Please read these Terms and Conditions carefully, which cover Expandi’s Master Subscription Agreement (MSA). All contracts that the Provider may enter into from time to time for the provision of the Subscription Services and related services shall be governed by these Terms and Conditions. The Provider reserves the right to amend these Terms and Conditions from time to time.
Except to the extent expressly provided otherwise, in these Terms and Conditions:
“Account” means an account enabling a person to access and use the Subscription Services, including both administrator accounts and user accounts;
“Affiliate” means an entity that Controls, is Controlled by, or is under common Control with the relevant entity;
“Agreement” means a contract between the parties incorporating these Terms and Conditions and the Services Order Form, and any amendments to these agreed by the parties in writing from time to time;
“Business Day” means any weekday other than a bank or public holiday in England;
“Business Hours” means the hours of 09:00 to 17:30 GMT/BST on a Business Day;
“Subscription Fees” means the following amounts:
- the amounts specified in Section 4 of the Services Order Form;
- such amounts as may be agreed in writing by the parties from time to time;
“Control” means the legal power to control (directly or indirectly) the management of an entity (and “Controlled” should be construed accordingly);
“Customer” means the entity identified as such in Section 1 of the Services Order Form;
“Agency Partner Customer” means the entity identified as an Expandi accredited Agency Partner or Reseller of subscription services produced by the Provider and as such in Section 1 of the Services Order Form;
“Customer Confidential Information” means:
- any information disclosed by or on behalf of the Customer to the Provider (whether disclosed in writing, orally or otherwise) that at the time of disclosure:
- was marked as “confidential”; or
- should have been reasonably understood by the Provider to be confidential; and
- the Customer Data;
“Customer Data” means all data (including without limitation Customer Personal Data), works and materials: uploaded to or stored on the Platform by the Customer; transmitted by the Platform at the instigation of the Customer; generated by the Platform as a result of the use of the Subscription Services by the Customer;
“Contact Personal Data” means Personal Data that is processed by the Provider or its Subprocessors (as the term is defined in the Data Processing Agreement attached hereto as Schedule 4) on behalf of the Customer in relation to the Agreement and shall include: Contact Data, full names of contacts, email addresses, job titles, telephone numbers, business postal addresses, social media profile account information and marketing campaign event details.
“Documentation” means the documentation for the Subscription Services produced by the Provider and attached at Schedule 5;
“Data Processing Agreement” means the agreement that sets out the obligations and rights of the parties in relation to Customer Personal Data processed under this Agreement, and which forms Schedule 4 attached hereto.
“Data Protection Laws” or “DPL” means all applicable data protection and privacy legislation in force from time to time in the UK including the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended or superseded from time to time, the EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws or regulations of any other country;
“Effective Date” means the date on which Customer and Provider enter into a Services Order Form;
“EU Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications);
“Force Majeure Event” means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, reasonably unavoidable: hacker attacks, denial of service attacks, virus or other reasonably unavoidable malicious software attacks or infections or power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);
“Identified Contacts” means contact details of individuals working for the Selected Companies that match the Target Roles;
“Subscription Services” means the hosted services, as specified in the Subscription Services Specification section 2 of the Services Order Form, which will be made available by the Provider to the Customer as a Subscription Service via the internet in accordance with these Terms and Conditions;
“Subscription Services Defect” means a defect, error or bug in the Platform having a material adverse effect on the appearance, operation, functionality or performance of the Subscription Services, but excluding any defect, error or bug caused by or arising as a result of:
- any act or omission of the Customer or any person authorised by the Customer to use the Platform or Subscription Services;
- any use of the Platform or Subscription Services contrary to the Documentation or Provider’s instructions, whether by the Customer or by any person authorised by the Customer;
- a failure of the Customer to perform or observe any of its obligations in the Agreement; and/or
- an incompatibility between the Platform or Subscription Services and any other system, network, application, program, hardware or software not specified as compatible in the Subscription Services Specification;
“Subscription Services Specification” means the specification for the Platform and Subscription Services set out in Section 2 of the Services Order Form and in the Documentation;
“Intellectual Property Rights” means all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights (and these “intellectual property rights” include copyright and related rights, database rights, source code, business names, trade names, trade marks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs);
“Maintenance Services” means the general maintenance of the Platform and Subscription Services, and the application of Updates and Upgrades as defined within Schedule 2 of this agreement;
“Minimum Term” means, in respect of the Agreement, the period of 12 months beginning on the Effective Date;
“Permitted Purpose” means the access and use of the Platform in accordance with these Terms and Conditions of use;
“Personal Data” has the meaning given to it in the General Data Protection Regulation, Regulation (EU) 2016/679;
“Companies Data” means the data (including Personal Data) that has been obtained by the Provider from multiple third-party sources in respect of the company types that the Customer has included in its dashboard profile as those that it is interested in marketing to;
“Contact Data” means the data received by the Provider from the Contact Data Sources about the Identified Contacts, which will likely include: first name, surname, employer, job description and office contact information (when Personal Data, the Provider uses publicly available sources);
“Contact Data Sources” means the Provider’s third-party vendors and sources. Within a request to the Contact Data Sources, the Provider sets out the Selected Companies and Target Roles. Subsequently, the Contact Data sources supply the Provider with all contact data it holds of individuals working for the Selected Companies that match the Target Roles;
“Personal Data Breach” shall have the meaning ascribed to it in Article 4(12) of the GDPR;
“Platform” means the Expandi platform owned, operated and managed by the Provider and used by the Provider to provide the Subscription Services, including the application and database software for the Subscription Services, the system and server software used to provide the Subscription Services, and the computer hardware on which that application, database, system and server software is installed;
“Provider” means Expandi Limited, a company incorporated in England and Wales registration number 06971472, whose registered office is 38 Craven Street, London, England, WC2N 5NG, United Kingdom;
“Provider Indemnity Event” has the meaning given to it in Clause 17.1;
“Selected Companies” means those companies which Customer identifies as companies to which they are interested in marketing, and in respect of which Customer supplies Provider with typical job roles and seniority levels that usually form part of the buying decision-making unit of those prospects;
“Services” means any services that the Provider provides to the Customer, or has an obligation to provide to the Customer, under these Terms and Conditions;
“Services Order Form” means an electronic order form signed by or on behalf of each party, in each case incorporating the Terms and Conditions as agreed in writing by the parties;
“Set Up Services” means the configuration, implementation and integration of the Subscription Services in accordance with Sections 2 and 3 of the Services Order Form;
“Support Services” means support in relation to the use of, and the identification and resolution of errors in, the Subscription Services, as contemplated herein and in Schedule 3 (Support SLA) but shall not include the provision of training services;
“Supported Web Browser” means the current release from time to time of Microsoft Internet Explorer, Mozilla Firefox, Google Chrome or Apple Safari, or any other web browser that the Provider agrees in writing shall be supported;
“Subscription Term” means the term of the Agreement, commencing in accordance with Clause 2.1 and ending in accordance with Clause 2.2;
“Target Roles” means the typical job roles and seniority levels that usually form part of the buying decision-making unit of the companies that Customer has identified to Expandi that it is interested in marketing to;
“Terms and Conditions” means the main body of these Terms and Conditions and the attached Schedules, including any amendments to that documentation agreed in writing by the parties from time to time;
“Update” means a hotfix, patch or minor version update to any Platform software; and
“Upgrade” means a major version upgrade of any Platform software.
