compliance and risks
Master License And Services Agreement (MLSA)
COMPLIANCE & RISKS LIMITED (REGISTERED NUMBER) 356948 WHOSE REGISTERED OFFICE IS AT UNIT 9, EASTGATE AVENUE, EASTGATE BUSINESS PARK, LITTLE ISLAND, CORK, IRELAND (“C&R”) PROVIDES SOFTWARE AS A SERVICE AND RELATED SERVICES INCLUDING ACCESS TO A WEB BASED KNOWLEDGE MANAGEMENT DATABASE WHICH INCLUDES COMPLIANCE AND REGULATORY DATA CONTENT. BY: (I) CLICKING ON THE “ACCEPT” BUTTON; OR (II) SIGNING/E-SIGNING THIS AGREEMENT; OR (III) USING THE SERVICES; AND/OR (IV) PAYING THE INVOICE (WHERE RELEVANT) YOU AGREE TO THE TERMS OF THIS AGREEMENT WHICH WILL BIND YOU AS THE CUSTOMER AND THE AUTHORISED USER (AS DEFINED BELOW).
1. DEFINITIONS & INTERPRETATION
Affiliate means any entity, that is controlled by, is under common control with, or controls a person, where “control” means the ability, whether directly or indirectly, to direct the affairs of another by means of majority ownership, contract, or otherwise.
Agreement means the terms and conditions in this master license and services agreement and the Order Form and/or Statement of Work and any other documents explicitly incorporated by reference by the written agreement of the Parties.
Authorised Users means those employees, agents and independent contractors who use the SaaS Services on behalf of the Customer.
C2P means the web based product licensed by C&R to the Customer, including the C&R IP and the C&R Content.
C&R IP means the intellectual property rights in the C&R Content, the Software, the Deliverables and the Services and any updates or modifications thereto.
Confidential Information means information that is proprietary or confidential to the disclosing Party but only to the extent that a reasonable person would consider such information as confidential.
Customer: means the individual or company to whom C&R has agreed to provide a subscription to C2P and/or the Services and who has accepted this Agreement or is otherwise exercising rights under this Agreement. Where relevant references to the Customer shall include the Authorised Users. References to Customer shall apply to any Affiliate of Customer entering into a Order Form and/or Statement of Work with C&R under the terms of this Agreement.
Customer Content means (i) the data input by the Customer or the Authorised Users into C2P to facilitate the Customer’s use of C2P and (ii) the data provided by Customer to C&R as part of the Services.
C&R Content means the information provided by C&R as part of the Deliverables which includes regulatory updates, expert comments, news and analysis and details of regulations and other documents.
Deliverables means the items to be provided by C&R pursuant to this Agreement and any Order Form and/or Statement of Work. The Deliverables may include the SaaS Services and any process, material, report, specification, invention, improvement, design, computer program, method, research, technique or any other material, result or deliverable developed by C&R, in any media, pursuant to or otherwise in connection with this Agreement and any Order Form and/or Statement of Work, including software, reports, plans, documents, and specifications (including drafts, updates and modifications to any of the aforementioned materials).
Effective Date means the date set out in the Order Form and/or Statement of Work that the relevant Services will commence.
Fees means the fees payable by the Customer to C&R for the Deliverables, as set out in the Order Form and/or Statement of Work.
Initial Subscription Term means in the case of any license to C2P, the period of one (1) year from the Effective Date unless otherwise agreed in the Order Form.
Order Form means the document executed by C&R and Customer during the term of this Agreement, setting forth the SaaS Services and the corresponding Fees.
Party means either one of C&R or the Customer as applicable and together they are (the “Parties”) Professional Services means development, migration, integration, testing, conversion, consulting or other services and deliverables provided by C&R as further described in the applicable Statement of Work.
Professional Services means development, migration, integration, testing, conversion, consulting or other services and deliverables provided by C&R as further described in the applicable Statement of Work.
Professional Services Term means the expected term of any Professional Services provided hereunder as set out in the relevant Statement of Work.
Renewal Term means the period described in clause 12.1.
Services means the services provided by C&R under the relevant Order Form or Statement of Work including without limitation, the SaaS Services and the Professional Services and the related Deliverables.
