements, relating to privacy including Data Protection Laws. For the purposes of Data Protection Laws, Supplier is considered a data processor in relation to the Personal Data it accesses under the Agreement and the Company the data controller.
9.1 Supplier shall implement and maintain compliance with appropriate technical and organisational security measures (including the measures set out below) to process and protect Personal Data.
9.2 Compliance with industry standards. Supplier shall use organisational, administrative, physical, and technical policies, standards, and controls to protect Personal Data against the unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, Personal Data. Such measures shall be consistent with current accepted industry standards (e.g., the NIST Cyber Security Framework, ISO 27001/27002, etc.) and comply at all times with all Data Protection Laws concerning the protection and securing of information.
9.3 Assessment and review. Supplier shall implement a process for regularly testing, assessing, and evaluating the effectiveness of the security measures it puts in place to ensure the security of Personal Data.
9.4 Encryption. Supplier shall not store Personal Data on any portable device or media (e.g., laptop, flash drive, Smartphone) that does not use industry standard, full disk (where possible) encryption. All Personal Data shall be encrypted when in transit and at rest consistent with accepted industry encryption standards.
9.5 Web-enabled applications. All internet facing websites accessed by Company employees must have industry standard tuned Web Application Firewall (WAF) and must be scanned and remediated using accepted industry standard for security vulnerabilities (e.g., Open Web Application Security Project and Open Web Application Security Project Top 10). Scans and remediation must first be completed prior to application launch. Post launch, Company shall conduct scans at a frequency that is appropriate for the relevant application, technology, and data risk. Websites shall implement and maintain accepted industry standard account and password management controls, including:
(a) lockout after no more than ten unsuccessful login attempts;
(b) prohibiting user IDs, passwords, and Personal Data from being displayed in a URL;
(c) storing user passwords and reset or forgotten security questions in an encrypted manner;
(d) re-authentication is required after no more than 30 minutes of inactivity; and
(e) prohibiting the storage of passwords or Personal Data in persistent local storage (caches, etc.) or in any cookies, JavaScript, or other web tracking technology.
9.6 Awareness and training. Supplier shall provide information security awareness training to all its employees with access to Personal Data or Company systems or networks that materially addresses the security requirement in this Data Processing Agreement.
9.7 Hosted systems. Supplier shall notify Company in writing when it hosts Personal Data in a shared or cloud environment. Supplier shall protect (or if applicable cause its Sub processor to protect) the Personal Data in this cloud environment using controls consistent with accepted industry standards (e.g., Cloud Security Alliance Cloud Controls Matrix). Supplier shall collaborate in good faith to identify an alternative to such hosting should Company so request.
9.8 Records and continuity. Supplier shall maintain a records retention process and a business continuity plan for all Personal Data in its control or custody.
9.9 Disposal. Supplier shall destroy Personal Data using a secure means of disposal (e.g., incineration or cross-cut shredding) when such data is no longer required (either for the supply of Software and provision of services or to be retained by law). Hardware containing Personal Data must be physically destroyed or securely overwritten prior to disposal or use for another purpose.
9.10 Device management. Supplier shall use only securely configured, corporate-owned devices (i.e., non-BYOD or hybrid or work personal use devices) to connect to Company networks and systems or to access or store Personal Data.
10.1 On expiration or termination of the Agreement, Supplier shall promptly and in any event within 30 days of the date of termination or expiration:
(a) return a complete copy of all Personal Data to Company or a third party nominated by Company by secure file transfer in such format as is reasonably notified by Company to Supplier; and
(b) delete and procure the deletion of all other copies of Personal Data.
Supplier may retain Personal Data to the extent required by Data Protection Laws and only to the extent and for such period as required by such Data Protection Laws and always provided that Supplier shall ensure the confidentiality of all such Personal Data and shall ensure that such data is only processed as necessary for the purposes specified in the Data Protection Laws requiring its storage and for no other purpose.
10.2 Supplier shall provide written certification to Company that it has fully complied with this clause 10 within five days of the date of deletion.
11.1 Supplier shall make available to Company on request all information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and contribute to audits, including inspections, by Company or an auditor appointed by Company in relation to the processing of Personal Data by Supplier.
11.2 Information and audit rights of Company only arise under clause 11.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, article 23(3)(h) of the GDPR).
12.1 Company (as “data exporter”) and Supplier (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Company to Supplier.
12.2 The Standard Contractual Clauses shall come into effect under clause 12.1 on the later of:
(a) the data exporter becoming a party to them;
(b) the data importer becoming a party to them; and
(c) commencement of the relevant Restricted Transfer.
