Online Sales Agreement
This Online Sales Agreement (“Agreement”) sets out the terms and conditions that govern Your access and use of the Services. This Agreement is between UKCloud Ltd, company number 07619797, whose registered office is Hartham Park, Corsham, Wiltshire SN13 0RP (“We”, “Us” or “Our”) and the entity you represent (“You” or “Your”), each a “Party”, and together the “Parties”.
This Agreement comes into effect when you click “I Agree” (the “Effective Date”).
1. Sales and Order Process
1.1 When You place Your first order (the “Initial Order”) it will be limited to Our “UKCloud for VMware” Service. Further detail is set out here https://docs.ukcloud.com/articles/other/other-faq-credit-card.html
1.2 We are under no obligation to accept Your order. We will be in touch with You within 1 working day to qualify Your order, verify Your identity and ensure that You and the entity You represent comply with the terms of this Agreement (“Qualification” or “Qualified”).
1.3 We reserve the right to decommission Your Service in accordance with the provisions of clause 8.5 of this Agreement if You or the entity You represent cannot be satisfactorily Qualified by Us, or if We are unable to complete the Qualification process within 2 working days because of Your unavailability.
1.4 Once the Qualification process has been completed satisfactorily, account restrictions shall be removed. Please contact firstname.lastname@example.org for more information about any additional Services that may be available to You.
2. Supply of the Services
2.1 We are entitled upon giving 30 business days’ written notice to You to vary Our Services or to exclude from this Agreement any part of the Services as We think fit if for any reason and the supply of such Services shall be discontinued.
2.2 We may exclude, discontinue or make changes to the Services without notice to You where there is significant risk to the security, integrity and availability of any third party’s platforms, services and content, but will use best endeavours to give You reasonable notice in line with the emergency maintenance provisions within the applicable Service Definition.
2.3 You acknowledge and agree that any Service provisioned via Our Management Portal is subject to the terms of this Agreement (including any applicable annexes) the applicable Service Definition, any applicable Fair Use Policy, and Our System Interconnect Security Policy (SISP).
2.4 We are entitled to suspend Your or any End User’s right to access all or some of the Services immediately upon notice to You if We reasonably believe that:
a) You or an End User is a security risk to the Services or to a third party;
b) You or an End User could adversely affect Our platforms and Services or the platforms, services and content of any third party;
c) You or an End User’s use of the Services is fraudulent; or
d) We are required to suspend Your access to the Services under Law.
2.5 If We suspend Your right of access to the Services You will remain responsible for all fees and Charges You incur during the suspension and You will not be entitled to any Service Credits for any period of suspension.
3. Service Levels and Service Credits
3.1 Subject to clause 3.2 We shall provide the Services to meet or exceed the relevant Service Levels.
3.2 You are not entitled to receive support services, Service Levels or Service Credits until Your Initial Order has been Qualified.
3.3 When applicable, and subject to the limit set out in the Service Definition, We will credit You with the applicable Service Credits, provided You claim the Service Credits from Us within 30 calendar days of the Service Level event.
3.4 Notwithstanding anything stated in this Agreement, We shall not be liable for any failure to perform, or any delay in performing, any of Our obligations under this Agreement to the extent such failure is directly caused by an act or omission of You, an End User or any other person under Your control.
4.1 You are entitled to use the “Powered by UKCloud” logo when marketing Services which are hosted on Our platform in accordance with the usage guidelines which are available on request from email@example.com.
4.2 You shall not use deceptive, misleading or unethical practices that are, or might be, detrimental to Us, the Services, or any third party and You shall not publish or employ, or co-operate in the publication or employment of, any false, misleading or deceptive advertising material or other representations with regard to Us or the Services.
5. Price and payment
5.1 When You place Your Initial Order We will, via a third-party payment provider, deduct £1.00 from Your payment card in order to verify Your payment details. This will be refunded to You no later than within 5 working days.
5.2 Your Initial Order will entitle You to a one-time credit of £100 towards the Charges (“One Time Credit”). Any Service consumption which exceeds the value of the One Time Credit shall be charged at Our standard rates set out in Our Pricing Guide.
5.3 You may cancel your Initial Order, or any subsequent order, at any time, but You shall be liable for any Charges You incur that exceed the value of the One Time Credit. Further information about how to cancel Your order is available from firstname.lastname@example.org.
5.4 We may change the price of any Service at any time.
5.5 The Charges are stated exclusive of any applicable value added tax and other sales tax, which shall be payable by You in addition following receipt of a valid invoice from Us.
5.6 Unless otherwise stated in the Pricing Guide, We will invoice You monthly in arrears for the Charges.
5.7 Your payment card shall be debited with the full amount invoiced to it by Us (subject to any amounts legitimately disputed by You) in pounds sterling no sooner than 7 working days of the invoice being issued to You to the email address you have given in relation to this Agreement.
5.8 Your non-cancellation, non-termination or continued use of a Service confirms that We are authorised to debit Your payment card with the applicable Charges for the Services, and You shall be responsible for the Charges.
5.9 Interest may be chargeable on any undisputed debt hereunder at the statutory interest rate in accordance with the Late Payment of Commercial Debts (Interest) Act 1998, without prejudice to any other right or remedy of either Party.
5.10 Each Party shall bear its own costs in complying with its obligations under this Agreement.
6.1 Both Parties shall:
a) comply with all legal requirements from time to time in force relating to the sale and performance of the Services;
b) inform the other Party immediately of any changes in ownership or Control and of any change in its organisation or method of doing business which might affect the performance of their duties in this Agreement; and
c) promptly inform the other Party of any claims or proceedings made or brought against the Party that may affect the rights or interests of the other Party under this Agreement.