SaaS Services means C2P, the Software and related software-as-a-service, hosting, maintenance and/or support services made available by C&R as part of C2P for remote access by Customer, including any documentation and updates thereto.
Software means the object code version of C2P including, databases, data schemas and data models and documentation and any modifications and updates thereto.
Statement of Work means the document executed by C&R and Customer during the term of this Agreement, setting forth the Professional Services to be performed and Deliverables to be provided, and the corresponding Fee.
Subscription Term has the meaning given in clause 12.1.
User Licences has the meaning given at clause 3.1 .
2. AGREEMENT STRUCTURE
2.1. This Agreement sets out the terms and conditions, and establishes a framework, under which C&R will provide, and Customer agrees that it will acquire, the Services and/or Deliverables pursuant to any Order Form or Statement of Work.
2.2. If the Customer is ordering SaaS Services, C&R and Customer or the relevant Affiliate of Customer shall enter into an Order Form describing the scope of the SaaS Services and the relevant Fees.
2.3. If the Customer is ordering Professional Services, C&R and Customer or the relevant Affiliate of Customer shall enter into a Statement of Work describing the scope of the Professional Services and the relevant Fees.
2.4. Each Order Form and/or Statement of Work shall, once validly executed by both Parties, constitute a separate binding contract between the Parties which incorporates and is subject to the terms and conditions of this Agreement.
3. USER LICENCES
3.1. C&R hereby grants to the Customer’s designated Authorised Users a non-exclusive, non-transferable license to use the SaaS Services during the Subscription Term solely for the Customer’s internal business operations (the “User Licences”).
3.2. The Customer undertakes:
3.2.1. that the number of Authorised Users shall not exceed the number of User Licences set out in the Order Form;
3.2.2. that each User Licence may only be used by one Authorised User;
3.2.3. that each Authorised User shall keep a secure password for use of the SaaS Services and shall keep that password confidential; and
3.2.4. to maintain a list of current Authorised Users and provide such list to C&R upon request.
3.3. The Customer shall not access, store, distribute or transmit any viruses or any material when using the SaaS Services that is considered illegal or harmful or facilitates illegal activity.
3.4. The Customer may do any of the following within the Customer’s business:
3.4.1. view, search, copy and print out C&R Content from C2P;
3.4.2. revise and customise C&R Content from C2P; and
3.4.3. make available to customers, suppliers and partners copies of the C&R Content from C2P provided this is done on a reasonable, non-systematic basis that is not commercially prejudicial to C&R.
3.5. The Customer shall not except to the extent expressly permitted under this Agreement:
3.5.1. attempt to modify, duplicate, create derivative works from, or distribute all or any portion of the SaaS Services (as applicable);
3.5.2. attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software;
3.5.3. access all or any part of the SaaS Services in order to build a product or service which competes with the SaaS Services;
3.5.4. use the SaaS Services to provide services to third parties; or
3.5.5. license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the SaaS Services available to any third party except the Authorised Users.
3.6. The Authorised Users may be granted different rights of access to the SaaS Services. The relevant access rights will be set out in the Order Form.
3.7. Additional User Licenses may be purchased by the Customer upon agreement between the Parties.
4. SAAS SERVICES
4.1. C&R shall provide the SaaS Services to the Customer on and subject to the terms of this Agreement during the Subscription Term.
4.2. C&R shall use commercially reasonable endeavours to provide access to the SaaS Services, 24 hours a day, seven days a week, except for planned maintenance (carried out during such times which are notified to the Customer) and unscheduled maintenance.
4.3. C&R will provide the Customer with support and training on the use of the SaaS Services as set out in the Order Form.
4.4. C&R makes no representation or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any third party website accessible via the SaaS Services, or any transactions completed, and any contract entered into by the Customer, with any such third party.
4.5. Subject to clause 6.1 , C&R shall not be responsible for any inaccuracies or faults in the translated version of any document.
The original version shall always prevail over the translated version in the event of any conflicts.
4.6. C&R reserves the right to modify the SaaS Services at any time. C&R will make available to the Customer all improvements from time to time made available by it to other customers.
5.1. C&R shall provide the Professional Services to the Customer on and subject to the terms of this Agreement during the Professional Services Term.