12.3 Clause 12.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from data subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable EU Data Protection Laws.
13.1 Duration. This Data Processing Agreement shall remain in force for so long as Supplier has Personal Data in its control or custody.
13.2 Order of precedence. This Data Processing Agreement is subject to the terms of the Agreement. In the event of any conflict between the terms of the Agreement and the terms of this Data Processing Agreement, the terms of the Data Processing Agreement shall prevail.
13.3 Materiality. If Supplier fails to comply with any of the terms in this Data Processing Agreement, then Company shall have the right to either suspend Supplier’s performance under the Agreement or terminate the Agreement with immediate effect, without any penalty, liability, or further obligation.
Schedule A
[These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the EU Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those EU Data Protection Laws (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the EU Data Protection Laws); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another EU Data Protection Laws (otherwise).]
[If these Clauses are not governed by the law of a Member State, the terms “Member State” and “State” are replaced, throughout, by the word “jurisdiction”.]
Standard Contractual Clauses for Personal Data (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. [This opening recital is deleted if these Clauses are not governed by the law of a member state of the EEA.]
Name of the data exporting organisation:
Address:
(the “data exporter”);
And
Name of the data importing organisation: Ciptex Limited (“CIPTEX”)
Address: Chancery House, 30 St. Johns Road, Woking, Surrey, GU21 7SA
(the “data importer”);
each a “party”, together the “parties”;
HAVE AGREED on the following Contractual clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in the Data Processing Agreement.
1 Definitions
For the purposes of the Clauses:
1.1 ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’, and ‘Commissioner’ shall have the same meaning as in the UK GDPR;
1.2 ‘the data exporter’ means the controller who transfers the personal data;
1.3 ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system covered by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018;
1.4 ‘the Sub processor’ means any processor engaged by the data importer or by any other Sub processor of the data importer who agrees to receive from the data importer or from any other Sub processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
1.5 ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the UK;
1.6 ‘technical and organisational measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
2 Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 of the Data Processing Agreement which forms an integral part of the Clauses.
3 Third-party beneficiary clause
3.1 The data subject can enforce against the data exporter in this Clause, Clause 4.2 to 4.9, Clause 5.1 to 5.5, and 5.7 to 5.10, Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
3.2 The data subject can enforce against the data importer in this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.3 The data subject can enforce against the Sub processor in this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2) and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.4 The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
4 Obligations of the data exporter
The data exporter agrees and warrants:
4.1 that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the member State where the data exporter is established) and does not violate the relevant provisions of that State;
4.2 that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
4.3 that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
4.4 that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
4.5 that it will ensure compliance with the security measures;
4.6 that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not covered by adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 Data Protection Act 2018;
4.7 to forward any notification received from the data importer or any Sub processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
4.8 to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for Sub processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
4.9 that, in the event of Sub processing, the processing activity is carried out in accordance with clause 11 by a Sub processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
4.10 that it will ensure compliance with Clause 4.1 to 4.9.
5 Obligations of the data importer
The data importer agrees and warrants:
5.1 to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
5.2 that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
5.3 that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
5.4 that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
5.5 to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
5.6 at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter, or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
5.7 to make available to the data subject upon request a copy of the Clauses, or any existing contract for Sub processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
5.8 that, in the event of Sub processing, it has previously informed the data exporter and obtained its prior written consent;
5.9 that the processing services by the Sub processor will be carried out in accordance with Clause 11;
5.10 to send promptly a copy of any Sub processor agreement it concludes under the Clauses to the data exporter.
6 Liability
6.1 The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Sub processor is entitled to receive compensation from the data exporter for the damage suffered.
6.2 If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his Sub processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
6.3 The data importer may not rely on a breach by a Sub processor of its obligations in order to avoid its own liabilities.
6.4 If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the Sub processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the Sub processor agrees that the data subject may issue a claim against the data Sub processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the Sub processor shall be limited to its own processing operations under the Clauses.
7 Mediation and jurisdiction
7.1 The data importer agrees that if the data subject invokes third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the Commissioner;
(b) to refer the dispute to the UK courts.
7.2 The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
8 Cooperation with supervisory authorities
8.1 The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
8.2 The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any Sub processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
8.3 The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any Sub processor preventing the conduct of an audit of the data importer, or any Sub processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
9 Governing law
The Clauses shall be governed by the law of the country of the United Kingdom in which the data exporter is established, namely England.
10 Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection Act 2018; or (ii) adding clauses on business related issues where required as long as they do not contradict the Clause.
11 Sub processing
11.1 The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the Sub processor which imposes the same obligations on the Sub processor as are imposed on the data importer under the Clauses. Where the Sub processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub processor’s obligations under such agreement.
