Cyber Tec Security Limited Terms
1.1 In this Agreement (as defined in the Order Form):
1.1.1 Headings have been included for convenience only and shall not be used in construing any provision in this Agreement;
1.1.2 Words incorporating the singular include the plural, words importing any gender include every gender and words importing persons include bodies corporate and unincorporated;
1.1.3 References to any legislation or regulations include references to any amendments or re-enactments thereof;
1.1.4 References to Clauses and Schedules are references to clauses and schedules of this Agreement; and
1.1.5 Words beginning with capital letters are intended to have the meaning given to them either in these Terms and Conditions or in the Order Form.
1.2 In the event of any conflict or inconsistency between the various documents forming part of this Agreement the following order of precedence shall apply:
1.2.1 The Order Form;
1.2.2 These Terms and Conditions;
1.2.3 The Schedules to these Terms and Conditions; and
1.2.4 The Proposal.
1.3 For the purposes of these Terms and Conditions: a reference to a party or parties means CyberTec and/or the Customer (as appropriate); and the Charges, Customer, Effective Date, Initial Term, Location, Proposal and Services shall have the meaning ascribed to them in the Order Form.
2.1 CyberTec agrees to provide to the Customer the Services for the Term (as defined below) in accordance with these Terms and Conditions.
2.2 If at any time during the Term the Customer wishes to alter all or any part of the Services, the Customer and CyberTec shall discuss the proposed change and CyberTec shall provide to the Customer a quotation for the amendments required to the Services and any agreed charges.
2.3 The Customer may elect either to:
2.3.1 Accept the revised Services and charges pursuant to the quotation in which case this Agreement shall be amended in accordance therewith and with Clause 14.12; or
2.3.2 Withdraw the proposed alterations in which case this Agreement shall continue in force unchanged. If such withdrawal results in a delay in the performance of the Services, CyberTec shall not be liable for such delay and shall be entitled to an extension of time for performing its obligations equal to the period of the delay.
3 Customer Responsibilities
3.1 The Customer shall comply with its responsibilities set out in Schedule 1 (the “Customer Responsibilities”).
3.2 Except in the case where CyberTec provides hardware as part of the Services, the Customer acknowledges and agrees that if it does not comply with the Customer Responsibilities, CyberTec may: not be able to supply the Services in accordance with this Agreement; and/or increase the Charges to reflect CyberTec’s increased costs therefrom. To the extent that CyberTec is unable to provide the Services due to such non-compliance, CyberTec shall not be liable for any costs, charges or losses sustained or incurred by the Customer that arise directly or indirectly from such non-provision of the Services.
3.3 The Customer agrees that it shall always provide CyberTec a reasonable opportunity to correct any deficiency in the Services before claiming a breach by CyberTec of its obligations under this Agreement.
4 CyberTec Responsibilities
4.1 CyberTec shall use reasonable endeavours to perform its obligations under this Agreement.
4.2 CyberTec shall provide the Services with reasonable skill and care, using suitably trained personnel or agents and in accordance with good industry practice.
4.3 CyberTec shall use reasonable endeavours to observe all relevant health and safety rules and regulations and any other reasonable security requirements that apply at the Locations and that have been communicated to it under Schedule 1 paragraph 1.4 provided that CyberTec shall not be liable under this Agreement if such observation places CyberTec in breach of any of its obligations under this Agreement.
5 Charges and Payment
5.1 The Customer shall pay CyberTec the charges set out in the Order Form and / or Proposal monthly in advance by direct debit (unless otherwise agreed by the parties in writing in the Order Form and / or the Proposal).
5.2 The Customer shall pay any invoice submitted to it by CyberTec, in full and in cleared funds, within the payment period set out in CyberTec’s relevant invoice without deduction or set-off. Time for payment shall be of the essence of this Agreement.
5.3 If any sums invoiced to the Customer by CyberTec (other than those that are subject to a bona fide dispute pursuant to Clause 5.5) are not paid within the specified time limits set out in this Clause 5, CyberTec shall be entitled, in addition to its termination right under Clause 12.3, to:
5.3.1 Suspend all Services until payment has been made in full;
5.3.2 Charge the Customer interest on the overdue amount, payable by the Customer immediately on demand, from the due date up to the date of actual payment, after as well as before judgment, at an annual rate equal to 4% over the then current base lending rate of HSBC Bank Plc. Such interest shall accrue on a daily basis; and/or
5.3.3 On or after the second such occurrence in any consecutive 12 (twelve) month period and notwithstanding Clause 14.12, vary the payment terms set out in this Clause 5 on written notice to the Customer.
5.4 All sums payable by the Customer under this Agreement are stated to be exclusive of VAT and all other similar taxes and duties payable in respect of such payments, which shall be added to CyberTec’s invoice(s) at the appropriate rate and on the same payment terms as apply to the sums to which the VAT and such other taxes and duties relates.