“GDPR” means EU General Data Protection Regulation 2016/679.
- Subscription Term
2.1. The Agreement shall come into force upon the Effective Date.
2.2. The Agreement shall continue in force for the Initial Term, subject to earlier termination in accordance with the provisions of the Agreement.
2.3. Unless the parties expressly agree otherwise in writing, each Services Order Form shall create a distinct contract incorporating these Terms and Conditions.
- Set Up Services
3.1 The Provider shall provide the Set-Up Services to the Customer.
3.2 The Provider shall use reasonable endeavours to ensure that the Set-Up Services are provided in accordance with the timetable set out in Section 2 of the Services Order Form.
3.3 The Customer acknowledges that a delay in the Customer performing its obligations in the Agreement may result in a delay in the performance of the Set-Up Services; and subject to Clause 18.1 the Provider will not be liable to the Customer in respect of any failure to meet the Set-Up Services timetable to the extent that that failure arises out of a delay in the Customer performing its obligations under these Terms and Conditions.
3.4 Subject to any written agreement of the parties to the contrary, any Intellectual Property Rights that may arise out of the performance of the Set-Up Services by the Provider shall be the exclusive property of the Provider.
3.5 The Provider shall provide all services hereunder with reasonable skill and care using appropriately qualified and experienced individuals.
- Subscription Services
4.1 The Provider shall create an Account for the Customer and shall provide to the Customer login details for that Account on or promptly following the Effective Date.
4.2 The Provider hereby grants to the Customer a non-exclusive licence to use the Subscription Services by means of a Supported Web Browser for the internal business purposes of the Customer in accordance with the Documentation during the Subscription Term.
4.3 The licence granted by the Provider to the Customer under Clause 4.2 is subject to the following limitations:
- the Subscription Services may only be used by current personnel of the Customer organisation which Customer may configure as named users in the user management module of the Expandi platform, providing that the Customer may change, add or remove a designated named user in accordance with the procedure set out therein;
4.4 Except to the extent expressly permitted in these Terms and Conditions or required by law on a non-excludable basis, the licence granted by the Provider to the Customer under Clause 4.2 is subject to the following prohibitions:
- the Customer must not sub-license its right to access and use the Subscription Services, unless the Customer entity is deemed by the Provider to be an Agency Partner Customer and identified in section 1 of the Customer Order Form as such;
- the Agency Partner Customer is only permitted to sub-license the Subscription Services to their customers nominated by the Agency Partner Customer to the Provider, and as such identified in section 1 of the Customer Order Form;
- the Agency Partner Customer must warrant that all users of the Subscription Services under a sub-licence agreement will comply with clause 4 and sub-clauses 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 and 4.10;
- the Customer must not permit any unauthorised person to access or use the Subscription Services;
- the Customer must not use the Subscription Services to provide services to third parties;
- the Customer must not externally republish or redistribute any content or material from the Subscription Services provided that Customer may: (i) share and redistribute data obtained via the Subscription Services internally with its personnel; and (ii) share and use the data obtained via the Subscription Services to contact external companies, entities and individuals in support of its sales and marketing activities; and
- the Customer must not make any unauthorised alteration to the Platform.
4.5 The Customer shall use reasonable endeavours, including reasonable security measures relating to Account access details, to ensure that no unauthorised person may gain access to the Subscription Services using an Account.
4.6 The Provider shall provide the Subscription Services to the Customer. The parties acknowledge and agree that Schedule 1 (Availability SLA) shall govern the availability of the Subscription Services.
4.7 The Customer must not knowingly use the Subscription Services in any way that causes, or is likely to cause, damage to the Subscription Services or Platform or impairment of the availability or accessibility of the Subscription Services.
4.8 The Customer must not use the Subscription Services:
- in any way that is unlawful, illegal or fraudulent; or
- in connection with any unlawful, illegal or fraudulent purpose or activity.
4.9 For the avoidance of doubt, the Customer has no right to access the software code (including object code, intermediate code and source code) of the Platform, either during or after the Subscription Term.
4.10 The Provider may suspend the provision of the Subscription Services if any amount due to be paid by the Customer to the Provider under the Agreement (i.e. monthly payment) or related to the Subscription Services (i.e. Activation services such as digital advertising) is overdue, and the Provider has given to the Customer at least 30 days’ written notice, following the amount becoming overdue, of its intention to suspend the Subscription Services on this basis.
