Terms and Conditions

MASTER TERMS AND CONDITIONS
Effective as of 1 January 2023
Microsolv Systems Ltd (“Supplier”) provides a range of services which may include (by way of
example only) managed services and professional services and reselling of various cloud services
such as Microsoft cloud services, in accordance with these terms and conditions and the applicable
‘Associated Agreement’. The Supplier may amend or replace these terms and conditions on one
month’s written notice to the Customer at any time (for existing Contracts the terms and conditions
in place at the time that the Contract was made continue to apply for that Contract, unless the
Customer agrees otherwise in writing). By ordering services such as managed services, professional
services and/or cloud services from the Supplier, the Customer accepts the terms and conditions
that apply at that time. Any additional or different terms that the Customer includes in any
communication with the Supplier will not be binding on the Supplier or included in any Contract
unless expressly agreed upon in writing by the Supplier.
1 Definitions and interpretation
1.1 Definitions: In these terms and conditions:
“Associated Agreement” means:
(a) any agreement or statement of work or statement of supply that is entered into between
the parties which is made pursuant to these terms and conditions (for example by
referencing that it is made under these Master Terms and Conditions) and may include by
way of example only a ‘Managed Services Agreement’ or ‘Statement of Work – Managed
Services’, and/or ‘Cloud Supply Agreement’ or ‘Statement of Supply – Cloud Supply’; and
(b) any additional terms and conditions (including by way of example only the ‘Professional
Services Terms and Conditions’) together with:
i. the relevant order, proposal, statement of work or other document that is accepted and
agreed by the Customer in the manner required under those additional terms and
conditions; or
ii. a request by the Customer of a type which is anticipated and not out of scope in any
way under those terms and conditions and which is accepted by the Supplier in the
manner required under those additional terms and conditions (including a request that
is not required to be in writing where applicable under those additional terms and
conditions, such as a request that is a “Small Task” under the Professional Services
Terms and Conditions
which are expressed as being subject to these Master Terms and Conditions.
(c) any written proposal (in final form) for supply of Products, Services or Deliverables issued by
the Supplier to the Customer (including a proposal in an email or in a quote) which is
expressed as being subject to these Master Terms and Conditions and which is intended as
a proposal for acceptance by the Customer if the Customer wishes to proceed, for which
neither an agreement nor statement of work nor statement of supply under (a) of this
definition or additional terms and conditions under (b) of this definition apply, that is
accepted and agreed by the Customer in writing in the manner required by the Supplier and
within the timing (if any) specified in the relevant proposal.
3
“Confidential Information” means any information disclosed in confidence to one party by the
other party including without limitation the Customer Data, whether of a business, financial,
technical or non-technical nature or otherwise and whether existing in hard copy form,
electronically or otherwise but does not include any information which is:
(a) on receipt by the recipient party, in the public domain or which subsequently enters the
public domain without any breach of the Contract;
(b) on receipt by the recipient party, already known by that party (otherwise than as a result
of disclosure by the other party);
(c) at any time after the date of receipt by the recipient party, received in good faith by the
recipient party from a third party;
(d) required by law to be disclosed by the recipient party;
“Contract” means these terms and conditions and the GDPR Attachment, and the relevant
Associated Agreement;
“Customer Data” means the Customer’s data including all text, sound, video or image files and
the Customer’s software and includes Personal Data;
“Data Protection Laws” means the GDPR as incorporated into UK law by the UK Data Protection
Act 2018, and the UK Data Protection Act 2018 itself, and, to the extent applicable, the data
protection or privacy laws of any other country, and includes any statutory modification or reenactment of such laws for the time being in force;
“Force Majeure Event” means any war, riot, third party strike, pandemic, civil emergency, natural
disaster or other circumstance of a similar nature that is outside of the control of the affected
party;
“GDPR” means the EU General Data Protection Regulation 2016/679;
“Intellectual Property” means copyright, patents, designs, trademarks, trade names, goodwill
rights, trade secrets, confidential information and any other intellectual proprietary right or form
of intellectual property;
“Personal Data” means any information relating to an identified or identifiable natural person,
as defined in the Data Protection Laws;
“Personal Data Breach” has the meaning given to that term in the Data Protection Laws (and
includes unauthorised access to, unauthorised disclosure of, or loss of, Personal Data), in
respect of Personal Data that is Processed by the Supplier under a Contract);
“Processing” has the meaning given to that term in the Data Protection Laws, in respect of any
operation which is performed on Personal Data by the Supplier (whether or not by automated
means, and includes but is not limited to collection, recording or storage of the Personal Data), in
respect of and ‘Process’ and ‘Processed’ has/have a corresponding meaning;
“Products, Deliverables and Services” means the products (including without limitation Tangible
Products), deliverables, cloud services and/or services to be performed by the Supplier, provided
under an Associated Agreement, as described in the relevant Associated Agreement;
“Tangible Products” means physical products including but not limited to hardware and related
equipment;
4
“Working Day” means a day other than a Saturday, Sunday or public holiday in United Kingdom.
1.2 Interpretation
(a) In these terms and conditions, reference to the plural includes reference to
the singular, and vice versa.
(b) Headings inserted in these terms and conditions are for convenience of
reference only and do not affect the interpretation of these terms and
conditions.
2 Term
2.1 Each Contract will commence on the date specified in the relevant Associated
Agreement or if not specified will commence on the date that the Associated Agreement
is signed by both parties or, where signing by both parties is not required, on the date
that the Customer accepts in writing or signs the relevant Associated Agreement (as
applicable) .