5.5 If the Customer (acting in good faith) disputes part or all of any invoice on reasonable grounds, it shall notify CyberTec in writing as soon as is reasonably possible identifying clearly the disputed part of such invoice and the reasons why it is challenged. If a bona fide dispute exists in relation to part only of an invoice, the Customer shall pay the undisputed amount in accordance with Clause 5.2. The disputed element of any invoice will be dealt with in accordance with Clause 14.1.
5.6 In the event that CyberTec demonstrates that a change in any relevant legislation, regulations, codes of practice, guidance and other requirements of any relevant government or governmental or regulatory agency (together the “Rules”) or the Customer’s failure to perform or delay in the performance of any of the Customer’s Responsibilities directly or indirectly increases the cost to CyberTec of providing the Services in accordance with this Agreement, the Charges shall be increased by an equitable amount reflecting such increase, save to the extent that any change in the Rules affects the entirety of CyberTec’s business operations.
5.7 CyberTec may increase the charges in the Order Form (including out of scope work) on the next anniversary of the Effective Date by giving the Customer not less than 10 (ten) working days’ prior written notice. Notwithstanding clause 12.3, the Customer may terminate this Agreement by giving written notice to CyberTec within 10 (ten) working days of receiving notice of such revised charges.
6.1 Each party agrees and undertakes that during the Term and for five (5) years following termination of this Agreement it shall keep confidential all documentation or information, including but not limited to the contents of this Agreement; and shall not use for its own purposes nor without the prior written consent of the other party disclose to any third party any information which is proprietary or confidential (including trade secrets and information of commercial value) and which is either labelled or stated as such or else which should reasonably be considered as confidential because of its nature and the manner of its disclosure (“Confidential Information”), unless such Confidential Information is or becomes public knowledge other than through any act or omission of the receiving party, is in the receiving party’s lawful possession before the disclosure, is lawfully disclosed to the receiving party by a third party without restriction on disclosure or is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
7 Limitation of Liability
7.1 Subject to Clauses 7.2, 7.3, 7.8 and 10.1, the entire financial liability of CyberTec to the Customer in respect of this Agreement shall not exceed 110% of the total amount paid or payable by the Customer to CyberTec pursuant to this Agreement in the calendar year the claim or series of claims arose.
7.2 In no circumstances shall either party be liable to the other for any loss of profits, loss of or damage to or corruption of data, loss of revenue or contracts, loss of goodwill or for any special, indirect or consequential loss or damage howsoever arising from the provision of the Services even if such loss was in the contemplation of the parties at the date of this Agreement and/or one party had advised the other party of the possibility of such loss occurring.
7.3 Nothing in this Clause 7 shall in any way limit either party’s liability arising from personal injury or death caused by its negligence, fraud or fraudulent misrepresentation or any other liability which cannot lawfully be excluded or limited.
7.4 Except as expressly and specifically provided in this Agreement, all warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from this Agreement.
7.5 Any third party products, services and/or software provided by CyberTec for the provision of the Services are provided “as is” without any warranty of any kind either express or implied subject to:
7.5.1 Where a manufacturer warranty exists, products shall be covered by such warranty exclusively; and
7.5.2 CyberTec’s support obligations for such software and services (as the case may be) being limited to contacting the relevant software vendor or supplier to report any fault with the relevant third party software or services.
7.6 CyberTec does not warrant that such third party products, services and/or software shall be error-free or that such errors will be corrected. The Customer shall be solely responsible for all costs and expenses associated with rectification, repair or damage caused by such errors.
7.7 If the Service does not conform with Clause 4.2, CyberTec will at its expense, use all reasonable commercial efforts to correct any such non-conformance in a timely manner, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer’s sole and exclusive remedy for any breach of Clause 4.2.
7.8 The Customer acknowledges and agrees (and it is a condition of CyberTec providing the Services) that:
7.8.1 the Services and the Customer attaining Cyber Essentials or other equivalent certification only partially mitigate the risk of a cyber attack. Cyber Essentials, Cyber Essentials Plus and / or IASME purchased as part of the Services are only valid and certified on the date that the relevant assessment is completed;
7.8.2 CyberTec cannot guarantee that the Customer will not suffer a successful cyber security incident during the Term;
7.8.3 the Customer shall make its own arrangements to prevent any permanent loss or corruption of the Customer’s data; and
7.8.4 CyberTec shall have no liability to the Customer hereunder for any losses or damages incurred by the Customer as a result of: any malware or cyber attack where CyberTec has used reasonable skill and care and acted in accordance with good industry practice pursuant to Clause 4.2 regarding the Services; any zero-day exploits; and / or the Customer not following up CyberTec’s findings and / or recommendations. Given the dangers and fast moving nature of cybersecurity, if the Customer is unhappy with the balance of the parties’ rights and obligations under this Agreement, the Customer should use an alternative provider for its attempts to mitigate the risk of a cyber attack.