- Maintenance Services
5.1 The Provider shall provide the Maintenance Services to the Customer during the Subscription Term.
5.2 The Provider shall provide the Maintenance Services in accordance with Schedule 2 (Maintenance SLA).
- Support Services
6.1 The Provider shall provide the Support Services to the Customer during the Subscription Term.
6.2 The Provider shall provide the Support Services with reasonable skill and care.
6.3 The Provider shall provide the Support Services in accordance with Schedule 3 (Support SLA).
- Customer obligations
7.1 Save to the extent that the parties have agreed otherwise in writing, the Customer must provide to the Provider, or procure for the Provider, such:
- information and documentation as is requested by the Provider
and as are reasonably necessary to enable the Provider to perform its obligations under the Agreement.
- Customer Data
8.1 The Customer hereby grants to the Provider a non-exclusive, non-transferable, limited licence for the Subscription Term to copy, reproduce, store, distribute, export, adapt, edit and translate the data that the Customer has uploaded to the Platform to the extent necessary for the performance of the Provider’s obligations under the Agreement, together with the right to sub-license these rights to its hosting, connectivity and telecommunications service providers to the extent necessary for the performance of the Provider’s obligations under the Agreement.
For the avoidance of doubt, this Section 8.1 shall not, under any circumstance, a) grant the Provider any rights to the Customer’s Personal Data, which shall be processed exclusively in accordance with Section 14 and the Data Processing Agreement; or b) grant the Provider the right to use data uploaded to the Platform by the Customer for the purposes of providing services to other Provider customers.
8.2 The Customer warrants to the Provider that data that Customer uploads to the Platform will not infringe the Intellectual Property Rights or other legal rights of any person.
8.3 The Provider shall create a back-up copy of the Customer Data at least daily, and shall ensure that each such copy is sufficient to enable the Provider to restore the Subscription Services to the state they were in at the time the back-up was taken, and shall retain and securely store each such copy for a minimum period of 30 days.
- Prohibited and Unauthorised Use
9.1 You will not: use or launch any automated system, including, “robots,” “spiders,” or “offline readers,” that sends more request messages to our servers in a given period of time than a human can reasonably produce in the same period by using a conventional browser;
9.2 use the Subscription Service in any manner intended to: damage, disable, overburden, or impair any of our Platform or that is intended to interfere with any other party’s use of the Subscription Service;
9.3 attempt to gain unauthorised access to the Subscription Service;
9.4 access the Subscription Service other than through our interface;
9.5 use the Subscription Service for any purpose or in any manner that is unlawful or prohibited by this Agreement.
- No assignment of Intellectual Property Rights
10.1 Nothing in these Terms and Conditions shall operate to assign or transfer any Intellectual Property Rights from the Provider to the Customer, or from the Customer to the Provider.
11.1 The Customer shall pay the Charges to the Provider in accordance with these Terms and Conditions.
11.2 All amounts stated in or in relation to these Terms and Conditions are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by the Customer to the Provider.
12.1 The Provider shall issue either invoices for the Charges to the Customer on an annual in advance subscription basis, or arrange for direct debit payments to be scheduled on a monthly in advance basis. The method of payment is to be determined within the Customer Order Form.
12.2 The Customer must pay the Charges due to the Provider within the period of 30 days following the issue of an invoice in accordance with this Clause 12. The Provider will not grant the access until the payment is notified by the Provider’s bank or by the Customer with an attached copy of the payment.
12.3 The Customer must pay the Charges by direct electronic bank transfer or standing order bank transfer using such payment details as are notified by the Provider to the Customer from time to time.
12.4 The Provider reserves the right to suspend Customer access to the Subscription Services in accordance with Clause 4.10.
- Provider’s confidentiality obligations
13.1 The Provider must:
- keep the Customer Confidential Information strictly confidential;
- not disclose the Customer Confidential Information to any person without the Customer’s prior written consent, and then only under conditions of confidentiality approved in writing by the Customer or no less onerous than those contained in these Terms and Conditions;
- use the same degree of care to protect the confidentiality of the Customer Confidential Information as the Provider uses to protect the Provider’s own confidential information of a similar nature, being at least a reasonable degree of care;
- not use any of the Customer Confidential Information for any purpose other than the Permitted Purpose.
13.2 This Clause 13 imposes no obligations upon the Provider with respect to Customer Confidential Information that:
- is known to the Provider before disclosure under these Terms and Conditions and is not subject to any other obligation of confidentiality;
- is or becomes publicly known through no act or default of the Provider; or
- is obtained by the Provider from a third party in circumstances where the Provider has no reason to believe that there has been a breach of an obligation of confidentiality.
13.3 The restrictions in this Clause 13 do not apply to the extent that any Customer Confidential Information is required to be disclosed by any compulsory legal process or regulation, by any judicial or governmental order, or pursuant to mandatory disclosure requirements relating to the listing of the stock of the Provider on any recognised stock exchange provided that, to the extent it is legally permitted to do so, the Provider gives the Customer as much written notice of any disclosure as possible and it takes into account the reasonable requests of the Customer in relation to the scope and/or content of any disclosure.
13.4 The provisions of this Clause 13 shall continue in force indefinitely following the termination of the Agreement.
- Data protection
14.1.1 The provisions of this Clause 14 are in addition to any obligations of Provider or Customer in the Data Processing Agreement in place between them (with which Agreement Provider shall comply), which is attached hereto as Schedule 4.
14.1.2 In the case of conflict or ambiguity between any of the provisions of this Clause 14 and the provisions of the Data Processing Agreement, the provisions of the Data Processing Agreement will prevail.