2.2 Each Contract will, subject to the parties’ rights of earlier termination, continue:
(a) for the term specified in the relevant Associated Agreement; or
(b) if no term is specified, until terminated in accordance with the relevant
Associated Agreement or under the termination provisions in these terms and
conditions.
3 Order of precedence
3.1 If there is any conflict or inconsistency between these terms and conditions and an
Associated Agreement, the following order of precedence applies to the extent of that
conflict or inconsistency (listed below in order of high to low priority):
(a) the GDPR Attachment to these terms and conditions;
(b) each Associated Agreement (with the order of priority of the parts of each
Associated Agreement being as described in the relevant Associated
Agreement);
(c) these terms and conditions.
4 Products, Deliverables and Services
4.1 The Supplier will provide Products, Deliverables and Services (as applicable) to the
Customer:
(a) in accordance with each Associated Agreement;
(b) using reasonable care and skill;
(c) using people who have the necessary skills and experience; and
(d) in accordance with all applicable laws.
4.2 If the Customer requests services which are not covered by an existing Associated
Agreement, the Supplier will issue a draft of the relevant Associated Agreement to the
5
Customer for review and acceptance or signing (as applicable). Nothing in these terms
and conditions commits the Supplier to providing products or services unless an
applicable Associated Agreement is agreed and signed by both parties, or accepted by
the Customer in writing or signed by the Customer (as applicable).
4.3 The Customer will:
(a) only use the Products, Deliverables and Services, for lawful purposes and not
for fraudulent, illegal or destructive purposes;
(b) adhere to any specific requirements or restrictions in respect of the Products,
Deliverables and Services included or referenced in an Associated Agreement;
(c) not sell, re-sell, or otherwise provide the Products, Deliverables and Services
to any third party unless such selling, re-selling, or provision is expressly
permitted or anticipated in the relevant Associated Agreement;
(d) not allow the Products, Deliverables or Services to be affected by any virus or
destructive media, or use the Products, Deliverables or Services in any way
which is intended to be, or is, detrimental to:
i. the use of those Products, Deliverables or Services by other customers of
the Supplier or other users; or
ii. the systems utilised to provide the Products, Deliverables and Services.
5 Customer’s obligations
5.1 Without limiting the Customer’s obligations under any Associated Agreement, the
Customer will:
(a) where required to provide data to the Supplier, provide that data in a format
suitable for import and otherwise as reasonably requested by the Supplier;
(b) where the Supplier’s personnel will work on site at the Customer’s premises,
provide for the safety of the Supplier’s personnel while on site in accordance
with all applicable health and safety legislation;
(c) meet all of the Customer’s obligations as specified in these terms and
conditions and in each Associated Agreement;
(d) where applicable in light of the services provided under an Associated
Agreement, undertake frequent and adequate backups of the Customer’s
data, except and to the extent that the Supplier is providing relevant backup
services under an Associated Agreement or under another written agreement
between the parties. The Customer should ensure that backups are always
completed, as well as ensuring the backups are secure and checking that they
can be successfully restored;
(e) make available to the Supplier in a timely manner (and in accordance with any
timeframes which the Customer has agreed to) all assistance (including
availability of relevant personnel), permissions (including permissions from
any relevant third parties), information, facilities and access to systems
reasonably required by the Supplier; and
(f) follow the Supplier’s reasonable directions.
6
6 Pricing and payment
6.1 Each Associated Agreement will specify the basis of the Supplier’s charges for the
relevant supply of Products, Deliverables and Services and the Supplier will invoice the
Customer accordingly. All amounts specified in an Associated Agreement are exclusive
of any taxes unless expressly specified otherwise.
6.2 Unless otherwise specified in an Associated Agreement, all invoices issued by the
Supplier are due for payment by the Customer seven days following the date of the
invoice.
6.3 All reasonable accommodation, travel and other expenses incurred in providing
Products, Deliverables and Services to the Customer will be charged to the Customer
provided that such expenses are identified and agreed in advance. Expenses will be
invoiced on a monthly basis by the Supplier.
6.4 Subject to clause 6.5, the Customer must pay all invoices in full without off-set or
deduction of any kind.
6.5 If the Customer wishes to dispute an invoice, it must notify the Supplier in writing within
14 days of the date of the invoice and provide details of the dispute. The Customer may
withhold payment of the disputed part of an invoice only and must pay that part (or any
amount subsequently agreed or determined to be the correct amount owing) promptly
on resolution of the dispute.
6.6 Without limiting any other remedies available to the Supplier for late payment or failure
to pay any amount due, if any amount due is not paid by the Customer by the due date,
the Supplier may:
(a) charge the Customer interest calculated at 1.5% on the balance of the amount
due by the Customer from the due date until payment is received in full by the
Supplier; and/or
(b) charge the Customer all collection costs reasonably incurred by the Supplier in
collection of the amount outstanding (including solicitor and/or collection
agency fees); and/or
(c) on 5 Working Days’ notice in writing, suspend delivery of further Products,
Deliverables and Services under the relevant Contract and/or any other
Contract and/or may suspend delivery of services or deliverables under any
other agreement between the Supplier and the Customer until the
outstanding amount is paid in full.
6.7 Unless otherwise specified in the relevant Associated Agreement:
(a) the Supplier may increase its pricing from time to time but not more often
than once every 12 months;
(b) the Supplier will give the Customer one month’s notice in writing of any price
increase.
7 Taxes
7.1 In addition to the amounts due under clause 6, the Customer will pay the Supplier
amounts equal to any applicable government taxes or duties however designated,
7
based on the relevant Contract (or the Products, Deliverables and/or Services provided
under it), paid or payable by the Supplier in respect of the foregoing, exclusive however
of taxes based on the Supplier’s income.