6.2 You shall be responsible for any third party licenses and license costs which are not included in the relevant Service Definition and will be wholly liable to Us for any unlicensed software used in connection with Our Services including unlicensed software installed by any End User.
6.3 You shall own all rights, title and interest in and to the Content and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Content.
6.4 You acknowledge and agree that We may disclose Your Content to third parties if We are under duty to comply with any legal obligation.
7.1 Each Party warrants that:
a) it has full capacity and authority and all necessary consents to enter into and to perform this Agreement and to grant the rights and licences referred to in this Agreement and that this Agreement is executed by its duly authorised representative and represents a binding commitment on it; and
b) it shall comply with all applicable Laws in the performance of its obligations under this Agreement.
7.2 You warrant that You, any End User and the entity You represent:
a) shall not access, store, distribute or transmit any viruses or malware, or any material or Content during the course of use of the Services that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence; or is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activity. We reserve the right, without liability, to immediately disable access to or remove any material that breaches the provisions of this clause;
b) shall not conduct any activity in relation to the Services which We may reasonably believe is a security risk to the Services or to a third party or could adversely affect Our platforms and Services or the platforms and Content of third parties;
c) shall not use the Services in a fraudulent manner;
d) shall not cause reputational damage to Us;
e) have made no false or misleading representations about You, an End User or the entity that You represent.
8. Term and Termination
8.1 This Agreement shall commence on the Effective Date and shall (subject to earlier termination as provided in this Agreement) continue in force for an initial period of 2 years and shall automatically renew thereafter for successive periods of 1 year unless terminated by either Party giving the other Party 30 days’ notice.
8.2 Unless otherwise specified in the applicable Service Definition, both Parties may terminate this Agreement for convenience by giving the other Party 30 days’ written notice.
8.3 In the event of termination for convenience neither Party shall be liable for lost or anticipated profits or unabsorbed indirect costs or overhead of the other Party.
8.4 Either Party may terminate this Agreement for cause if the other Party is in material or persistent minor breach of this Agreement, and the material or persistent minor breach remains uncured for a period of 30 days from receipt of notice from the other Party.
8.5 We may terminate this Agreement immediately upon notice to You if We reasonably believe that You are in breach of clauses 7 (Warranties), 11 (Confidential Information), and 12 (Ethical Behaviour) of this Agreement or in order to comply with the Law or requests of government entities, in which case We are entitled to remove Your Content from Our platforms with immediate effect.
9. Consequences of Termination
9.1 Upon termination of this Agreement:
a) the Parties shall at their own expense within 30 days return to the other Party or otherwise dispose of in accordance with the directions of the other Party all documentation of any nature whatsoever relating to the Services in its possession or control;
b) You shall cease to use the Trade Marks;
c) You shall remain responsible for all Charges You have incurred through the termination date and You shall remain responsible for Charges You incur during the post termination period and Your payment card will be debited accordingly;
d) no other sums shall become due from Us to You;
e) unless We terminate pursuant to clause 8.5 during 30 days following the termination date We will not remove Your Content from Our platforms and We will allow You to retrieve Your Content only if You have paid all Charges due under this Agreement; and
f) if You do not pay all Charges due under this Agreement within 30 days of termination, We reserve the right to remove Your Content from Our platforms.
9.2 Termination of this Agreement shall be without prejudice to any other continuing rights or remedies that either Party may be entitled to hereunder or at Law. Such termination shall not affect any accrued rights or liabilities of either Party or any rights or liabilities which are expressly or by implication intended to come into or continue in force on or after such termination together with such provisions of this Agreement as are intended to survive termination, including, but not limited to, clauses 5 (Price and Payment), 6 (Undertakings), 7 (Warranties), 8 (Term/Termination), 11 (Confidential Information), 13 (Limitation of Liability), and 19 (General Provisions) which shall not be affected by termination.
10. Intellectual Property Rights
10.1 We grant to You for the duration of this Agreement a non-exclusive licence to use the Trade Marks for the purposes of promotion of the Services, in accordance with Our branding guidelines which are available on request from email@example.com.
10.2 You shall not register or use any URL incorporating Our Trade Marks or any other name confusingly similar to Our Trade Marks and You shall not use any of the Trade Marks in any form within Your domain name.
10.3 Other than as expressly set out in this Agreement, We do not grant to You any licence of, right in, or make any assignment of any of Our Intellectual Property Rights.
10.4 Nothing in this Agreement gives or shall give any intellectual property ownership or control rights of You to Us.
11. Confidential Information
11.1 Confidential Information of either Party is disclosed for the limited purposes of enabling each Party to carry out its obligations and exercise its rights under this Agreement.
11.2 The Parties agree that in consideration of the disclosure of Confidential Information by one Party (the “Discloser”) to the other (the “Recipient”):
a) Information disclosed hereunder shall be considered “Confidential Information” and subject to the terms and conditions of this Agreement if disclosed either: (i) in writing; (ii) by delivery of items; (iii) by initiation of access to Confidential Information such as may be contained in an electronic data repository; or (iv) by oral and/or visual presentation.
b) If Confidential Information is disclosed in non-written form the Confidential Information will be identified to the Recipient as confidential at the time of initial disclosure and within 14 days thereafter the Discloser will provide the Recipient with written confirmation of the Confidential Information disclosed; all protection and restrictions in this Agreement as to the use and disclosure of Confidential Information shall apply during the said period of 14 days.
11.3 During the term of this Agreement the Recipient shall, subject to the following provisions of this Agreement, hold the Confidential Information under conditions of strict confidence using the same care and discretion as it uses with its own confidential information of a similar nature (but using no less than a reasonable standard of care) and shall not use, copy, or disclose the Confidential Information in whole or in part in any manner or form for other than for the Purpose of this Agreement.
