Terms and Conditions
Terms and Conditions
Terms and Conditions
1. These terms
1.1 What these terms cover. These are the terms and conditions on which we supply services to you as set out in the Letter of Engagement and upon which you are granted access to Polyloop (“The Platform”).
2. Information about us and how to contact us
2.1 Who we are. We are Policy Platforms Limited, a company registered in Northern Ireland, UK. Our company registration number is NI681353 and our registered office is at Portview Trade Centre, 310 Newtownards Road, Belfast, Northern Ireland, BT4 1HE
2.2 How to contact us. You can contact us by telephoning our service team at +44 (0)2033 550530 or by writing to us at support@polyloop.io AND Reception, Portview Trade Centre, 310 Newtownards Road, Belfast, Northern Ireland, BT4 1HE
2.3 How we may contact you. If we have to contact you we will do so by telephone or by writing to you at the email address or postal address you provided to us in your order.
2.4 “Writing” includes emails. When we use the words “writing” or “written” in these terms, this includes emails.
3. Our contract with you
3.1 How we will accept your order. Our acceptance of your order will take place when we tell you that we are able to provide you with the services. This will also be confirmed in writing in our Letter of Engagement, at which point a contract will be entered into by you and us.
3.2 What the Letter of Engagement will contain. The Letter of Engagement will set out the following information:
– Our scope of work
– Our fees
– Indicative timetable to complete the scope of work
– Our team
– The person who will be our point of contact at your business
3.3 Conflict with Letter of Engagement. If there is a conflict between the terms of the Letter of Engagement and these terms, the Letter of Engagement shall prevail.
4. Your rights to make changes
4.1 If you wish to make a change to the services please contact us. We will let you know if the change is possible. If it is possible we will let you know about any changes to the price of the services, their timing or anything else which would be necessary as a result of your requested change and ask you to confirm whether you wish to go ahead with the change.
5. Our rights to make changes
5.1 Minor changes to the services. We may change the services:
(a) to reflect changes in relevant laws and regulatory requirements; and
(b) to implement minor technical adjustments and improvements, for example to address a security threat.
These changes will not affect your use of the services.
6. Providing the services
6.1 When we will provide the services. We will supply the services to you from the date set out in our Letter of Engagement for the time period set out in the Letter of Engagement. The estimated completion date for the services is as set out in the Letter of Engagement or until either you end the contract for the services as described in clause 7 or we end the contract by written notice to you as described in clause 8.
6.2 We will comply with all applicable law in our supply of the services in accordance with these terms and conditions and the Letter of Engagement, which for the avoidance of doubt will include, but not be limited to, the Bribery Act 2010 and the Modern Slavery Act 2015. We will ensure that we establish, maintain and enforce policies and procedures which are adequate to ensure compliance with the Modern Slavery Act 2015 and the Bribery Act 2010 and to prevent the concurrence of a Prohibited Act (as defined in the Bribery Act 2010). We will notify You immediately in writing of any failure to comply with this clause. We will keep appropriate records of our compliance with these obligations and make such records available on request. If We fail to comply with this clause, You will have the right to terminate the Agreement immediately without further liability and without prejudice to any other rights or remedies that may have accrued to your benefit under or in connection with this Agreement. We will refund you in full all sums paid by You for the provision of the services.
6.3 We are not responsible for delays outside of our control. If our performance of the services is affected by an event outside our control then we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided we do this we will not be liable for delays caused by the event but if there is a risk of substantial delay you may contact us to end the contract and receive a refund for any services you have paid for but not received.
6.4 If you do not allow us access to provide services. If you have asked us to provide the services to you at your business and you do not allow us access to your business premises as arranged (and you do not have a good reason for this)
we may charge you additional costs incurred by us as a result. If, despite our reasonable efforts, we are unable to contact you or re-arrange access to your business we may end the contract and clause 7.3 will apply.
6.5 Information you must provide to us. The data you supply to us must be accurate and in line with our guidance notes. We will not be responsible for checking the accuracy of the data. The data sources are to be clearly identifiable and
open to evaluation by us. We must be provided with access to stakeholders upon reasonable notice. You will be responsible for inputting data unless otherwise agreed in the Letter of Engagement.
6.6 What will happen if you do not provide required information to us. As we informed you in the Letter of Engagement, we will need certain information from you so that we can provide the services to you. We will contact you in writing to ask for this information. If you do not, within a reasonable time of us asking for it, provide us with this information, or you provide us with incomplete or incorrect information, we may either end the contract (see clause 8.1) or make an additional charge of a reasonable sum to compensate us for any extra work that is required as a result. We will not be responsible for providing the services late or not providing any part of them if this is caused by you not giving us the information we need within a reasonable time of us asking for it.
6.7 Reasons we may suspend the services. We may have to suspend the services to:
(a) deal with technical problems or make minor technical changes;
(b) update the services to reflect changes in relevant laws and regulatory requirements;
(c) make changes to the services as requested by you or notified by us to you (see clause 5).
6.8 Your rights if we suspend the services. We will contact you in advance to tell you we will be suspending the services, unless the problem is urgent or an emergency. If we have to suspend the services for longer than three months in any six month period we will adjust the price so that you do not pay for services while they are suspended. You may contact us to end the contract if we suspend the services, or tell you we are going to suspend them, in each case for a period of more than three months and we will refund any sums you have paid in advance for services not provided to you.
6.9 We may also suspend the services if you do not pay. If you do not pay us for the services when you are supposed to (see clause 10.3) and you still do not make payment within ten days of us reminding you that payment is due, we may suspend supply of the products until you have paid us the outstanding amounts. We will contact you to tell you we are suspending supply of the products. We will not suspend the products where you dispute the unpaid invoice (see clause 10.7). We will not charge you for the services during the period for which they are suspended. As well as suspending the services we can also charge you interest on your overdue payments (see clause 10.6).
7. Your rights to end the contract
7.1 You can always end the contract before the services have been supplied and paid for. You may contact us at any time to end the contract for the services, but in some circumstances we may charge you certain sums for doing so,
as described below.
7.2 What happens if you have good reason for ending the contract. If you are ending the contract for a reason set out below the contract will end immediately and we will refund you in full for any services which have not been provided or have not been properly provided. The relevant reasons are:
(a) We have committed a material breach of our obligation(s) and in the case of any such breach which is capable of remedy, failed to remedy the breach within 10 days of notification of such breach;
(b) we have told you about an upcoming change to the services or these terms which you do not agree to (see clause 5);
(c) we have told you about an error in the price or description of the services you have ordered and you do not wish to proceed;
(d) we suspend the services for technical reasons, or notify you we are going to suspend them for technical reasons, in each case for a period of more than 2 months;
(e) you have a legal right to end the contract because of something we have done wrong;
(f) we enter into liquidation, whether compulsory or voluntarily, other than for the purpose of amalgamation or reconstruction without insolvency;
(g) we compound or make any arrangements with our creditors; or
(h) we cease, or threaten to cease, to carry on business.
7.3 What happens if you end the contract without a good reason. If you are not ending the contract for one of the reasons set out in clause 7.2, the contract will end immediately but we may charge you reasonable compensation for the net costs we will incur as a result of your ending the contract
8. Our rights to end the contract
8.1 We may end the contract if you break it. We may end the contract at any time by writing to you if:
(a) you do not make any payment to us when it is due and you still do not make payment within ten days of us reminding you that payment is due;
(b) you do not, within a reasonable time of us asking for it, provide us with information that is necessary for us to provide the services;
(c) you do not provide internal resources sufficient to enable us to complete the reporting process;
(d) you do not, within a reasonable time, give us access to your property to enable us to provide the services to you; or
(e) it becomes apparent that we are unable to perform the services in a manner that is consistent with our company mission.
To the extent that you do not perform the above responsibilities, we have the option, where appropriate, of performing those services for you and you agree to pay us an additional amount to reflect our additional services.
8.2 You must compensate us if you break the contract. If we end the contract in the situations set out in clause 8.1(a)-(d) we will refund any money you have paid in advance for services we have not provided but we may deduct or charge you compensation for the net costs we will incur as a result of your breaking the contract.
8.3 We may stop providing the services. We may write to you to let you know that we are going to stop providing the services. We will let you know at least 1 month in advance of our stopping the services and will refund any sums you have paid in advance for services which will not be provided.
9. If there is a problem with the services
9.1 How to tell us about problems. If you have any questions or complaints about the services, please contact us on the email set out above.
9.2 Our guarantee. We offer the following goodwill guarantee which is in addition to your legal rights and does not affect them. In the unlikely event there is any defect with the services:
(a) if remedying the defect is impossible or cannot be done within a reasonable time or without significant inconvenience to you we will refund the price you have paid for the services.
(b) in all other circumstances we will use every effort to repair or fix the defect free of charge, without significant inconvenience to you, as soon as we reasonably can and, in any event, within 1 month. If we fail to remedy the defect by this deadline we will refund the price you have paid for the services.
10. Price and payment
10.1. Fees. Customer will pay for access to and use of the Service as set forth on the applicable Order (“Fees”). All Fees will be paid in the currency stated in the applicable Order or, if no currency is specified, Great British Pounds (GBP). Payment obligations are non-cancelable and, except as expressly stated in this Agreement, non-refundable. Polyloop may modify its Fees or introduce new fees at its sole discretion. Customer always has the right to choose not to renew their subscription if they do not agree with any new or revised Fees.
10.2. Payment. Policy Platforms through its third-party payment processor (“Stripe”) will charge Customer for the Fees via credit card, debit card, or ACH payment, pursuant to the credit card or ACH payment information provided by Customer to Policy Platforms. Policy Platforms will have the right to charge Customer’s credit card or ACH payment method for any services provided to Customer by Policy Platforms under the Order, including recurring Fees. It is Customer’s sole responsibility to provide Policy Platforms with current and up to date credit card, debit card, or ACH information; failure to provide such information may result in suspension of Customer’s access to the Services. Policy Platforms will also have the right to set-off any Fees due from Customer to Policy Platforms Limited. If Customer pays the Fees through a Payment Processor such payment processing will be subject to the terms, conditions, and privacy policies of the Payment Processor in addition to this Agreement. Terms and conditions of the payment processor can be found here https://stripe.com/gb/legal/ssa. Policy Platforms Limited is not responsible for any error by, or other acts or omissions of, the Payment Processor. Policy Platforms Limited reserves the right to correct any errors or mistakes that the Payment Processor makes even if Policy Platforms has already requested or received payment. If authorised by Customer through acceptance of an Order, recurring charges (e.g. monthly billing) will be charged to Customer’s payment method without further authorisation from Customer, until Customer terminates this Agreement in accordance with its terms or changes its payment method in Customer’s account in the Service.
10.3. Taxes. Fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Policy Platforms has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, Policy Platforms will invoice Customer and Customer will pay that amount unless Customer provides Policy Platforms with a valid tax exemption certificate authorised by the appropriate taxing authority in advance. For clarity, Policy Platforms is solely responsible for taxes assessable against it based on its income, property, and employees.