8 Ownership and risk
8.1 Except as otherwise provided in the relevant Contract (and without limiting that
Contract) and subject to the Intellectual Property provisions in that Contract, ownership
of Tangible Products supplied or to be supplied to the Customer under a Contract for
sale and purchase of the Tangible Products will not pass to the Customer until the
Customer has paid in full for the Tangible Products and any other amounts owing to the
Supplier whether under that Contract or any other Contract.
8.2 Until ownership of the Tangible Products passes to the Customer, the Customer must
hold the Tangible Products on trust for the Supplier as bailee, not part with possession
of them and only use them in the ordinary course of business.
8.3 The risk of loss of or deterioration or damage to the Tangible Products passes to the
Customer on delivery of the Tangible Products to the Customer. If the Customer
considers that, on delivery, the Tangible Products are damaged, the Customer must
promptly notify the Supplier in writing. It is the Customer’s responsibility to insure the
Tangible Products as and from the date of delivery of the Tangible Products to the
Customer.
8.4 Without limiting any other remedies that the Supplier may have in respect of failure or
delay by the Customer to pay for the Tangible Products or any other Products,
Deliverables or Services, if the Customer fails to pay for the Tangible Products by the
due date(s) for payment, or if the Supplier considers that the Tangible Products are “at
risk”, the Supplier may (without limiting any other rights or remedies it may have) enter
the Customer’s premises at any time and without notice to take possession of the
Tangible Products without incurring any liability to the Customer or any other person.
The Customer is not permitted to revoke the permission granted in this clause. In the
event that the Supplier takes possession of the Tangible Products under this clause, the
Supplier will:
(a) copy the Customer Data (if any) that is on the relevant Products excluding any
Customer Data that is stored in cloud-based services(in the format reasonably
determined by the Supplier at its discretion) (‘Copy of Customer Data’); and
(b) make the Copy of Customer Data available to the Customer and notify the
Customer accordingly, provided that the Supplier has no obligation to retain
the Copy of Customer Data for more than 14 days after making it available to
the Customer;
(c) after creating the Copy of Customer Data, delete the Customer Data from the
Products, Deliverables and Services.
Nothing in this clause operates to transfer ownership of Customer Data to the Supplier.
9 Customer Data
9.1 Subject to clause 9.2, the Supplier will access the Customer Data only as required in the
performance of the relevant Contract.
8
9.2 Without limiting clause 10 or clause 11.2, the Supplier will only access the Customer
Data and disclose the Customer Data to law enforcement or government authorities to
the extent required by law. If a request for Customer Data is made by a law enforcement
agency or government authority, the Supplier will redirect the request to the Customer
or if redirection is not permitted or feasible in the available time frame and unless legally
prohibited from doing so, the Supplier will notify the Customer of the request as soon
as practically possible.
9.3 Nothing in a Contract transfers ownership of the Customer Data to the Supplier.
10 Personal Data and Data Protection
10.1 The Customer consents to the Processing of Personal Data by the Supplier for the
purposes of each Contract, in accordance with these terms and conditions including in
particular the GDPR Attachment. Before providing Personal Data to the Supplier, the
Customer will obtain all required consents from third parties (including Customer’s
contacts, partners, distributors, administrators, and employees) under applicable Data
Protection Laws.
10.2 To the extent permitted by applicable law and subject to applicable contractual rights
and obligations, including the rights and obligations in the GDPR Attachment, Personal
Data collected by the Supplier under these terms and conditions may be transferred,
stored and processed in the United Kingdom and/or any other country (or countries) in
which the Supplier maintains facilities or any other country in which the Supplier’s
contractors or service providers (including for example Microsoft and other third party
vendors) maintain facilities.
10.3 In the event of any Personal Data Breach, the Supplier will comply with its obligations,
including notification obligations, (if any), under applicable Data Protection Laws.
11 Confidential Information
11.1 Each party agrees to:
(a) hold in confidence all Confidential Information disclosed to it by the other
party and disclose that information to its directors, employees and contractors
only to the extent required in the performance of the Contract;
(b) ensure that all Confidential Information is protected at all times from
unauthorised access or use by, or disclosure to, any third party or misuse,
damage or destruction by any person.
11.2 A party may disclose the other party’s Confidential Information if and to the extent
required by law if it first notifies the other party of the obligation to disclose the
Confidential Information, provided that a party is not required to notify the other
party under this clause if it is not legally permitted to do so or if the timing within
which the party is required by law to disclose the Confidential Information does not
permit notification to the other party.
12 Intellectual property
12.1 The Supplier or its licensors own the Intellectual Property in the means, methods,
processes and know-how used by the Supplier to provide the Products, Deliverables
9
and Services and to otherwise perform the Supplier’s obligations under the Associated
Agreements.
12.2 The provisions relating to Intellectual Property ownership in relation to particular
Products, Deliverables and Services are included in the relevant Associated Agreement.
13 Warranties
13.1 Each party warrants that it has all requisite right, power and authority to enter into each
Contract.
13.2 Except as provided under clause 13.1 and in any express warranties contained in an
Associated Agreement, to the extent permitted by law, all warranties, terms and
conditions (including without limitation, warranties and conditions as to fitness for
purpose and merchantability) implied by legislation or otherwise, are excluded by the
Supplier.
14 Termination of Contracts
14.1 Except where a Contract has a fixed term (being a term with a specified time period) or
where otherwise provided under a Contract, either party may terminate a Contract at
any time without cause on giving sixty days’ notice in writing to the other party.