11.4 The Recipient may disclose the Confidential Information only to those of its officers and employees and those of its parents, subsidiaries and subsidiaries of its parents as need to know the Information for the Purpose of this Agreement. If the Recipient needs to disclose the Information to third parties, the Recipient shall first obtain the Discloser’s written approval and have a written agreement with such third party no less restrictive than this Agreement.
11.5 It is understood that receipt of Confidential Information under this Agreement shall not create any obligation in any way restricting the assignment and/or reassignment of any Parties’ employees within their respective companies and those of its parent and subsidiaries.
11.6 The restrictions and obligations in paragraphs 11.3 and 11.4 shall not apply to any of the Information which the Recipient can show:
a) is already known to the Recipient without restrictions on disclosure or use prior to its disclosure; or
b) is received by the Recipient without any obligation of confidence from a third party having a right to disclose it; or
c) has been generated independently by the Recipient; or
d) is in or enters the public domain otherwise than by breach of this Agreement or another undertaking; or
e) was authorised for public disclosure in writing by the Discloser.
11.7 The Recipient may disclose Confidential Information when required by Law or directed by an authorised government representative acting within the scope of his authority. In such cases the Recipient shall: (i) give the Discloser prompt notice; and (ii) make a reasonable effort to obtain appropriate protection; and (iii) provide the Discloser with every available opportunity to challenge, appeal, or seek modification of such order; and (iv) shall identify the Discloser as the source of the Confidential Information; and (v) include all restrictive legends in any released Confidential Information.
11.8 On completion or termination of this Agreement, the Recipient shall promptly return or verify destruction of the Confidential Information, and any copies of it, to the Discloser. Notwithstanding the foregoing, latent data such as deleted files, and other non-logical data types, such as memory dumps, swap files, temporary files, printer spool files, and metadata that can only be retrieved by information technology experts and is generally considered inaccessible without the use of specialised tools and techniques will not be required to be returned or destroyed.
11.9 Any obligations which by their nature extend beyond the termination or expiration of this Agreement will remain in effect until fulfilled and will apply to either Party’s successors or assignees.
11.10 The Parties will comply with all applicable United Kingdom or any other relevant security regulations for the handling of classified information.
12. Ethical Behaviour
12.1 The Parties shall comply with applicable Laws and regulations relating to anti-corruption, including, without limitation, the UK Bribery Act 2010.
12.2 In carrying out their responsibilities under this Agreement, the Parties represent that:
a) they have not paid, offered, promised to pay or authorised and will not pay, offer, promise to pay, or authorise the payment directly or indirectly of any monies or anything of value (in the form of entertainment, gifts, gratuities, or otherwise) for the purpose of obtaining or rewarding favourable treatment;
b) they have not paid, offered, promised to pay or authorised and will not pay, offer, promise to pay, or authorise the payment directly or indirectly of any monies or anything of value to (i) any person or firm employed by or acting for or on behalf of any customer, whether private or governmental, or (ii) any government official or employee or any political party or candidate for political office for the purpose of influencing any act or decision or inducing or rewarding any action by the customer in any commercial transaction or in any governmental matter or securing any improper advantage to assist in obtaining or retaining business or directing business to any person;
c) they have not made and will not make, either directly or indirectly, any improper payments, including but not limited to facilitation payments, gratuities or kickbacks;
d) they have established and will maintain an effective business ethics and compliance program and procedures to prevent corruption and ensure compliance with the Bribery Act. Each Party’s program and procedures shall implement guidance published by the United Kingdom Ministry of Justice relative to compliance with the Bribery Act;
e) Each Party will promptly disclose to the other together with all pertinent facts any violation, or alleged violation, of the Bribery Act in connection with the performance of this Agreement.
13. Limitation of liability
13.1 Nothing in this Agreement excludes the liability of either Party:
a) for death or personal injury caused by its negligence;
b) for fraud or fraudulent misrepresentation; or
c) for any other matter to the extent that such liability may not be limited or excluded by applicable Law.
13.2 Subject to clause 13.1, We shall not be liable to You whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for:
a) loss of profits (whether direct or indirect), loss of business, anticipated savings or similar losses;
b) damage to reputation or goodwill; or
c) any indirect or consequential loss or damage.
13.3 Excepting clauses 6.2, 7.2, 8.5, 13.1 and 13.2, each Party’s total aggregate liability in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement shall be limited to 125% of the Charges payable by You to Us in the year in which the liability arises or any anniversary thereof in which the liability arises during the Agreement.
14. Data Processing
14.1 Each Party shall comply with its respective obligations under the provisions of the Data Protection Act 2018 (the “DPA”), and references in this clause to “Data Processor”, “Data Controller”, “Data Subject” and “Personal Data” shall have the meanings defined in the DPA.
14.2 The Parties acknowledge that for the purposes of the DPA, You are the Controller and We are the Processor. The only processing that We are authorised to do is determined by You and may not be determined by Us.
14.3 We shall notify You without undue delay if We consider that any of Your instructions infringe the DPA.
14.4 We shall provide all reasonable assistance to You in the preparation of any Data Protection Impact Assessment prior to commencing any processing. Such assistance may, at Your discretion, include:
a) a systematic description of the envisaged processing operations and the purpose of the processing;
b) an assessment of the necessity and proportionality of the processing operations in relation to the Services;
c) an assessment of the risks to the rights and freedoms of Data Subjects; and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of Personal Data.
