Asset Bank Terms and Conditions

The parties to the Agreement are: (i) Bright Interactive Ltd, a company incorporated in England and Wales (registration number 03865036) having its registered office at Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK ("we", and "us" and "our" shall be construed accordingly); and (ii) the person (natural or legal) who is specified as the customer in the Proposal ("you", and "your" and "yours" shall be construed accordingly).

1. Definitions

1.1 In the Agreement:

"Account Holder" means the individual identified as such in the Proposal, or a replacement individual notified by you to us in writing;

"Admin Account" means an administrator account on the Platform enabling you to create user accounts and configure aspects of the Hosted Services;

"Agreement" means the agreement between the parties for the provision of the Hosted Services and/or On-premises Software incorporating:

  1. the Proposal;
  2. these terms and conditions;
  3. where applicable, the standard contractual clauses set out in Annex 1; and
  4. the Support SLA available at https://support.assetbank.co.uk/hc/en-gb/articles/115000153291-Customer-Support-Service-Description

including any variations from time to time; 

"Business Day" means any weekday other than a bank or public holiday in England;

"Business Hours" means between 09:00 and 17:00 London time on a Business Day;

"Charges" means the amounts payable by you to us under or in relation to the Agreement, as specified in the Proposal or elsewhere in the Agreement;

"Client Data" means all digital assets, files, works and materials uploaded to, stored on, processed using or transmitted via the Platform by you or on your behalf;

"Cloud Services" means the Hosted Services plus the Support Services provided in relation to those Hosted Services;

"Confidential Information" means, in respect of a party, any information disclosed by that party to the other party during the Term that at the time of disclosure is marked as confidential, is described as confidential by the disclosing party, or should have been understood as confidential by the recipient party (acting reasonably); and providing that the Client Data shall be your Confidential Information and any third party service provider contracts that we supply to you shall be our Confidential Information;

"Customisations" means any new software developments, updates, upgrades, modules, libraries and APIs that are:

  1. designed to be incorporated into, or to interface with, the Hosted Services and/or On-premises Software; and
  2. created by us on your behalf in accordance with a written project plan and specification agreed in writing between the parties;

"Data Exporter" means the person (natural or legal) who is specified as the customer in the Services Order Form, and acts as such in Annex 1;

"Data Importer" means Bright Interactive Ltd, and acts as such in Annex 1;

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, for the period during which they are in force and applicable to the Personal Data, the UK's Data Protection Act 2018 and Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;

"Defect" means a critical issue or major issue (as defined in the SLA) in the Hosted Services and/or On-premises Software, or a failure of the Hosted Services and/or On-premises Software to conform with the specification set out in the Proposal in some material way;

"Effective Date" means the date of execution of the Agreement, being the date upon which a paper copy or electronic copy of the signature page is signed by the second of the parties to sign;

"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet, hacker attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);

"Hosted Services" means:

  1. the Asset Bank functionality on the Platform, enabling you to upload, tag, organise, store, search, manipulate, access and download digital files; and
  2. if the Proposal so provides or the parties have so agreed in writing, the Brand Hub functionality on the Platform;

"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registered or unregistered, including any application or right of application for such rights (and these "Intellectual Property Rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing-off rights, unfair competition rights, patents, petty patents, utility models and rights in designs);

"Minimum Term" means the period of 12 months beginning on the Effective Date;

"On-premises Software" means the software known as Asset Bank that we own and license;

"Permitted Purposes" means the purposes of uploading, tagging, organising, storing, searching, manipulating, accessing, sharing and downloading digital files; 

"Personal Data" means any personal data (as defined in the Data Protection Laws) that we process on your behalf under the Agreement;

"Platform" means the hardware, system software, server software, database software and application software that we use to provide the Hosted Services, whether shared or dedicated;

"Proposal" means the proposal we issue to you setting out the particulars of the Agreement;

"Services" means all the services provided or to be provided by us to you under the Agreement, including any Hosted Services, Set-up Services and Support Services;

"Set-up Services" means the installation, integration and configuration of the Hosted Services and/or On-premises Software, and the provision of any associated training and consultancy services specified in the Proposal;

"SLA" means the service level agreement;

"Support Services" means:

  1. assistance in relation to the use of the Hosted Services or On-premises Software;
  2. the identification and resolution of defects in the Hosted Services or On-premises Software;
  3. general maintenance of the Platform; and
  4. the application of Upgrades to the Hosted Services or the supply to you of Upgrades and application of those Upgrades to the On-premises Software;

"Support Services Limit" has the meaning given to it in the SLA;

"Term" means the term of the Agreement;

"Third Party Services" means any hosted or cloud service owned and operated by a third party that may transmit data to and/or from the Hosted Services and/or On-premises Software under a contract or arrangement between you and the relevant third party; and 

"Upgrades" means new versions of, and updates to, the Hosted Services and/or On-premises Software, whether for the purpose of fixing an error, bug or other issue or enhancing the functionality of the Hosted Services and/or On-premises Software.

2. Term

2.1 The Agreement will come into force on the Effective Date.

2.2 The Agreement will continue in force indefinitely, unless and until terminated in accordance with its express provisions.

3. Set-up Services

3.1 We shall provide the Set-up Services to you promptly following the Effective Date.

3.2 The Cloud Services or On-premises Software shall be configured in accordance with your licence tier (Essential, Professional or Enterprise Unlimited), and shall be subject to the resource limitations applicable to your licence tier, as specified in the Proposal.