14.2 Either party may terminate a Contract immediately (or with effect from any later date
that it may nominate) by written notice to the other party if:
(a) one or more Insolvency Events occurs in relation to that other party. For the
purposes of this clause, ‘Insolvency Event’ means, in respect of a party (other
than for the purpose of solvent reconstruction or amalgamation):
i. a receiver, manager or liquidator is appointed over the party’s undertaking
or assets or the party enters into any assignment, composition or
arrangement with its creditors; or
ii. the party is unable to pay its debts when due or is deemed unable to pay
its debts under any law or suspends payment to its creditors.
(b) the other party commits a material breach of any of its obligations under the
Contract and fails to remedy that breach within 30 days of prior written notice
of such breach. For the purposes of this clause 14.2 (b), non-payment by the
Customer for a period of 30 days or more after due date of any undisputed
invoice constitutes a material breach by the Customer.
14.3 Additional rights of termination that apply to individual Associated Agreements may be
included in each of those agreements.
15 Consequences of termination
15.1 On termination of a Contract, in addition to any other consequences of termination
included in the relevant Associated Agreement, and unless otherwise agreed in writing
in the relevant Associated Agreement, and without limiting either party’s rights or
remedies:
(a) each party will, on request, return the other’s Confidential Information in its
possession or control in respect of that Contract except for copies that it may
be required to hold for compliance, audit or legal reasons;
10
(b) all amounts owed to the Supplier under the Contract which accrued before
termination will be due and payable in accordance with the payment terms in
that Contract;
(c) the Supplier will deliver to the Customer all Deliverables for which the
Customer has paid in full.
15.2 On any termination of a Contract, all clauses which by their nature survive termination,
will survive the termination.
16 Liability and indemnity
16.1 The Supplier’s liability under a Contract is limited to direct loss only, to the amount paid
to the Supplier under that Contract in the twelve month period preceding the event
giving rise to the loss.
16.2 To the extent permitted by law, in no event is the Supplier liable for any indirect loss or
for any loss of profits, lost savings, loss of data, business interruption, incidental or
special damages, or for any consequential loss. In addition, the Supplier is not liable for
any damages claimed by the Customer based on any third party claim, including, but not
limited to, any claim in negligence. In no event is the Supplier liable for any damages
caused (whether directly or indirectly) by the Customer not accepting or not acting on
a recommendation made to the Customer in writing by the Supplier or the Customer’s
failure to perform its responsibilities under the Contract.
16.3 The Customer indemnifies the Supplier against any costs (including legal costs on a
solicitor and own client basis, all and any court costs and witness fees and related legal
expenses), expenses, claims, demands or liability whether direct, indirect or otherwise,
and whether arising in contract, tort (including negligence), equity or otherwise, arising
out of, and must at the Supplier’s request, and subject to clause 16.4 and any reasonable
conditions imposed at the Supplier’s discretion, at the Customer’s own cost defend or
settle, any claim, action or proceedings brought against the Supplier in connection with:
(a) any software, services, documents or materials issued, provided or made
available by the Customer to the Supplier for use or access by the Supplier in
the performance by the Supplier of a Contract where that use or access
infringes or is alleged to infringe the intellectual property rights of any third
party; or
(b) a breach by the customer of a Contract.
16.4 If the Supplier wishes to rely on an indemnity under clause 16.3, the Supplier:
(a) must ensure that the Customer is notified promptly in writing of the relevant
claim, action or proceedings (“Claim”) once it becomes aware of the Claim;
(b) will make no admission of liability regarding the Claim nor any offers of
settlement regarding the Claim without the Customer’s written approval;
(c) may, at its discretion, grant control of the defence or settlement to the
Customer;
(d) will, where the Supplier has granted control of the defence or settlement
negotiations to the Customer:
11
i. co-operate reasonably with the Customer in defending or settling the Claim
and make its employees available to give statements, advice and evidence,
as the Customer may reasonably request, all at the expense of the
Customer; and
ii. give the Customer sufficient authority and relevant information in its
possession or control in order to assist the Customer to conduct the
defence of the Claim and all negotiations for its settlement or compromise.
17 Dispute Resolution
17.1 In the event of any dispute arising between the parties in relation to a Contract, no party
may commence any proceedings relating to the dispute (except where the party seeks
urgent interlocutory relief) unless that party has complied with the procedures in this
clause 17.
17.2 The party initiating the dispute (“the first party”) must provide written notice of the
dispute to the other party (“the other party”) and nominate in that notice the first
party’s representative for the negotiations. The other party must within fourteen days
of receipt of the notice, give written notice to the first party naming its representative
for the negotiations (“Other Party’s Notice”). Each nominated representative will have
authority to settle or resolve the dispute. The parties will co-operate with each other
and endeavour to resolve the dispute through discussion and negotiation.
17.3 If the dispute is not resolved within one month following the date of the Other Party’s
Notice (or such longer period as may be agreed upon in writing by the parties), either
party may utilise any other legal remedies available to it in seeking to resolve the
dispute.
18 Non-Solicitation
18.1 Neither party will, without the written consent of the other party, solicit, employ, or
otherwise engage the services of, the other party’s personnel (including employees and
contractors). This clause will apply from commencement of the first Contract between
the parties and will continue until there has been no Contract between the parties for a
continuous period of six months (and if there is subsequently a Contract between the
parties the non-solicitation period will re-commence).
18.2 A party may as a condition of granting its consent under clause 18.1 above, require the
other party to pay to it a fee of 30% of the person’s gross annual remuneration to cover
the cost of replacing the employee or contractor.