10.4. Failure to Pay. If Customer fails to pay any Fees when due, Policy Platforms may suspend Customer’s access to the Service pending payment of such overdue amounts. Customer also authorises Policy Platforms to make multiple re-attempts at charging the Customer’s payment instrument if an initial charge attempt is unsuccessful, without any specific limit on the number of retries. If Customer believes that Policy Platforms has billed Customer incorrectly, Customer must contact Policy Platforms no later than sixty (60) days after the closing date on the first billing statement in which the error or problem appeared, to receive an adjustment or credit. Once Policy Platforms receives notice of a disputed invoice, Policy Platforms will review such notice and provide Customer with a written decision regarding the dispute, including documentary support for such decision. If Policy Platforms reasonably determines that the amounts billed are, in fact, due, Customer will pay such amounts (if they have not done so already) within ten days of Policy Platforms notifying Customer in writing of such decision.
11. Term and Termination.
11.1. Agreement Term and Renewals. Subscriptions to access and use the Service commence on the start date stated on the applicable Order (“Subscription Start Date”) and continue for the duration of the Subscription Period. Customer may choose not to renew its Subscription Period by notifying Policy Platforms at support@polyloop.io (provided that Policy Platforms confirms such cancellation in writing) or by modifying its subscription through Customer’s account within the Service. This Agreement will become effective on the first day of the Subscription Period and remain effective for the duration of the Subscription Period stated on the Order along with any renewals of the Subscription Period and any period that Customer is using the Service even if such use is not under a paid Order (“Term”). If the parties terminate this Agreement, it will automatically terminate all Orders. If Customer cancels or does not renew its paid subscription to the Service, Customer’s subscription will be accessible but will automatically be downgraded to a version of the Service with diminished features and functionality that Policy Platforms offers to unpaid subscribers (“Free Version”). If Customer or Policy Platforms terminates this Agreement or Customer deletes its workspace within the Service, Customer will not have access to the Free Version.
11.2. Termination. Either party may terminate this Agreement upon written notice to the other party if the other party materially breaches this Agreement and such breach is not cured within thirty (30) days after the breaching party’s receipt of such notice. Policy Platforms may terminate Customer’s access to the Free Version at any time upon notice to Customer.
11.3. Effect of Termination. If Customer terminates this Agreement because of Policy Platforms’s uncured breach, Policy Platforms will refund any unused, prepaid Fees for the remainder of the then-current Subscription Period. If Policy Platforms terminates this Agreement because of Customer’s uncured breach, Customer will pay any unpaid Fees covering the remainder of the then-current Subscription Period after the effective date of termination, if any. In no event will any termination relieve Customer of the obligation to pay any Fees payable to Policy Platforms for the period prior to the effective date of termination. Upon any termination of this Agreement, all rights and licenses granted by Policy Platforms hereunder will immediately terminate; Customer will no longer have the right to access or use the Service. Within thirty (30) days of termination of this Agreement for cause, upon Customer’s request following termination, or if Customer deletes its workspace within the Service, Policy Platforms will delete Customer’s User Information, including passwords and all related information, files, and User Submissions, unless Customer requests an earlier deletion in writing. If Customer is using the Free Version, Policy Platforms will retain User Submissions and User Information to facilitate such use. Policy Platforms may delete all User Submissions or User Information if Customer maintains an account in the Free Version but such account is not used for a period of one (1) year or more.
11.4 Where to find the price for the services. The price of the services (which does not include VAT) will be the price we have set out in our Letter of Engagement.
11.5 We will pass on changes in the rate of VAT. If the rate of VAT changes between your order date and the date we provide the services, we will adjust the rate of VAT that you pay, unless you have already paid for the services in full before the change in the rate of VAT takes effect.
11.6 Additional Fees. If, during the course of our services for you, a need for additional services not set out in the Letter of Engagement is identified, agreement to these additional services will be obtained from you before any expenditure
is incurred.
11.7 When you must pay and how you must pay. The Letter of Engagement will set out our fees. You must pay each invoice within 30 calendar days after the date of the invoice.
11.8 What to do if you think an invoice is wrong. If you think an invoice is wrong please contact us promptly to let us know. You will not have to pay any interest until the dispute is resolved. Once the dispute is resolved we will charge you interest on correctly invoiced sums from the original due date
12. Customer Data & Security
12.1 All Customers own all rights, titles and interest in their data. The Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of their data.
12.2 In the event of any loss or damage to Customer Data, Policy Platforms shall use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up, this will be the Customer's sole and exclusive remedy. Policy Platforms shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.
12.3 Policy Platforms will comply with its Privacy Policy. The Privacy Policy may be amended from time to time by Policy Platform at its sole discretion.
12.4 If Policy Platforms processes any personal data on the Customer's behalf when performing its obligations under this Agreement, the parties record their intention that the Customer shall be the data controller and Policy Platforms shall be a data processor, defined as such:
Data Controller - the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.
Data Processors - means any natural or legal person who processes the data on behalf of the Data Controller.
12.4.1 To provide services to you, we may need to share your personal information with parties located within the European Economic Area (EEA), where data protection laws are equivalent to those in the UK. We will take reasonable steps to ensure the privacy of your information and will comply with current legislation before any such sharing occurs.
12.4.2 If applicable, the Customer shall ensure that relevant third parties within the EEA have been informed of, and have given their consent to, such use, processing, and transfer, in accordance with all applicable data protection legislation.
12.4.3 Policy Platforms will process personal data solely in line with the terms of this Agreement and any lawful instructions reasonably provided by the Customer, ensuring data remains within the EEA.
12.4.4 Both parties shall implement appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, as well as accidental loss, destruction, or damage.
12.5 The Processor shall implement and maintain adequate security measures to standards no less than those imposed on the Controller under the Data Protection Legislation whilst it continues to Process the Data on behalf of the Controller, such measures shall include (but not be limited to):
12.5.1 Encryption: Data is encrypted as part of the cloud computing service. This service uses industry-accepted encryption products to protect customer data and communications during transmissions between a customer and Policy Platforms, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centres for replication purposes. All Personal Data is processed through Policy Platforms private infrastructure hosted by AWS.
12.5.2 Backup: All data submitted to Policy Platforms is automatically replicated on a near real-time basis to a secondary data centre site. It is backed up on a regular basis and stored on backup media for 3 days, after which it is securely overwritten or deleted. Any backups are verified for integrity and stored in the same data centres as their instance. At Policy Platforms we maintain a weekly backup of data, stored securely with access permissions limited to key personnel. We have a policy of not moving commercially sensitive data on removable media.
12.5.3 Resilience: All Policy Platforms network accelerators, load balancers, web servers and application servers are configured in a redundant configuration. All Customer Data submitted to Policy Platforms is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to Policy Platforms is stored on highly redundant carrier-class disk storage and multiple data paths to ensure reliability and performance. The Policy Platforms development environment provides various protections against malicious code which are implemented in the Policy Platforms application with the Web Application Firewall.
12.5.4 Disaster recovery: Policy Platforms supports disaster recovery with a dedicated team and a 4 hour recovery point objective (RPO) and 12 hour recovery time objective (RTO). Policy Platforms maintains a Business Continuity Plan outlining business risks, detailing the impact and response to any disruption, and appropriate recovery strategies.
12.5.5 Incident notification: Incident detection and response is part of the security procedures that are incorporated into Policy Platforms standard practices. Policy Platforms also uses security scanners to analyse and monitor the product for potential security issues. Policy Platforms maintains security incident management policies and procedures, and will promptly notify their customers of any actual or reasonably suspected unauthorised disclosure of their respective data. In the event of a disruption or other incident, we would notify our customers directly by email based on our customer usage.
13. The Platform
13.1 Intellectual Property. The copyright in the material contained in the Platform (save for the products/ outcomes of the services) and any trademarks and brands included in that material belongs to us or our licensors. We grant to You a
non-exclusive, non-transferable, licence to use such IPR for Your own internal business purposes with a right to sub-licence such IPR on equivalent terms to an entity within the [company name] Group.
13.1.1 We assign to You by way of present and future assignment, with full title guarantee and free from all third party rights, all intellectual property rights and all other rights in the products and /or outcomes of the services.
13.1.2 We will, promptly at Your request, do (or procure to be done) all such acts and things and the execution of all such other documents as the You may from time to time require for the purpose of securing for You the full benefit of the
Agreement, including right, title and interest in and to the intellectual property rights and all other rights assigned to the You in accordance with clause 11.1A.
13.1.2 Accuracy of Information. We will use reasonable endeavours to ensure that the information available on the Platform is, at all reasonable times, accurate. We will use all reasonable endeavours to correct errors and omissions as quickly
as practicable after becoming aware or being notified of the same.
13.1.3 Changes to the Platform. We may also change, suspend or discontinue any aspect of the Platform, including the availability of any features, information, database or content or restrict access to parts or all of the platform without notice or
liability.
13.2 Our responsibility for loss or damage suffered by you
13.3 We are responsible to you for foreseeable loss and damage caused by us. If we fail to comply with these terms, we are responsible for loss or damage you suffer that is a foreseeable result of our breaking this contract or our failing to use reasonable care and skill, but we are not responsible for any loss or damage that is not foreseeable. Loss or damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both we and you knew it might happen, for example, if you discussed it with us during the sales process.
13.4 We do not exclude or limit in any way our liability for the following:
(a) death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors;
(b) for fraud or fraudulent misrepresentation;
(c) for breach of your legal rights in relation to the services;
(d) for Our liability under clause 13 (data protection).
13.5 Total Liability. Subject to clause 12.2, Our total liability to you in respect of all other losses arising under or in connection with the services, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall in no circumstances exceed the fees received from you.
13.6 We are not liable for business losses. We will have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.
13.7. Data Protection For the purposes of this clause, the following terms will have the definitions set out below:
“Data” has the meaning given in the Data Protection Legislation and more specifically means data as described in Appendix 1 to be made available by the Controller to the Processor for the purposes of providing the services;
“Data Controller” means the Customer as per the definition in the Data Protection Legislation;
“Data Processor” means the Supplier as per the definition in the Data Protection Legislation;
“Data Protection Legislation” means, for the periods in which they are in force in the United Kingdom, the Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the GDPR and all applicable Laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner, in each case as amended or substituted from time to time;
“Data Subject” has the meaning given to it by the Data Protection Legislation;
“GDPR” means (a) the General Data Protection Regulations (Regulation (EU) 2016/679) which comes into force on 25 May 2018; and (b) any equivalent legislation amending or replacing the General Data Protection Regulations (Regulation (EU) 2016/679;
“Personal Data” has the meaning as set out in the Data Protection Legislation which forms part of the Data; “Personal Data Breach” has the meaning as set out in the Data Protection Legislation; “Processing” has the meaning as set out in the Data Protection Legislation and “Process” and “Processed” shall be construed accordingly;
“Special Categories of Personal Data” means Sensitive Personal Data or Special Categories of Personal Data, as defined in the Data Protection Legislation, which is Processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Agreement;
13.8 Both parties shall duly observe all their obligations under the Data Protection Legislation which arise in connection with the contract and shall not perform their obligations in such a way as to cause the other party to breach any of
its obligations under the Data Protection Legislation.
13.9 With respect to the parties’ rights and obligations under the contract, the Parties agree that [company name] Group is the Data Controllers and that the Policy Platforms Limited is the Data Processor.
13.10 The Data Controller shall not disclose any Personal Data to the Data Processor save where it is lawful and in a form which is lawful.
13.11 The subject-matter and duration of the Processing, nature and purpose of the Processing, types of Personal Data, and categories of Data Subjects are set out in Appendix 1 to these Terms and Conditions.