4. Cloud Services

4.1 This Clause 4 applies if the Proposal specifies that we have agreed to supply Cloud Services to you.

4.2 We shall complete the installation of your Asset Bank and create one or more Admin Accounts for you after the Effective Date, enabling you to access the Hosted Services.

4.3 Subject to Clauses 4.5 to 4.7, we hereby grant to you a non-exclusive licence to use the Hosted Services on the Platform for the Permitted Purposes via:

  1. any supported web browser; and
  2. if the applicable specification for the Hosted Services so provides, via the API for the Hosted Services,

in each case during the Term.

4.4 You may permit your own customers to use the Hosted Services on the Platform for the Permitted Purposes via any supported web browser, whether on a free or paid basis, providing that you shall be responsible for your customers' use of the Hosted Services and that all the other limitations and prohibitions relating to your use of the Hosted Services shall apply to your customers' use.

4.5 Your use of the Hosted Services must not exceed the user limitations and storage resources limitations referred to in the Agreement. We may use technical measures to enforce those limitations. From time to time during the Term we may agree with you changes to those limitations. Increases may be subject to additional Charges.

4.6 Your use of the non-storage resources for the Hosted Services (bandwidth, processing power and API calls) must not be excessive. For the purposes of this Clause 4.6, usage will be excessive if:

  1. it exceeds, during any calendar month, with respect to any one or more of these resources, the 99th percentile of use that we observe from our other customers within your licence tier during the preceding calendar month; and/or
  2. it causes a material negative impact upon the services that we provide to our other customers;

and if your use is excessive, we may give you written notice of this. From time to time during the Term we may agree with you changes to the resources available to you. Increases may be subject to additional Charges. Notwithstanding the preceding provisions of this Clause 4.6, we may use technical measures to ensure that the usage of non-storage resources is not excessive.

4.7 Except to the extent mandated by applicable law or expressly permitted in the Agreement or in any reseller agreement between us and you, the licence granted under Clause 4.3 is subject to the following prohibitions:
  1. you must not frame or otherwise republish or redistribute the Platform or Hosted Services;
  2. you must not modify or alter, or attempt to modify or alter, the Platform or Hosted Services; and
  3. you must not hack or attempt to gain unauthorised access to any part of the Platform or Hosted Services.

4.8 All Intellectual Property Rights in the Platform and Hosted Services shall, as between the parties, be our exclusive property.

4.9 You must ensure that no unauthorised person accesses the Platform or Hosted Services using any Admin Account or your API access credentials (if we supply these to you).

4.10 We shall use reasonable endeavours to ensure that the Hosted Services are available 99.9% of the time during each calendar month, subject to downtime for scheduled maintenance under Clause 6. Hosted Services uptime shall be measured and calculated by us using any reasonable methodology, and reported to you promptly following our receipt of a written request from you.

4.11 For the avoidance of doubt, you have no right to access the object code or source code of the Platform or Hosted Services, either during or after the Term.

5. On-premises Software

5.1 This Clause 5 applies if the Proposal specifies that we have agreed to supply On-premises Software to you.

5.2 Subject to Clauses 5.3 and 5.4, we grant to you a worldwide, non-transferable, non-exclusive, non-expiring (subject to Clause 20.6) licence from the Effective Date to:

  1. install a single copy of the On-premises Software for live use on a computer in your control and use that On-premises Software for the Permitted Purposes;
  2. install a second copy of the On-premises Software on a computer in your control for fail-over purposes only; and
  3. make and keep up to 5 back-up copies of the On-premises Software.

5.3 Your use of the On-premises Software must not exceed the user limitations referred to in the Agreement. We may use technical measures to enforce those limitations. From time to time during the Term we may agree with you changes to those limitations. Increases may be subject to additional Charges.

5.4 Except as required by applicable law on a mandatory basis, you must not: 

  1. copy any part of the On-premises Software except in accordance with Clause 5.2;
  2. reverse compile or reverse assemble any portion of the On-premises Software;
  3. distribute, disclose, market, rent, lease or transfer the On-premises Software; or
  4. allow others to make or obtain copies of the On-premises Software.

5.5 You must use reasonable technical and organisational security measures to prevent the disclosure of the On-premises Software code to any unauthorised person.

5.6 For the avoidance of doubt, you have no right to access the source code of the On-premises Software, either during or after the Term.

5.7 You will be responsible for enabling us to apply Upgrades to the On-premises Software. We may from time to time by written notice grant to you the right to apply Upgrades to the On-premises Software, but we shall have no obligation to do so.

If any Upgrade is not applied to the On-premises Software within the period of 12 months following release as a result of any act or omission by you, then:

  1. any Services required as a result of such failure will be subject to additional Charges at our then current time and materials rates; and
  2. subject to Clause 18.1, we will not be liable to you in respect of any loss or damage that may arise out of the failure to apply the Upgrade.

5.8 If a critical security Upgrade is not applied to the On-premises Software within 7 days following release as a result of any act or omission by you, then, subject to Clause 18.1, we will not be liable to you in respect of any loss or damage that may arise out of the failure to apply the Upgrade.

6. Support Services

6.1 If you are entitled to Cloud Services, then we will provide Support Services to you in respect of the Hosted Services in accordance with the SLA; and if the Proposal specifies that you are entitled to Support Services in respect of On-premises Software, then we will provide the Support Services to you in respect of the On-premises Software in accordance with the SLA.

6.2 You acknowledge that from time to time we may apply Upgrades to the Hosted Services.

6.3 We may suspend access to the Hosted Services at any time in order to carry out scheduled maintenance to the Hosted Services and/or Platform. Our scheduled maintenance windows are published on the Asset Bank Help Centre and updated from time to time. Scheduled maintenance will usually be completed outside working hours in your jurisdiction.