8 Force Majeure
8.1 A party, provided that it has complied with the provisions of Clause 8.2, shall not be in breach of this Agreement or liable to the other for any delay or non performance of its obligations under this Agreement arising from any cause or causes beyond its reasonable control including, without limitation, any of the following: acts of God, including but not limited to fire, flood, earthquake, windstorm or other natural disaster; fire, explosion or accidental damage; adverse weather conditions; interruption or failure in communications networks and facilities (including the internet or CyberTec and / or its supply chain’s data centre (as appropriate)) or a utility service (including electricity); and/or mandatory compliance with any law (including a failure to grant any licence or consent needed or any change in the law or interpretation of the law) (“Force Majeure Event”).
8.2 Any party that is subject to a Force Majeure Event shall not be in breach of this Agreement provided that:
8.2.1 It notifies the other party in writing in a timely manner of the nature and extent of the Force Majeure Event causing its failure or delay in performance;
8.2.2 It has used all reasonable endeavours to mitigate the effect of the Force Majeure Event and to carry out its obligations under this Agreement in any way that is reasonably practicable; and
8.2.3 As soon as reasonably possible after the end of the Force Majeure Event, the affected party shall notify the other party in writing that the Force Majeure Event has ended and shall resume performance of its obligations under this Agreement.
8.3 If any Force Majeure Event continues for more than 90 (ninety) days, the party not subject to the Force Majeure Event may immediately terminate this Agreement on giving written notice to the other.
9 Title and Risk
9.1 Title to any equipment (including but not restricted to hardware, software and/or consumables) supplied by CyberTec (the “Equipment”) shall pass on full payment (in cash or cleared funds).
9.2 The risk in the Equipment shall pass to the Customer from delivery or, if the Customer wrongfully fails to take delivery of the Equipment, the time when CyberTec has tendered delivery of the Equipment. For the avoidance of any doubt, CyberTec shall have no liability for any loss or damage in connection with the Equipment howsoever caused on delivery.
9.3 Without prejudice to Clause 9.2, until title to the Equipment has passed to the Customer, the Customer shall:
9.3.1 Hold the Equipment on a fiduciary basis as CyberTec’s Bailee;
9.3.2 Store the Equipment safely, securely and separately from all other goods held by the Customer so that they remain readily identifiable as CyberTec’s property;
9.3.3 Not modify, pledge or sell the Equipment or remove, deface or obscure any identifying mark or packaging on or relating to the Equipment; and
9.3.4 Maintain the Equipment in satisfactory condition and in accordance with the manufacturer’s recommendations and keep such Equipment insured on CyberTec’s behalf for their full price against all risks with a reputable insurer. The Customer shall provide CyberTec with a copy of such insurance policy within 5 working days of CyberTec’s request.
9.4 If title to the Equipment has not yet passed to the Customer and the Customer becomes subject to any of the events in Clauses 12.2.2 to 12.2.3 then, without limiting any other right or remedy CyberTec may have, CyberTec may at any time require the Customer to deliver up the Equipment and, if the Customer fails to do so promptly, enter any premises of the Customer or of any third party where the relevant Equipment is stored in order to recover them.
10.1 Each party shall indemnify the other party against all claims, liabilities, proceedings, costs, losses, damages or expenses (including legal fees) up to £1 million per claim or series of claims, that may be suffered by the other, or made by third parties or awarded against or settled by the other party in favour of any third party in connection with any claims or proceedings relating to Clause 11.7 other than by reason of any unauthorised act or negligence by the other party, its employees, agents, consultants or contractors. The indemnified party shall: notify the indemnifying party in a timely manner of becoming aware of such claim; allow the indemnifying party to conduct such claim; provide reasonable assistance (at the indemnifying party’s expense) to the indemnifying party in defending such claim; and not make any admissions which may be prejudicial to the defence or settlement of any claim.
11 Intellectual Property Rights
11.1 All copyright, database right, patents, registered and unregistered design rights, registered and unregistered trade marks, and all other industrial, commercial or intellectual property rights existing in any jurisdiction in the world and all the rights to apply for the same (the “Intellectual Property Rights”) in the Customer’s documentation, information, data, software or invention (the “Customer Material”) shall remain vested in the Customer or its licensors.
11.2 Where appropriate, the Customer shall grant, or shall procure the grant of a royalty free, non-exclusive and non-transferable licence to CyberTec during the Term to copy and use any Customer Material as agreed by the parties in order to allow CyberTec to provide the Services under this Agreement.
11.3 All Intellectual Property Rights in any report, documentation, information, data, software, equipment or invention prepared, created or provided by CyberTec in relation to this Agreement (the “CyberTec Material”) shall remain vested in CyberTec (or its relevant licensors) and to the extent that such rights in any such CyberTec Material vest in the Customer by operation of law, the Customer hereby assigns such rights to CyberTec.