14.5 We shall, in relation to any Personal Data processed in connection with this Agreement:
a) process that Personal Data only in accordance with Your instructions, unless We are required to do otherwise by Law. If it is so required We shall promptly notify You before processing the Personal Data unless prohibited by Law;
b) ensure that We have in place Protective Measures, which have been reviewed and approved by You as appropriate to protect against a Data Loss Event having taken account of the:
(i) nature of the data to be protected;
(ii) harm that might result from a Data Loss Event;
(iii) state of technological development; and
(iv) cost of implementing any measures;
c) ensure that:
(i) Our personnel do not process Personal Data except in accordance with this Agreement;
(ii) We take all reasonable steps to ensure the reliability and integrity of any of Our personnel who have access to the Personal Data and ensure that they:
(A) are aware of and comply with Our duties under this clause;
(B) are subject to appropriate confidentiality undertakings with Us or any Sub-processor;
(C) are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third Party unless directed in writing to do so by You or as otherwise permitted by this Agreement; and
(D) have undergone adequate training in the use, care, protection and handling of Personal Data; and
d) not transfer Personal Data outside of the EU unless We have received Your prior written consent and the following conditions are fulfilled:
(i) You or We have provided appropriate safeguards in relation to the transfer (whether in accordance with GDPR Article 46 or LED Article 37) as determined by You;
(ii) the Data Subject has enforceable rights and effective legal remedies;
(iii) We comply with Our obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if not so bound, use best endeavours to assist You in meeting Your obligations); and
(iv) We comply with any reasonable instructions notified to Us in advance by You with respect to the processing of the Personal Data;
e) at Your written direction, delete or enable the return of Personal Data to You on termination of the Agreement unless We are required by Law to retain the Personal Data. You may retrieve Your Personal Data at any time.
14.6 Subject to clause 14.7, We shall notify You as soon as possible if We:
a) receive a Data Subject Access Request (or purported Data Subject Access Request);
b) receive a request to rectify, block or erase any Personal Data;
c) receive any other request, complaint or communication relating to either Party’s obligations under the Data Protection Legislation;
d) receive any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed under this Agreement;
e) receive a request from any third Party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; or
f) become aware of a Data Loss Event.
14.7 Our obligation to notify under clause 14.6 shall include the provision of further information to You in phases, as details become available.
14.8 Taking into account the nature of the processing, We shall provide You with full assistance in relation to either Party’s obligations under the DPA and any complaint, communication or request made under clause 14.6 (and insofar as possible within the timescales reasonably required by You) including by promptly providing:
a) You with full details and copies of the complaint, communication or request;
b) such assistance as is reasonably requested by You to enable You to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
c) At Your request, provide You with any Personal Data We hold in relation to a Data Subject;
d) assistance as requested by You following any Data Loss Event;
e) assistance as requested by You with respect to any request from the Information Commissioner’s Office, or any consultation by You with the Information Commissioner’s Office.
14.9 We shall maintain complete and accurate records and information to demonstrate Our compliance with this clause.
14.10 We shall allow for audits of Our Data Processing activity by You or Your designated auditor. Such audits shall not compromise the availability, security or integrity of Our Services, platforms and third party data.
14.11 We shall designate a data protection officer which can be contacted at firstname.lastname@example.org.
14.12 Before allowing any Sub-processor to process any Personal Data related to this Agreement, We will:
a) notify You in writing of the intended Sub-processor and processing;
b) obtain Your written consent;
c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this clause 14.12 such that they apply to the Sub-processor; and
d) provide You with such information regarding the Sub-processor as You may reasonably require.
14.13 We shall remain fully liable for all acts or omissions of any Sub-processor.
14.14 We may, at any time on not less than 30 Working Days’ notice, revise this clause by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
14.15 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office.
15. Force Majeure
15.1 Subject to the remaining provisions of this clause 15, neither Party shall in any circumstances be liable to the other for any delay or non-performance of its obligations under this Agreement to the extent that such non-performance is due to a Force Majeure Event.
15.2 In the event that either Party is delayed or prevented from performing its obligations under this Agreement by a Force Majeure Event, such Party shall:
a) give notice in writing of such delay or prevention to the other Party as soon as reasonably possible, stating the commencement date and extent of such delay or prevention, the cause thereof and its estimated duration;
b) use all reasonable endeavours to mitigate the effects of such delay or prevention on the performance of its obligations under this Agreement; and
c) resume performance of its obligations as soon as reasonably possible after the removal of the cause of the delay or prevention.
15.3 As soon as practicable following the affected Party’s notification, the Parties shall consult with each other in good faith and use all reasonable endeavours to agree appropriate terms to mitigate the effects of the Force Majeure Event and to facilitate the continued performance of this Agreement.
15.4 The affected Party shall notify the other Party as soon as practicable after the Force Majeure Event ceases or no longer causes the affected Party to be unable to comply with its obligations under this Agreement. Following such notification, this Agreement shall continue to be performed on the terms existing immediately prior to the occurrence of the Force Majeure Event unless agreed otherwise by the Parties.
16.1 Any notice to a Party under this Agreement shall be in writing. We shall send any notice to You to the email address You have registered for Your account with Us, and You shall send any notices to email@example.com.
17. Assignment and Subcontracting
17.1 Notwithstanding anything stated to the contrary in this Agreement, either Party shall not, without the prior written consent of the other Party, assign or sub-contract, any of its rights or obligations under this Agreement (such consent not to be unreasonably withheld).
18. Dispute Resolution
18.1 If any dispute arises in connection with this Agreement, the Parties will, within 7 days of a written request from one Party to the other (or within such time as may be agreed by the Parties in writing), meet in a good faith effort to resolve the dispute.
18.2 If the dispute is not resolved at that meeting (or within such other period that is agreed by both parties in writing), the Parties will attempt to settle it by mediation in accordance with the Centre for Effective Dispute Resolution (“CEDR”) Model Mediation Procedure. Unless otherwise agreed between the Parties, the mediator will be nominated by CEDR. To initiate the mediation a Party must give notice in writing (“ADR notice”) to the other Party to the dispute requesting a mediation. A copy of the request should be sent to CEDR Solve. The mediation will start not later than 14 days after the date of the ADR notice.