13.12 The Data Controller may make reasonable amends to Appendix 1 by written notice to the Data Processor from time to time as the Data Controller considers necessary to meet the requirements of the Data Protection Legislation.
13.13 The Processor agrees to only Process the Data in accordance with these Terms and Conditions and, subject to the overriding requirements of Data Processing Legislation, undertakes to:
13.14.1 only process the Personal Data for and on behalf of the Controller, strictly in accordance with the written instructions of the Data Controller, unless the Processing is required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by such applicable laws inform the Data Controller of that legal requirement before Processing;
13.14.2 ensure that any personnel with access to Personal Data are subject to a duty of confidentiality (whether contractual or statutory) and ensure that access is strictly limited to those individuals who need to know/access
the Personal Data;
13.14.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall, in relation to the Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred
to in Article 32(1) of the GDPR;
13.14.4 only engage Sub-Contractors with the prior written consent of the Data Controller and under a written contract,
imposing the same data protection obligations as set out in the Agreement, remaining liable to the Data Controller for compliance of any Sub-Contractor engaged and informing the Data Controller of any changes concerning the addition or replacement of Sub-Contractors giving the Data Controller sufficient opportunity to object to such changes;
13.14.5 assist the Data Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the Data Subject’s rights laid
down in the Data Protection Legislation;
13.14.6 notify the Data Controller within five (5) Working Days if it receives a request from a Data Subject under the Data Protection Legislation in respect of the Personal Data and not respond to any such request without the written authorisation of the Data Controller or as required by the Data Protection Legislation to which the Data Processor is subject but only after informing the Data Controller of such legal requirement before responding to the request;
13.14.7 notify the Data Controller without undue delay, and at least within 48 hours, upon becoming aware of a Personal Data Breach, providing the Data Controller with sufficient information to allow it to meet its obligations under the Data Protection Legislation and to enable the Controller to report the breach to the Information
Commissioner’s Office within the 72 hour deadline imposed by the GDPR and assist the Data Controller, as directed, in the investigation, mitigation and remediation of such Personal Data Breach;
13.14.8 assist the Data Controller in ensuring compliance with the obligations pursuant to the Data Protection Legislation taking into account the nature of the Processing for the purposes of the Agreement and the information available
to the Data Processor, including but not limited to those obligations relating to (a) security of processing; (b) notification of a Personal Data Breach to the Information Commissioner’s Office; (c) communication of a Personal Data Breach to the Data Subject; and (d) Data Protection impact assessments and any subsequent consultations with the Information Commissioner’s Office;
13.14.5 on the expiry or termination of the Agreement, promptly upon request from the Data Controller (at the Data Controller’s discretion) either: (a) return all Personal Data to the Data Controller and delete all existing copies, or procure such deletion; or (b) securely destroy such Personal Data, unless an applicable law requires storage of the Personal Data but only to the extent and for such period as required by such law;
13.14.11 notify the Data Controller of the deletion of Personal Data in accordance with Clause 1.6.9 within 21 days of the expiry or termination of the Agreement;
13.14.12 not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Data Controller;
13.14.13 make available to the Data Controller on request all information necessary to demonstrate compliance with the Data Protection Legislation, and allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller including to permit the Data Controller or its external advisers (subject to reasonable and appropriate confidentiality undertakings) to inspect and audit the Data Processor’s data processing activities and those of its agents, subsidiaries and sub-contractors and comply with all
reasonable requests or directions by the Data Controller to enable the Data Controller to verify and procure that the Data Processor is in full compliance with its obligations under the Agreement.
13.15 The Data Processor shall, at all times during and after the term of the Agreement, indemnify the Data Controller and keep the Data Controller indemnified against all losses, damages, costs or expenses and other liabilities (including
legal fees) incurred by, awarded against or agreed to be paid by the Data Controller arising from any breach of the Data Processor’s obligations under this clause except and to the extent that such liabilities have resulted directly from the Data Controller’s instructions.
13.16 The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.
14. Other important terms
14.1 You may only transfer your rights under our guarantee to someone else. You may only transfer your rights or your obligations under these terms to another person with our written consent. We may withhold our consent.
14.2 Nobody else has any rights under this contract. This contract is between you and us. Save for [company name] Group (as defined in the Letter of Engagement), no other person shall have any rights to enforce any of its terms. Neither of us will need the consent of any person acquiring rights under our guarantee to end the contract or make any changes to these terms.
14.3 Notices. Any notice or other communication given by us or you shall be in writing, addressed to us or you at the registered office (if it is a company) or its principal place of business (in any other case) or such other address as we
or you may have specified in writing, and shall be delivered personally or sent by prepaid first-class post or other next working day delivery service, or by commercial courier, or e-mail. A notice or other communication shall be
deemed to have been received: if delivered personally, when left at the address referred to in the Letter of Engagement; if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second business day after posting; if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed; or, if sent by e-mail, on the sending of the e-mail.
14.4 Exclusive Terms. These terms apply to the Agreement to the exclusion of any other terms that you may seek to
impose or incorporate, or which are implied by trade, custom, practice or course of dealing.
14.5 If a court finds part of this contract illegal, the rest will continue in force. Each of the paragraphs of these terms operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining paragraphs will remain in full force and effect.
14.6 Even if we delay in enforcing this contract, we can still enforce it later. If we do not insist immediately that you do anything you are required to do under these terms, or if we delay in taking steps against you in respect of your breaking this contract, that will not mean that you do not have to do those things or prevent us taking steps against you at a later date. For example, if you miss a payment and we do not chase you but we continue to provide the services, we can still require you to make the payment at a later date.
14.7 Dispute Resolution. Any and all disputes relating to this Agreement and/or the subject matter of it, shall in the first instance be referred to the parties contract managers for resolution. Upon such referral the contract managers shall meet within 5 days of such referral to resolve the issue. If the contract managers cannot resolve the issue within 5 days of their meeting, the matter shall be referred to the parties senior management for resolution. If the Senior Managers cannot resolve the issue within 10 days of their meeting over it, the parties shall be free to refer the matter
to meditation or other alternative dispute resolution procedure.
14.8 Which laws apply to this contract and where you may bring legal proceedings. These terms are governed by English law and you can bring legal proceedings in respect of the services in the English courts.
APPENDIX 1: DATA PROCESSING
This Appendix includes certain details of the Processing of Personal Data as required by the Data Protection Legislation.
1 THE SUBJECT-MATTER AND DURATION OF THE PROCESSING
1.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist of:
1.1.1 Subject Matter: the provision of services to [company name] Group by Policy Platforms Limited, as set out in the Letter of Engagement.
1.1.2 Duration of the Processing: the duration of the processing shall be for the term designated under the agreement between Policy Platforms Limited and [company name] Group.
2 THE NATURE AND PURPOSE OF THE PROCESSING
2.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist of:
2.1.1 Policy Platforms will process the Personal Data for the purposes of providing services to [company name] Group, as set out in our Letter of Engagement.
3 THE TYPES OF PERSONAL DATA TO BE PROCESSED
3.1 The types of Personal Data that shall be processed in accordance with this Agreement will be:
3.1.1 The Personal Data that shall be processed in accordance with this Agreement shall include names, telephone numbers, email addresses, job titles.
4 CATEGORIES OF DATA SUBJECTS TO WHOM PERSONAL DATA RELATES
4.1 The categories of individuals whose Personal Data is processed in accordance with this Agreement will be: Employees
1. These terms
1.1 What these terms cover. These are the terms and conditions on which we supply services to you as set out in the Letter of Engagement and upon which you are granted access to Polyloop (“The Platform”).
2. Information about us and how to contact us
2.1 Who we are. We are Policy Platforms Limited, a company registered in Northern Ireland, UK. Our company registration number is NI681353 and our registered office is at Portview Trade Centre, 310 Newtownards Road, Belfast, Northern Ireland, BT4 1HE
2.2 How to contact us. You can contact us by telephoning our service team at +44 (0)2033 550530 or by writing to us at support@polyloop.io AND Reception, Portview Trade Centre, 310 Newtownards Road, Belfast, Northern Ireland, BT4 1HE
2.3 How we may contact you. If we have to contact you we will do so by telephone or by writing to you at the email address or postal address you provided to us in your order.
2.4 “Writing” includes emails. When we use the words “writing” or “written” in these terms, this includes emails.
3. Our contract with you
3.1 How we will accept your order. Our acceptance of your order will take place when we tell you that we are able to provide you with the services. This will also be confirmed in writing in our Letter of Engagement, at which point a contract will be entered into by you and us.
3.2 What the Letter of Engagement will contain. The Letter of Engagement will set out the following information:
– Our scope of work
– Our fees
– Indicative timetable to complete the scope of work
– Our team
– The person who will be our point of contact at your business
3.3 Conflict with Letter of Engagement. If there is a conflict between the terms of the Letter of Engagement and these terms, the Letter of Engagement shall prevail.
4. Your rights to make changes
4.1 If you wish to make a change to the services please contact us. We will let you know if the change is possible. If it is possible we will let you know about any changes to the price of the services, their timing or anything else which
would be necessary as a result of your requested change and ask you to confirm whether you wish to go ahead with the change.
5. Our rights to make changes
5.1 Minor changes to the services. We may change the services:
(a) to reflect changes in relevant laws and regulatory requirements; and
(b) to implement minor technical adjustments and improvements, for example to address a security threat.
These changes will not affect your use of the services.
6. Providing the services
6.1 When we will provide the services. We will supply the services to you from the date set out in our Letter of Engagement for the time period set out in the Letter of Engagement. The estimated completion date for the services is as set out in the Letter of Engagement or until either you end the contract for the services as described in clause 7 or we end the contract by written notice to you as described in clause 8.
6.2 We will comply with all applicable law in our supply of the services in accordance with these terms and conditions and the Letter of Engagement, which for the avoidance of doubt will include, but not be limited to, the Bribery Act 2010 and the Modern Slavery Act 2015. We will ensure that we establish, maintain and enforce policies and procedures which are adequate to ensure compliance with the Modern Slavery Act 2015 and the Bribery Act 2010 and to prevent the concurrence of a Prohibited Act (as defined in the Bribery Act 2010). We will notify You immediately in writing of any failure to comply with this clause. We will keep appropriate records of our compliance with these obligations and make such records available on request. If We fail to comply with this clause, You will have the right to terminate the Agreement immediately without further liability and without prejudice to any other rights or remedies that may have accrued to your benefit under or in connection with this Agreement. We will refund you in full all sums paid by You for the provision of the services.
6.3 We are not responsible for delays outside of our control. If our performance of the services is affected by an event outside our control then we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided we do this we will not be liable for delays caused by the event but if there is a risk of substantial delay you may contact us to end the contract and receive a refund for any services you have paid for but not received.
6.4 If you do not allow us access to provide services. If you have asked us to provide the services to you at your business and you do not allow us access to your business premises as arranged (and you do not have a good reason for this)
we may charge you additional costs incurred by us as a result. If, despite our reasonable efforts, we are unable to contact you or re-arrange access to your business we may end the contract and clause 7.3 will apply.
6.5 Information you must provide to us. The data you supply to us must be accurate and in line with our guidance notes. We will not be responsible for checking the accuracy of the data. The data sources are to be clearly identifiable and
open to evaluation by us. We must be provided with access to stakeholders upon reasonable notice. You will be responsible for inputting data unless otherwise agreed in the Letter of Engagement.