6.4 Hosted Services downtime during any scheduled maintenance shall not be counted as downtime for the purposes of Clause 4.9.

6.5 Upgrades may result in changes to the appearance and/or functionality of the Hosted Services and/or On-premises Software. We will give you advance written notice of the deprecation or removal of any major functionality by an Upgrade.

7. Other services

7.1 We may from time to time agree with you that we will provide:
  1. additional training and/or consultancy Services relating to the Hosted Services and/or On-premises Software; and/or
  2. other additional Services or changes to Services.

7.2 Unless we agree otherwise in writing, all such additional Services will be provided under and subject to the Agreement, and will be subject to additional Charges at our then current time and materials rates.

8. Your obligations

8.1 Save to the extent that we have agreed otherwise in writing, you must provide to us, or procure for us, such:

  1. co-operation, support and advice;
  2. information and documentation,

as are reasonably necessary to enable us to perform our obligations under the Agreement.

8.2 If we agree to supply On-premises Software to you, you must provide to us, or procure for us, such access to your computer hardware, software, networks and systems as may be reasonably required by us to enable us to perform our obligations under the Agreement.

9. Client Data

9.1 We will perform a back-up of Client Data once per day. At your request, we will promptly restore the Client Data in the Hosted Services database using the latest available back-up.

9.2 All the Intellectual Property Rights in Client Data will remain your property and the property of your licensors, subject to Clause 9.3.

9.3 You grant to us a non-exclusive licence to store, copy and otherwise use Client Data on and in relation to the Platform for the purposes of operating the Platform, providing the Services, fulfilling our obligations under the Agreement and exercising our rights under the Agreement. The exercise of our rights under this licence is subject to our obligations under Clause 15 in respect of Personal Data.

9.4 You warrant to us that Client Data, and its use by us in accordance with the terms of the Agreement, will not:

  1. breach any laws, statutes, regulations or legally binding codes;
  2. infringe any person's Intellectual Property Rights or other legal rights; or
  3. give rise to any cause of action against you or us or any third party.

9.5 If we reasonably suspect that there has been a breach by you of the provisions of Clause 9.4, we may:

  1. delete or amend the relevant elements of Client Data; and/or
  2. suspend any or all of the Services and/or your access to the Platform while we investigate the matter,

providing that we will give you advance notification of any such action if that notification does not prejudice our legal position.

9.6 Any breach by you of Clause 9.4 will be deemed to be a material breach of the Agreement for the purposes of Clause 19.

10. Integrations with Third Party Services

10.1 You will have the opportunity to activate integrations with Third Party Services; such integrations will not be active by default.

10.2 The supply of Third Party Services shall be under a separate contract or arrangement between you and the relevant third party. We do not contract to supply the Third Party Services and are not a party to any contract for, or otherwise responsible in respect of, the provision of any Third Party Services.

10.3 The use of some features of the Hosted Services and/or On-premises Software may depend upon you enabling and agreeing to integrations with Third Party Services.

10.4 We may remove, suspend or limit any Third Party Services integration at any time in our sole discretion.

10.5 You acknowledge that:

  1. the integration of Third Party Services may entail the transfer of Client Data to the relevant Third Party Services; and
  2. we have no control over, or responsibility in respect of, any disclosure, modification, deletion, export or other use of Client Data by any third party resulting from any integration with any Third Party Services.

10.6 You warrant to us that the transfer of Client Data to a provider of Third Party Services in accordance with this Clause 10 will not infringe any person's legal or contractual rights and will not put us in breach of any applicable laws (including the Data Protection Laws).

10.7 Save to the extent that the parties expressly agree otherwise in writing and subject to Clause 18.1:

  1. we give no warranties or representations in respect of any Third Party Services; and
  2. we will not be liable to you in respect of any loss or damage that may be caused by any Third Party Services or any provider of Third Party Services.

11. Customisations

11.1 This Clause 11 applies if we agree with you in writing, whether in the Proposal or otherwise, that we shall design and develop a Customisation or Customisations on your behalf.

11.2 Each Customisation will conform in all material respects with the specification for the Customisation agreed by us in writing.

11.3 We will use reasonable endeavours to ensure that each Customisation is made available or (if it forms part of the On-premises Software) delivered to you in accordance with any timetable or project plan agreed by the parties in writing.

11.4 All Intellectual Property Rights in the Customisations shall, as between the parties, be our exclusive property. However, this shall not affect the ownership of Intellectual Property Rights in your brands and/or logos, which shall belong to you.

11.5 From the time and date when a Customisation is first delivered or made available to you, the Customisation shall form part of the Hosted Services and/or On-premises Software, as the case may be, and accordingly from that time and date your rights to use the Customisation shall be governed by Clauses 4 and/or 5.

11.6 You acknowledge that we may make any Customisation available to any of our other customers or any other third party at any time.

12. Charges

12.1 You must pay the Charges to us in accordance with Clause 13.

12.2 All Charges and other amounts stated in or in relation to the Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by you to us.

12.3 We may elect to vary any element of the Charges (including any time-based charging rate) by giving to you not less than 90 days' written notice of the variation, providing that:

  1. we will not vary the Charges payable with respect to Services provided during the first 12 months of the Agreement; and
  2. if we vary any element of the Charges during the Term by a percentage exceeding the percentage increase, during the same period, in the Retail Prices Index (all items) published by the UK's Office for National Statistics, then we will provide to you a written explanation of the reason for the increase.