5.2. Each Deliverable is limited to research detailed in the Statement of Work. C&R provides general regulatory information as part of the Deliverables. This should not be considered as a substitute for application of the regulation or standards to actual product, design or facilities or the enforcement practices of the relevant jurisdiction.
5.3. C&R provides the information included in the Deliverables as a resource of general information. Customer accepts that information contained therein is subject to change without notice by governments, regulatory bodies, or other industry associations. The information included in the Deliverables does not constitute nor should it be deemed to constitute a legal opinion on the subject matter presented, nor does the information contained therein replace any applicable legal or regulatory requirements and is provided “as is”. C&R makes no representation whatsoever that any Deliverable includes all laws and regulations (national, federal, provincial, state, and local) related to any class of product and Customer shall not rely upon any Deliverable as being all inclusive or a notification by C&R of all such laws and regulations.
5.4. Except where agreed in writing, C&R has no duty or obligation to change, update or supplement any Deliverables after publication, whether in light of new information provided by Customer or changes in the law or variations in any other relevant information forming the basis of the Deliverables. Any requests for changes, supplements, or additions to the Deliverables should be made by Customer in writing and shall be valid only if agreed in writing by an authorized representative of C&R.
6. C&R OBLIGATIONS
6.1. C&R undertakes to provide the Services with reasonable skill and care and in compliance with all applicable laws.
6.2. Notwithstanding the foregoing:
6.2.1. C&R does not warrant that the Customer’s use of the SaaS Services will be uninterrupted or error-free; nor that the Services, the C&R Content, and/or the information obtained by the Customer through the Services will meet the Customer’s requirements;
6.2.2. the C&R Content is general and educational in nature and is not intended to constitute a definitive or complete statement of the law on any subject;
6.2.3. nothing in C2P nor any receipt or use of the Services, shall be construed or relied on as advertising or soliciting to provide any legal services, creating any solicitor-client relationship or providing any legal representation, advice or opinion; and
6.2.4. C&R is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet.
6.3. All warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement.
7. CUSTOMER OBLIGATIONS
7.1. The Customer warrants and represents that it has all necessary rights and authority to enter into this Agreement or if Customer is entering into this Agreement on behalf of a company, organization, educational institution, or agency, that Customer has the right and authority to legally bind such entity or organization to the terms and obligations of this Agreement.
7.2. The Customer warrants that it shall:
7.2.1. comply with all applicable laws and regulations with respect to its activities under this Agreement;
7.2.2. ensure that the Deliverables and Services are used in accordance with the terms and conditions of this Agreement and shall be responsible and liable for any breach of this Agreement;
7.2.3. be solely responsible for procuring and maintaining its systems, network connections and telecommunications links to access the Services;
7.2.4. provide, for C&R, its agents, subcontractors, consultants and employees, in a timely manner and at no charge, access to the Customer’s premises, office accommodation, data and other facilities as reasonably required by C&R;
7.2.5. provide, in a timely manner, such Customer Content and other information as C&R may reasonably require, and ensure that it is accurate in all material respects; and
7.2.6. obtain and maintain all necessary licences and consents in relation to the Services.
7.3. If C&R’s performance of its’ obligations under this Agreement is prevented or delayed by any act or omission of the Customer, its agents, subcontractors, consultants or employees, C&R shall not be liable for any costs, charges or losses sustained or incurred by the Customer that arise directly or indirectly from such prevention or delay.
7.4. The Customer shall not, without the prior written consent of C&R, at any time from the date of this Agreement to the expiry of twelve (12) months after the termination of this Agreement, solicit or entice away from C&R or employ or attempt to employ any person who is, or has been, engaged as an employee of C&R in the provision of the Services.
8. CHARGES AND PAYMENT
8.1. In consideration for receipt of the Services, the Customer shall pay the Fees specified in the Order Form and/or Statement of Work.
8.2. The Fees are payable within thirty (30) days of the date of invoice unless otherwise specified in the Order Form and/or Statement of Work. The Fees are exclusive of value added tax or other applicable sales tax, which shall be added to C&R’s invoice at the appropriate rate.
8.3. The Customer agrees to pay each invoice in accordance with the payment terms set out herein.
8.4. If C&R has not received payment in accordance with this Agreement, C&R may, without liability to the Customer, disable the Customer’s account and access to all or part of the Services. C&R shall be under no obligation to provide any or all of the Services while the invoice concerned remain unpaid.