6.6 What will happen if you do not provide required information to us. As we informed you in the Letter of Engagement, we will need certain information from you so that we can provide the services to you. We will contact you in writing to ask for this information. If you do not, within a reasonable time of us asking for it, provide us with this information, or you provide us with incomplete or incorrect information, we may either end the contract (see clause 8.1) or make an additional charge of a reasonable sum to compensate us for any extra work that is required as a result. We will not be responsible for providing the services late or not providing any part of them if this is caused by you not giving us the information we need within a reasonable time of us asking for it.
6.7 Reasons we may suspend the services. We may have to suspend the services to:
(a) deal with technical problems or make minor technical changes;
(b) update the services to reflect changes in relevant laws and regulatory requirements;
(c) make changes to the services as requested by you or notified by us to you (see clause 5).
6.8 Your rights if we suspend the services. We will contact you in advance to tell you we will be suspending the services, unless the problem is urgent or an emergency. If we have to suspend the services for longer than three months in any six month period we will adjust the price so that you do not pay for services while they are suspended. You may contact us to end the contract if we suspend the services, or tell you we are going to suspend them, in each case for a period of more than three months and we will refund any sums you have paid in advance for services not provided to you.
6.9 We may also suspend the services if you do not pay. If you do not pay us for the services when you are supposed to (see clause 10.3) and you still do not make payment within ten days of us reminding you that payment is due, we may suspend supply of the products until you have paid us the outstanding amounts. We will contact you to tell you we are suspending supply of the products. We will not suspend the products where you dispute the unpaid invoice (see clause 10.7). We will not charge you for the services during the period for which they are suspended. As well as suspending the services we can also charge you interest on your overdue payments (see clause 10.6).
7. Your rights to end the contract
7.1 You can always end the contract before the services have been supplied and paid for. You may contact us at any time to end the contract for the services, but in some circumstances we may charge you certain sums for doing so,
as described below.
7.2 What happens if you have good reason for ending the contract. If you are ending the contract for a reason set out below the contract will end immediately and we will refund you in full for any services which have not been provided or have not been properly provided. The relevant reasons are:
(a) We have committed a material breach of our obligation(s) and in the case of any such breach which is capable of remedy, failed to remedy the breach within 10 days of notification of such breach;
(b) we have told you about an upcoming change to the services or these terms which you do not agree to (see clause 5);
(c) we have told you about an error in the price or description of the services you have ordered and you do not wish to proceed;
(d) we suspend the services for technical reasons, or notify you we are going to suspend them for technical reasons, in each case for a period of more than 2 months;
(e) you have a legal right to end the contract because of something we have done wrong;
(f) we enter into liquidation, whether compulsory or voluntarily, other than for the purpose of amalgamation or reconstruction without insolvency;
(g) we compound or make any arrangements with our creditors; or
(h) we cease, or threaten to cease, to carry on business.
7.3 What happens if you end the contract without a good reason. If you are not ending the contract for one of the reasons set out in clause 7.2, the contract will end immediately but we may charge you reasonable compensation for the net costs we will incur as a result of your ending the contract
8. Our rights to end the contract
8.1 We may end the contract if you break it. We may end the contract at any time by writing to you if:
(a) you do not make any payment to us when it is due and you still do not make payment within ten days of us reminding you that payment is due;
(b) you do not, within a reasonable time of us asking for it, provide us with information that is necessary for us to provide the services;
(c) you do not provide internal resources sufficient to enable us to complete the reporting process;
(d) you do not, within a reasonable time, give us access to your property to enable us to provide the services to you; or
(e) it becomes apparent that we are unable to perform the services in a manner that is consistent with our company mission.
To the extent that you do not perform the above responsibilities, we have the option, where appropriate, of performing those services for you and you agree to pay us an additional amount to reflect our additional services.
8.2 You must compensate us if you break the contract. If we end the contract in the situations set out in clause 8.1(a)-(d) we will refund any money you have paid in advance for services we have not provided but we may deduct or charge you compensation for the net costs we will incur as a result of your breaking the contract.
8.3 We may stop providing the services. We may write to you to let you know that we are going to stop providing the services. We will let you know at least 1 month in advance of our stopping the services and will refund any sums you have paid in advance for services which will not be provided.
9. If there is a problem with the services
9.1 How to tell us about problems. If you have any questions or complaints about the services, please contact us on the email set out above.
9.2 Our guarantee. We offer the following goodwill guarantee which is in addition to your legal rights and does not affect them. In the unlikely event there is any defect with the services:
(a) if remedying the defect is impossible or cannot be done within a reasonable time or without significant inconvenience to you we will refund the price you have paid for the services.
(b) in all other circumstances we will use every effort to repair or fix the defect free of charge, without significant inconvenience to you, as soon as we reasonably can and, in any event, within 1 month. If we fail to remedy the defect by this deadline we will refund the price you have paid for the services.
10. Price and payment
10.1. Fees. Customer will pay for access to and use of the Service as set forth on the applicable Order (“Fees”). All Fees will be paid in the currency stated in the applicable Order or, if no currency is specified, Great British Pounds (GBP). Payment obligations are non-cancelable and, except as expressly stated in this Agreement, non-refundable. Polyloop may modify its Fees or introduce new fees at its sole discretion. Customer always has the right to choose not to renew their subscription if they do not agree with any new or revised Fees.
10.2. Payment. Policy Platforms through its third-party payment processor (“Stripe”) will charge Customer for the Fees via credit card, debit card, or ACH payment, pursuant to the credit card or ACH payment information provided by Customer to Policy Platforms. Policy Platforms will have the right to charge Customer’s credit card or ACH payment method for any services provided to Customer by Policy Platforms under the Order, including recurring Fees. It is Customer’s sole responsibility to provide Policy Platforms with current and up to date credit card, debit card, or ACH information; failure to provide such information may result in suspension of Customer’s access to the Services. Policy Platforms will also have the right to set-off any Fees due from Customer to Policy Platforms Limited. If Customer pays the Fees through a Payment Processor such payment processing will be subject to the terms, conditions, and privacy policies of the Payment Processor in addition to this Agreement. Terms and conditions of the payment processor can be found here https://stripe.com/gb/legal/ssa. Policy Platforms Limited is not responsible for any error by, or other acts or omissions of, the Payment Processor. Policy Platforms Limited reserves the right to correct any errors or mistakes that the Payment Processor makes even if Policy Platforms has already requested or received payment. If authorised by Customer through acceptance of an Order, recurring charges (e.g. monthly billing) will be charged to Customer’s payment method without further authorisation from Customer, until Customer terminates this Agreement in accordance with its terms or changes its payment method in Customer’s account in the Service.
10.3. Taxes. Fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Policy Platforms has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, Policy Platforms will invoice Customer and Customer will pay that amount unless Customer provides Policy Platforms with a valid tax exemption certificate authorised by the appropriate taxing authority in advance. For clarity, Policy Platforms is solely responsible for taxes assessable against it based on its income, property, and employees.
10.4. Failure to Pay. If Customer fails to pay any Fees when due, Policy Platforms may suspend Customer’s access to the Service pending payment of such overdue amounts. Customer also authorises Policy Platforms to make multiple re-attempts at charging the Customer’s payment instrument if an initial charge attempt is unsuccessful, without any specific limit on the number of retries. If Customer believes that Policy Platforms has billed Customer incorrectly, Customer must contact Policy Platforms no later than sixty (60) days after the closing date on the first billing statement in which the error or problem appeared, to receive an adjustment or credit. Once Policy Platforms receives notice of a disputed invoice, Policy Platforms will review such notice and provide Customer with a written decision regarding the dispute, including documentary support for such decision. If Policy Platforms reasonably determines that the amounts billed are, in fact, due, Customer will pay such amounts (if they have not done so already) within ten days of Policy Platforms notifying Customer in writing of such decision.
11. Term and Termination.
11.1. Agreement Term and Renewals. Subscriptions to access and use the Service commence on the start date stated on the applicable Order (“Subscription Start Date”) and continue for the duration of the Subscription Period. Customer may choose not to renew its Subscription Period by notifying Policy Platforms at support@polyloop.io (provided that Policy Platforms confirms such cancellation in writing) or by modifying its subscription through Customer’s account within the Service. This Agreement will become effective on the first day of the Subscription Period and remain effective for the duration of the Subscription Period stated on the Order along with any renewals of the Subscription Period and any period that Customer is using the Service even if such use is not under a paid Order (“Term”). If the parties terminate this Agreement, it will automatically terminate all Orders. If Customer cancels or does not renew its paid subscription to the Service, Customer’s subscription will be accessible but will automatically be downgraded to a version of the Service with diminished features and functionality that Policy Platforms offers to unpaid subscribers (“Free Version”). If Customer or Policy Platforms terminates this Agreement or Customer deletes its workspace within the Service, Customer will not have access to the Free Version.
11.2. Termination. Either party may terminate this Agreement upon written notice to the other party if the other party materially breaches this Agreement and such breach is not cured within thirty (30) days after the breaching party’s receipt of such notice. Policy Platforms may terminate Customer’s access to the Free Version at any time upon notice to Customer.
11.3. Effect of Termination. If Customer terminates this Agreement because of Policy Platforms’s uncured breach, Policy Platforms will refund any unused, prepaid Fees for the remainder of the then-current Subscription Period. If Policy Platforms terminates this Agreement because of Customer’s uncured breach, Customer will pay any unpaid Fees covering the remainder of the then-current Subscription Period after the effective date of termination, if any. In no event will any termination relieve Customer of the obligation to pay any Fees payable to Policy Platforms for the period prior to the effective date of termination. Upon any termination of this Agreement, all rights and licenses granted by Policy Platforms hereunder will immediately terminate; Customer will no longer have the right to access or use the Service. Within thirty (30) days of termination of this Agreement for cause, upon Customer’s request following termination, or if Customer deletes its workspace within the Service, Policy Platforms will delete Customer’s User Information, including passwords and all related information, files, and User Submissions, unless Customer requests an earlier deletion in writing. If Customer is using the Free Version, Policy Platforms will retain User Submissions and User Information to facilitate such use. Policy Platforms may delete all User Submissions or User Information if Customer maintains an account in the Free Version but such account is not used for a period of one (1) year or more.
11.4 Where to find the price for the services. The price of the services (which does not include VAT) will be the price we have set out in our Letter of Engagement.
11.5 We will pass on changes in the rate of VAT. If the rate of VAT changes between your order date and the date we provide the services, we will adjust the rate of VAT that you pay, unless you have already paid for the services in full before the change in the rate of VAT takes effect.
11.6 Additional Fees. If, during the course of our services for you, a need for additional services not set out in the Letter of Engagement is identified, agreement to these additional services will be obtained from you before any expenditure
is incurred.
11.7 When you must pay and how you must pay. The Letter of Engagement will set out our fees. You must pay each invoice within 30 calendar days after the date of the invoice.
11.8 What to do if you think an invoice is wrong. If you think an invoice is wrong please contact us promptly to let us know. You will not have to pay any interest until the dispute is resolved. Once the dispute is resolved we will charge you interest on correctly invoiced sums from the original due date
12. Customer Data & Security
12.1 All Customers own all rights, titles and interest in their data. The Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of their data.
12.2 In the event of any loss or damage to Customer Data, Policy Platforms shall use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up, this will be the Customer's sole and exclusive remedy. Policy Platforms shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.