11.4 The Customer shall comply with any licence terms provided with the CyberTec Material (including any maximum number of Customer users) and promptly notify CyberTec upon becoming aware of any unauthorised use of CyberTec Material.
11.5 The Customer acknowledges and agrees that it shall not acquire or claim any title to any of CyberTec’s (or CyberTec’s licensors’) Intellectual Property Rights by virtue of the rights granted to the Customer under this Agreement or through its use of CyberTec’s (or CyberTec’s licensors’) Intellectual Property Rights.
11.6 The Customer agrees that it shall not, at any time, do, or omit to do, anything which is likely to prejudice CyberTec’s or its licensors’ ownership of such Intellectual Property Rights.
11.7 For the duration of the Term:
11.7.1 CyberTec warrants that the use of the CyberTec Material by the Customer as permitted by this Agreement shall not infringe any third party Intellectual Property Rights; and
11.7.2 The Customer warrants that the use of the Customer Material by CyberTec as permitted by this Agreement shall not infringe any third party Intellectual Property Rights.
12.1 This Agreement shall commence on the Effective Date and shall continue for the duration of the Initial Term and shall continue thereafter from year to year with each party having the right, without prejudice to its other rights or remedies, to terminate this Agreement on each anniversary of the Effective Date by giving not less than 3 (three) months’ prior written notice to the other party (the “Term”).
12.2 Notwithstanding Clause 12.1, each party shall have the right, without prejudice to its other rights and remedies, to terminate this Agreement immediately by written notice to the other if the other:
12.2.1 Is in material breach of any term of this Agreement and such breach is either incapable of remedy or is capable of remedy but the party in breach has failed to remedy it within thirty (30) days of receipt of a notice from the party not in breach requiring it to do so;
12.2.2 Ceases to trade or threatens to cease to trade (either in whole, or as to any part or division involved in the performance of this Agreement); and / or
12.2.3 Becomes insolvent or makes an arrangement with its creditors or is put into liquidation (other than solely for the purpose of amalgamation or reconstruction) or has an administrator, administrative receiver, receiver or similar officer appointed over all or any part of its assets or undertaking and such administrator, administrative receiver or receiver is not discharged within a period of 30 (thirty) days of such appointment.
12.3 CyberTec may terminate this Agreement if the Customer is more than five (5) days late paying any of the monthly or other payments due pursuant to clause 5.
12.4 Termination of this Agreement by whatever means shall not affect any rights, obligations or liabilities of either party:
12.4.1 Which have accrued before termination of this Agreement; and/or
12.4.2 Which are intended to continue to have effect beyond termination.
12.5 Upon termination of this Agreement:
12.5.1 Each party shall promptly return to the other the Confidential Information owned by the other and destroy any electronic copies of the same;
12.5.2 The Customer shall immediately cease to use and, at CyberTec’s request, either promptly return to CyberTec all CyberTec Material and in which title has not vested in the Customer or destroy such CyberTec Material, held electronically or otherwise, and if destroyed, provide a certificate stating that all the CyberTec Material has been destroyed;
12.5.3 CyberTec shall promptly return the Customer Material except where it is necessary to retain such Confidential Information or Customer Materials to exercise any rights granted under this Agreement or by law which is intended to survive termination of this Agreement;
12.5.4 Save in the case of a Customer’s breach pursuant to Clause 12.2, CyberTec shall, at the Customer’s written request, provide reasonable assistance to the Customer to ensure an orderly transfer of the Services to the Customer or, at the Customer’s request, a new service provider. Such assistance shall be provided on a time and materials basis at CyberTec’s then standard hourly fee rates; and
12.5.5 all amounts payable to CyberTec by the Customer for the remainder of the Term shall become immediately due and owing.
13 Transferring Employees
13.1 The parties are of the understanding that the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) will not apply at the outset or on the termination of this Agreement. If any person who is an employee of the Customer, the incumbent provider to the Customer or CyberTec claims or it is determined that his/her contract of employment has, or should have, been transferred to CyberTec on the Effective Date or from CyberTec to the Customer or the successive supplier on termination of this Agreement pursuant to TUPE (as appropriate), the relevant party shall notify the other and the parties shall discuss such claim in good faith.
14.1 If there is a dispute that may arise out of or relate to this Agreement, CyberTec and the Customer will use their reasonable endeavours to negotiate in good faith and settle the dispute. If this is not possible, the Manager of the party identifying such dispute shall notify the other party’s Manager in writing specifying the nature of the dispute (“Matter in Dispute”). Failing the Managers agreeing a solution in writing within 10 working days of such notice, either Manager may refer the Matter in Dispute to the senior representatives nominated by the Managing Director of each party, who shall then attempt to resolve the Matter in Dispute in good faith within 10 working days from the date of the reference. If the Matter in Dispute has not been resolved within such further period of 10 working days, the parties shall refer it to their respective Managing Directors for resolution. Where the circumstances so require, the parties shall use all reasonable efforts to expedite the above procedure. If agreement is reached on the Matter in Dispute, then each party shall promptly comply with its obligations as set out in the written record of such agreement. Subject to the exercise of any right to terminate this Agreement, where a dispute has been referred for escalation in accordance with the procedures set out in this Clause 14.1, the Customer will continue to pay the Charges.