8.5. All SaaS Services Fees stated or referred to in this Agreement are non-cancellable and non-refundable.
9. PROPRIETARY RIGHTS AND CONFIDENTIALITY
9.1. The Customer acknowledges and agrees that C&R and/or its licensors own all intellectual property rights in the C&R IP.
9.2. Except as expressly stated herein, this Agreement does not grant the Customer any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the C&R IP.
9.3. Each Party may be given access to the Confidential Information of the other Party in order to perform its obligations under this Agreement. Confidential Information shall not include information that:
9.3.1. is or becomes publicly known other than through any act or omission of the receiving Party;
9.3.2. was in the other Party’s lawful possession before the disclosure;
9.3.3. is lawfully disclosed to the receiving Party by a third party without restriction on disclosure; or
9.3.4. is independently developed by the receiving Party, which independent development can be shown by written evidence.
9.4. Each Party shall hold the other’s Confidential Information in confidence and, unless required by law, shall not make the other’s Confidential Information available to any third party, or use the other’s Confidential Information for any purpose other than the implementation of this Agreement.
9.5. Each Party shall take all reasonable steps to ensure that the other’s Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.
9.6. The Customer shall own all rights, title and interest in and to all of the Customer Content and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Content.
9.7. C&R acknowledges that the Customer Content is the Confidential Information of the Customer.
9.8. The Customer acknowledges that C&R IP is the Confidential Information of C&R.
9.9. This clause shall survive termination of this Agreement, however arising.
10.1. Subject to clause 11 , C&R shall defend the Customer against any third party claims that the C&R IP infringes any patent, copyright, trade mark or database right and shall indemnify the Customer for any amounts awarded against the Customer in judgment or settlement of such claims, provided that:
10.1.1. C&R is given prompt notice of any such claim;
10.1.2. the Customer provides reasonable co-operation to C&R in the defence and settlement of such claim, at C&R’s expense; and
10.1.3. C&R is given sole authority to defend or settle the claim.
10.2. In the defence or settlement of any claim, C&R may procure the right for the Customer to continue using the C&R IP, replace or modify the C&R IP so that it becomes non-infringing or, if such remedies are not reasonably available, terminate this Agreement on two (2) days’ notice to the Customer without any additional liability to the Customer as a result of such early termination.
10.3. In no event shall C&R, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged infringement is based on:
10.3.1. a modification of the C&R IP by anyone other than C&R; or
10.3.2. the Customer’s use of the Services in a manner contrary to the instructions given to the Customer by C&R or in breach of the terms of this Agreement; or
10.3.3. the Customer’s use of the Services after notice of the alleged or actual infringement from C&R or any appropriate authority.
10.4. The foregoing states the Customer’s sole and exclusive rights and remedies, and C&R’s (including C&R’s employees’, agents’ and sub-contractors’) entire obligations and liability, for infringement of any intellectual property right.
10.5. The Customer shall defend and indemnify C&R against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with the Customer’s use of the Services other than in accordance with this Agreement.
11. LIMITATION OF LIABILITY
11.1. This clause 11 sets out the entire financial liability of C&R (including any liability for the acts or omissions of its employees, contributing experts, agents and sub-contractors) to the Customer.
11.2. Nothing in this Agreement excludes the liability of C&R, for death or personal injury caused by C&R’s negligence or for fraud or fraudulent misrepresentation.
11.3. Subject to clause 11.2 :
11.3.1. C&R shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits, loss of business, depletion of goodwill and/or similar losses or loss or corruption of data or information, or pure economic loss, or for any special, indirect or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and
11.3.2. C&R’s total aggregate liability in contract, tort (including negligence or breach of statutory duty),
misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated
performance of this Agreement shall be limited to the total Fees paid by the Customer during the twelve (12) months immediately preceding the date on which the claim arose.
12. TERM AND TERMINATION
12.1. The SaaS Services shall commence on the Effective Date and, unless otherwise terminated in accordance with this Agreement, shall continue for the Initial Subscription Term as applicable and, thereafter, the relevant Order Form shall be automatically renewed for successive periods of 12 months (each a “Renewal Term”), unless either Party notifies the other Party of termination, in writing, at least sixty (60) days before the end of the Initial Subscription Term or any Renewal Term (together “the Subscription Term”).