19 Notices
19.1 Any notice or other communication in connection with a Contract must be:
(a) marked for the attention of the primary contact person and delivered or sent
to the address of the other party by prepaid post or email, as set out in the
relevant Associated Agreement.
19.2 Notices or other communications are deemed received:
(a) if delivered by hand, on delivery;
(b) if delivered by post:
12
i. on the fifth Working Day following posting if sent and received within
United Kingdom; and
ii. on the tenth day following posting if posted internationally; or
(c) if sent by email, on sending the email provided that no email is successfully
sent if the sender receives any type of delivery notification failure, and
provided further that the onus is on the sender to ensure that the email has
been successfully received by the recipient.
20 Force majeure
20.1 Either party may suspend its obligations to perform under a Contract if it is unable to
perform as a direct result of a Force Majeure Event. Any such suspension of
performance must be limited to the period during which the Force Majeure Event
continues.
20.2 Where a party’s obligations have been suspended pursuant to clause 20.1 for a period
of 30 days or more, the other party may immediately terminate the Contract by giving
notice in writing to the other party.
21 General
21.1 Assignment:
(a) Subject to clause 21.1(b), neither the Customer nor the Supplier may assign its
rights under a Contract without the prior written consent of the other party.
(b) The Supplier may, without the consent of the Customer, assign it rights under
a Contract to an assignee that it reasonably considers has the personnel, skills,
experience and resources to perform the Contract. The Supplier will notify the
Customer of any assignment made pursuant to this clause 21.1(b) prior to the
assignment unless it is not permitted to do so in which case it will notify the
Customer as soon as practical following the assignment.
21.2 Contractors: The Supplier may perform its obligations under a Contract by the use of
the Supplier-selected independent contractors.
21.3 Other agreements: Subject to clauses 11 and 12, nothing in these terms and conditions
prevents the Supplier from entering into similar agreements with others that are the
same or similar to any Contract entered into with the Customer or from providing
products, deliverables or services which are the same or similar to the Products,
Deliverables or Services provided under a Contract.
21.4 Entire agreement: Each Contract constitutes the complete and exclusive statement of
the agreement between the parties, superseding all proposals or prior agreements, oral
or written, and all other communications between the parties relating to the subject
matter of that Contract.
21.5 Third parties: No person who is not a party to a Contract has any right to enforce its
terms and shall have no right under the Contracts (Rights of Third Parties) Act 1999.
21.6 Further assurances: The parties must each do all such further acts (and sign any
documents), as may be necessary or desirable for effecting the transactions
contemplated by the Contract.
13
21.7 Amendments: Except as specifically provided in a Contract, no amendment to a Contract
will be effective unless:
(a) the amendment is in writing and signed by both parties (if the relevant
Associated Agreement was signed by both parties); or
(b) the amendment is in writing and signed by the Customer (if the relevant
Associated Agreement was such that only the Customer needed to sign the
Associated Agreement; or
(c) the amendment is in writing and accepted in the same manner that, in
accordance with the Associated Agreement, the Associated Agreement was
made.
21.8 Waiver: No exercise or failure to exercise or delay in exercising any right or remedy by
a party will constitute a waiver by that party of that or any other available right or
remedy.
21.9 Partial invalidity: If any provision of a Contract or its application to any party or
circumstance is or becomes invalid or unenforceable to any extent, the remainder of
the Contract and its application will not be affected and will remain enforceable to the
greatest extent permitted by law.
21.10 Relationship of the Parties: The parties agree that the Supplier is an independent
contractor to the Customer and that nothing in these terms and conditions or any
Contract constitutes a partnership, joint venture or relationship of employer and
employee between the parties. Neither party may:
(a) act or hold itself out as an agent or representative of the other party; or
(b) assume or create any obligations on behalf of the other party.
22 Governing Law
22.1 Each Contract is governed by the laws of England and Wales. The parties hereby submit
to the non-exclusive jurisdiction of the courts of the United Kingdom.

14
GDPR ATTACHMENT
Under each Contract, the Customer engages the Supplier to provide the Services and in providing
the Services, the Supplier will or may be required to Process Personal Data on behalf of the
Customer. To the extent of that Processing of Personal Data and for the purposes of these terms
and conditions, the Customer is a ‘Controller’ and the Supplier is a ‘Processor’ for the purposes of
the GDPR. As such, Article 28 of the GDPR requires that the details in this attachment are included
in the contract between the Customer and the Supplier.
The parties must set out the subject matter and duration of the Processing, the nature and
purpose of the Processing, the type of Personal Data and categories of data subjects – see
Appendix 1 to this attachment. If the Supplier determines the purposes and means of Processing,
the Supplier is considered a ‘Controller’ in respect of that Processing in which case the Supplier
needs to consider and address the different and additional provisions of the GDPR that apply.
The terms used in this attachment have the meanings given to them in the main definition section
of these terms and conditions or in clause 13 of this attachment, or in the GDPR if not defined in
these terms and conditions or in this attachment.