14.2 A person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce or to enjoy the benefit of any term of this Agreement.
14.3 All notices which are required to be given under this Agreement shall be in writing and shall be sent to the Managing Director at the address of the recipient set out in the Order Form (or such other person or address as either party may indicate by at least fourteen (14) days’ prior written notice to the other party). Any such notice may be sent by pre-paid recorded or special delivery letter or by email and shall be deemed to have been received: by pre-paid recorded or special delivery letter – at the time of delivery; and by email – immediately upon transmission provided a confirmatory copy is mailed by first class pre-paid post (including recorded or special delivery letter) by the end of the next working day following the time of transmission.
14.4 This Agreement and all documents referred to herein contains the whole agreement between the parties relating to the transactions contemplated by this Agreement and, save as expressly set out herein, supersedes all previous agreements, representations (other than fraudulent) oral or written, and all other prior communications between the parties relating to these transactions. Each of the parties irrevocably and unconditionally waives any right it may have to claim damages and/or rescind this Agreement by reason of any misrepresentation not contained in this Agreement unless such misrepresentation was made fraudulently.
14.5 The Customer shall not be entitled to assign, transfer or sub-contract or deal in any other manner with this Agreement without the prior written consent of CyberTec. CyberTec shall be entitled to assign or transfer any of its rights or obligations under this Agreement to Ralston Enterprises Limited (a company incorporated in England and Wales with registered company number 07766654) (“REL”) and each and any subsidiary of CyberTec, and/or REL on written notice to the Customer and to subcontract any part of its obligation to provide the Services.
14.6 Neither party shall and such party will procure that its advisers, agents and representatives will not, without the other party’s prior written consent, at any time from the date of this Agreement to the expiry of 9 (nine) months after the termination of this Agreement:
14.6.1 directly or indirectly solicit for employment in any capacity any person who is at the Effective Date a director, officer, employee or consultant of the other party/any member of the other party’s group who is involved in the Agreement; or
14.6.2 encourage or seek to encourage such person to leave his current employment or to breach the terms of such employment or consultancy.
14.7 Each party shall comply with its data protection obligations in Schedule 3 (Data Protection).
14.8 Nothing in this Agreement is intended to, or shall, operate to:
14.8.1 Create a partnership or joint venture of any kind between CyberTec and the Customer;
14.8.2 Authorise either party to act as agent for the other party; and/or
14.8.3 Authorise either party to act in the name or on behalf of, or otherwise bind, the other party in any way.
14.9 Both parties shall comply with the Bribery Act 2010.
14.10 No failure to exercise and no delay in exercising on the part of either party any right, power or privilege hereunder shall operate as a waiver thereof nor shall any single or partial exercise of any right, power or privilege preclude the enforcement of any other right, power or privilege nor shall the waiver for any breach of any provision herein be taken or held to be a waiver of the provision itself. Any waiver to be effective must be in writing.
14.11 If any part of this Agreement is found by a court of competent jurisdiction to be invalid, unlawful or unenforceable then such part shall be severed from the remainder of the Agreement which shall continue to be valid and enforceable to the fullest extent permitted by law.
14.12 Any amendment to this Agreement must be in writing and signed by a duly authorised representative from each party.
14.13 This Agreement may be executed in any number of counterparts, each of which when executed and delivered shall constitute an original of this Agreement, but all the counterparts shall together constitute the same Agreement.