12.2. C&R may grant access to the SaaS Services on a trial basis under this Agreement. Such access may be terminated by C&R at any time.
12.3. The Professional Services shall commence on the Effective Date specified in the Statement of Work and shall continue for the Professional Services Term unless otherwise terminated in accordance with this Agreement.
12.4. Either Party may at any time terminate the order for Professional Services under any Work Order for any reason or no reason by giving the other Party thirty (30) days written notice of such termination.
Termination for breach
12.5. Without prejudice to any other rights or remedies to which the Parties may be entitled, either Party may terminate this Agreement without liability to the other if:
12.5.1. the other Party is in material or persistent breach of any of its obligations under this Agreement and either that breach is incapable of remedy, or the other Party has failed to remedy that breach within twenty (20) days after receiving written notice requiring it to remedy that breach; or
12.5.2. the other Party is unable to pay its debts or becomes insolvent or an order is made or a resolution passed for the administration, winding-up or dissolution (otherwise than for the purposes of a solvent amalgamation or reconstruction) or an administrative or other receiver, manager, liquidator, administrator, trustee or similar officer is appointed over all or any substantial part of the assets of the other or the other enters into or proposes any composition or arrangement with its creditors generally or anything analogous to the foregoing occurs in any applicable jurisdiction.
Consequences of termination
12.6. On termination of this Agreement for any reason:
12.6.1. the User Licences granted under this Agreement shall immediately terminate;
12.6.2. each Party shall make no further use of any Confidential Information (and all copies of them) belonging to the other Party;
12.6.3. Customer shall have thirty (30) days to export the Customer Content using the C2P export to Excel function. Following this period C&R may destroy the Customer Content in its possession;
12.6.4. the due date of all invoices will be automatically accelerated to the effective date of termination and Customer shall be liable to pay for all Services provided to the date of termination; and
12.6.5. the accrued rights of the Parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.
12.7. In any of the circumstances under this Agreement in which a Party may terminate this Agreement (including all Order Forms and/or Statements of Work), the Party may instead terminate one or part of the relevant Order Form and/or Statement of Work.
13. FORCE MAJEURE
C&R shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of C&R or any other Party), failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or sub-contractors, provided that the Customer is notified of such an event and its expected duration.
14.1. Where the Parties have affixed their respective electronic signatures hereto by means of Docusign’s electronic signature system, the signatories acknowledge and warrant that they are authorised to sign this Agreement and that they intend to bind the respective Parties on behalf of whom they are signing.
14.2. If the Parties have decided to sign this Agreement by means of Docusign’s electronic signature system, the Parties shall each nominate their signatories and their respective email addresses and the Parties agree that the electronic signature emanating from a nominated email address of a signatory constitutes a valid signature by that signatory and shall be construed as that signatory having signed this Agreement as an original in manuscript.
15. GENERAL PROVISIONS
15.1. If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.
15.2. This Agreement, and any documents referred to in it, constitute the whole agreement between the Parties and supersede any previous arrangement, understanding or agreement between them relating to the subject matter they cover.
15.3. The Data Processing Agreement attached as an addendum to this Agreement shall apply, as applicable, to the processing of personal information by C&R on behalf of the Customer where the General Data Protection Regulation applies, as part of the Services provided under this Agreement.
15.4. Customer agrees that C&R may publicise the existence of this working relationship as a statement of fact. The extent of such publicity may include use of the Customer logo, posting on the C&R website and inclusion in C&R collateral materials.
C&R agrees to apply industry standard practices to all publicity to ensure the highest levels of accuracy and editorial quality.
15.5. Each of the Parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement.
15.6. The Customer shall not, without the prior written consent of C&R, assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
15.7. C&R may at any time assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.
15.8. Any notice to be given under this Agreement will be in writing and addressed to the Party at the address stated in this Agreement.
15.9. The terms and conditions in the Order Form and/or Statement of Work shall prevail over the terms and conditions in this Agreement (Clause 1 to Clause 15 ) to the extent of any conflict. Terms contained in any purchase order or acknowledgement will be of no effect, even if such acknowledgement provides that C&R’s acceptance of the purchase order is conditioned on Customer’s agreement to the proposed terms contained in such purchase order or acknowledgement.