12.3 Policy Platforms will comply with its Privacy Policy. The Privacy Policy may be amended from time to time by Policy Platform at its sole discretion.
12.4 If Policy Platforms processes any personal data on the Customer's behalf when performing its obligations under this Agreement, the parties record their intention that the Customer shall be the data controller and Policy Platforms shall be a data processor, defined as such:
Data Controller - the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.
Data Processors - means any natural or legal person who processes the data on behalf of the Data Controller.
12.4.1 To provide services to you, we may need to share your personal information with parties located within the European Economic Area (EEA), where data protection laws are equivalent to those in the UK. We will take reasonable steps to ensure the privacy of your information and will comply with current legislation before any such sharing occurs.
12.4.2 If applicable, the Customer shall ensure that relevant third parties within the EEA have been informed of, and have given their consent to, such use, processing, and transfer, in accordance with all applicable data protection legislation.
12.4.3 Policy Platforms will process personal data solely in line with the terms of this Agreement and any lawful instructions reasonably provided by the Customer, ensuring data remains within the EEA.
12.4.4 Both parties shall implement appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, as well as accidental loss, destruction, or damage.
12.5 The Processor shall implement and maintain adequate security measures to standards no less than those imposed on the Controller under the Data Protection Legislation whilst it continues to Process the Data on behalf of the Controller, such measures shall include (but not be limited to):
12.5.1 Encryption: Data is encrypted as part of the cloud computing service. This service uses industry-accepted encryption products to protect customer data and communications during transmissions between a customer and Policy Platforms, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centres for replication purposes. All Personal Data is processed through Policy Platforms private infrastructure hosted by AWS.
12.5.2 Backup: All data submitted to Policy Platforms is automatically replicated on a near real-time basis to a secondary data centre site. It is backed up on a regular basis and stored on backup media for 3 days, after which it is securely overwritten or deleted. Any backups are verified for integrity and stored in the same data centres as their instance. At Policy Platforms we maintain a weekly backup of data, stored securely with access permissions limited to key personnel. We have a policy of not moving commercially sensitive data on removable media.
12.5.3 Resilience: All Policy Platforms network accelerators, load balancers, web servers and application servers are configured in a redundant configuration. All Customer Data submitted to Policy Platforms is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to Policy Platforms is stored on highly redundant carrier-class disk storage and multiple data paths to ensure reliability and performance. The Policy Platforms development environment provides various protections against malicious code which are implemented in the Policy Platforms application with Web Application Firewall.
12.5.4 Disaster recovery: Policy Platforms supports disaster recovery with a dedicated team and a 4 hour recovery point objective (RPO) and 12 hour recovery time objective (RTO). Policy Platforms maintains a Business Continuity Plan outlining business risks, detailing the impact and response to any disruption, and appropriate recovery strategies.
12.5.5 Incident notification: Incident detection and response is part of the security procedures that are incorporated into Policy Platforms standard practices. Policy Platforms also uses security scanners to analyse and monitor the product for potential security issues. Policy Platforms maintains security incident management policies and procedures, and will promptly notify their customers of any actual or reasonably suspected unauthorised disclosure of their respective data. In the event of a disruption or other incident, we would notify our customers directly by email based on our customer usage.
13. The Platform
13.1 Intellectual Property. The copyright in the material contained in the Platform (save for the products/ outcomes of the services) and any trademarks and brands included in that material belongs to us or our licensors. We grant to You a
non-exclusive, non-transferable, licence to use such IPR for Your own internal business purposes with a right to sub-licence such IPR on equivalent terms to an entity within the [company name] Group.
13.1.1 We assign to You by way of present and future assignment, with full title guarantee and free from all third party rights, all intellectual property rights and all other rights in the products and /or outcomes of the services.
13.1.2 We will, promptly at Your request, do (or procure to be done) all such acts and things and the execution of all such other documents as the You may from time to time require for the purpose of securing for You the full benefit of the
Agreement, including right, title and interest in and to the intellectual property rights and all other rights assigned to the You in accordance with clause 11.1A.
13.1.2 Accuracy of Information. We will use reasonable endeavours to ensure that the information available on the Platform is, at all reasonable times, accurate. We will use all reasonable endeavours to correct errors and omissions as quickly
as practicable after becoming aware or being notified of the same.
13.1.3 Changes to the Platform. We may also change, suspend or discontinue any aspect of the Platform, including the availability of any features, information, database or content or restrict access to parts or all of the platform without notice or
liability.
13.2 Our responsibility for loss or damage suffered by you
13.3 We are responsible to you for foreseeable loss and damage caused by us. If we fail to comply with these terms, we are responsible for loss or damage you suffer that is a foreseeable result of our breaking this contract or our failing to use reasonable care and skill, but we are not responsible for any loss or damage that is not foreseeable. Loss or damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both we and you knew it might happen, for example, if you discussed it with us during the sales process.
13.4 We do not exclude or limit in any way our liability for the following:
(a) death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors;
(b) for fraud or fraudulent misrepresentation;
(c) for breach of your legal rights in relation to the services;
(d) for Our liability under clause 13 (data protection).
13.5 Total Liability. Subject to clause 12.2, Our total liability to you in respect of all other losses arising under or in connection with the services, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall in no circumstances exceed the fees received from you.
13.6 We are not liable for business losses. We will have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.
13.7. Data Protection For the purposes of this clause, the following terms will have the definitions set out below:
“Data” has the meaning given in the Data Protection Legislation and more specifically means data as described in Appendix 1 to be made available by the Controller to the Processor for the purposes of providing the services; “Data Controller” means the Customer as per the definition in the Data Protection Legislation; “Data Processor” means the Supplier as per the definition in the Data Protection Legislation; “Data Protection Legislation” means, for the periods in which they are in force in the United Kingdom, the Data
Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the GDPR and all applicable Laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner, in each case as amended or substituted from time to time;
“Data Subject” has the meaning given to it by the Data Protection Legislation;
“GDPR” means (a) the General Data Protection Regulations (Regulation (EU) 2016/679) which comes into force on 25 May 2018; and (b) any equivalent legislation amending or replacing the General Data Protection Regulations
(Regulation (EU) 2016/679; “Personal Data” has the meaning as set out in the Data Protection Legislation which forms part of the Data; “Personal Data Breach” has the meaning as set out in the Data Protection Legislation; “Processing” has the meaning as set out in the Data Protection Legislation and “Process” and “Processed” shall be
construed accordingly; “Special Categories of Personal Data” means Sensitive Personal Data or Special Categories of Personal Data, as defined in the Data Protection Legislation, which is Processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Agreement;
13.8 Both parties shall duly observe all their obligations under the Data Protection Legislation which arise in connection with the contract and shall not perform their obligations in such a way as to cause the other party to breach any of
its obligations under the Data Protection Legislation.
13.9 With respect to the parties’ rights and obligations under the contract, the Parties agree that [company name] Group is the Data Controllers and that the Policy Platforms Limited is the Data Processor.
13.10 The Data Controller shall not disclose any Personal Data to the Data Processor save where it is lawful and in a form which is lawful.
13.11 The subject-matter and duration of the Processing, nature and purpose of the Processing, types of Personal Data, and categories of Data Subjects are set out in Appendix 1 to these Terms and Conditions.
13.12 The Data Controller may make reasonable amends to Appendix 1 by written notice to the Data Processor from time to time as the Data Controller considers necessary to meet the requirements of the Data Protection Legislation.
13.13 The Processor agrees to only Process the Data in accordance with these Terms and Conditions and, subject to the overriding requirements of Data Processing Legislation, undertakes to:
13.14.1 only process the Personal Data for and on behalf of the Controller, strictly in accordance with the written instructions of the Data Controller, unless the Processing is required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by such applicable laws inform the Data Controller of that legal requirement before Processing;
13.14.2 ensure that any personnel with access to Personal Data are subject to a duty of confidentiality (whether contractual or statutory) and ensure that access is strictly limited to those individuals who need to know/access
the Personal Data;
13.14.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall, in relation to the Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred
to in Article 32(1) of the GDPR;
13.14.4 only engage Sub-Contractors with the prior written consent of the Data Controller and under a written contract,
imposing the same data protection obligations as set out in the Agreement, remaining liable to the Data Controller for compliance of any Sub-Contractor engaged and informing the Data Controller of any changes concerning the addition or replacement of Sub-Contractors giving the Data Controller sufficient opportunity to object to such changes;
13.14.5 assist the Data Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the Data Subject’s rights laid
down in the Data Protection Legislation;
13.14.6 notify the Data Controller within five (5) Working Days if it receives a request from a Data Subject under the Data Protection Legislation in respect of the Personal Data and not respond to any such request without the written authorisation of the Data Controller or as required by the Data Protection Legislation to which the Data Processor is subject but only after informing the Data Controller of such legal requirement before responding to the request;
13.14.7 notify the Data Controller without undue delay, and at least within 48 hours, upon becoming aware of a Personal Data Breach, providing the Data Controller with sufficient information to allow it to meet its obligations under the Data Protection Legislation and to enable the Controller to report the breach to the Information
Commissioner’s Office within the 72 hour deadline imposed by the GDPR and assist the Data Controller, as directed, in the investigation, mitigation and remediation of such Personal Data Breach;
13.14.8 assist the Data Controller in ensuring compliance with the obligations pursuant to the Data Protection Legislation taking into account the nature of the Processing for the purposes of the Agreement and the information available
to the Data Processor, including but not limited to those obligations relating to (a) security of processing; (b) notification of a Personal Data Breach to the Information Commissioner’s Office; (c) communication of a Personal Data Breach to the Data Subject; and (d) Data Protection impact assessments and any subsequent consultations with the Information Commissioner’s Office;
13.14.5 on the expiry or termination of the Agreement, promptly upon request from the Data Controller (at the Data Controller’s discretion) either: (a) return all Personal Data to the Data Controller and delete all existing copies, or procure such deletion; or (b) securely destroy such Personal Data, unless an applicable law requires storage of the Personal Data but only to the extent and for such period as required by such law;
13.14.11 notify the Data Controller of the deletion of Personal Data in accordance with Clause 1.6.9 within 21 days of the expiry or termination of the Agreement;
13.14.12 not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Data Controller;
13.14.13 make available to the Data Controller on request all information necessary to demonstrate compliance with the Data Protection Legislation, and allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller including to permit the Data Controller or its external advisers (subject to reasonable and appropriate confidentiality undertakings) to inspect and audit the Data Processor’s data processing activities and those of its agents, subsidiaries and sub-contractors and comply with all
reasonable requests or directions by the Data Controller to enable the Data Controller to verify and procure that the Data Processor is in full compliance with its obligations under the Agreement.
13.15 The Data Processor shall, at all times during and after the term of the Agreement, indemnify the Data Controller and keep the Data Controller indemnified against all losses, damages, costs or expenses and other liabilities (including
legal fees) incurred by, awarded against or agreed to be paid by the Data Controller arising from any breach of the Data Processor’s obligations under this clause except and to the extent that such liabilities have resulted directly from the Data Controller’s instructions.
13.16 The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.
14. Other important terms
14.1 You may only transfer your rights under our guarantee to someone else. You may only transfer your rights or your obligations under these terms to another person with our written consent. We may withhold our consent.
14.2 Nobody else has any rights under this contract. This contract is between you and us. Save for [company name] Group (as defined in the Letter of Engagement), no other person shall have any rights to enforce any of its terms. Neither of us will need the consent of any person acquiring rights under our guarantee to end the contract or make any changes to these terms.