14.14 This Agreement shall be governed by and shall be construed in accordance with the laws of England and Wales and the parties hereby submit to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1 – Customer Responsibilities
1 The Customer shall:
1.1 Fully co-operate with CyberTec in all matters relating to this Agreement;
1.2 Provide CyberTec, its agents, subcontractors, consultants, engineers and employees, in a timely manner and at no charge, with access to and use of all of its information, personnel, facilities, equipment (including, but in no way limited to, network ports in the Customer’s data centre) and relevant parts of the Locations as may be reasonably required by CyberTec for the purpose of providing the Services under this Agreement;
1.3 Appoint the Customer’s Manager (as set out in the Order Form) in relation to this Agreement, who shall have the authority contractually to bind the Customer on all matters relating to this Agreement. The Customer shall use all reasonable endeavours to ensure continuity of the Customer’s Manager;
1.4 Inform CyberTec in writing of all health and safety rules and regulations and any other reasonable security requirements that apply at the Locations and take all reasonable precautions to protect the health and safety of CyberTec’s agents, employees, consultants, engineers and subcontractors whilst at the Locations;
1.5 Use all reasonable endeavours to ensure that any information that it supplies to CyberTec which is required for CyberTec to provide the Services is complete, accurate and in the format agreed by the parties. If the Customer discovers that such information is incorrect or inaccurate it will promptly notify CyberTec of such errors and provide a correction as soon as reasonably practicable;
1.6 Comply with this Agreement, all its contracts with third parties that relate to this Agreement and CyberTec’s reasonable instructions, guidelines and directions in relation to the Services provided under this Agreement (including all safety, confidentiality and security requirements of CyberTec or any CyberTec employee, agent, consultant, engineer and subcontractor in relation to physical and/or remote access to the Services);
1.7 Be responsible (at its own cost) for:
1.7.1 Preparing and maintaining the relevant Locations for the supply of the Services;
1.7.2 Ensuring that throughout the Term its network and systems comply with the relevant specifications provided by CyberTec from time to time, including the hardware and software to be used with the Service conforming to the CyberTec approved products’ specification set out in Schedule 2 Part 1 (CyberTec Approved Products); and
1.7.3 Notifying CyberTec in writing before the Effective Date of all the Customer’s locations and devices that CyberTec are responsible for scanning/monitoring/testing through Security Incident and Event Management (SIEM) or other scanning and testing tools and services (unless otherwise agreed by the parties in writing in advance). The Customer shall promptly notify CyberTec in writing of any additional Customer locations or devices that the Customer would wish CyberTec to monitor/scan/test and follow the procedure in Clause 2.2 (Services) regarding such change. As part of the Services, CyberTec may identify additional Customer locations or devices that CyberTec believes that the Customer may wish to monitor/scan/test. CyberTec may notify the Customer of such locations/devices. If requested by the Customer, CyberTec would provide a quotation for the cost of monitoring/scanning/testing such locations/devices and the Customer would elect which option in Clause 2.3 (Services) it wishes to pursue regarding such locations/devices;
1.8 Ensure that all equipment necessary for the performance of the Services (other than the Equipment covered by Clause 9 (Title and Risk)) is: maintained in accordance with the relevant manufacturer’s recommendations; kept in appropriate environmental conditions where appropriate security measures are maintained for such equipment; in good working order; if the Customer is not the proprietor of the whole of such equipment, insured with a reputable insurer for its full reinstatement value; within the equipment manufacturer’s supported product life cycle; and ready and suitable for the purposes for which it is used in relation to the Services. CyberTec reserves the right to inspect such equipment and, if not acceptable, to reject it;
1.9 Be, unless otherwise agreed by the parties in writing in advance, solely responsible for procuring and maintaining its network connections and telecommunications links (including all DSL (digital subscriber lines) and MPLS (multiprotocol label switching) / SD-WAN (software defined wide area network)) which are required for CyberTec to fulfil its obligations to provide the Services and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer or its affiliates (as the case may be) network connections or telecommunications links or caused by the internet or unavailability of its data centre;
1.10 Where Services provided include:
1.10.1 A Security Incident and Event Management Solution (SIEM), be responsible when they instruct CyberTec to provide SIEM to correct any identified faults with and make operational the Legacy Equipment (as defined below). If the Customer reports or CyberTec identifies an issue with Legacy Equipment, CyberTec will inspect the Legacy Equipment in a timely manner and endeavour to identify the fault. CyberTec will advise the Customer of any identified fault in a timely manner. The Customer acknowledges and agrees that any further SIEM CyberTec provide in respect of the Legacy Equipment is not part of the Charges. In the event that the Legacy Equipment has died, has reached end of useful life, is beyond reasonable economic repair and/or written off, the Customer shall follow CyberTec’s recommendations regarding appropriate replacement equipment. If the Customer instructs CyberTec to correct the identified faults or further research the fault, such support and maintenance shall be on a time and materials basis at CyberTec’s then standard hourly fee rates set out in the Proposal. Until such replacement equipment is installed, any SIEM regarding such Legacy Equipment shall be provided by CyberTec on an endeavours basis;
1.10.2 General Security Systems, Testing Systems and other security product installation, sign off such installations and provide such sign off to CyberTec within 5 working days of such installations successfully completing CyberTec’s acceptance tests. In the absence of a response within 5 working days of such completion, the acceptance tests shall be deemed to have been signed off by the Customer.