18.3 No Party may commence any court proceedings in relation to any dispute arising out of this Agreement until it has attempted to settle the dispute by mediation and either the mediation has terminated or the other Party has failed to participate in the mediation, provided that the right to issue proceedings is not prejudiced by a delay.
19. General Provisions
19.1 No single or partial exercise, or failure or delay in exercising any right, power or remedy by any Party shall constitute a waiver by that Party of, or impair or preclude any further exercise of, that or any right, power or remedy arising under this Agreement or otherwise.
19.2 Nothing in this Agreement shall create a partnership or joint venture between the Parties and save as expressly provided in this Agreement neither Party shall enter into or have authority to enter into any engagement or make any representation or warranty on behalf of or pledge the credit of or otherwise bind or oblige the other Party.
19.3 We reserve the right to modify this Agreement at any time (including any referenced documents) by placing a revised version on Our website, and We recommend that You revisit the terms of this Agreement on Our website from time to time.
19.4 This Agreement sets out the entire agreement and understanding of the Parties with respect to the subject matter of this Agreement and supersedes all representations, communications and prior agreements (written or oral).
19.5 This Agreement, and any matters arising out of or in connection with it (whether contractual or non-contractual) shall be governed by and construed in accordance with the Laws of England and Wales.
ANNEX A: MICROSOFT ADDITIONAL CLAUSES
Applicable when you deploy Microsoft products on our services
1. You will ensure that any application provider and any End User has valid Microsoft Licensing using the Microsoft Mobility Programme.
2. Existing Licensing or SQL can be purchased through Us.
3. Microsoft Operating System licensing may only be provided by Us.
4. You or an End User may provide own application licensing but must complete and provide a Microsoft Mobility Agreement to Us.
5. In the event that You have failed to pay for the correct number of End Users, or other necessary software licenses, You will promptly obtain the correct amount, and hold Us harmless against any consequential liabilities.
6. You will comply with the Microsoft End User Licence Terms. Please contact firstname.lastname@example.org for a copy of these terms.
ANNEX B – PUBLIC SECTOR NETWORK (PSN) ADDITIONAL CLAUSES
Applicable when the Services are deployed over the PSN
1. Defined Terms
CESG : The UK government’s National Technical Authority for Information Assurance. See
Code of Connection or CoCo : The agreement, as set out in the code template, setting out the obligations and requirements for organisations wanting to connect to the PSN, together with all documents annexed to it and referenced within it.
Code of Interconnection or CoICo : The agreement, as set out in the code template, setting out the obligations and requirements for an organisation to provide PSN connectivity services, together with all documents annexed to it and referenced within it.
Code of Practice or CoP : The agreement, as set out in the code template, setting out the obligations and requirements for an organisation wanting to provide PSN services, together with all documents annexed to it and referenced within it.
GCN Service Provider or GCNSP : A component, product or service that enables PSN-connected organisations to enjoy intra and inter-organisation IP data transmission and for which a PSN compliance certificate has been awarded by the PSN team.
Government Conveyance Network or GCN : The total network of all GCN services provided by all GCN Service Providers.
PSN connectivity service : A component, product or service that enables PSN-connected organisations to enjoy intra and inter-organisation IP data transmission and for which a PSN compliance certificate has been awarded by the PSN team.
PSN connectivity service provider : An organisation that is supplying or is approved to supply a PSN connectivity service in accordance with a CoICo.
PSN compliance certificate : The certificate awarded to the individual infrastructures, GCN Services, PSN services and PSN connectivity services that make up the PSN.
PSN Customer : The PSN service consumer that has achieved PSN compliance certification for their PSN Customer environments and holds PSN supply agreement(s) with PSN service providers and PSN connectivity service providers for the services concerned.
PSN supply agreement : Either a contract or – if it is between public sector bodies – a Memorandum of Understanding (MoU) to deliver PSN services or PSN connectivity services.
PSN service consumer : An organisation which uses PSN services or PSN connectivity services.
PSN Service Provider or PSNSP : An organisation that is supplying or is approved to supply PSN services in accordance with a CoP.
PSN service : A functional service available to PSN-connected organisations from a PSN-connected infrastructure in order to enable the fulfillment of a specific business activity, which is offered by a PSN Service Provider in accordance with a CoP and for which a PSN Compliance Certification has been awarded by the Public Services Network Team.
Public Services Network or PSN : The government’s high-performance network, which helps public sector organisations work together, reduce duplication and share resources.
2.1. We shall ensure that any PSN and GCN services that it supplies, or are supplied by others, pursuant to this Agreement shall have been awarded and retain at all times a PSN compliance certificate.
2.2. We shall ensure that any PSN and GCN services that it supplies, or are supplied by others, pursuant to this Agreement are delivered in accordance with the applicable code, codes or Documents of Understanding (DoU).
2.3. You shall ensure that any PSN Customer environment used to consume PSN and GCN services supplied pursuant to this Agreement shall have been awarded and retain at all times a PSN compliance certificate.
2.4. You shall ensure that any PSN Customer environment used to consume PSN and GCN services supplied pursuant to this Agreement shall be provided and maintained in accordance with the applicable code or codes.
2.5. Each of the Parties warrants and undertakes that they shall throughout the term, where specifically requested in writing by the PSN team acting on advice from the Infrastructure SIRO, immediately disconnect its GCN services, PSN services or Customer environment (as the case may be) from such PSN services (including any Direct Network Services (DNS)), GCN services and Customer environments as the PSN team instructs where there is an event affecting national security, or the security of the GCN or PSN.