14.3 Notices. Any notice or other communication given by us or you shall be in writing, addressed to us or you at the registered office (if it is a company) or its principal place of business (in any other case) or such other address as we
or you may have specified in writing, and shall be delivered personally or sent by prepaid first-class post or other next working day delivery service, or by commercial courier, or e-mail. A notice or other communication shall be
deemed to have been received: if delivered personally, when left at the address referred to in the Letter of Engagement; if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second business day after posting; if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed; or, if sent by e-mail, on the sending of the e-mail.
14.4 Exclusive Terms. These terms apply to the Agreement to the exclusion of any other terms that you may seek to
impose or incorporate, or which are implied by trade, custom, practice or course of dealing.
14.5 If a court finds part of this contract illegal, the rest will continue in force. Each of the paragraphs of these terms operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining paragraphs will remain in full force and effect.
14.6 Even if we delay in enforcing this contract, we can still enforce it later. If we do not insist immediately that you do anything you are required to do under these terms, or if we delay in taking steps against you in respect of your breaking this contract, that will not mean that you do not have to do those things or prevent us taking steps against you at a later date. For example, if you miss a payment and we do not chase you but we continue to provide the services, we can still require you to make the payment at a later date.
14.7 Dispute Resolution. Any and all disputes relating to this Agreement and/or the subject matter of it, shall in the first instance be referred to the parties contract managers for resolution. Upon such referral the contract managers shall meet within 5 days of such referral to resolve the issue. If the contract managers cannot resolve the issue within 5 days of their meeting, the matter shall be referred to the parties senior management for resolution. If the Senior Managers cannot resolve the issue within 10 days of their meeting over it, the parties shall be free to refer the matter
to meditation or other alternative dispute resolution procedure.
14.8 Which laws apply to this contract and where you may bring legal proceedings. These terms are governed by English law and you can bring legal proceedings in respect of the services in the English courts.
APPENDIX 1: DATA PROCESSING
This Appendix includes certain details of the Processing of Personal Data as required by the Data Protection Legislation.
1 THE SUBJECT-MATTER AND DURATION OF THE PROCESSING
1.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist of:
1.1.1 Subject Matter: the provision of services to [company name] Group by Policy Platforms Limited, as set out in the Letter of Engagement.
1.1.2 Duration of the Processing: the duration of the processing shall be for the term designated under the agreement between Policy Platforms Limited and [company name] Group.
2 THE NATURE AND PURPOSE OF THE PROCESSING
2.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist of:
2.1.1 Policy Platforms will process the Personal Data for the purposes of providing services to [company name] Group, as set out in our Letter of Engagement.
3 THE TYPES OF PERSONAL DATA TO BE PROCESSED
3.1 The types of Personal Data that shall be processed in accordance with this Agreement will be:
3.1.1 The Personal Data that shall be processed in accordance with this Agreement shall include names, telephone numbers, email addresses, job titles.
4 CATEGORIES OF DATA SUBJECTS TO WHOM PERSONAL DATA RELATES
4.1 The categories of individuals whose Personal Data is processed in accordance with this Agreement will be: Employees
1. These terms
1.1 What these terms cover. These are the terms and conditions on which we supply services to you as set out in the Letter of Engagement and upon which you are granted access to Polyloop (“The Platform”).
2. Information about us and how to contact us
2.1 Who we are. We are Policy Platforms Limited, a company registered in Northern Ireland, UK. Our company registration number is NI681353 and our registered office is at Portview Trade Centre, 310 Newtownards Road, Belfast, Northern Ireland, BT4 1HE
2.2 How to contact us. You can contact us by telephoning our service team at +44 (0)2033 550530 or by writing to us at support@polyloop.io AND Reception, Portview Trade Centre, 310 Newtownards Road, Belfast, Northern Ireland, BT4 1HE
2.3 How we may contact you. If we have to contact you we will do so by telephone or by writing to you at the email address or postal address you provided to us in your order.
2.4 “Writing” includes emails. When we use the words “writing” or “written” in these terms, this includes emails.
3. Our contract with you
3.1 How we will accept your order. Our acceptance of your order will take place when we tell you that we are able to provide you with the services. This will also be confirmed in writing in our Letter of Engagement, at which point a contract will be entered into by you and us.
3.2 What the Letter of Engagement will contain. The Letter of Engagement will set out the following information:
– Our scope of work
– Our fees
– Indicative timetable to complete the scope of work
– Our team
– The person who will be our point of contact at your business
3.3 Conflict with Letter of Engagement. If there is a conflict between the terms of the Letter of Engagement and these terms, the Letter of Engagement shall prevail.
4. Your rights to make changes
4.1 If you wish to make a change to the services please contact us. We will let you know if the change is possible. If it is possible we will let you know about any changes to the price of the services, their timing or anything else which
would be necessary as a result of your requested change and ask you to confirm whether you wish to go ahead with the change.
5. Our rights to make changes
5.1 Minor changes to the services. We may change the services:
(a) to reflect changes in relevant laws and regulatory requirements; and
(b) to implement minor technical adjustments and improvements, for example to address a security threat.
These changes will not affect your use of the services.
6. Providing the services
6.1 When we will provide the services. We will supply the services to you from the date set out in our Letter of Engagement for the time period set out in the Letter of Engagement. The estimated completion date for the services is as set out in the Letter of Engagement or until either you end the contract for the services as described in clause 7 or we end the contract by written notice to you as described in clause 8.
6.2 We will comply with all applicable law in our supply of the services in accordance with these terms and conditions and the Letter of Engagement, which for the avoidance of doubt will include, but not be limited to, the Bribery Act 2010 and the Modern Slavery Act 2015. We will ensure that we establish, maintain and enforce policies and procedures which are adequate to ensure compliance with the Modern Slavery Act 2015 and the Bribery Act 2010 and to prevent the concurrence of a Prohibited Act (as defined in the Bribery Act 2010). We will notify You immediately in writing of any failure to comply with this clause. We will keep appropriate records of our compliance with these obligations and make such records available on request. If We fail to comply with this clause, You will have the right to terminate the Agreement immediately without further liability and without prejudice to any other rights or remedies that may have accrued to your benefit under or in connection with this Agreement. We will refund you in full all sums paid by You for the provision of the services.
6.3 We are not responsible for delays outside of our control. If our performance of the services is affected by an event outside our control then we will contact you as soon as possible to let you know and we will take steps to minimise the effect of the delay. Provided we do this we will not be liable for delays caused by the event but if there is a risk of substantial delay you may contact us to end the contract and receive a refund for any services you have paid for but not received.
6.4 If you do not allow us access to provide services. If you have asked us to provide the services to you at your business and you do not allow us access to your business premises as arranged (and you do not have a good reason for this)
we may charge you additional costs incurred by us as a result. If, despite our reasonable efforts, we are unable to contact you or re-arrange access to your business we may end the contract and clause 7.3 will apply.
6.5 Information you must provide to us. The data you supply to us must be accurate and in line with our guidance notes. We will not be responsible for checking the accuracy of the data. The data sources are to be clearly identifiable and
open to evaluation by us. We must be provided with access to stakeholders upon reasonable notice. You will be responsible for inputting data unless otherwise agreed in the Letter of Engagement.
6.6 What will happen if you do not provide required information to us. As we informed you in the Letter of Engagement, we will need certain information from you so that we can provide the services to you. We will contact you in writing to ask for this information. If you do not, within a reasonable time of us asking for it, provide us with this information, or you provide us with incomplete or incorrect information, we may either end the contract (see clause 8.1) or make an additional charge of a reasonable sum to compensate us for any extra work that is required as a result. We will not be responsible for providing the services late or not providing any part of them if this is caused by you not giving us the information we need within a reasonable time of us asking for it.
6.7 Reasons we may suspend the services. We may have to suspend the services to:
(a) deal with technical problems or make minor technical changes;
(b) update the services to reflect changes in relevant laws and regulatory requirements;
(c) make changes to the services as requested by you or notified by us to you (see clause 5).
6.8 Your rights if we suspend the services. We will contact you in advance to tell you we will be suspending the services, unless the problem is urgent or an emergency. If we have to suspend the services for longer than three months in any six month period we will adjust the price so that you do not pay for services while they are suspended. You may contact us to end the contract if we suspend the services, or tell you we are going to suspend them, in each case for a period of more than three months and we will refund any sums you have paid in advance for services not provided to you.
6.9 We may also suspend the services if you do not pay. If you do not pay us for the services when you are supposed to (see clause 10.3) and you still do not make payment within ten days of us reminding you that payment is due, we may suspend supply of the products until you have paid us the outstanding amounts. We will contact you to tell you we are suspending supply of the products. We will not suspend the products where you dispute the unpaid invoice (see clause 10.7). We will not charge you for the services during the period for which they are suspended. As well as suspending the services we can also charge you interest on your overdue payments (see clause 10.6).
7. Your rights to end the contract
7.1 You can always end the contract before the services have been supplied and paid for. You may contact us at any time to end the contract for the services, but in some circumstances we may charge you certain sums for doing so,
as described below.
7.2 What happens if you have good reason for ending the contract. If you are ending the contract for a reason set out below the contract will end immediately and we will refund you in full for any services which have not been provided or have not been properly provided. The relevant reasons are:
(a) We have committed a material breach of our obligation(s) and in the case of any such breach which is capable of remedy, failed to remedy the breach within 10 days of notification of such breach;
(b) we have told you about an upcoming change to the services or these terms which you do not agree to (see clause 5);
(c) we have told you about an error in the price or description of the services you have ordered and you do not wish to proceed;
(d) we suspend the services for technical reasons, or notify you we are going to suspend them for technical reasons, in each case for a period of more than 2 months;
(e) you have a legal right to end the contract because of something we have done wrong;
(f) we enter into liquidation, whether compulsory or voluntarily, other than for the purpose of amalgamation or reconstruction without insolvency;
(g) we compound or make any arrangements with our creditors; or
(h) we cease, or threaten to cease, to carry on business.
7.3 What happens if you end the contract without a good reason. If you are not ending the contract for one of the reasons set out in clause 7.2, the contract will end immediately but we may charge you reasonable compensation for the net costs we will incur as a result of your ending the contract
8. Our rights to end the contract
8.1 We may end the contract if you break it. We may end the contract at any time by writing to you if:
(a) you do not make any payment to us when it is due and you still do not make payment within ten days of us reminding you that payment is due;
(b) you do not, within a reasonable time of us asking for it, provide us with information that is necessary for us to provide the services;
(c) you do not provide internal resources sufficient to enable us to complete the reporting process;
(d) you do not, within a reasonable time, give us access to your property to enable us to provide the services to you; or
(e) it becomes apparent that we are unable to perform the services in a manner that is consistent with our company mission.
To the extent that you do not perform the above responsibilities, we have the option, where appropriate, of performing those services for you and you agree to pay us an additional amount to reflect our additional services.
8.2 You must compensate us if you break the contract. If we end the contract in the situations set out in clause 8.1(a)-(d) we will refund any money you have paid in advance for services we have not provided but we may deduct or charge you compensation for the net costs we will incur as a result of your breaking the contract.
8.3 We may stop providing the services. We may write to you to let you know that we are going to stop providing the services. We will let you know at least 1 month in advance of our stopping the services and will refund any sums you have paid in advance for services which will not be provided.