14.1.3 The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with these Terms and Conditions, and that the processing of that Personal Data by the Provider for the Permitted Purpose in accordance with these Terms and Conditions will not breach any applicable data protection or data privacy laws (including the General Data Protection Regulation, Regulation (EU) 2016/679 and the Data Protection Act 2018).
14.1.4 The Provider warrants to the Customer that it has the legal right to disclose any Personal Data that it does in fact disclose to the Customer under or in connection with the Services it provides to the Customer, and that such disclosure will not breach any applicable data protection or data privacy laws (including the General Data Protection Regulation, Regulation (EU) 2016/679 and the Data Protection Act 2018).
14.2 The Provider warrants to the Customer that, in respect only of the processing of Personal Data by Provider (or its Subprocessors) as a data Processor on behalf of Customer:
- it will act only on instructions from the Customer in relation to the processing of Customer Personal Data;
- it has in place appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by processing, against: accidental, unlawful or unauthorised processing, destruction, alteration, unauthorised disclosure of Customer Personal Data and against loss or corruption of Customer Personal Data or unauthorised access to personal data transmitted, stored or otherwise processed, including without limitation the measures referred to in Article 32(1) of the GDPR;
- it will only process the Customer Personal Data for the purposes of performing its obligations under the Agreement, including without limitation under the Data Processing Agreement;
- it will process (and shall procure that its Subprocessors (as defined in the Data Processing Agreement) only process) the Customer Personal Data in compliance with all applicable laws including the DPL;
- it will not transfer or permit the transfer of Customer Personal Data to any place outside the EEA without the prior written consent of the Customer;
- it will assist the Customer by appropriate technical and organisational measures, for the fulfilment of the Customer’s obligation to respond to requests for exercising the rights of a data subject laid down in Chapter III of the GDPR;
- it will promptly assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Provider;
- at the Customer’s election, it shall delete or return all Customer Personal Data to the Customer upon expiry or termination of the provision of the Services, and shall delete existing copies unless applicable law to which the Provider is subject requires storage of the Customer Personal Data and in that event, the storage term shall be limited to that required under applicable law after which period the Customer Personal Data shall be deleted. Provider acknowledges that any Customer Personal Data held by it after expiry or earlier termination of this Agreement is held by Provider as controller.
- it will promptly make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer; the Provider may seek to satisfy these obligations by providing to Customer a report of the Provider’s external auditors containing all information necessary to demonstrate compliance with obligations laid down in Article 28 GDPR.
- it shall immediately inform the Customer if, in its opinion, an instruction given by or on behalf of the Customer infringes DPL.
14.3 The Provider shall notify the Customer as soon as practicable (and in any event no later than the timescales set out in the Data Processing Agreement) if:
- any of the Customer Personal Data is lost or destroyed, or becomes damaged, corrupted or unusable;
- any of the Customer Data is lost or destroyed, or becomes damaged, corrupted or unusable as a result of a data security breach;
- the Provider receives any complaint or regulatory notice which relates to the processing of any of the Customer Personal Data;
- the Provider receives a request from a data subject for access to any of the Customer Personal Data; or
- it becomes aware of or reasonably suspects a Personal Data Breach in respect of any Customer Personal Data.
14.4 The Provider shall ensure that access to the Customer Personal Data is limited to those Provider personnel who have a reasonable need to access the Customer Personal Data to enable the Provider to perform its duties under the Agreement and that such personnel are subject to an enforceable obligation of confidentiality or are under an appropriate statutory obligation of confidentiality; any access to the Customer Personal Data must be limited by the Provider to such part or parts of the Customer Personal Data as are strictly necessary.
14.5 The Provider will ensure that it and all of its Subprocessors and partners have all necessary and appropriate consents and notices in place to enable lawful transfer of any Customer Personal Data obtained by it (excluding such data which is supplied by the Customer in respect of which Customer shall be responsible for maintaining all such consents and notices for the purpose of transfer to and use by Provider) (whether directly or via its Subprocessors or partners) in the performance of the Services to the Customer for the duration and purposes of the Agreement so that the Customer may lawfully use, process and transfer such personal data as contemplated by this Agreement.
15.1 The Provider warrants to the Customer that:
- the Provider has the legal right and authority to enter into the Agreement and to perform its obligations under these Terms and Conditions;
- the Provider will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider’s rights and the fulfilment of the Provider’s obligations under these Terms and Conditions;
- the Provider has the legal right to grant to the Customer a licence to use the Platform as contemplated by this Agreement; and
- the Provider has or has access to all necessary know-how, expertise and experience to perform its obligations under these Terms and Conditions.
15.2 The Provider warrants to the Customer that:
- the Platform and Subscription Services will conform in all material respects with the Subscription Services Specification;
- the Platform will incorporate and maintain security and permissions features necessary to meet requirements under applicable law (including the DPL) and that reflect the requirements of good industry practice.
15.3 The Provider warrants to the Customer that the Subscription Services, when used by the Customer in accordance with these Terms and Conditions, will not breach any laws, statutes or regulations applicable under English law or the DPL.
15.4 The Provider warrants to the Customer that the Subscription Services, when used by the Customer in accordance with these Terms and Conditions, will not infringe the Intellectual Property Rights of any person in any jurisdiction and under any applicable law.
15.5 The Customer warrants to the Provider that it has the legal right and authority to enter into the Agreement and to perform its obligations under these Terms and Conditions.
15.6 All of the parties’ warranties and representations in respect of the subject matter of the Agreement are expressly set out in these Terms and Conditions. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of the Agreement will be implied into the Agreement or any related contract.
- Acknowledgements and warranty limitations
16.1 The Customer acknowledges that complex software is never wholly free from defects, errors and bugs; and subject to the other provisions of these Terms and Conditions, the Provider gives no warranty or representation that the Subscription Services will be wholly free from defects, errors and bugs.