15.10. This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with: (i) the laws of the Republic of Ireland where the Customer’s registered or head office is in any country outside of the United States of America; and (ii) the laws of the State of California where the Customer’s registered or head office is in the United States of America.
15.11. The Parties irrevocably agree that in relation to any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims): (i) the courts of the Republic of Ireland shall have jurisdiction where the Customer’s registered or head office in any country outside of the United States of America; and (ii) the state courts of the State of California shall have jurisdiction where the Customer’s registered or head office is in the United States of America.
ADDENDUM – DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) documents the obligations of the Parties pursuant to Article 28 of the GDPR, where C&R acts as Processor and Customer acts as Controller of the relevant Personal Data. This DPA forms part of the Agreement between the Parties.
(A) C&R has agreed to provide certain Services to the Customer under the terms of the Agreement. The Services involve the processing of Personal Data. A Data Record covering the specific processing activities for the Services is attached to this DPA;
(B) The provisions of this DPA govern the processing of Personal Data pursuant to the Agreement;
(C) For the purposes of the Services provided by C&R, the Customer is the Controller and C&R is the Processor; and (A) This DPA shall take precedence over the terms and conditions of the Agreement in case of any conflict.
1. DEFINITIONS AND INTERPRETATION
1.1. The following definitions shall apply for the purposes of this DPA:
Agreement: means the agreement between the Parties for the provision by C&R of certain services which require that C&R processes Personal Data on behalf of the Customer, as described in the relevant Order Form.
Controller: has the meaning provided in the GDPR;
Data Record: is the record of processing activities attached as Annex 1 to this Data
GDPR: means regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Personal Data: means any information processed by Supplier under the Agreement relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
DP Laws: means the GDPR and any other applicable data protection legislation including the Data Protection Act 1988 to 2018 in the Republic of Ireland;
Processor: has the meaning provided in the GDPR;
Security Event: means an incident which resulted in (or may result in) the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Personal Data while in the custody or control of C&R; and
Sub-Processor: means another Processor engaged by C&R in carrying out processing activities in respect of the Personal Data on behalf of C&R and authorised by the Customer in accordance with this Data Processing Agreement and the Data Record.
1.2. The terms “data subject” and “processing” have the meanings set out in the GDPR (and related terms such as “process” have corresponding meanings).
1.3. The terms of this Data Processing Agreement are confidential between the Customer and C&R and C&R shall not disclose or otherwise use the terms of this Data Processing Agreement except for the purposes of compliance with the terms set out herein.
1.4. Capitalised terms used herein but not defined shall have the meaning provided in the Agreement.
2.1. In the course of the Agreement, C&R will process Personal Data on behalf of the Customer.
2.2. C&R acts as a Processor when providing the Services to the Customer and the Customer is the Controller.
2.3. This Data Processing Agreement specifies the obligations of the Parties as Controller and Processor.
3. OBLIGATIONS OF THE SUPPLIER
3.1. C&R in its role of Processor will:
3.1.1. comply with the DP Laws in connection with all processing of Personal Data undertaken hereunder;
3.1.2. process Personal Data provided for the Services only for the purposes of providing the Services and in compliance with the instructions of the Customer;
3.1.3. ensure that all staff processing Personal Data are subject to obligations of confidentiality to ensure that the Personal Data is kept safe and secure;
3.1.4. provide the Services to meet the technical and organizational measures specified as part of the Data Record. C&R may change the security measures specified on the Data Record but must ensure that the level or protection does not thereby fall below the contractually stipulated level of protection;
3.1.5. provide all information necessary for the purposes of any data protection impact assessment
undertaken pursuant to Article 35 and Article 36 of the GDPR;
3.1.6. notify the Customer, as soon as reasonably practicable, in the event of violations against laws and regulations relating to the protection of Personal Data or against the provisions of this Data Processing Agreement committed by C&R or the persons employed by C&R within the scope of the Agreement.
3.2. The name of the C&R and Customer designated contact for all data protection issues that fall within the scope of this Agreement is set out in the Data Record.