9. If there is a problem with the services
9.1 How to tell us about problems. If you have any questions or complaints about the services, please contact us on the email set out above.
9.2 Our guarantee. We offer the following goodwill guarantee which is in addition to your legal rights and does not affect them. In the unlikely event there is any defect with the services:
(a) if remedying the defect is impossible or cannot be done within a reasonable time or without significant inconvenience to you we will refund the price you have paid for the services.
(b) in all other circumstances we will use every effort to repair or fix the defect free of charge, without significant inconvenience to you, as soon as we reasonably can and, in any event, within 1 month. If we fail to remedy the defect by this deadline we will refund the price you have paid for the services.
10. Price and payment
10.1. Fees. Customer will pay for access to and use of the Service as set forth on the applicable Order (“Fees”). All Fees will be paid in the currency stated in the applicable Order or, if no currency is specified, Great British Pounds (GBP). Payment obligations are non-cancelable and, except as expressly stated in this Agreement, non-refundable. Polyloop may modify its Fees or introduce new fees at its sole discretion. Customer always has the right to choose not to renew their subscription if they do not agree with any new or revised Fees.
10.2. Payment. Policy Platforms through its third-party payment processor (“Stripe”) will charge Customer for the Fees via credit card, debit card, or ACH payment, pursuant to the credit card or ACH payment information provided by Customer to Policy Platforms. Policy Platforms will have the right to charge Customer’s credit card or ACH payment method for any services provided to Customer by Policy Platforms under the Order, including recurring Fees. It is Customer’s sole responsibility to provide Policy Platforms with current and up to date credit card, debit card, or ACH information; failure to provide such information may result in suspension of Customer’s access to the Services. Policy Platforms will also have the right to set-off any Fees due from Customer to Policy Platforms Limited. If Customer pays the Fees through a Payment Processor such payment processing will be subject to the terms, conditions, and privacy policies of the Payment Processor in addition to this Agreement. Terms and conditions of the payment processor can be found here https://stripe.com/gb/legal/ssa. Policy Platforms Limited is not responsible for any error by, or other acts or omissions of, the Payment Processor. Policy Platforms Limited reserves the right to correct any errors or mistakes that the Payment Processor makes even if Policy Platforms has already requested or received payment. If authorised by Customer through acceptance of an Order, recurring charges (e.g. monthly billing) will be charged to Customer’s payment method without further authorisation from Customer, until Customer terminates this Agreement in accordance with its terms or changes its payment method in Customer’s account in the Service.
10.3. Taxes. Fees do not include any taxes, levies, duties or similar governmental assessments of any nature, including, for example, value-added, sales, use or withholding taxes, assessable by any jurisdiction whatsoever (collectively, “Taxes”). Customer is responsible for paying all Taxes associated with its purchases hereunder. If Policy Platforms has the legal obligation to pay or collect Taxes for which Customer is responsible under this section, Policy Platforms will invoice Customer and Customer will pay that amount unless Customer provides Policy Platforms with a valid tax exemption certificate authorised by the appropriate taxing authority in advance. For clarity, Policy Platforms is solely responsible for taxes assessable against it based on its income, property, and employees.
10.4. Failure to Pay. If Customer fails to pay any Fees when due, Policy Platforms may suspend Customer’s access to the Service pending payment of such overdue amounts. Customer also authorises Policy Platforms to make multiple re-attempts at charging the Customer’s payment instrument if an initial charge attempt is unsuccessful, without any specific limit on the number of retries. If Customer believes that Policy Platforms has billed Customer incorrectly, Customer must contact Policy Platforms no later than sixty (60) days after the closing date on the first billing statement in which the error or problem appeared, to receive an adjustment or credit. Once Policy Platforms receives notice of a disputed invoice, Policy Platforms will review such notice and provide Customer with a written decision regarding the dispute, including documentary support for such decision. If Policy Platforms reasonably determines that the amounts billed are, in fact, due, Customer will pay such amounts (if they have not done so already) within ten days of Policy Platforms notifying Customer in writing of such decision.
11. Term and Termination.
11.1. Agreement Term and Renewals. Subscriptions to access and use the Service commence on the start date stated on the applicable Order (“Subscription Start Date”) and continue for the duration of the Subscription Period. Customer may choose not to renew its Subscription Period by notifying Policy Platforms at support@polyloop.io (provided that Policy Platforms confirms such cancellation in writing) or by modifying its subscription through Customer’s account within the Service. This Agreement will become effective on the first day of the Subscription Period and remain effective for the duration of the Subscription Period stated on the Order along with any renewals of the Subscription Period and any period that Customer is using the Service even if such use is not under a paid Order (“Term”). If the parties terminate this Agreement, it will automatically terminate all Orders. If Customer cancels or does not renew its paid subscription to the Service, Customer’s subscription will be accessible but will automatically be downgraded to a version of the Service with diminished features and functionality that Policy Platforms offers to unpaid subscribers (“Free Version”). If Customer or Policy Platforms terminates this Agreement or Customer deletes its workspace within the Service, Customer will not have access to the Free Version.
11.2. Termination. Either party may terminate this Agreement upon written notice to the other party if the other party materially breaches this Agreement and such breach is not cured within thirty (30) days after the breaching party’s receipt of such notice. Policy Platforms may terminate Customer’s access to the Free Version at any time upon notice to Customer.
11.3. Effect of Termination. If Customer terminates this Agreement because of Policy Platforms’s uncured breach, Policy Platforms will refund any unused, prepaid Fees for the remainder of the then-current Subscription Period. If Policy Platforms terminates this Agreement because of Customer’s uncured breach, Customer will pay any unpaid Fees covering the remainder of the then-current Subscription Period after the effective date of termination, if any. In no event will any termination relieve Customer of the obligation to pay any Fees payable to Policy Platforms for the period prior to the effective date of termination. Upon any termination of this Agreement, all rights and licenses granted by Policy Platforms hereunder will immediately terminate; Customer will no longer have the right to access or use the Service. Within thirty (30) days of termination of this Agreement for cause, upon Customer’s request following termination, or if Customer deletes its workspace within the Service, Policy Platforms will delete Customer’s User Information, including passwords and all related information, files, and User Submissions, unless Customer requests an earlier deletion in writing. If Customer is using the Free Version, Policy Platforms will retain User Submissions and User Information to facilitate such use. Policy Platforms may delete all User Submissions or User Information if Customer maintains an account in the Free Version but such account is not used for a period of one (1) year or more.
11.4 Where to find the price for the services. The price of the services (which does not include VAT) will be the price we have set out in our Letter of Engagement.
11.5 We will pass on changes in the rate of VAT. If the rate of VAT changes between your order date and the date we provide the services, we will adjust the rate of VAT that you pay, unless you have already paid for the services in full before the change in the rate of VAT takes effect.
11.6 Additional Fees. If, during the course of our services for you, a need for additional services not set out in the Letter of Engagement is identified, agreement to these additional services will be obtained from you before any expenditure
is incurred.
11.7 When you must pay and how you must pay. The Letter of Engagement will set out our fees. You must pay each invoice within 30 calendar days after the date of the invoice.
11.8 What to do if you think an invoice is wrong. If you think an invoice is wrong please contact us promptly to let us know. You will not have to pay any interest until the dispute is resolved. Once the dispute is resolved we will charge you interest on correctly invoiced sums from the original due date
12. Customer Data & Security
12.1 All Customers own all rights, titles and interest in their data. The Customer shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of their data.
12.2 In the event of any loss or damage to Customer Data, Policy Platforms shall use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up, this will be the Customer's sole and exclusive remedy. Policy Platforms shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party.
12.3 Policy Platforms will comply with its Privacy Policy. The Privacy Policy may be amended from time to time by Policy Platform at its sole discretion.
12.4 If Policy Platforms processes any personal data on the Customer's behalf when performing its obligations under this Agreement, the parties record their intention that the Customer shall be the data controller and Policy Platforms shall be a data processor, defined as such:
Data Controller - the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.
Data Processors - means any natural or legal person who processes the data on behalf of the Data Controller.
12.4.1 To provide services to you, we may need to share your personal information with parties located within the European Economic Area (EEA), where data protection laws are equivalent to those in the UK. We will take reasonable steps to ensure the privacy of your information and will comply with current legislation before any such sharing occurs.
12.4.2 If applicable, the Customer shall ensure that relevant third parties within the EEA have been informed of, and have given their consent to, such use, processing, and transfer, in accordance with all applicable data protection legislation.
12.4.3 Policy Platforms will process personal data solely in line with the terms of this Agreement and any lawful instructions reasonably provided by the Customer, ensuring data remains within the EEA.
12.4.4 Both parties shall implement appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, as well as accidental loss, destruction, or damage.
12.5 The Processor shall implement and maintain adequate security measures to standards no less than those imposed on the Controller under the Data Protection Legislation whilst it continues to Process the Data on behalf of the Controller, such measures shall include (but not be limited to):
12.5.1 Encryption: Data is encrypted as part of the cloud computing service. This service uses industry-accepted encryption products to protect customer data and communications during transmissions between a customer and Policy Platforms, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum. Additionally, Customer Data is encrypted during transmission between data centres for replication purposes. All Personal Data is processed through Policy Platforms private infrastructure hosted by AWS.
12.5.2 Backup: All data submitted to Policy Platforms is automatically replicated on a near real-time basis to a secondary data centre site. It is backed up on a regular basis and stored on backup media for 3 days, after which it is securely overwritten or deleted. Any backups are verified for integrity and stored in the same data centres as their instance. At Policy Platforms we maintain a weekly backup of data, stored securely with access permissions limited to key personnel. We have a policy of not moving commercially sensitive data on removable media.
12.5.3 Resilience: All Policy Platforms network accelerators, load balancers, web servers and application servers are configured in a redundant configuration. All Customer Data submitted to Policy Platforms is stored on a primary database server with multiple active clusters for higher availability. All Customer Data submitted to Policy Platforms is stored on highly redundant carrier-class disk storage and multiple data paths to ensure reliability and performance. The Policy Platforms development environment provides various protections against malicious code which are implemented in the Policy Platforms application with Web Application Firewall.
12.5.4 Disaster recovery: Policy Platforms supports disaster recovery with a dedicated team and a 4 hour recovery point objective (RPO) and 12 hour recovery time objective (RTO). Policy Platforms maintains a Business Continuity Plan outlining business risks, detailing the impact and response to any disruption, and appropriate recovery strategies.
12.5.5 Incident notification: Incident detection and response is part of the security procedures that are incorporated into Policy Platforms standard practices. Policy Platforms also uses security scanners to analyse and monitor the product for potential security issues. Policy Platforms maintains security incident management policies and procedures, and will promptly notify their customers of any actual or reasonably suspected unauthorised disclosure of their respective data. In the event of a disruption or other incident, we would notify our customers directly by email based on our customer usage.
13. The Platform
13.1 Intellectual Property. The copyright in the material contained in the Platform (save for the products/ outcomes of the services) and any trademarks and brands included in that material belongs to us or our licensors. We grant to You a
non-exclusive, non-transferable, licence to use such IPR for Your own internal business purposes with a right to sub-licence such IPR on equivalent terms to an entity within the [company name] Group.
13.1.1 We assign to You by way of present and future assignment, with full title guarantee and free from all third party rights, all intellectual property rights and all other rights in the products and /or outcomes of the services.