1.11 Not install any software, hardware or system, nor transfer any data, information or content to any party which may adversely affect the equipment, the Services or CyberTec’s ability to provide the Services;
1.12 Make amendments to network systems/services and comply with any change requests from CyberTec in relation to risk mitigation and reduction identified through SIEM or other testing mechanisms as provided by CyberTec from time to time;
1.13 Not store, distribute or transmit any material through the Service or use the Service for anything that: is unlawful, harmful, threatening, defamatory, obscene, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence, discrimination based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activities; or causes or is likely to cause harm to CyberTec or any third party;
1.14 Grant to CyberTec and its authorised agents (who shall be reasonably acceptable to the Customer and who shall in any event not be competitors of the Customer) the right of access at all reasonable times to carry out an audit of the Customer’s compliance with its obligations under this Agreement (including its use of the Services). The Customer shall provide all reasonable assistance at all times during the Term for the purposes of allowing CyberTec to obtain such information as is necessary to achieve this objective SUBJECT TO CyberTec exercising such audit rights during regular office hours and the opportunity to review and comment upon the results of such audit;
1.15 Be responsible for delays caused by its third party suppliers or vendors (including CyberTec’s additional costs resulting therefrom that CyberTec has used reasonable efforts to mitigate);
1.16 (unless stated in the Proposal as being provided by CyberTec as part of its Service) Use all reasonable endeavours throughout the term of this Agreement to prevent contamination of all equipment (including software and the Equipment) used in relation to the Services by known viruses, including testing the Customer’s software prior to delivery and shall install, maintain and use the latest version of industry leading:
1.16.1 anti-virus protection procedures and software;
1.16.2 spam, spyware, malware and phishing filtering on the Customer’s email system; and
1.16.3 web filtering for spyware, malicious code, malware and greyware, then available in the market in respect of all such equipment used in relation to the Services in accordance with best industry practice;
1.17 Only use and connect equipment (including Customer furnished equipment) and/or networks to CyberTec’s system that are approved and comply with all relevant legislation, standards and licence requirements.
Legacy Equipment and Warranty
The Customer acknowledges and agrees that the following equipment and software is legacy equipment:
- All equipment where the manufacturer has deemed the device “End of Life” and/or where drivers and/or software for the device are no longer available or supported for the device and operating system;
- Operating systems and software that are not within the manufacturer life cycle and/or deemed “End of Life”
(the “Legacy Equipment”).
Notwithstanding the foregoing, the Customer may use equipment when the manufacturer has deemed the product “End of Life”. In respect of all Legacy Equipment, the Customer acknowledges and agrees that the provisions in Schedule 1 paragraph 220.127.116.11 apply in the event the Customer requires Legacy Equipment to be scanned/monitored/tested pursuant to this Agreement.
Schedule 2 – Hardware
Part 1 CyberTec Approved Products
Hardware and software solutions which are within the manufacturer life cycle.
Part 2 Procuring Hardware and Other Equipment
CyberTec will assist with basic recommendations for security hardware and software.
To the extent it may be provided by CyberTec for the Customer to use as part of the Services, CyberTec will enter into an agreement with its licensors to enable the Customer to receive the following that is not manufactured or owned by CyberTec as part of the Customer’s receipt of the Services:
- Security Incident and Event Management Systems (if part of the proposal/schedules);
- Any software or tools used as part of the service delivery (including, but in no way limited to, Trustica and AppGuard).
These third party software, products and / or services are provided on the terms of this Agreement, including Clauses 7.5, 7.6, 7.8, 11.3-11.6, 12.5.2.
Schedule 3 – Data protection
1. Both parties warrant that they shall observe all their obligations under the General Data Protection Regulation (2016/679) (“GDPR”) and the Data Protection Act 2018 (each as amended, replaced or superseded from time-to-time) and where applicable the mandatory guidance and codes of practice issued by the Information Commissioner (“Data Protection Legislation”) which arise in connection with this Agreement.
2. The Customer acknowledges and agrees that in relation to any personal data processed by CyberTec regarding its provision of the Services, the Customer is the Controller and CyberTec is the Processor. Both CyberTec and the Customer have described the processing of personal data being undertaken by CyberTec pursuant to this Agreement in the Appendix to this Schedule 3.
3. The Customer warrants and undertakes that:
a. such personal data is accurate, relevant and kept up to date;
b. the Customer’s appointment of CyberTec to provide the Services hereunder is in accordance with Article 6 of the GDPR; and
c. CyberTec’s processing of such personal data in compliance with the Customer’s processing instructions shall not cause CyberTec (and/or any third party) to be in breach of the Data Protection Legislation.