12.4 You acknowledge that we may charge for new functionality added to Hosted Services or On-premises Software.

13. Payments

13.1 We will issue invoices for the Charges in accordance with the Proposal; and, save to the extent specified otherwise in the Proposal, you must pay the Charges to us within 30 days following the date of issue of the relevant invoice. 

13.2 Charges must be paid by bank transfer or by such other means as we may authorise from time to time.

13.3 If more than one payment due under the Agreement is not received by us by the due date and you are signed-up for quarterly or 6-monthly invoicing, we may by written notice to you move your invoicing frequency to annual and issue your next invoice on this basis.

13.4 If you do not pay any amount properly due to us under or in connection with the Agreement, we may claim interest and statutory compensation from you pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.

13.5 We may suspend the provision of any Services if any amounts due to be paid by you to us under the Agreement are overdue, and we have given you at least 5 Business Days' written notice of our intention to suspend Services on this basis.

14. Confidentiality

14.1 Each party must:

  1. keep the other party's Confidential Information strictly confidential;
  2. not disclose the other party's Confidential Information to any person without the other party's prior written consent, and then only under conditions of confidentiality no less onerous than those contained in the Agreement;
  3. use the same degree of care to protect the confidentiality of the other party's Confidential Information as it uses to protect its own confidential information of a similar nature, being at least a reasonable degree of care; and
  4. act in good faith at all times in relation to the other party's Confidential Information.

14.2 Notwithstanding Clause 14.1, a party's Confidential Information may be disclosed by the other party to that other party's officers, employees, professional advisers, insurers, agents and subcontractors who have a need to access the Confidential Information that is disclosed for the performance of their work and who are bound by a written agreement or professional obligation to protect the confidentiality of the Confidential Information that is disclosed.

14.3 No obligations are imposed by this Clause 14 with respect to a party's Confidential Information if that Confidential Information:

  1. is known to the other party before disclosure under the Agreement and is not subject to any other obligation of confidentiality;
  2. is or becomes publicly known through no act or default of the other party; or
  3. is obtained by the other party from a third party in circumstances where the other party has no reason to believe that there has been a breach of an obligation of confidentiality.

14.4 The restrictions in this Clause 14 do not apply to the extent that any Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of either party on any recognised stock exchange.

14.5 The provisions of this Clause 14 shall continue in force indefinitely following the termination of the Agreement.

15. Personal Data and the General Data Protection Regulation

15.1 The parties agree that:

  1. the Personal Data to be processed under the Agreement may consist of: (i) names, email addresses and other account-related data; and (ii) any information comprised in digital assets and metadata that are processed by the Hosted Services or the On-premises Software; and
  2. the Personal Data shall relate to: (i) individuals holding accounts in the Hosted Services or On-premises Software; and (ii) other persons whose data is comprised in the digital assets and metadata processed by the Hosted Services or the On-premises Software.

15.2 You warrant to us that:

  1. all of the Personal Data supplied by you to us shall fall within the categories specified in Clause 15.1;
  2. the Personal Data has been and shall be collected in accordance with the Data Protection Laws; and
  3. you have the legal right to disclose the Personal Data to us (and, where such disclosure is based upon consent, have retained evidence of such consent).

15.3 We warrant to you that: 

  1. we will act only on documented instructions from you in relation to the processing of the Personal Data (which instructions are set out in the Agreement and in any additional documents agreed by the parties) unless required to do so by applicable law (in which case we shall inform you of that legal requirement, unless such information is prohibited by applicable law on important grounds of public interest);
  2. we will only process the Personal Data for the purposes of providing the Hosted Services, performing our obligations under the Agreement and exercising our rights under the Agreement;
  3. the processing of the Personal Data by us shall take place only during the Term, subject to the express derogations elsewhere in the Agreement;
  4. we have in place appropriate security measures (both technical and organisational) against unlawful or unauthorised processing of the Personal Data and against loss or corruption of the Personal Data, including those measures specified in our security policy as published on our website from time to time;
  5. save to the extent caused by your failure to comply with Clause 15.2, we will process the Personal Data in compliance with the Data Protection Laws;
  6. we shall not appoint or utilise any sub-processor of the Personal Data without your prior specific or general authorisation, and we will notify you at least 30 days in advance of any change of sub-processor with respect to any general authorisation by updating the list of sub-processors in the Asset Bank Help Centre; we will also notify you by email if you have subscribed to our sub-processor email notification service; and if you object to any such change, you may terminate the Agreement on at least 14 days' written notice to us expiring before the end of that 30-day period;
  7. we shall ensure that each contract between us and any sub-processor of the Personal Data contains equivalent data protection obligations to those set out in the Agreement; 
  8. subject to applicable law, we will not transfer or permit the transfer of the Personal Data to any place outside the UK or EEA without your prior written consent; and
  9. we shall maintain written records of our Personal Data processing activities in accordance with the requirements of the Data Protection Laws.

15.4 You hereby give to us a general authorisation to appoint sub-processors of Personal Data in the following categories:

  1. hosting service providers;
  2. connectivity and electronic communications service providers;
  3. data transfer service providers;
  4. document and file processing or transformation service providers; and
  5. application development, support and professional service providers.

Details of appointed processors are set out in the Asset Bank Help Centre. You acknowledge that some of our appointed sub-processors are multi-national corporations with facilities in jurisdictions around the world, and hereby consent to the transfer of Personal Data outside the UK and EEA to or by sub-processors, providing that: (i) the principal database for the Hosted Services shall be located within the UK or EEA, unless you expressly agree otherwise in writing; (ii) all such transfers shall be made only for the purpose of providing services to you; and (iii) all such transfers shall be protected by appropriate safeguards in accordance with the Data Protection Laws.