13.1.2 We will, promptly at Your request, do (or procure to be done) all such acts and things and the execution of all such other documents as the You may from time to time require for the purpose of securing for You the full benefit of the
Agreement, including right, title and interest in and to the intellectual property rights and all other rights assigned to the You in accordance with clause 11.1A.
13.1.2 Accuracy of Information. We will use reasonable endeavours to ensure that the information available on the Platform is, at all reasonable times, accurate. We will use all reasonable endeavours to correct errors and omissions as quickly
as practicable after becoming aware or being notified of the same.
13.1.3 Changes to the Platform. We may also change, suspend or discontinue any aspect of the Platform, including the availability of any features, information, database or content or restrict access to parts or all of the platform without notice or
liability.
13.2 Our responsibility for loss or damage suffered by you
13.3 We are responsible to you for foreseeable loss and damage caused by us. If we fail to comply with these terms, we are responsible for loss or damage you suffer that is a foreseeable result of our breaking this contract or our failing to use reasonable care and skill, but we are not responsible for any loss or damage that is not foreseeable. Loss or damage is foreseeable if either it is obvious that it will happen or if, at the time the contract was made, both we and you knew it might happen, for example, if you discussed it with us during the sales process.
13.4 We do not exclude or limit in any way our liability for the following:
(a) death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors;
(b) for fraud or fraudulent misrepresentation;
(c) for breach of your legal rights in relation to the services;
(d) for Our liability under clause 13 (data protection).
13.5 Total Liability. Subject to clause 12.2, Our total liability to you in respect of all other losses arising under or in connection with the services, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall in no circumstances exceed the fees received from you.
13.6 We are not liable for business losses. We will have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.
13.7. Data Protection For the purposes of this clause, the following terms will have the definitions set out below:
“Data” has the meaning given in the Data Protection Legislation and more specifically means data as described in Appendix 1 to be made available by the Controller to the Processor for the purposes of providing the services; “Data Controller” means the Customer as per the definition in the Data Protection Legislation; “Data Processor” means the Supplier as per the definition in the Data Protection Legislation; “Data Protection Legislation” means, for the periods in which they are in force in the United Kingdom, the Data
Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the GDPR and all applicable Laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner, in each case as amended or substituted from time to time;
“Data Subject” has the meaning given to it by the Data Protection Legislation;
“GDPR” means (a) the General Data Protection Regulations (Regulation (EU) 2016/679) which comes into force on 25 May 2018; and (b) any equivalent legislation amending or replacing the General Data Protection Regulations
(Regulation (EU) 2016/679; “Personal Data” has the meaning as set out in the Data Protection Legislation which forms part of the Data; “Personal Data Breach” has the meaning as set out in the Data Protection Legislation; “Processing” has the meaning as set out in the Data Protection Legislation and “Process” and “Processed” shall be
construed accordingly; “Special Categories of Personal Data” means Sensitive Personal Data or Special Categories of Personal Data, as defined in the Data Protection Legislation, which is Processed by the Data Processor on behalf of the Data Controller pursuant to or in connection with the Agreement;
13.8 Both parties shall duly observe all their obligations under the Data Protection Legislation which arise in connection with the contract and shall not perform their obligations in such a way as to cause the other party to breach any of
its obligations under the Data Protection Legislation.
13.9 With respect to the parties’ rights and obligations under the contract, the Parties agree that [company name] Group is the Data Controllers and that the Policy Platforms Limited is the Data Processor.
13.10 The Data Controller shall not disclose any Personal Data to the Data Processor save where it is lawful and in a form which is lawful.
13.11 The subject-matter and duration of the Processing, nature and purpose of the Processing, types of Personal Data, and categories of Data Subjects are set out in Appendix 1 to these Terms and Conditions.
13.12 The Data Controller may make reasonable amends to Appendix 1 by written notice to the Data Processor from time to time as the Data Controller considers necessary to meet the requirements of the Data Protection Legislation.
13.13 The Processor agrees to only Process the Data in accordance with these Terms and Conditions and, subject to the overriding requirements of Data Processing Legislation, undertakes to:
13.14.1 only process the Personal Data for and on behalf of the Controller, strictly in accordance with the written instructions of the Data Controller, unless the Processing is required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by such applicable laws inform the Data Controller of that legal requirement before Processing;
13.14.2 ensure that any personnel with access to Personal Data are subject to a duty of confidentiality (whether contractual or statutory) and ensure that access is strictly limited to those individuals who need to know/access
the Personal Data;
13.14.3 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall, in relation to the Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred
to in Article 32(1) of the GDPR;
13.14.4 only engage Sub-Contractors with the prior written consent of the Data Controller and under a written contract,
imposing the same data protection obligations as set out in the Agreement, remaining liable to the Data Controller for compliance of any Sub-Contractor engaged and informing the Data Controller of any changes concerning the addition or replacement of Sub-Contractors giving the Data Controller sufficient opportunity to object to such changes;
13.14.5 assist the Data Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Data Controller’s obligations to respond to requests for exercising the Data Subject’s rights laid
down in the Data Protection Legislation;
13.14.6 notify the Data Controller within five (5) Working Days if it receives a request from a Data Subject under the Data Protection Legislation in respect of the Personal Data and not respond to any such request without the written authorisation of the Data Controller or as required by the Data Protection Legislation to which the Data Processor is subject but only after informing the Data Controller of such legal requirement before responding to the request;
13.14.7 notify the Data Controller without undue delay, and at least within 48 hours, upon becoming aware of a Personal Data Breach, providing the Data Controller with sufficient information to allow it to meet its obligations under the Data Protection Legislation and to enable the Controller to report the breach to the Information
Commissioner’s Office within the 72 hour deadline imposed by the GDPR and assist the Data Controller, as directed, in the investigation, mitigation and remediation of such Personal Data Breach;
13.14.8 assist the Data Controller in ensuring compliance with the obligations pursuant to the Data Protection Legislation taking into account the nature of the Processing for the purposes of the Agreement and the information available
to the Data Processor, including but not limited to those obligations relating to (a) security of processing; (b) notification of a Personal Data Breach to the Information Commissioner’s Office; (c) communication of a Personal Data Breach to the Data Subject; and (d) Data Protection impact assessments and any subsequent consultations with the Information Commissioner’s Office;
13.14.5 on the expiry or termination of the Agreement, promptly upon request from the Data Controller (at the Data Controller’s discretion) either: (a) return all Personal Data to the Data Controller and delete all existing copies, or procure such deletion; or (b) securely destroy such Personal Data, unless an applicable law requires storage of the Personal Data but only to the extent and for such period as required by such law;
13.14.11 notify the Data Controller of the deletion of Personal Data in accordance with Clause 1.6.9 within 21 days of the expiry or termination of the Agreement;
13.14.12 not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Data Controller;
13.14.13 make available to the Data Controller on request all information necessary to demonstrate compliance with the Data Protection Legislation, and allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller including to permit the Data Controller or its external advisers (subject to reasonable and appropriate confidentiality undertakings) to inspect and audit the Data Processor’s data processing activities and those of its agents, subsidiaries and sub-contractors and comply with all
reasonable requests or directions by the Data Controller to enable the Data Controller to verify and procure that the Data Processor is in full compliance with its obligations under the Agreement.
13.15 The Data Processor shall, at all times during and after the term of the Agreement, indemnify the Data Controller and keep the Data Controller indemnified against all losses, damages, costs or expenses and other liabilities (including
legal fees) incurred by, awarded against or agreed to be paid by the Data Controller arising from any breach of the Data Processor’s obligations under this clause except and to the extent that such liabilities have resulted directly from the Data Controller’s instructions.
13.16 The provisions of this clause shall apply during the continuance of the Agreement and indefinitely after its expiry or termination.
14. Other important terms
14.1 You may only transfer your rights under our guarantee to someone else. You may only transfer your rights or your obligations under these terms to another person with our written consent. We may withhold our consent.
14.2 Nobody else has any rights under this contract. This contract is between you and us. Save for [company name] Group (as defined in the Letter of Engagement), no other person shall have any rights to enforce any of its terms. Neither of us will need the consent of any person acquiring rights under our guarantee to end the contract or make any changes to these terms.
14.3 Notices. Any notice or other communication given by us or you shall be in writing, addressed to us or you at the registered office (if it is a company) or its principal place of business (in any other case) or such other address as we
or you may have specified in writing, and shall be delivered personally or sent by prepaid first-class post or other next working day delivery service, or by commercial courier, or e-mail. A notice or other communication shall be
deemed to have been received: if delivered personally, when left at the address referred to in the Letter of Engagement; if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second business day after posting; if delivered by commercial courier, on the date and at the time that the courier’s delivery receipt is signed; or, if sent by e-mail, on the sending of the e-mail.
14.4 Exclusive Terms. These terms apply to the Agreement to the exclusion of any other terms that you may seek to
impose or incorporate, or which are implied by trade, custom, practice or course of dealing.
14.5 If a court finds part of this contract illegal, the rest will continue in force. Each of the paragraphs of these terms operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining paragraphs will remain in full force and effect.
14.6 Even if we delay in enforcing this contract, we can still enforce it later. If we do not insist immediately that you do anything you are required to do under these terms, or if we delay in taking steps against you in respect of your breaking this contract, that will not mean that you do not have to do those things or prevent us taking steps against you at a later date. For example, if you miss a payment and we do not chase you but we continue to provide the services, we can still require you to make the payment at a later date.
14.7 Dispute Resolution. Any and all disputes relating to this Agreement and/or the subject matter of it, shall in the first instance be referred to the parties contract managers for resolution. Upon such referral the contract managers shall meet within 5 days of such referral to resolve the issue. If the contract managers cannot resolve the issue within 5 days of their meeting, the matter shall be referred to the parties senior management for resolution. If the Senior Managers cannot resolve the issue within 10 days of their meeting over it, the parties shall be free to refer the matter
to meditation or other alternative dispute resolution procedure.
14.8 Which laws apply to this contract and where you may bring legal proceedings. These terms are governed by English law and you can bring legal proceedings in respect of the services in the English courts.
APPENDIX 1: DATA PROCESSING
This Appendix includes certain details of the Processing of Personal Data as required by the Data Protection Legislation.
1 THE SUBJECT-MATTER AND DURATION OF THE PROCESSING
1.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist of:
1.1.1 Subject Matter: the provision of services to [company name] Group by Policy Platforms Limited, as set out in the Letter of Engagement.
1.1.2 Duration of the Processing: the duration of the processing shall be for the term designated under the agreement between Policy Platforms Limited and [company name] Group.
2 THE NATURE AND PURPOSE OF THE PROCESSING
2.1 The subject-matter and duration of the Processing of Personal Data in accordance with this Agreement shall consist of:
2.1.1 Policy Platforms will process the Personal Data for the purposes of providing services to [company name] Group, as set out in our Letter of Engagement.
3 THE TYPES OF PERSONAL DATA TO BE PROCESSED
3.1 The types of Personal Data that shall be processed in accordance with this Agreement will be:
3.1.1 The Personal Data that shall be processed in accordance with this Agreement shall include names, telephone numbers, email addresses, job titles.
4 CATEGORIES OF DATA SUBJECTS TO WHOM PERSONAL DATA RELATES
4.1 The categories of individuals whose Personal Data is processed in accordance with this Agreement will be: Employees
© Policy Platforms Ltd