16.2 The Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of these Terms and Conditions, the Provider gives no warranty or representation that the Subscription Services will be entirely secure.
16.3 The Customer acknowledges that the Subscription Services are designed to be compatible only with that software and those systems specified as compatible in the Subscription Services Specification; and the Provider does not warrant or represent that the Subscription Services will be compatible with any other software or systems.
16.4 The Customer acknowledges that the Provider will not provide any legal, financial, accountancy or taxation advice under these Terms and Conditions or in relation to the Subscription Services; and, except to the extent expressly provided otherwise in these Terms and Conditions, the Provider does not warrant or represent that the Subscription Services or the use of the Subscription Services by the Customer will not give rise to any legal liability on the part of the Customer or any other person in this regard.
16.5 Notwithstanding the above, Provider warrants that it will exercise reasonable care and skill in the provision of the Services, including by maintaining controls consistent with good industry practice, and in material conformance with the Information Security Policy of Provider (as the same is set out in the Data Processing Agreement) for the purpose of ensuring the confidentiality, integrity and security of Customer Data.
17.1 Subject to clause 17.2, the Provider shall indemnify and shall keep indemnified the Customer against any and all liabilities, damages, losses, costs and expenses (including legal expenses and amounts reasonably paid in settlement of legal claims) suffered or incurred by the Customer and arising directly or indirectly as a result of any:
(i) breach, non-performance or negligent performance by the Provider of these Terms and Conditions;
(ii) claim made against the Customer for actual or alleged infringement of a third party’s intellectual property rights arising out of or in connection with its use (provided such use is in accordance with the Provider’s instructions and Documentation as shown in Schedule 5 of this agreement) of the Platform or the Subscription Services;
(iii) claim made against the Customer by a third party arising out of or in connection with the provision of the Services, to the extent that such claim arises out of the breach, negligent performance or failure or delay in performance of this Agreement by the Provider, its employees, agents or subcontractors;
each a “Provider Indemnity Event”
17.2 The Customer must:
- upon becoming aware of an actual Provider Indemnity Event, notify the Provider;
- provide to the Provider all such assistance as may be reasonably requested by the Provider in relation to the Provider Indemnity Event;
- allow the Provider the non-exclusive conduct of all disputes, proceedings, negotiations and settlements with third parties relating to the Provider Indemnity Event; and
- not admit liability to any third party in connection with the Provider Indemnity Event or settle any disputes or proceedings involving a third party and relating to the Provider Indemnity Event without the prior written consent of the Provider, which consent shall not be unreasonably withheld, delayed or conditioned, without prejudice to the Provider’s obligations under Clause 17.1 which shall not apply until the Customer has notified the Provider of the Provider Indemnity Event under clause 17.2.1 above.
17.3 The indemnity protection set out in this Clause 17 shall be subject to the limitations and exclusions of liability set out in the Agreement.
- Limitations and exclusions of liability
18.1 Nothing in these Terms and Conditions will:
- limit or exclude any liability for death or personal injury resulting from negligence;
- limit or exclude any liability for fraud or fraudulent misrepresentation;
- limit any liabilities in any way that is not permitted under applicable law; or
- exclude any liabilities that may not be excluded under applicable law.
18.2 Save as set out expressly in this Agreement, the limitations and exclusions of liability set out in this Clause 18 and elsewhere in these Terms and Conditions:
- are subject to Clause 18.1; and
- govern all liabilities arising under these Terms and Conditions or relating to the subject matter of these Terms and Conditions, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in these Terms and Conditions.
18.3 Neither party shall be liable to the other party in respect of any loss or corruption of any data, database or software; providing that this Clause 18.3 shall not protect the Provider unless the Provider has fully complied with its obligations under the Data Processing Agreement.
18.4 Neither party shall be liable to the other party in respect of any special, indirect or consequential loss or damage.
18.5 Subject to clause 18.1, the liability of the Provider to the Customer under the Agreement in respect of any event or series of related events shall not exceed the following:
(a) up to a maximum of: the total amount paid and payable by the Customer to the Provider under the Agreement in the 12-month period preceding the commencement of the event or events; in respect of the Provider’s breach, non-performance or negligent performance of any obligation, in each case under: (A) the Data Processing Agreement; (B) Clause 13 (Confidentiality); (C) Clause 14 (Data Protection); or (D) indemnification under clause 17.1(ii);
18.6 Subject to Clause 18.1, 18.3 and 18.4, Customer’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising out of or in connection with this Agreement shall not exceed the total amount paid and payable by the Customer to the Provider under the Agreement in the 12-month period preceding the commencement of the event or events.
18.7 For the duration of the Agreement, each party shall have and maintain in place professional indemnity insurance, cyber insurance together with any other insurance(s) required by law.
- Force Majeure Event
19.1 If a Force Majeure Event gives rise to a failure or delay in either party performing any obligation under the Agreement, that obligation will be suspended for the duration of the Force Majeure Event.
19.2 A party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that party performing any obligation under the Agreement, must:
- promptly notify the other; and
- inform the other of the period for which it is estimated that such failure or delay will continue.
19.3 A party whose performance of its obligations under the Agreement is affected by a Force Majeure Event (the “Affected Party”) must take reasonable steps to mitigate the effects of the Force Majeure Event.
19.4 If the Force Majeure Event prevents, hinders or delays the Affected Party’s performance of its obligations for a continuous period of more than 4 weeks, the party not affected by the Force Majeure Event may terminate this Agreement by giving 30 days’ written notice to the Affected Party. Any fees paid in respect of Services not rendered as a result of the occurrence of the Force Majeure Event shall be refunded to the Customer upon request.
- Termination and Renewal
20.1 Your subscription period will be specified in your Order. If you add products during the Subscription Term, the fees for these additional products will be pro-rated for the remaining subscription period specified in your Order.