2.6. The Parties acknowledge and agree that the PSN team shall not be liable to them or any other party for any claims, proceedings, actions, damages, costs, expenses and any other liabilities of any kind which may arise out of, or in consequence of any notification pursuant to clause 2.5.
2.7. Each of the Parties acknowledges and agrees that these clauses 2.4 and 2.5 are for the benefit of and may be enforced by the PSN team, notwithstanding the fact that the PSN team is not a party to this agreement, pursuant to the Contracts (Rights of Third Parties) Act 1999.
2.8. We shall cooperate with suppliers of other PSN services and GCN service providers to enable the efficient operation of PSN.
2.9. The PSN services shall be delivered in a way that enables the sharing of services across Customers of PSN services and maximises the savings to be achieved by such sharing of services.
ANNEX C – HEALTH AND SOCIAL CARE NETWORK (HSCN) MANDATORY SUPPLEMENTAL TERMS
Applicable when the services are deployed over the HSCN
means a consumer network service provider, as defined in the HSCN Solution Overview document and the HSCN Operational Design Overview.
means a deed of undertaking made between the HSCN Authority and a CN-SP which governs the obligations owed by the CN-SP to the HSCN Authority and HSCN Consumers.
means the government’s network for health and social care, which helps all organisations involved in health and social care delivery to work together and interoperate.
HSCN Authority’s Advanced Network Monitoring Service
means the Advanced Network Monitoring Service as described in the HSCN Operational Design Overview.
HSCN Authority Network Analytic Service
means the Network Analytic Service as described in the HSCN Operational Design Overview.
HSCN Connectivity Services
means any service which is offered by a CN-SP to provide access to and / or routing over the HSCN.
means the recipient(s) of HSCN Connectivity Services.
means any supplier providing any element of the HSCN services.
HSCN Website – Providers of NHS Services
means the providers of NHS services section of the HSCN website that can be accessed at https://digital.nhs.uk/services/health-and-social-care-network/hscn-suppliers#central-network-services .
Data Security & Protection Toolkit (DSPT)
means the system for assessing compliance with Department of Health information governance policies and standards available at: https://www.dsptoolkit.nhs.uk .
NHS Digital National Applications
means the applications listed at https://digital.nhs.uk/services .
1. Any changes to this Connection Agreement shall be subject to the change control procedures as available at the HSCN Website – Providers of NHS Services section and may be updated from time-to-time by the HSCN Authority.
2. Help in completing this Connection Agreement
2.1 There are several sources of information available to help HSCN Consumers understand and meet their security obligations under this Connection Agreement. These include:
2.1.1 CN-SPs – these are the organisations that will connect HSCN Consumers to the HSCN, help HSCN Consumers understand how the HSCN service will work and how best to secure the HSCN service to meet HSCN Consumer’s obligations under this Connection Agreement;
2.1.2 Organisations with whom HSCN Consumers already work to provide IT and network systems and services – for example, an IT department, systems suppliers, or network or IT provider. These organisations will generally understand how to protect against wider cyber-security threats – including malware; and
2.1.3 HSCN Website – Providers of NHS Services.
3. Entitlement to connect to and use the HSCN
3.1 Connection to the HSCN is provided based on the business need to share information within the health and social care community.
3.2 However, to protect the availability of the HSCN as a shared resource for the health and social care system, where (in its sole discretion) the HSCN Authority has concerns in respect of the cyber security, information assurance or information governance arrangements of an organisation applying for a HSCN service or if the CN-SP providing that HSCN service has breached any of its obligations pursuant to its CN-SP Deed, it reserves the right to:
3.2.1 refuse a HSCN service if such HSCN service is not already in place;
3.2.2 restrict or modify access under a HSCN service to the HSCN Authority’s systems, services or applications (including National Applications); or
3.2.3 terminate a HSCN service.
3.3 Despite the HSCN Authority’s rights set out above, its preference shall be to work with a HSCN Consumer to identify and rectify root cause security issues to avoid terminating a HSCN service where possible.
3.4 However, if evidence emerges of activity or behaviour by a HSCN Consumer in relation to the use of the HSCN that would undermine the availability of the HSCN, damage the reputation of the HSCN, the NHS or Her Majesty’s Government, or otherwise pose a security threat to the organisation or other HSCN Consumers or providers of the HSCN, the HSCN Authority may have no choice other than to terminate the HSCN service.
4. Security Considerations for the HSCN
4.1 The primary security consideration of the HSCN is to make sure that it is available as a resource to carry information between providers in the health and social care community. There is a secondary requirement to maintain and to improve a good standard of information governance and cyber-security across the health and social care community. This will help to reduce the exposure of the NHS and wider health and social care providers to the kinds of cyber-attack and loss of personal data that have been widely reported in the media in the last few years.
4.2 It is important that each HSCN Consumer (where necessary working with or through its IT partners, suppliers, or other HSCN Consumers):
4.2.1 works with the HSCN Authority, HSCN Suppliers, and other members of the health and social care community to help each of these requirements be realised and, in the event that a security incident – including cyber-attack or malware outbreak – is detected or suspected, works (collaboratively where necessary) to help contain the problem, minimise the impact, subsequently resolve it and then to help prevent a re-occurrence;
4.2.2 ensures that each and every other organisation which routes traffic through the HSCN Consumer’s own HSCN connection:
4.2.2.1 has signed and submitted to the HSCN Authority an HSCN Connection Agreement; or
4.2.2.2 is otherwise made subject to legally binding terms identical to those set out in this Connection Agreement (which the HSCN Authority may require the HSCN Consumer to verify in writing at any time); and
4.2.3 has technical measures in place to prevent organisations that have not signed a Connection Agreement (or are not subject to terms identical to those set out in this Connection Agreement) in accordance with clause 4.2.2 from routing traffic to the HSCN through that HSCN Connection.