4. CyberTec will:
a. process the Customer’s personal data only to the extent necessary for the purposes of performing CyberTec’s obligations under the Agreement and otherwise in accordance with the Customer’s reasonable and lawful documented instructions and applicable laws, unless required to do so by European Union or Member State law to which the processor is subject; in such a case, CyberTec shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b. ensure that, in addition to the confidentiality provisions in this Agreement, all persons authorised by it to process the Customer’s personal data are subject to appropriate duties of confidentiality;
c. have at all times during the term of the Agreement, taking into account the nature of the processing, appropriate technical and organisational measures in place to:
i. provide a necessary level of security to protect any of the Customer’s personal data against unauthorised or unlawful processing and against accidental loss, alteration, destruction or damage; and
ii. assist the Customer, where requested by the Customer (and at the Customer’s cost) and to the extent possible, with fulfilling the Customer’s obligations to respond to requests from a data subject under the Data Protection Legislation for access to, rectification, erasure or portability of, or for restriction of, or objections to, the processing of, that data subject’s personal data;
d. assist the Customer, where reasonably requested by the Customer (and at the Customer’s cost) and to the extent possible taking into account the nature of processing and the information available to CyberTec, with the Customer’s compliance obligations in respect of security of personal data, notifications of breaches of Data Protection Legislation to supervisory authorities, communications of breaches of Data Protection Legislation to data subjects, the carrying out of data protection impact assessments and any consultations with supervisory authorities pursuant to Articles 32 to 36 of the GDPR;
e. cease processing the personal data in connection with this Agreement on the termination or expiry of the Agreement, or if earlier, on termination or cessation of the service to which they relate and at the Customer’s request (and at the Customer’s cost), delete (in respect of all the Customer’s personal data) or return to the Customer (in respect of all the Customer’s personal data except copies of back-ups which will be deleted) the Customer’s personal data, and delete all existing copies unless applicable laws require their retention;
f. make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this paragraph and where requested by the Customer (and at the Customer’s cost) allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer;
g. not process the Customer’s personal data in any country outside the European Union (or, after the United Kingdom’s departure from the European Union, outside the combined area of the United Kingdom and the European Union) unless:
i. CyberTec has ensured that there are appropriate safeguards in relation to the transfer and processing in accordance with Article 46 of the GDPR;
ii. the data subject has enforceable rights and effective legal remedies;
iii. CyberTec complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any of the Customer’s personal data that is transferred.
If CyberTec is required by applicable laws to transfer the Customer’s personal data outside of the European Union (or after the United Kingdom’s departure from the European Union, outside the combined area of the United Kingdom and the European Union), CyberTec shall inform the Customer of such requirement before making the transfer (unless CyberTec is barred from making such notification under the relevant applicable law);
h. on reasonable written notice provide the Customer with all reasonable assistance and information required by the Customer to satisfy the Customer’s record keeping obligations under the Data Protection Legislation; and
i. without undue delay after having become aware, notify the Customer of any unauthorised or unlawful processing of any of the Customer’s Personal Data to which this paragraph applies and of any loss or destruction or other damage and shall take such steps consistent with good industry practice to mitigate the detrimental effects of any such incident on the data subjects and co-operate with the Customer in dealing with such incident and its consequences.
5. CyberTec shall (and the Customer acknowledges and agrees that CyberTec shall) use third party sub-Processors for the following general categories of data processing and in order to meet its obligations under the Agreement from time to time:
a. Cloud services providers (including Office 365);
b. Payment services providers;
d. Network Management / SIEM / SOC and Scanning / Testing
A list of the sub-processors used by CyberTec is set out on CyberTec’s website and is available at https://www.CyberTecSecurity.com/documents/CyberTec_Sub_Processors.pdf. If CyberTec wishes to add or replace other sub-Processors, it shall first inform the Customer of the intended change and give the Customer not less than a 30 (thirty) day period in which to object to such changes. Where CyberTec engages another Processor for carrying out specific processing activities on behalf of CyberTec in order for CyberTec to meet its obligations under the Agreement from time to time:
• equivalent data protection obligations as set out in paragraph 4 above shall be imposed on that other Processor by way of a written contract;
• where the Customer objects to the addition of or an intended change to a sub-Processor, the Customer will notify CyberTec in writing of such objection within the above time period and CyberTec may terminate the Agreement by providing the Customer with not less than 30 (thirty) days’ notice;
• CyberTec will remain fully liable to the Customer for the acts and omissions of a sub-Processor.
6. If CyberTec appoints sub-Processors who process the Customer’s personal data outside the European Union (or after the United Kingdom’s departure from the European Union, outside the combined area of the United Kingdom and the European Union), CyberTec shall notify the Customer of such sub-Processors and the jurisdiction(s) in which the Customer’s personal data shall be processed and paragraph 5 shall apply in respect of any objection by the Customer.
7. The terms “Controller”, “Processor”, “data subject”, “personal data” and “processed” bear the respective meanings given them in the Data Protection Legislation.
|Subject Matter|The subject matter of the processing of the Customer’s personal data is: personal data submitted, stored, sent or received by the Customer or its end users via the Services, including user IDs, emails, documents, presentations, tasks, IP addresses and other data.|
|Nature and purpose of Processing|The purpose for the processing of the Customer’s personal data is the performance of the following tasks on behalf of Customer: the provision of the Services; and the provision of technical support services.|
|Types of personal data|First Name, Surname, Business Address, (where necessary) home address, IP address, email address, telephone numbers. Any data stored within a customer’s system which may be scanned or monitored by CyberTec systems during the course of our security scanning or on-going SIEM monitoring of the customer systems.|
|Data Subjects|The processing concerns the following categories of data subjects – the Customer’s end users, suppliers and contractors, and any other person who transmits data via the Services, including individuals collaborating and communicating with the Customer’s end users for the purpose of delivering services within this Agreement.|