4. OBLIGATIONS OF THE CUSTOMER
4.1. The Customer will comply with the DP Laws.
4.2. The Customer must ensure, where applicable, that in connection with all Personal Data provided to C&R that it has complied with Article 6 and Article 9 of the GDPR to ensure that the Customer can legally provide the Personal Data to C&R and C&R can process the Personal Data to provide the Services.
4.3. The Customer acknowledges that C&R is reliant on the Customer for direction as to the extent to which C&R is entitled to process the Personal Data. Consequently, C&R will not be liable for any claim brought by a data subject arising from any action or omission by C&R, to the extent that such action or omission resulted from the instructions of the Customer.
5. DATA SUBJECT ACCESS REQUESTS
5.1. If the Customer has an obligation to provide a data subject with information on the processing of their Personal Data, C&R will assist the Customer in making this information available. The Customer must request C&R’s written assistance specifying the Personal Data required. C&R shall not respond directly to any data subject requests for information and shall refer the data subject to the Customer and inform the Customer in writing about the details of any request received, as soon as possible.
5.2. If a data subject requests C&R to correct, delete or block Personal Data, C&R shall refer the data subject to the Customer and inform the Customer in writing of the details of the request.
6.1. C&R must have all Sub-Processors approved by the Customer before providing any Personal Data to them for processing in connection with the Agreement.
6.2. The Customer approves the Sub-Processors specified in the Data Record and it is acknowledged that C&R may provide those approved Sub-Processors with Personal Data in order to provide the Services under this Agreement.
6.3. C&R must ensure that all processing undertaken with any Sub-Processor imposes materially the same terms and conditions on the Sub-Processor as are imposed on C&R under this Agreement.
6.4. The Data Record will specify any Sub-Processors that the Customer agrees may be used by C&R in order to provide the Services. In the event that C&R uses any Sub-Processor situated in a country outside of the European Economic Area, or for which the European Commission has not determined that such country ensures an adequate level of protection, C&R will ensure a transfer method compliant with the GDPR is used to transfer the Personal Data.
7. AUDIT AND ASSESSMENT
7.1. C&R will allow its implementation and compliance with its obligations under this Data Processing Agreement to be audited by the Customer or an external auditor approved by the Customer at least annually. If and insofar as the audit indicates that C&R’s compliance falls short on one or more aspects, C&R will make concrete proposals for improvements in this respect, if possible in the context of its continuous improvement program.
7.2. If the audit/assessment referred to in paragraph 7.1 identifies any gaps in C&R’s processing activities which are not compliant with this Data Processing Agreement or the relevant DP Laws the Customer has the right to ask C&R to update the technical and organizational security measures taken so that they are in line with the relevant requirements. C&R will provide all reasonable cooperation and as soon as reasonably practicable implement the necessary modifications indicated by the Customer.
ANNEX 1 – DATA RECORD
Customer: [INSERT] Supplier: Compliance & Risks Limited
Customer Contact Name: [INSERT] Supplier Contact Name: [INSERT]
Processing carried out by Supplier: C&R delivers a web-based SaaS product as further detailed in the Order Form which involves the processing of user registration and support information.
Retention: The personal data will be processed for the duration of the Agreement and for thirty (30) days following termination.
Description of Data Subject: Authorised Users of the Services including employees and contractors of the Customer
Personal Data processed as part of the Services:
User First Name and Last Name
User Email Address
User support and maintenance queries
Special Categories of Personal Data: N/A
Permitted Sub- Processors and transfers:
Sub processor Services
- Amazon Web Services Ireland
- Compliance and Risks Inc.
- Revolution IT Ltd
- Zendesk Inc.
- Hubspot Inc
- Slack Technologies
- Hosting Services
- Support Services, affiliate of Supplier
- Maintenance and Security Services
- Maintenance and Security Services
- Support Services
- Support Services
- Support Services
Technical and Organisational Measures
The technical and organisational measures undertaken by C&R are specified in Annex 2
ANNEX 2 – TECHNICAL AND ORGANISATIONAL MEASURES
C&R will utilize only SOC 2/SSAE 18/ISAE 3402 certified data centre facilities, which sets a standard for Environmental and Physical security.
C&R encrypts Personal Data using SSL/TLS strong ciphers when in transit between a user computer and C&R servers.