15.5 If:
  1. the UK is or becomes a third country for the purposes of EU data protection law;
  2. the UK does not benefit from an adequacy decision from the EU data protection authorities with respect to the UK's data protection laws; and
  3. you transfer any Personal Data to us in the UK from within the EEA,

then the standard contractual clauses set out in Annex 1 shall apply with respect to that Personal Data, in addition to the provisions of this Clause 15.

15.6 We shall notify you in accordance with the Data Protection Laws, using the contact details set out in this Agreement or any alternative breach notification contact details supplied by you, promptly and in any case within 24 hours of becoming aware of the issue, if:

  1. any of the Personal Data is lost or destroyed, or becomes damaged, corrupted or unusable;
  2. we receive any complaint or regulatory notice which relates to the processing of any of the Personal Data; or
  3. we receive a request from a data subject for access to any of the Personal Data.

15.7 We shall co-operate with you in relation to:

  1. any request from you to amend or delete any of the Personal Data;
  2. any complaint or regulatory notification relating to the processing of any of the Personal Data;
  3. any request from a data subject for access to any of the Personal Data or relating to the exercise of the data subject's legal rights in relation to the Personal Data; and
  4. any measures taken by you that are reasonably necessary to ensure that you comply with your own obligations under Data Protection Laws,

in each case at your cost and expense.

15.8 We shall ensure that access to the Personal Data is limited to those of our personnel who have a reasonable need to access the Personal Data to enable us to perform our duties under the Agreement; any access to the Personal Data shall be limited to such part or parts of the Personal Data as are strictly necessary.

15.9 We shall take reasonable steps to ensure the reliability of any of our personnel who have access to the Personal Data. Without prejudice to this general obligation, we shall ensure that all relevant personnel are informed of the confidential nature of the Personal Data, are subject to confidentiality obligations in relation to the Personal Data, have undertaken training in the laws relating to handling Personal Data, and are aware of our duties in respect of that Personal Data.

15.10 Each party shall upon request make available to the other party all such information as may be necessary to demonstrate its compliance with the Data Protection Laws and the provisions of this Clause 15.

15.11 We shall upon request make available to you all such information as may be necessary to facilitate the carrying out of an audit of our compliance with the Data Protection Laws and the provisions of this Clause 15. For this purpose, we will provide to you a completed security questionnaire, in a form to be determined by us (acting reasonably). We shall ensure that the completed security questionnaire includes all the information that is necessary to enable you to assess our compliance. We will also provide, upon request, evidence of the most recent independent audit(s) carried out to verify GDPR compliance and ISO 27001 compliance. Other than the provision of this security questionnaire and audit evidence, we may charge you at our standard time and materials rates for any work performed at your request when fulfilling our obligations under this Clause 15.11.

15.12 In the event of changes to the Data Protection Laws that affect the terms of the Agreement, the parties shall act reasonably to agree any necessary changes to the Agreement.

15.13 We shall, if requested by you, provide to you a copy of the Personal Data in accordance with Clause 20.3; and, unless applicable law requires otherwise, we shall delete all the Personal Data from our systems and storage media at the end of the period of 4 months following termination.

16. Warranties

16.1 Each party warrants to the other party that:

  1. it has the legal right and authority to enter into and perform its obligations under the Agreement; and
  2. it will comply with all applicable laws in relation to the performance of those obligations.

16.2 We warrant to you that:

  1. we will perform our obligations under the Agreement with reasonable care and skill; and
  2. the Hosted Services and/or On-premises Software will not, when used by you in accordance with the Agreement, infringe the Intellectual Property Rights of any third party under English law.

16.3 We warrant to you that we will use reasonable endeavours to ensure that the Hosted Services and the On-premises Software will be supplied free from Defects, and we will endeavour to resolve any Defects and other issues in accordance with the SLA. Without prejudice to this warranty, you acknowledge that complex software is never wholly free from defects, errors and bugs, and we give no warranty or representation that the Hosted Services or On-premises Software will be wholly free from such defects, errors and bugs.

16.4 We warrant to you that we will ensure that the Hosted Services and the On-premises Software will incorporate security measures reflecting the requirements of good industry practice. Without prejudice to this warranty, you acknowledge that complex software is never wholly free from security vulnerabilities, and we give no warranty or representation that the Hosted Services or On-premises Software will be wholly free from such vulnerabilities.

16.5 All of the parties' warranties and representations in respect of the subject matter of the Agreement are expressly set out in the terms of the Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of the Agreement will be implied into the Agreement.

17. Additional acknowledgements

17.1 You acknowledge that, subject to the express warranties set out in the Agreement:

  1. we do not warrant or represent that the Hosted Services or On-premises Software will be compatible with any other application, program or software; 
  2. you are responsible for determining whether the Hosted Services and/or On-premises Software meet your requirements, and we do not warrant or represent that the Hosted Services or On-premises Software will meet those requirements; 
  3. we will not and do not purport to provide any legal, taxation or accountancy advice under the Agreement or in relation to the Hosted Services or On-premises Software and (except to the extent expressly provided otherwise) we do not warrant or represent that the Hosted Services or On-premises Software will not give rise to any civil or criminal liability on the part of you or any other person; and
  4. we may from time to time make changes to the hardware, software, services and other technical means by which the Hosted Services are provided, although we will not make any such changes without your permission if the changes will have a material negative effect upon the security, functionality or performance of the Hosted Services.