5. HSCN Authority’s obligations under this Connection Agreement
5.1 The HSCN Authority commits to:
5.1.1 work with HSCN Consumers to help improve and maintain good cyber security and good data handling processes. This includes communicating updates to good cyber security, information governance and other related guidance to its HSCN Consumers; and
5.1.2 inform HSCN Consumers in a timely manner of any incident or security matter that the HSCN reasonably believes will have a negative impact on the connection to the HSCN.
6. HSCN Consumer Obligations
6.1 Whilst there are no specific assurance or compliance regimes to which HSCN Consumers must adhere in order to obtain a connection to the HSCN, there are a number of obligations on all organisations that use the HSCN. These are designed to help maintain the availability of the HSCN whilst improving the overall cyber security position of HSCN Consumers and continuing to protect personal information about patients and service users.
6.3 In the event of a security incident which relates to your use of the HSCN or your connection to the HSCN, you agree that you (or a partner working on your behalf, for example, a system supplier, or IT supplier) will:
6.3.1 conduct initial diagnosis of the incident to determine which service is the cause (or most likely cause of the incident);
6.3.2 raise the incident with your CN-SP for the affected service;
6.3.3 at the earliest opportunity inform the HSCN Authority through the mechanism for notifying security incidents as set out on the HSCN Website – Providers of NHS Services section and to complete actions assigned by the HSCN Authority or its representatives in an agreed timeframe to support containment and resolution of the incident;
6.3.4 if the HSCN Data Security Centre team contacts you to help resolve an incident or problem, you must respond as you would for one of your own customers or users;
6.3.5 depending on the nature of the incident, provide audit logs holding user activities, exceptions and information security events to assist in investigations; and
6.3.6 where appropriate, notify other HSCN Consumers with whom you share a HSCN service of any incident that has been communicated to you by the HSCN Supplier or the HSCN Authority.
6.4 Where an incident occurs relating to the use of the HSCN by another HSCN Consumer or HSCN Supplier or you reasonably suspect an incident has occurred, you agree that you will notify the HSCN Authority at the earliest opportunity using the contact information set out on the HSCN website.
Cyber and Information Security
6.5 All HSCN Consumers have a duty, through the implementation of robust data handling and information security practices:
6.5.1 to be ‘good citizens’ to help ensure that the HSCN remains available for all users; and
6.5.2 a wider duty to protect their information, systems and services from unauthorised disclosure, destruction, theft, unavailability or loss of integrity through cyber and / or other forms of attack. In some cases, this duty is set out in law, in others it is what service users and patients might reasonably expect of organisations that hold, control or process personal or personal sensitive information about them.
6.6 You acknowledge that your organisation has been notified of this information and your responsibilities to implement good information security.
6.7 The HSCN Consumer agrees that the HSCN Authority Network Analytic Service will monitor the connection point between their networks and the HSCN for the purposes of maintaining the availability of the HSCN, systems and / or services that are available through the HSCN, and the connection between the HSCN and the internet. Examples include looking for abnormal amounts of traffic that could indicate a malware or other cyber security attack.
6.8 However, the HSCN Authority Network Analytic Service does not look at or store the content of network traffic.
6.9 The HSCN Consumer agrees that the HSCN Authority’s Advanced Network Monitoring Service will monitor and inspect, through signature and behavioural analysis, the content of unencrypted internet-bound traffic to look for evidence of malicious or suspicious content. The HSCN Consumer acknowledges that the operation of this service involves the analysis of the content of internet traffic, including Personal Data and Sensitive Personal Data.
6.9.1 “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” and “Processing” shall have the same meanings as in the Data Protection Laws and “Processed” and “Process” shall be construed in accordance with the definition of “Processing”. “Personal Data” and “Sensitive Personal Data” shall have the same meaning as in the Data Protection Laws, and shall refer to Personal Data (or Sensitive Personal Data) provided by the HSCN Consumer to the HSCN Authority in connection with this Connection Agreement, or as otherwise Processed by the HSCN Authority in relation to the services offered to the HSCN Consumer in connection with HSCN.
6.10 For the avoidance of doubt, the HSCN Authority shall have no liability to the HSCN Consumer in respect of the functioning or non-functioning of the HSCN Authority Network Analytic Service and/or the HSCN Authority’s Advanced Network Monitoring Service.
6.11 Each HSCN Consumer acknowledges that:
6.11.1 the HSCN’s primary requirement is to be available as a means for sharing information between the health and social care community;
6.11.2 the HSCN does not help secure data in any way as it passes across the network. Responsibility for providing sufficient security lies with the sending and receiving organisation, or the providers and users of sites or applications that are accessed through the HSCN. This includes providing assurances that any service or application available on the HSCN or any organisations or users on the network are authentic and appropriately secured; and
6.11.3 the HSCN does not warrant the authenticity of any service, system or data available through the HSCN or of any information received through the HSCN.
6.12 Because there is sometimes a business need to access a variety of content from a range of services, the HSCN network does not impose any restrictions on categories of sites or services that HSCN Consumers can access through the HSCN, except that:
6.12.1 for internet access, a standard set of controls are in place to prevent data from being shared with known malware resources (for example, places on the internet with which malware may try to communicate). The purpose of this restriction is to limit the impact on the HSCN community should a malware attack take place, and as such the list of blocked sites may change from time to time; and
6.12.2 HSCN Consumers may agree access restrictions on internet access or general network access (for example, blocks on categories of internet sites) with their CN-SP, but that is solely a matter between the HSCN Consumers and their CN-SP.