1 Processing of Personal Data
1.1 The Supplier will:
(a) Instructions from Customer: in providing Services under a Contract, Process
Personal Data only on the Customer’s documented instructions (as provided
in clause 2 and in Appendix 1 to this attachment or otherwise in writing) unless
required to do so by the Data Protection Laws in which case the Supplier will
inform the Customer of that legal requirement before Processing unless the
Supplier is prohibited from informing the Customer by that law;
(b) Confidentiality: ensure that the Supplier’s personnel who are authorised to
Process the Personal Data have obligations of confidentiality to the Supplier
(including as required in clause 3 below) in respect of the Personal Data or are
under an appropriate statutory obligation of confidentiality;
(c) Security: comply with the security obligations in clause 4 below;
(d) Subprocessors: comply with the provisions relating to Subprocessors in clause
5 below;
(e) Data subjects’ rights: provide assistance to the Customer with responding to
data subjects’ rights in accordance with clause 6 below;
(f) Assist Customer: comply with its obligations to assist the Customer in relation
to security of Personal Data and data protection impact assessments and prior
consultation in accordance with clause 7 below;
(g) Deleting and returning data: after the provision of Services related to
Processing of Personal Data has ended, at the choice of the Customer either
delete or return to the Customer all of that Personal Data and delete existing
copies unless the Data Protection Laws require storage of Personal Data in
accordance with clause 8 below; and
15
(h) Compliance and audits: make available to the Customer all information
necessary to demonstrate compliance with Article 28 of the GDPR and allow
for and contribute to audits including inspections conducted by the Customer
or another auditor mandated from time to time, in accordance with clause 9
below. The Supplier will immediately inform the Customer if, in its opinion, an
instruction received from the Customer in relation to an audit under this
clause 1.1(h) infringes the Data Protection Laws.
2 Instructions from Customer
2.1 The Customer instructs the Supplier (and authorises the Supplier to instruct each
Subprocessor) to:
(a) Process Personal Data; and
(b) in particular, transfer Personal Data to any country or territory,
as reasonably necessary for the provision of the Services and consistent with and in
compliance with the relevant Contract.
2.2 The Customer warrants and represents that it is and will at all relevant times remain
duly and effectively authorised to give the instruction set out in clause 2.1 on behalf of
the Customer.
3 Confidentiality
3.1 The Supplier will take reasonable steps to ensure the reliability of its employees, agents
or contractors who may have access to Personal Data, ensuring in each case that access
is limited to those individuals who need to know or need to access the relevant Personal
Data, as necessary for the purposes of the relevant Contract, and to comply with
applicable laws in the context of that individual’s duties to the Supplier, ensuring that
all such individuals are subject to confidentiality undertakings or professional or
statutory obligations of confidentiality.
4 Security
4.1 Subject to clause 4.2 below, the Supplier will implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk, including
amongst other things as appropriate:
(a) the pseudonymisation and encryption of Personal Data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely
manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing, and evaluating the effectiveness of
technical and organisational measures for ensuring the security of the
Processing.
4.2 In assessing the appropriate level of security for clause 4.1 above, the Supplier will take
account in particular of the risks of a Personal Data Breach that are presented by the
Processing to be undertaken under the relevant Contract.
16
4.3 The Supplier will in relation to Personal Data:
(a) implement and maintain appropriate information security to protect Personal
Data against:
i. a Personal Data Breach;
ii. all other unauthorised or unlawful forms of Processing; and
iii. any breach of the Supplier’s information security obligations in this
attachment. The Supplier will (and will ensure that its Sub-processors)
provide full cooperation and assistance to the Customer in ensuring that
the individuals´ rights under the Data Protection Laws are timely and
appropriately addressed for the fulfilment of the Customer’s obligation to
respond without undue delay to requests by such individuals as required
by Data Privacy Laws, including the rights of subject access, rectification,
erasure, and portability, and the right to restrict or object to certain
Processing;
(b) take reasonable steps to inform its staff, and any other person acting under its
supervision, of the responsibilities of any Data Privacy Laws due to the
incidental access to Personal Data, and ensure the reliability of its staff and
any other person acting under its supervision who may come into contact
with, or otherwise have access to and Process, such Personal Data.
5 Subprocessors
5.1 The Customer authorises the Supplier to appoint Subprocessors (and permits each
Subprocessor appointed in accordance with this clause 5 to appoint Subprocessors) in
accordance with this clause 5 and any restrictions in these terms and conditions.
5.2 The Supplier will give the Customer prior written notice of the appointment of any new
Subprocessor, including full details of the Processing to be undertaken by the
Subprocessor. If, within two weeks of receipt of that notice, the Customer notifies the
Supplier in writing of any objections (on reasonable grounds) to the proposed
appointment, the Supplier will not appoint (nor disclose any Personal Data to) the
proposed Subprocessor unless and until it obtains the prior written consent of the
Customer.
5.3 With respect to each Subprocessor, the Supplier will:
(a) enter into an agreement with the Subprocessor which includes the same data
protection obligations as set out in this attachment (and Appendix 1) and in
particular includes sufficient guarantees to implement appropriate technical
and organisational measures in such a manner that the processing will meet
the requirements of the GDPR. If the Subprocessor fails to fulfil its data
protection obligations, the Supplier will remain fully liable to the Customer for
the performance of that Subprocessor’s obligations;
(b) if the Processing by the Subprocessor will involve a Restricted Transfer, ensure
that the IDTA is at all relevant times incorporated into the agreement between
the Supplier and the Subprocessor; and
(c) provide to the Customer for review, copies of the Supplier’s agreements with
Subprocessors (confidential commercial information that is not relevant to the
requirements of this attachment may be blacked out) as the Customer may
request from time to time.
17
5.4 Appendix 1 to this attachment sets out certain information regarding the Supplier’s
Processing of Personal Data, as required by article 28(3) of the GDPR. The Customer may
make reasonable amendments to Appendix 1 by written notice to the Supplier from
time to time as the Customer reasonably considers necessary to meet those
requirements.
6 Data Subjects’ Rights
6.1 Taking into account the nature of the Processing, the Supplier will, by implementing
appropriate technical and organisational measures to the extent described in clause 4,
assist the Customer to respond to requests to exercise Data Subject rights under the
Data Protection Laws.