18. Limitations and exclusions of liability

18.1 Nothing in the Agreement will:

  1. limit or exclude the liability of a party for death or personal injury resulting from negligence;
  2. limit or exclude the liability of a party for fraud or fraudulent misrepresentation by that party;
  3. limit any liability of a party in any way that is not permitted under applicable law; or
  4. exclude any liability of a party that may not be excluded under applicable law.

18.2 The limitations and exclusions of liability set out in this Clause 18 and elsewhere in the Agreement:

  1. are subject to Clause 18.1;
  2. govern all liabilities arising under the Agreement or in relation to the subject matter of the Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty;
  3. shall not apply to any liability of a party under Clause 9.4, 14, 15 or 16.2(b), except that Clause 18.9 shall apply to such liabilities.

18.3 Neither party will be liable to the other for any indirect or consequential loss.

18.4 Neither party will be liable to the other party for any loss of business, contracts or commercial opportunities.

18.5 Neither party will be liable to the other party for any loss of or damage to goodwill or reputation.

18.6 Subject to our compliance with Clause 9.1 and excluding any loss of the most recent back-up copy of the Client Data we make in accordance with Clause 9.1, we will not be liable to you in respect of any loss or corruption of any Client Data.

18.7 Neither party will be liable to the other party for any losses arising out of a Force Majeure Event. Where a Force Majeure Event gives rise to a failure or delay in either party performing its obligations under the Agreement (other than the obligation to make payment), those obligations will be suspended for the duration of the Force Majeure Event.

18.8 Neither party's liability to the other party in relation to any event or series of related events will exceed the greater of:

  1. GBP 25,000; and
  2. the total amount paid and payable by you to us under the Agreement during the 12 month period immediately preceding the event or events giving rise to the claim.

18.9 Neither party's aggregate liability to the other party will exceed GBP 2,000,000.

19. Termination

19.1 The Agreement may only be terminated for convenience after the end of the Minimum Term in accordance with this Clause 19.1. You may terminate the Agreement by giving to us at least 30 days' written notice of termination expiring after the end of the Minimum Term; and we may terminate the Agreement by giving to you at least 120 days' written notice of termination expiring after the end of the Minimum Term.

19.2 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:

  1. the other party commits any material breach of the Agreement, and the breach is not remediable; or
  2. the other party commits a material breach of the Agreement, and the breach is remediable but the other party fails to remedy the breach within the period of 30 days following the giving of a written notice to the other party requiring the breach to be remedied.

19.3 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:

  1. the other party: (i) is dissolved; (ii) ceases to conduct all (or substantially all) of its business; (iii) is or becomes unable to pay its debts as they fall due; (iv) is or becomes insolvent or is declared insolvent; or convenes a meeting or makes or proposes to make any arrangement or composition with its creditors;
  2. an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party;
  3. an order is made for the winding up of the other party, or the other party passes a resolution for its winding up; or
  4. if that other party is an individual: (i) that other party dies; (ii) as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or (iii) that other party is the subject of a bankruptcy petition or order.

19.4 We may terminate the Agreement immediately by giving written notice to you if:

  1. any amount due to be paid by you to us under the Agreement is unpaid by the due date and remains unpaid upon the date that that written notice of termination is given; and
  2. we have given to you at least 30 days' written notice, following the failure to pay, of our intention to terminate the Agreement in accordance with this Clause 19.4.

20. Effects of termination

20.1 Upon termination of the Agreement, all the provisions of the Agreement will cease to have effect, save that the following provisions of the Agreement will survive and continue to have effect (in accordance with their terms or otherwise indefinitely): Clauses 1, 4.11, 5 (if applicable and subject to Clause 20.6), 10.7(b), 13.4, 14, 15, 18, 20, 23 and 24.

20.2 Termination of the Agreement will not affect either party's accrued liabilities and rights as at the date of termination.

20.3 You may download a copy of the Client Data from the Platform at any time before the date of termination. We will retain a copy of the Client Data for a period of at least 30 days following the date of termination. During this period, if you request that we provide you with a copy of the Client Data, we will do so, subject to payment of charges (calculated using our standard time-based charging rates). At any time following the end of that 30 day period, we may delete from our computer systems all Client Data. You acknowledge that, if you have not retrieved Client Data from the Platform before termination or requested it before deletion, you will lose that Client Data.

20.4 You acknowledge that we may retain Client Data in our systems for a period of up to 4 months after the date of termination; and the licence set out in Clause 9.3 shall continue after termination to the extent necessary for us to exercise our rights under this Clause 20.4.

20.5 If the Agreement is terminated under Clause 15.3(f) or 19.1, then you will be entitled to a refund of any Charges paid to us with respect to Services that were to be provided to you after the date of effective termination, and you will be released from any liability to pay such Charges. The amount of the refund or release shall be calculated by us using any reasonable methodology. Subject to this, you will not be entitled to any refund of the Charges upon the termination of the Agreement, nor will you be released from any liability to pay Charges that have accrued before the date of effective termination.

20.6 If the Agreement is terminated under Clause 15.3(f) or 19.1, then any licence of On-premises Software under the Agreement shall continue notwithstanding such termination; if the Agreement is terminated in any other circumstances, then any licence of On-premises Software under the Agreement shall automatically and simultaneously terminate. If any licence of On-premises Software continues following termination of the Agreement, and it comes to our attention that you have breached any term of that licence, whether before or after termination of the Agreement, then we may by written notice to you terminate that licence.

21. Notices and the Account Holder

21.1 Any notice under the Agreement must be in writing (whether or not described as "written notice" in the Agreement) and must be sent in accordance with this Clause 21.