HSCN Service Information
6.13 Each HSCN Consumer agrees to provide and maintain (through their connection profile information posted at the HSCN Website – Providers of NHS Services section):
6.13.1 whether their connection to the HSCN is shared with any other organisations (whether health and social care or not) and if so the identity of those organisations; and
6.13.2 the following contacts at the HSCN Consumer:
6.13.2.1 the business sponsor of the connection – this contact should be in a senior position in the organisation who is ultimately responsible for the use of the HSCN Connectivity Services (e.g. Chief Information Officer); and
6.13.2.2 security lead with whom the HSCN Authority can communicate security information. This individual may be the Senior Information Risk Officer (SIRO), Caldicott Guardian, Chief Security Officer or of equivalent standing and responsibility. For some HSCN Consumers, this may be a contact at, for example, a partner organisation such as an IT systems supplier or shared service provider who handles security matters for the HSCN Consumer.
Information Governance – NHS Digital National Applications
6.14 The HSCN Consumer shall comply with all applicable information governance requirements in order to handle patient data, and access systems, services and resources that are available through the HSCN.
6.15 For the NHS Digital National Applications, this is currently the Data Security & Protection Toolkit (DSPT). For other systems and services, local arrangements may apply.
6.16 In submitting this Connection Agreement, you are agreeing to comply with requirements and arrangements for those systems and services which you will access or make use of through the HSCN.
The current arrangements for the NHS Digital National Applications are set out here: https://www.dsptoolkit.nhs.uk. HSCN Consumers should check with organisations that provide systems and services that they use as to local arrangements that are in place.
6.17 The HSCN Consumer shall comply with all relevant policies, guidelines or directions from time to time made available on the HSCN Data Security Centre websites, accessible at the following locations (and/or via any replacement sites identified by the HSCN Authority from time to time):
ANNEX D Definitions
1. In this Agreement, the following definitions shall apply:
|“Agreement”||means this agreement and any referenced document.|
|“Charges”||means the charges payable by You to Us in respect of the Services, as specified in the Service Definitions and Pricing Guide https://ukcloud.com/pricing .|
|“Confidential Information”||means all commercial, financial, marketing, business and technical or other data, trade secrets, specifications, algorithms, calculations, formulae, processes, business methods, diagrams, drawings and all other confidential information of whatever nature (whether written, oral or in electronic or other form) concerning the business, products and affairs of a Party (or its other suppliers or customers) that the other Party obtains, receives or has access to in connection with this Agreement.|
|“Content”||means content that You or an End User run on, cause to interface with, or upload to, the Services, under Your account.|
|“Control”||means the ability to direct the affairs of another whether by virtue of contract, ownership of shares or otherwise howsoever.|
|“Data Protection Impact Assessment”||means an assessment by the Controller of the impact of the envisaged processing on the protection of Personal Data.|
|“Data Loss Event”||means any event that results, or may result, in unauthorised access to Personal Data held by UKCloud under this Agreement, and/or actual or potential loss and/or destruction of Personal Data in breach of this Agreement, including any Personal Data Breach.|
|“Data Subject Access Request”||means a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.|
|“End User”||means the individual or entity end user that has been permitted to use the Services (or part thereof) by You.|
|“Fair Use Policy”||means applicable fair use policies relating to the Services.|
|“Force Majeure Event”||means any cause affecting the performance by a Party of its obligations under this Agreement arising from acts, events, omissions or non-events beyond its reasonable control, including acts of God, riots, war, acts of terrorism, fire, flood, storm or earthquake and any disaster, but excluding any industrial dispute relating to the Parties.|
|“Inducement”||means (i) any payment, gift, consideration, benefit or advantage of any kind, which is (or is agreed to be) offered, promised, given, authorised, requested, accepted or agreed, whether directly or indirectly (through one or more intermediaries) which could act as an inducement or reward, for any form of improper conduct by any person in connection with their official, public, fiduciary, employment or business role, duties or functions; and/or (ii) anything that would amount to an offence of bribery or corruption under Applicable Law; and/or (iii) any Facilitation Payment and “Induce”, “Induced”, “Inducing” and other variants of “Inducement” shall be construed accordingly.|
|“Intellectual Property Rights”||means all of the intellectual property rights in or produced in connection with the Services including without limitation copyright, design rights, registered designs, database rights, patents, trademarks or names whether or not capable of registration and any applications or rights to apply for any such rights.|
means any law, subordinate legislation within the meaning of Section 21 (1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgement of a relevant court of law, or directives or requirements with which the Parties are bound to comply.
means Law Enforcement Directive (Directive (EU) 2016/680)
means the online portal through which Our Services are provisioned
|“Pricing Guide”||means the guide that sets out the prices for the Services https://ukcloud.com/pricing|
|“Protective Measures”||means appropriate technical and organisational measures which may include: pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of such measures adopted by it.|
|“Service Credits”||means the sums attributable to a failure by Us to deliver any part of the Services in accordance with the Service Levels, as specified in the Service Definitions https://ukcloud.com/pricing.|
|“Service Definition”||means the detailed description of the attributes and features of the Service https://ukcloud.com/pricing|
|“Service Levels”||means the service levels to which the Services are to be provided, as set out in the Service Definitions https://ukcloud.com/pricing.|
|“Services” or “Service”||means the UKCloud for VMware Service specified in the Service Definitions https://ukcloud.com/pricing as amended from time to time, and any additional service in Our portfolio as agreed with Us.|
|“System Interconnect Security Policy” or “SISP”||means the formal top-level security document that identifies those aspects that are within the remit of Our security officer and those that are within the remit of Your security officer.|
|“Sub-Processor”||means any third party appointed to process Personal Data on behalf of Us related to this Agreement.|
|“Trade Marks”||means the following trademarks used by Us: Our UKCloud logo and branding which are not registered.|
You warrant that You have the legal authority to bind the entity You represent to the terms of this Agreement.