20.2 The Customer’s subscription will auto-renew unless notice to terminate is served in writing to email@example.com no earlier than 90 days, but no later than 45 days, before the expiry of the Subscription Term.
20.3 No Early Termination; No Refunds. Except for the review period permitted during the first year of the Subscription Term only, the Subscription Term will end on the expiration date and you cannot cancel it before its expiration. We do not provide refunds if you decide to stop using the subscription service without cause during your Subscription Term.
- Effects of termination
21.1 Upon the termination of the Agreement, Clauses 13, 14, 17, 18, 21, 24 and 25 and any clauses (including those set out in the Data Processing Agreement) which expressly or by implication are intended to have effect after termination shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely).
21.2 Except to the extent that these Terms and Conditions expressly provide otherwise, the termination of the Agreement shall not affect the accrued rights of either party.
21.3 Within 30 days following the termination of the Agreement for any reason:
- the Customer must pay to the Provider any Charges properly due and unpaid in respect of the Subscription Services or other Services provided to the Customer before the termination of the Agreement; and
- the Provider must refund to the Customer any Charges paid by the Customer to the Provider in respect of the Subscription Services that were to be provided to the Customer after the termination of the Agreement, without prejudice to the parties’ other legal rights.
22.1 Without prejudice to any Provider obligations arising in the Data Processing Agreement in place between them, the Provider may subcontract any of its obligations under the Agreement, providing that the Provider must give to the Customer, prior written notice of the appointment of a subcontractor, specifying the subcontracted obligations and identifying the subcontractor in question.
22.2 The Provider shall remain responsible and liable to the Customer for the performance of any subcontracted obligations.
22.3 Notwithstanding any other provision of these Terms and Conditions, the Customer acknowledges and agrees that the Provider may subcontract to any reputable third party hosting business the hosting of the Platform and the provision of services in relation to the support and maintenance of elements of the Platform.
- Processing of data
23.1 Refer to the Data Processing Agreement for detail
- Entire agreement
24.1 The Services Order Form, the main body of these Terms and Conditions, the Data Processing Agreement and the Schedules shall constitute the entire agreement between the parties in relation to the subject matter of the Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter.
24.2 The provisions of this Clause 24 are subject to Clause 18.1.
- Law and jurisdiction
25.1 The Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by the laws of England and Wales and each Party irrevocably agrees that the courts of England and Wales shall have the exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Agreement or its subject matter or formation.
26.1 In these Terms and Conditions, a reference to a statute or statutory provision includes a reference to:
- that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and
- any subordinate legislation made under that statute or statutory provision.
26.2 The Clause headings do not affect the interpretation of these Terms and Conditions.
26.3 References in these Terms and Conditions to “calendar months” are to the 12 named periods (January, February and so on) into which a year is divided.
26.4 In these Terms and Conditions, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.
26.5 In the case of any conflict or ambiguity between any provisions contained in these Terms and Conditions and the Order Form, the provisions of these Terms and Conditions shall prevail.
26.6 Save as expressly set out otherwise, (including without limitation the Data Processing Agreement), in the case of any conflict or ambiguity between any provisions contained in the main body (being clauses 1-27) of these Terms and Conditions and a Schedule to these Terms and Conditions, the main body of these Terms and Conditions shall prevail.
27.1 Any notices under the Agreement will be in writing and given by hand or by pre-paid first-class post or other next working day delivery service to the address for each Party set out in the Order Form (with a copy by email to firstname.lastname@example.org).
27.2 Any notice shall be deemed to have been received:
27.2.1. if delivered by hand, at the time the notice is left at the proper address; and
27.2.2. if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second business day after posting.
27.3 Clauses 27.1 and 27.2 do not apply to the service of any proceedings or other documents in any legal action or, where applicable, any other method of dispute resolution.
27.4 No variation of the Agreement shall be effective unless it is in writing and signed by both Parties.
27.5 Save as expressly set out herein, neither Party will assign its rights or transfer its obligations under the Agreement without the prior written consent of the other Party (not to be unreasonably withheld or delayed).
27.6 A person who is not party to the Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Agreement.
27.7 A waiver of any right or remedy under the Agreement or by law is only effective if given in writing and will not be construed as a waiver of any subsequent right or remedy. A failure or delay by a Party to exercise any right or remedy provided under the Agreement or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Agreement or by law shall prevent or restrict the further exercise of that or any other right or remedy.
27.8 If any provision or part-provision of the Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of the Agreement.
SCHEDULE 1 (AVAILABILITY SLA)
- Introduction to availability SLA
1.1 This Schedule 1 sets out the Provider’s availability and commitments relating to the Subscription Services.
1.2 In this Schedule 1, “uptime” means the percentage of time during a given period when the Subscription Services are available at the gateway between public internet and the network of the hosting services provider for the Subscription Services which shall be no less than 99.95%.
2.1 The Provider shall use all reasonable endeavours to ensure that it meets the uptime set out in paragraph 1.2 above for the Subscription Services during each calendar month.
3.1 Downtime caused directly or indirectly by any of the following shall not be considered when calculating whether the Provider has met the uptime guarantee given in Paragraph 2.1:
- a Force Majeure Event;
- a fault or failure of the internet or any public telecommunications network;
- a fault or failure of the Customer’s computer systems or networks;
- any breach by the Customer of the Agreement; or
- scheduled maintenance carried out in accordance with the Agreement.
SCHEDULE 2 (MAINTENANCE SLA)
1.1 This Schedule 2 sets out the service levels applicable to the Maintenance Services.
- Scheduled Maintenance Services
2.1 The Provider shall, where practicable, give to the Customer at least 5 Business Days’ prior written notice of scheduled Maintenance Services that are likely to affect the availability of the Subscription Services or are likely to have a material negative impact upon the Subscription Services, without prejudice to the Provider’s other notice obligations under this Schedule 2.