6.2 The Supplier will:
(a) promptly notify the Customer if the Supplier or any Subprocessor receives a
request from a Data Subject under any Data Protection Law in respect of
Personal Data; and
(b) ensure that the Supplier or relevant Subprocessor does not respond to that
request except on the documented instructions of the Customer or as
required by applicable laws to which they are subject, in which case the
Supplier will to the extent permitted by applicable laws inform the Customer
of that legal requirement before the Supplier or relevant Subprocessor
responds to the request.
7 Assist Customer
7.1 Assist Customer with Security of Processing:
(a) The Supplier will assist the Customer in respect of the Customer’s obligations
to implement appropriate technical and organisational measures to ensure a
level of security appropriate to the risk, by complying with the Supplier’s
obligations under clause 4 of this attachment.
7.2 Assist Customer with notifications of Personal Data Breach
(a) The Supplier will notify the Customer without undue delay if the Supplier or
any Subprocessor becomes aware of a Personal Data Breach, providing the
Customer with sufficient information to allow the Customer to meet any
obligations to report the Personal Data Breach to the relevant Supervisory
Authority under the Data Protection Laws (noting that the Customer is
required, where feasible, to notify applicable Personal Data breaches to the
relevant Supervisory Authority within 72 hours after having become aware of
the breach).
(b) The Supplier will co-operate with the Customer and take such reasonable
commercial steps as are directed by the Customer to assist in the
investigation, mitigation and remediation of each such Personal Data Breach.
7.3 Assist Customer with communication of Personal Data breach to Data Subject
(a) Where a Personal Data Breach is likely to result in a high risk to the rights and
freedoms of natural persons:
18
i. such that the Customer is required to communicate the Personal Data
Breach to the Data Subject (including where, despite the conditions
referenced in clause 7.3(a)(ii) below being met, the Supervisory Authority
has required the Customer to communicate the Personal Data Breach to
the Data Subject), the Supplier will assist the Customer in doing so by
providing all relevant information as may be reasonably required by the
Customer;
ii. but despite that high risk, the Customer is not required to communicate
the Personal Data Breach to the Data Subject due to certain conditions
being met (such as that the Personal Data is encrypted and so
unintelligible to any person not authorised to access it), the Supplier will
assist the Customer by providing all relevant information as may be
reasonably required by the Customer.
7.4 Assist Customer with Data Protection Impact Assessments
(a) The Supplier will provide reasonable assistance to the Customer with any data
protection impact assessments which the Customer reasonably considers to
be required of the Customer by Article 35 of the GDPR or equivalent provisions
of related Data Protection Laws. The Supplier’s obligations under this clause
7.4(a) are solely in relation to Processing of Personal Data by the Supplier and
taking into account the nature of the Processing and information available to
the Supplier.
7.5 Assist Customer with Prior Consultation with Supervisory Authority
(a) The Supplier will provide reasonable assistance to the Customer with prior
consultations with Supervising Authorities or other competent data privacy
authorities, which the Customer reasonably considers to be required of the
Customer by Article 36 of the GDPR or equivalent provisions of related Data
Protection Laws. The Supplier’s obligations under this clause 7.5(a) are solely
in relation to Processing of Personal Data by the Supplier and taking into
account the nature of the Processing and information available to the Supplier.
8 Deletion or return of Personal Data
8.1 Subject to clauses 8.2 and 8.3, the Supplier will, within three weeks of the date of
expiration or termination of Services involving the Processing of Personal Data (the “End
of Processing Date”), delete and procure the deletion of all copies of the Personal Data.
8.2 Subject to clause 8.3, the Customer may in its absolute discretion by written notice to
the Supplier within two weeks of the End of Processing Date require the Supplier to:
(a) return a complete copy of all Personal Data to the Customer by secure file
transfer in such format as is reasonably notified by the Customer to the
Supplier; and
(b) delete and procure the deletion of all other copies of Personal Data Processed
by the Supplier. The Supplier will comply with any such written request within
two weeks of the End of Processing Date.
19
8.3 The Supplier may retain Personal Data to the extent required by applicable Laws and
only to the extent and for such period as required by applicable Laws and always
provided that the Supplier will:
(a) ensure the confidentiality of all such Personal Data;
(b) ensure that such Personal Data is only processed as necessary for the
purpose(s) specified in the applicable laws requiring its storage and for no
other purpose.
8.4 The Supplier will provide written certification to the Customer that it has fully complied
with this clause 8 within three weeks following the End of Processing Date.
9 Audit rights
9.1 Subject to clauses 9.2 to 9.4, the Supplier will make available to the Customer on request
all information necessary to demonstrate compliance with this attachment, and will
allow for and contribute to audits, including inspections, by the Customer or an auditor
mandated by the Customer in relation to the Processing of Personal Data by the
Supplier.
9.2 Information and audit rights of the Customer only arise under clause 9.1 to the extent
that a Contract does not otherwise give them information and audit rights meeting the
relevant requirements of Data Protection Laws (including, where applicable, article
28(3)(h) of the GDPR).
9.3 The Supplier may, on reasonable grounds, object to the proposed auditor in which case
the Customer will propose an alternate auditor.