11.2 The prior written contract between the data importer and the Sub processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the Sub processor shall be limited to its own processing operations under the Clauses.
11.3 The provisions relating to data protection aspects for Sub processing of the contract referred to in paragraph 1 shall be governed by the laws of the country of the UK where the exporter is established.
11.4 The data exporter shall keep a list of Sub processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5.10 which shall be updated at least once a year. The list shall be available to the Commissioner.
12 Obligation after the termination of personal data processing services
12.1 The parties agree that on the termination of the provision of data processing services, the data importer and the Sub processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
12.2 The data importer and the Sub processor warrant that upon request of the data exporter and/or the Commissioner, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 – to the Standard Contractual Clauses
Data Exporter
The data exporter is a UK-based supplier of residential property services and is contracting with the importer for it to provide a software solution for taking card payments over telephone calls. The data exporter is using the personal data which is being transferred to identify the caller.
Data Importer
The data importer is a UK-based provider of call handling services and card payment processing. The data importer uses a US-based sub processor to process telephone calls in the event of failure of primary processing facilities in the UK and EEA.
Appendix 2 – to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4.4 and 5.3 (or document/legislation attached):
https://www.twilio.com/legal/binding-corporate-rules (Processor)
ILLUSTRATIVE INDEMNIFICATION CLAUSE (OPTIONAL)
Liability
The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.
Indemnification is contingent upon:
(a) the data exporter promptly notifying the data importer of a claim; and
(b) the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim [1].
[1] Paragraph on liabilities is optional.
Appendix 3 – Data Flow Diagram
Attach relevant Data Flow Diagram here
Service Level Agreement (SLA)
Services are supplied within the scope of our Quality Management System in compliance with ISO 9001, and our Information Security Management System in compliance with ISO 27001. Our Business Continuity Management System is designed to comply with ISO 22301.
This Support Schedule forms part of a Master Services Agreement (Agreement) entered into between Ciptex Limited (Supplier) and the Customer whose details are set out in the Agreement. In the event of any conflict between this Support Schedule and the Agreement, the terms of the Agreement shall prevail.
Defined terms shall have the meaning given in the Agreement unless otherwise defined herein.
1.1 The following definitions shall have the following meanings in this Support Schedule.
Business Day: a day other than a Saturday, Sunday or public holiday in England, when banks are open for business.
Ciptex Service APIs: means the application programming interfaces branded as “Ciptex”.
Downtime: shall have the meaning given in paragraph 6.1.
Excluded Downtime: shall have the meaning given in paragraph 6.2.
Extended Support: shall have the meaning given in paragraph 5.1.
Incident: a reproducible error or fault with the Ciptex Service APIs or Twilio Service APIs.
Support Hours: the hours during which support is provided, set out in section 5 of this Support Schedule.
Supported APIs: the Ciptex Service APIs and Twilio Service APIs.
Twilio Service APIs: means the application programming interfaces branded as “Twilio”.
Target Availability Percentage: shall have the meaning given in section 6.1 below.
The Supplier shall categorise the Incident in accordance with the priority levels set out in the table below:
Category | Definition |
URGENT (P1) Business Critical | Only available for production applications. Represents a complete loss of service or a significant feature that is completely unavailable, and no workaround exists. Does not include development issues or problems in staging environments. |
HIGH (P2) Degraded service | Includes intermittent issues and reduced quality of service. A workaround may be available. Does not include development issues or problems in staging environments. |
NORMAL (P3) General issue | Includes product questions, feature requests and development issues |
LOW (P4) Information request | Request for documentation or advice on service operation |
The Supplier shall use reasonable endeavours to respond to an Incident logged by the Customer in accordance with the following Response Times, by reference to the categorisation of the priority of the Incident.
Category | Response Time^ |
URGENT (P1) | 2 hours (within Support Hours, unless Extended Support purchased) |
HIGH (P2) | 4 hours (within Support Hours) |
NORMAL (P3) | 8 hours (within Support Hours) |
LOW (P4) | 16 hours (within Support Hours) |
Response time is measured from the time that an Incident is logged by the Supplier to the first response by the Supplier to the Customer, in each case during Support Hours, except in the case of a P1 Incident where the Customer has purchased Extended Support.
C% = (A – B) / A x 100
where:
“C%” = Target Availability Percentage;
“A” = the number of minutes in the relevant calendar month (Uptime)
“B” = the number of minutes in the relevant calendar month during which the Services APIs were unavailable for use (excluding any Excluded Downtime, as defined below) (Downtime)