2.2 The Provider shall provide all scheduled Maintenance Services outside Business Hours.
3.1 The Provider shall give to the Customer written notice of the application of any security Update to the Platform and at least 1 Business Day’s prior written notice of the application of any non-security Update to the Platform.
3.2 The Provider shall apply Updates to the Platform as follows:
- third party security Updates shall be applied to the Platform promptly following release by the relevant third party, providing that the Provider may, acting reasonably, decide not to apply any particular third party security Update;
- the Provider’s security Updates shall be applied to the Platform promptly following the identification of the relevant security risk and the completion of the testing of the relevant Update; and
- other Updates shall be applied to the Platform in accordance with any timetable notified by the Provider to the Customer or agreed by the parties from time to time.
4.1 The Provider shall produce Upgrades from time to time during the Term.
4.2 The Provider shall give to the Customer at least 5 Business Days’ prior written notice of the application of an Upgrade to the Platform.
4.3 The Provider shall apply each Upgrade to the Platform within any period notified by the Provider to the Customer or agreed by the parties in writing.
SCHEDULE 3 (SUPPORT SLA)
1.1 This Schedule 3 sets out the service levels applicable to the Support Services.
2.1 The Provider shall make available to the Customer a helpdesk for the duration of the Agreement. The helpdesk shall be available between 09:00-17:30 hours, Monday to Friday, excluding Bank Holidays and may be contacted by email on email@example.com. The helpdesk shall be provided and issues managed in accordance with the provisions of this Schedule 3.
- Response and resolution
3.1 Issues raised through the Support Services shall be categorised as follows:
- critical: the Subscription Services are inoperable or a core function of the Subscription Services is unavailable;
- serious: a core function of the Subscription Services is significantly impaired;
- moderate: a core function of the Subscription Services is impaired, where the impairment does not constitute a serious issue; or a non-core function of the Subscription Services is significantly impaired; and
- minor: any impairment of the Subscription Services not falling into the above categories; and any cosmetic issue affecting the Subscription Services.
3.2 The Provider shall determine, acting reasonably, into which severity category an issue falls.
3.3 The Provider shall use all reasonable endeavours to respond to requests for Support Services promptly.
- Provision of Support Services
4.1 The Support Services shall be provided remotely, save to the extent that the parties agree otherwise in writing.
SCHEDULE 4 (Data Processing Agreement, DPA)
- The object of the following conditions is to define the operating modalities by which the Data Processor (Expandi Ltd and all its subsidiaries) undertakes to carry out, on behalf of the Data Controller (Customer), the processing of personal data that Customer uploads or otherwise provides to Expandi Ltd in connection with the services and the processing of any personal data that Expandi Ltd provides to Customer in connection with the service. Expandi Ltd (38 Craven Street, London WC2N 5NG, UK), the holding company, represents the companies within the group.
2. EXPANDI LTD’S OBLIGATIONS
The parties agree, in relation to the data processing activities, the following:
2.1 That the data of the data subjects will be processed exclusively for the purposes inherent in the execution of the service.
2.2 That the type of personal data and the categories of data subjects to the processing will be limited only to those provided for in the service.
2.3 Expandi LTD shall process personal data only on documented instruction of the Data Controller.
3. ORGANIZATIONAL AND TECHNICAL MEASURES
3.1 Expandi LTD shall ensure that persons entitled to the processing of personal data have previously signed a confidentiality agreement (Non-disclosure agreement NDA).
3.2 Expandi LTD shall appoint, within the meaning of article 28, par. 2 of Regulation (EU) 2016/679, another Data Processor exclusively after explicit approval by the Data Controller.
3.3 Expandi LTD shall maintain the technical and organizational measures in order to ensure a level of security appropriate to the risk.
3.4 Customers reserve the right to verify and monitor the compliance status of the Data Processor with the information provided in the field of data protection, including through periodic audits by its personnel or external appointed personnel.
4. DATA SUBJECTS RIGHTS AND REQUESTS
4.1 Expandi LTD shall assist the Data Controller, using appropriate technical and organizational measures, in order to comply with the obligations of the Data Controller to respond to requests for the exercise of the rights of the data subjects under Article 15 of the EU regulation 2016/679.
4.2 In the event that Expandi LTD receives requests from a data subject about the exercise of his or her rights relating to the personal data owned by the Data Controller (for example, and not exhaustively: rectification, cancellation and limitation, data portability), Expandi LTD shall inform the Data Controller without delay, and in any case not beyond the terms of the law.
4.3 In the event that Data Controller is obligated to provide information on personal data to other Data Controllers or third parties, Expandi LTD shall be obliged to cooperate by providing all necessary information.
5. COMMUNICATION OF DATA TO THIRD PARTIES
5.1 Expandi LTD shall not disclose the data to third parties, to the public administration or to the judicial authority, without the prior authorization of the Data Controller. In the event that European Union law or national law requires the communication of, and access to, the data, Expandi LTD shall communicate the data to the applicant and, subsequently, notify the Data Controller of the event, also communicating this legal obligation, unless the law prohibits such information for relevant reasons of public interest.
6. RESTITUTION OR ERASURE OF PERSONAL DATA
6.1 Unless the law provides otherwise, Expandi LTD, depending on the choice of the Data Controller, shall delete or return the personal data upon the due date or suspension of the services. Expandi LTD undertakes to delete existing copies, at the request of the Data Controller, unless the law of the European Union or Member States provides for the retention of data beyond the limit set by the Data Controller.
7. ASSISTANCE AND REGISTERS
7.1 Expandi LTD must maintain, and from time to time update, the register containing the names and contact details of Expandi LTD’s sub-suppliers.
7.2 Expandi LTD shall maintain a log of access to personal data by a public administration, judicial authority or third party audit.