21.2 Any notice that a party gives to the other party under the Agreement must be sent by email, courier or recorded signed-for post:

  1. in the case of notices to you, using the contact details in the Proposal; and
  2. in the case of notices to us, using the following contact details: support@assetbank.co.uk or to Bright Interactive Ltd, Ninth Floor, Tower Point, 44 North Road, Brighton, BN1 1YR.

21.3 A party receiving from the other party a notice by email must acknowledge receipt by email promptly, and in any event within 2 Business Days following receipt of the notice.

21.4 A notice will be deemed to have been received:

  1. in the case of notices sent by email, at the time of the sending of an acknowledgement of receipt by the receiving party; and
  2. in the case of notices sent by courier or recorded signed-for post, 48 Business Hours following sending.

21.5 You acknowledge that we may treat all instructions received by us in relation to this Agreement from the Account Holder or from any user with an Admin Account as fully authorised by you.

22. Subcontractors

22.1 We may subcontract the provision of hosting services and any other of our obligations under the Agreement, subject to our obligations in relation to the appointment of sub-processors of Personal Data.

22.2 We shall remain responsible to you for the performance of any subcontracted obligations.

23. General

23.1 No breach of any provision of the Agreement will be waived except with the express written consent of the party not in breach.

23.2 If a Clause of the Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other Clauses of the Agreement will continue in effect. If any unlawful and/or unenforceable Clause would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the Clause will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant Clause will be deemed to be deleted). 

23.3 The Agreement may be varied as follows:

  1. the Charges may be varied in accordance with Clause 12.3; and
  2. the Agreement may be varied by a written instrument signed or otherwise agreed by or on behalf of each party.

23.4 Either party may freely assign the entirety of its contractual rights and obligations under the Agreement to any group company of the assigning party or to any successor to all or a substantial part of the business of the assigning party.  The assigning party must give to the other party written notice of any assignment upon or before the date of the assignment. Save as provided in this Clause 23.4, neither party may without the other party's prior written consent assign, transfer, charge, license or otherwise dispose of or deal in the Agreement or any contractual rights or obligations under the Agreement.

23.5 The Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate or rescind, or agree any amendment, waiver, variation or settlement under or relating to, the Agreement are not subject to the consent of any third party.

23.6 Subject to Clause 18.1:

  1. the Agreement constitutes the entire agreement between the parties in relation to the subject matter of the Agreement, and supersedes all previous agreements, arrangements and understandings between the parties in respect of that subject matter; and
  2. neither party will have any remedy in respect of any misrepresentation (whether written or oral) made to it upon which it relied in entering into the Agreement.

23.7 The Agreement will be governed by and construed in accordance with English law; and the courts of England and Wales will have exclusive jurisdiction to adjudicate any dispute arising under or in connection with the Agreement.

24. Interpretation

24.1 In the Agreement, a reference to a statute or statutory provision includes a reference to:

  1. that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and 
  2. any subordinate legislation made under that statute or statutory provision.

24.2 The Clause headings do not affect the interpretation of the Agreement.

24.3 In the Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.

Annex 1 - Standard Contractual Clauses (Processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Parties

Name of the data exporting organisation:

[The Data Exporter, as defined in the Agreement]

Address: N/A

Telephone: N/A

Fax: N/A

Email: N/A

Other information needed to identify the organisation: N/A

(the data exporter)

and

Name of the data importing organisation: Bright Interactive Ltd

Address: 9th Floor, 44 Tower Point, Brighton, BN1 1YR, UK

Telephone: +44 (0) 1273 923 150

Fax: N/A

Email: info@bright-interactive.com

Other information needed to identify the organisation: N/A

(the data importer)

each a 'party'; together 'the parties',

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

Clause 1. Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 

Clause 2. Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

 

Clause 3. Third-party beneficiary clause

(1) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

(2) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

(3) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(4) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

 

Clause 4. Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;

(j) that it will ensure compliance with Clause 4(a) to (i).

 

Clause 5. Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorised access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

 

Clause 6. Liability

(1) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

(2) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

(3) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

 

Clause 7. Mediation and jurisdiction

(1) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

(2) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

 

Clause 8. Cooperation with supervisory authorities

(1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

(2) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

(3) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

 

Clause 9. Governing law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

 

Clause 10. Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

 

Clause 11. Sub-processing

(1) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

(2) The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

(3) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

(4) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

 

Clause 12. Obligation after termination

(1) The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

(2) The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

 

Additional commercial clauses

The parties are able to add additional commercial clauses.

When including additional commercial clauses, the parties should ensure that these clauses do not in any way:

  • overlap with or contradict the standard contractual clauses;
  • reduce the level of protection which the data importer is required to provide for the personal data; or
  • reduce the rights of data subjects, or make it any more difficult for them to exercise their rights.

Priority of standard contractual clauses

The Standard Contractual Clauses take priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into.

Unless the Clauses are expressly referred to and expressly amended, the parties do not intend that any other agreement entered into by the parties, before or after the date the Clauses are entered into, will amend the terms or the effects of the Clauses, or limit any liability under the Clauses, and no term of any such other agreement should be read or interpreted as having that effect.

Effective date of the Standard Contractual Clauses

The parties intend that these Clauses should only become effective if Art 44 of the General Data Protection Regulation (the “GDPR”) applies to a transfer of personal data from the EEA to the UK, because the UK has left the European Union, and the transfer is not permitted under Art 45.

On that basis, the Clauses will become effective on:

(i)     the first date Article 44 GDPR applies to a transfer of personal data from the EEA to the UK, and that transfer is not permitted under Article 45 GDPR; or

(ii)    the date of the Standard Contractual Clauses, if later.