Customer data in C2P is encrypted when at rest in all backup media and at rest in the database.
Network security measures include:
- The Next Generation Firewall (NGFW) with network-based IDS/IPS (intrusion detection system/ intrusion prevention system)
- The only port open to the public internet is 443 (HTTPS)
- VPN connection is used for deployments and server management.
- Strong VPN authentication uses individual certificate and its password to authenticate the user
- VPN is using AES-256 encryption with SHA-256 for data integrity
SSH access is available only through VPN or sometimes from specified IP.
- MySQL access is available only through VPN or through SSH tunnel from specified IP.
- HTTPS ciphers and protocols are reviewed and evaluated annually.
Host security measures include:
- Linux Server OS is hardened using multiple hardening guidelines from:
- Red Hat
- Please ask us for the full list for linux hardening standards.
- OpenSCAP security hardening baseline auditing
- Unused OS services are disabled.
- All OS patches are applied every quarter
- High severity security patches are applied within hours according to SLA level.
- Host OS uses strong password policy and only SSH keys authentication is allowed for remote users. SSH password authentication is disabled.
- Advanced Host firewall CSF is in use (We use many CSF features like Login Failed Daemon, Connection Tracking, Port scanning, etc.)
- Malicious IP’s block lists are used in CSF.
- CSF cluster with real time blocking of honeypot IP’s.
- Antivirus for malware protection
- Host-based Intrusion Detection, which is connected with SEIM.
- File Integrity Monitoring for configuration files
- Periodic static and dynamic security e-mail reports
- Extensive event logging. All commands and outgoing connections are logged.
- Applications run only as non-privileged OS users.
- C2P apache proxy servers have mod_security as Web Application Firewall
Backups and Disaster Recovery measures include:
- Data stored in the database is using MySQL cluster.
- Data backups are happening every 6/12/24 hours based on criticality to local NAS (Network Attached Storage) and to remote site.
- All backups are automated with bash shell script to pull and collect data (file and database) to backup VM. No manual intervention is required.
- Database backups are encrypted at the time of database dump.
- Backups visibility – e-mails about backup failures and daily backup status.
- VM images are created and stored on local and remote NAS to recreate VM if needed.
- Backup Retention Policy – Backup of C2P databases: daily for rolling 6 month.
- The distance between the operational location and disaster recovery site is about 5000 miles, ensuring independence from a single disaster.
- Database backups are restored every quarter to ensure restorability.
Semi-annual recovery tests to validate the disaster recovery process.
Other security measures include:
- Separate syslog server for secure log storage and error analysis
Vulnerability scanning is performed on at least an annual basis. Any issues discovered are immediately addressed and vulnerability scanning repeated until satisfactory results.
- Special honeypot server is exposed to the internet to capture unwanted scanning and break-in attempts. All CSF blocks on honeypot are distributed immediately to all other servers as part of CSF cluster functionality.
- Many custom CSF block rules have been configured to block web server attacks.
- We use centralized SaltStack configuration management system and gather security information to generate reports.
- Security operations are done with SEIM system to monitor for suspicious activities and failed login attempts.
- Proactive resource monitoring
C2P is offered with many data segregation options:
- 1) Shared multi-tenant application server with data segregation at hibernate filters level
- 2) Dedicated virtual C2P application server with separate database schema
- Other custom configurations are available upon request.
Application security measures include:
- C2P content is located behind a login page.
- There are configurable and non-configurable password requirements.
C2P login page has a brute-force protection after several failed login attempts.
- C2P application allows users to change their passwords.
- Log Out. Web application offer a “log out” button or link that, when clicked, not only terminates the session (deletes cookies from the client) but also invalidates the entire session ID.
- Most of the customer data is stored encrypted at rest in the database using 256-bit encryption.
- C2P passwords and secure question are stored hashed in the database
System change control procedures (Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.)
- Technical review of applications after operating platform changes (When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.)
- The application server maintains standard user access logs that contain user’s IP address and the application URLs accessed by the user.
- Secure development environment
- 12-18 months of Application access and user action logs retention
- The C2P history subsystem logs user transactions in C2P and retains them indefinitely.
- C2P supports SAML 2.0 Single Sign-On
- Dynamic Application vulnerability scanning