7.3 Expandi LTD shall maintain a record of the violations involving personal data of the data subjects.
7.4 In addition, Expandi LTD shall fill in the register of processing activities, pursuant to article 24, taking care to inform, when requested, the Data Controller of the categories of processing activities carried out on behalf of the Data Controller, and of any subcontractors involved.
8. TRANSFER OF DATA OUTSIDE THE EUROPEAN UNION
8.1 Expandi LTD will inform the Data Controller of further notices and documents relating to the international data transfer mechanism in accordance with article 46 of GDPR.
9. EXPANDI LTD’S SUB-SUPPLIERS
9.1 The engagement of an Expandi LTD sub-supplier requires the Data Controller’s explicit prior written approval by Certified Mail, if possible, or otherwise by e-mail. Expandi LTD will notify the Data Controller in advance and without undue delay of any changes to Expandi LTD’s sub-suppliers in accordance with the previous and explicitly approved list.
9.2 Expandi LTD shall impose the same data protection obligations as set out in this DPA on any approved Expandi LTD sub-supplier.
9.3 Where Expandi LTD, in accordance with art. 28, par. 4 of European Regulation 679/2016, appoints a sub-supplier, the same obligations in force between the controller and Expandi LTD are imposed on the latter.
9.4 Expandi LTD remains responsible for its sub-processors and liable for their acts and omissions as for its own acts and omissions, and any references to Expandi LTD’s obligations, acts and omissions in this DPA shall be construed as referring also to Expandi LTD’s sub-processors.
10. PERSONAL DATA BREACH
10.1 Expandi LTD will inform Data Controller without undue delay of any suspected non-compliance with applicable Data Protection Laws or relevant contractual terms of this DPA or in case of serious disruptions to operations or any other irregularities in the processing of the Data Controller Personal Data. Expandi LTD will promptly investigate and rectify any non-compliance as soon as possible and upon Data Controller’s request, provide Data Controller with all information requested with regard to the suspected non-compliance.
10.2 Expandi LTD will notify Data Controller without undue delay (and in no event later than 24 hours) after becoming aware of a Personal Data Breach in respect of the Services. Expandi LTD will promptly investigate the Personal Data Breach and will provide Data Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify Supervisory Authorities or Data Subjects).
10.3 To clarify, Expandi LTD will first inform the Data Controller of any data breach; secondly, Expandi LTD will inform the Data Controller of any sub-processors’ data breach within 24 hours from the incident detection.
11.1 This DPA will remain valid until the discontinuance of the Services. Expandi LTD will maintain maximum confidentiality on data and information concerning the Controller of which it became aware in the fulfilment of its obligations.
11.2 Expandi LTD, at the expiration of the Services, must interrupt each data processing operation or provide for the complete cancellation of the data; in both cases it must release a written statement stating that Expandi LTD does not own any copy. At the request of the Data Controller, Expandi LTD must indicate the technical methods and procedures used for the cancellation and destruction.
12. JURISDICTION AND MEDIATION
12.1 Disputes, enquiries and litigation between the Parties concerning the DPA must be brought before the Court of London.
12.2 English Law governs this DPA.
Annex 1 – SECURITY MEASURES
Expandi LTD will maintain all technical and organizational security measures in accordance with GDPR Data Security Principles, for protecting Data Controller Personal Data against accidental loss, destruction, alteration, unauthorized disclosure or access, or unlawful destruction.
GDPR DATA SECURITY PRINCIPLES
In the field of processing activities, which are the object of this DPA, Controller provides that Expandi LTD observes these security measures during processing activities:
- Maintain data subject data within protected archives on mobile devices and on shared storage devices. Where encryption is used, it is recommended to choose a cryptographic key that is appropriate to the nature of the personal data involved.
- Limit the spread of data Subject data to authorized parties.
- Allow the access to personal data by users according to the rule of “minimum privilege”.
- Use of an appropriate user’s authentication system on the systems that process personal data.
- Record and monitor system users’ access to personal data in order to guarantee a clear and verifiable chain of responsibility.
- Keep the relevant access log (anomalies) on the system and personal data for the duration of processing activity.
- Record all access to the system logs by users with administrative rights.
- Prohibit the use of shared users among users for access to the systems and data.
- Logically segregate the network, so that “Guest” users cannot access the same subnet as users of the company’s system. In general, where possible, use multiple logical subnets (VLANs), each with specific rules (ACL) for access to service and network resources.
- Use the appropriate security protocol for Wi-Fi networks.
- Physically segregate the network, so that only authorized personnel can access the network devices.
- Use only secure communication protocols such as TLS 1.2 and SSH for client-server communication sessions.
- Allow remote access to IT resources only and exclusively through secure channels that make data traffic non traceable (IPsec, etc.).
- Store cryptographic keys used for applications and communications in special “containers”.
- Inhibit the access by users of the systems to the TOR network (The Onion Routing).
- Only use mobile storage systems (USB) with adequate cryptographic protection in the transportation of personal data of the data subjects.
- Provide MDM / MDA solutions if users use or store personal data of the data subjects on mobile devices, whether they are owned by the company (COPE) or promiscuous (BYOD).
- Use the SFTP protocol for massive data transfer, prohibit the use of FTP.
- Inhibit the use by users of personal private cloud systems (e.g. Dropbox, Gdrive, WeTransfer, etc.) for the storage and transfer of files containing personal data of the interested parties.
- Use only instant-messaging systems that use the OTR (Off the record) protocols.
- Use PGP or S / MIME protocols for cryptographic security of email content.
- Provide adequate systems able to guarantee the continuity of the service provided (business continuity) on behalf of the owner, such that, in the event of a security incident, the same does not compromise the availability of data and service provided on behalf or in favour of the holder.
- Provide appropriate incident management procedures such that each security incident is detected, registered and processed by personnel specialized in its resolution. Each incident must be recorded in the incident register of the person in charge and then communicated to the data controller.