(a) The Customer will give the Supplier reasonable notice of any audit or
inspection to be conducted under clause 9.1 and will make (and ensure that
its auditor makes) reasonable endeavours to avoid causing any damage, injury
or disruption to the Supplier’s premises, equipment, personnel and business
while its personnel are on those premises in the course of such an audit or
inspection. The Supplier need not give access to its premises for the purposes
of such an audit or inspection for the purposes of more than one audit or
inspection in any calendar year, except for any additional audits or inspections
which:
i. the Customer reasonably considers necessary because of genuine
concerns as to the Supplier’s compliance with this attachment; or
ii. the Customer is required or requested to carry out by Data Protection Law,
a Supervisory Authority or any similar regulatory authority responsible for
the enforcement of Data Protection Laws in any country or territory,
where the Customer has identified its concerns or the relevant
requirement or request in its notice to the Supplier of the audit or
inspection.
10 Restricted Transfers
10.1 The Customer acknowledges that, as between the Customer and the Supplier, in
providing Personal Information to the Supplier under each Contract, there is no
Restricted Transfer given that the Supplier is in the United Kingdom.
20
11 Order of precedence
11.1 Nothing in this attachment reduces the Supplier’s obligations under a Contract in
relation to the protection of Personal Data or permits the Supplier to Process (or permit
the Processing of) Personal Data in a manner which is prohibited by the Contract. In the
event of any conflict or inconsistency between this attachment and the IDTA, the IDTA
will prevail.
11.2 Subject to clause 11.1, in the event of inconsistencies between the provisions of this
attachment and the other parts of these terms and conditions or any Associated
Agreement, the provisions of this attachment will prevail.
12 Changes in Data Protection Laws
12.1 The Customer may by at least 30 calendar days’ written notice to the Supplier:
(a) vary the IDTA (only if applicable, and only in accordance with Section 5 of the
IDTA), as they apply to Restricted Transfers which are subject to non-UK data
protection laws, as required as a result of any change in, or decision of a
competent authority under, that data protection law, to allow those
Restricted Transfers to be made (or continue to be made) without breach of
that data protection law; and
(b) propose any other variations to this attachment which the Customer
reasonably considers to be necessary to address the requirements of any data
protection law.
12.2 If the Customer gives notice under clause 12.1(a):
(a) the Supplier will promptly co-operate (and require affected Subprocessors to
promptly co-operate) to ensure that equivalent variations are made to the
agreements made under clause 5.3; and
(b) the Customer will not unreasonably withhold or delay agreement to any
consequential variations to this attachment proposed by the Supplier to
protect the Supplier against additional risks associated with the variations
made under this clause 12.2.
12.3 If the Customer gives notice under clause 12.1(b), the parties will promptly discuss the
proposed variations and negotiate in good faith with a view to agreeing and
implementing those or alternative variations designed to address the requirements
identified in the Customer’s notice as soon as is reasonably practicable.
13 Definitions
In this attachment:
“Adequacy Decision” means a country (or territory or specified sector within it) or an international
organisation which the European Commission has decided, under Article 45(3) of the GDPR,
ensures an adequate level of data protection;
21
“Approved Jurisdiction” means the countries in the EEA and jurisdictions for which an Adequacy
Decision has been made and any other countries or territories for which there are UK adequacy
regulations;
“Contracted Processor” means the Supplier or a Subprocessor;
“Data Subject” means an identified or identifiable natural person, or any updated definition of
this term from time to time in the GDPR;
“EEA” means the European Economic Area;
“Information Security Obligations” means commercially reasonable and appropriate physical,
technical and organisational security measures (determined with regard to risks associated with
the Processing of Personal Data as part of the Services), including the measures set out in this
GDPR attachment and in particular in the IDTA (where applicable).
“International Data Transfer Agreement” or “IDTA” means the international data transfer
addendum to the European Commission’s Standard Contractual Clauses for international data
transfers, as issued by the UK Information Commissioner’s Office’s (ICO) under section 119A(1) of
the Data Protection Act 2018 and as applicable on and from 21 March 2022.
“Restricted Transfer” means transferring Personal Data outside of the United Kingdom, whether
this is:
(a) a transfer of Personal Data from the Customer to the Supplier or to a Subprocessor; or
(b) an onward transfer of Personal Data from one Contracted Processor to another
Contracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer means would be prohibited by Data Protection Laws (or by the
terms of data transfer agreements put in place to address the data transfer restrictions of Data
Protection Laws), in the absence of the IDTA;
“Services” means, for the purposes of this GDPR Attachment, the products, services and/or
deliverables (as applicable) and any related services supplied to or carried out by or on behalf of
the Supplier for the Customer under a Contract;
“Subprocessor” means any person (including any third party, but excluding an employee of the
Supplier or any of its sub-contractors) appointed by or on behalf of the Supplier to Process
Personal Data on behalf of the Customer in connection with a Contract;
The term “Supervisory Authority” has the meaning given to that term in the GDPR.
22
APPENDIX 1 TO GDPR ATTACHMENT
DETAILS OF PROCESSING OF PERSONAL DATA
This Appendix 1 includes certain details of the Processing of Personal Data as required by Article
28(3) GDPR.
Subject matter and duration of the Processing of Personal Data
Contact information of Customer personnel for purposes of services to be provided to Customer.
Duration will be the term for which the Supplier provides Services to the Customer under any
Associated Agreements and a reasonable period following that term to allow for handover.
The nature and purpose of the Processing of Personal Data
For the purposes of these Master Terms and Conditions and each Associated Agreement. To
provide Services to the Customer and for related activities prior to or after Contracts are made as
anticipated in these Master Terms and Conditions.
The types of Personal Data to be Processed
Contact details for Customer personnel: name, email address and telephone number.
The categories of Data Subject to whom Personal Data relates
Customer management personnel, Customer staff who are entitled to contact Supplier for
services.
The obligations and rights of the Customer
The obligations and rights of the Customer are set out in each Contract (including this
attachment).