In this clause, 'a transfer of personal data' has the same meaning as in Article 44 of the GDPR.

On behalf of the data exporter: 

Name (written out in full):

[The Data Exporter, as defined in the Agreement]

Address:

N/A

Position: N/A
Other information necessary in order for the contract to be binding (if any): N/A
Signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
Date of the Standard Contractual Clauses: [The Effective Date, as defined in the Agreement]

 

On behalf of the data importer:

Name (written out in full):

Bright Interactive Ltd

Address: 9th Floor, 44 Tower Point, Brighton, BN1 1YR, UK

 

Position: N/A

Other information necessary in order for the contract to be binding (if any): N/A

Signature: 

[By executing the Agreement, the parties also agree to these Standard Contractual Clauses]

 

Appendix 1 of the Standard Contractual Clause

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

The data exporter’s business or organisation type is (please specify):

The customer of the data importer, Bright Interactive Ltd, who has executed this Standard Contractual Clause

The data exporter is using the personal data which is being transferred for the following purposes or activities (please specify):

Processing and storage in the software and services provided by Bright Interactive Ltd, for the purposes as controlled and defined by the data exporter

The data importer is:

Bright Interactive Ltd - a provider of software solutions, including digital asset management software solutions and associated services.

The data importer’s activities for the data exporter, which are relevant to the transfer are:

Bright Interactive Ltd processes data upon the instruction of the data exporter in order to deliver services, and to meet contractual obligations. This processing includes transfer and secure storage of data, and consultancy and support services.

Data subjects:

Each category includes current, past and prospective data subjects. Where any of the following is itself a business or organisation, it includes their staff.

The personal data transferred concern the following categories of data subjects (please specify): 

Any user of the service as determined by the data exporter

Any individuals whose personal data is contained within any assets or metadata uploaded to the service by the data exporter or any of its authorised users

Categories of data:

The personal data transferred concern the following categories of data (please specify):

Names, emails and other account related data of users of the service

Any personal data that is contained within any assets or metadata uploaded to the service by the data exporter or any of its authorised users. This personal data may include but is not limited to:

  • Images of individuals
  • Names or other textual information contained within documents, other assets and image metadata

Special categories of data (if appropriate):

The personal data transferred concern the following special categories of data (please specify):

Data exporter may submit special categories of data to the data importer at the sole discretion of the data exporter (special categories include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.)

Processing operations:

The personal data transferred will be subject to the following basic processing activities (please specify):

Data importer may undertake the following process activities:

  • Transfer of data to our cloud hosting solution for secure storage
  • Backup of the data
  • Access and transfer of the data for the provision of ongoing support services, and specific consultancy activities
  • Deletion of the data
  • Other activities as requested by the data exporter or as required for the provision of the services

All under instruction from the data exporter and in line with contractual obligations


Data exporter
Company Name: [The Data Exporter, as defined in the Agreement]
Name: N/A
Title: N/A
Authorised signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
Date signed: [The Effective Date, as defined in the Agreement]

Data importer
Company name: Bright Interactive Ltd
Name: N/A
Title: N/A
Authorised signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]

 

Appendix 2 of the Standard Contractual Clause

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The following is the description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):

Data importer has in place appropriate security measures (both technical and organisational) to protect against unlawful or unauthorised processing of personal data and against loss or corruption of the personal data, including those measures specified in Bright's security policy as published in the Asset Bank Help Centre from time to time. Such measures include, but are not limited to:

  1. Physical Access - Data importer shall take reasonable measures to ensure the security of all physical locations and equipment required to perform its duties. This includes controls such as door security, CCTV, alarms, lockable storage and safes, encryption policies for storage media and leaver processes.
  2. System Access - Data importer shall take reasonable measures to prevent Personal Data from being accessed without authorisation. This includes the use of industry standard password-management techniques, device handling procedures, network access procedures, user authentication controls and other documented procedures as well as logging protocols to capture all relevant activities.
  3. Network Access - Data importer shall take reasonable measures to ensure the appropriate security techniques are utilised for all system access, including but not limited to controls governing secure protocols, port access restrictions, encryption and file transfer technologies and procedures.
  4. Application Browser Access - Data importer shall take reasonable measures to ensure the service utilises sufficiently secure techniques when being delivered via a client browser. This includes utilisation of encryption protocols and support for SSL certificates.
  5. Application Level Access - Data importer shall take reasonable measures to protect Personal Data that is handled by any applications that operate as part of any delivered services. This includes the use of encryption, data segregation and access and deployment restrictions and segregations.
  6. Infrastructure penetration testing - Data importer shall take reasonable measures to test the security and vulnerability of the infrastructure delivered as part of the services via the use of regular risk assessments, information security reviews and formal penetration tests.
  7. Patch management - Data importer shall take reasonable measures to ensure the security and reliability of the services through proper patch management techniques. This includes maintaining active awareness of all applicable latest software versions and following a documented process to incorporate these versions into the service as appropriate.
  8. Data Backups - Data importer shall take reasonable measures to protect against accidental destruction or loss of personal data by taking regular backups of this data and applying suitable security measures to the process.

Data exporter
Company Name: [The Data Exporter, as defined in the Agreement]
Name: N/A
Title: N/A
Authorised signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
Date signed: [The Effective Date, as defined in the Agreement]


Data importer
Company name: Bright Interactive Ltd
Name: N/A
Title: N/A
Authorised signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]

 

 

Revision: 22 November 2019