SUBSCRIBER TERMS AND CONDITIONS
PARTIES:
MÉDIS – SERVIÇOS DE SAÚDE, S.A., legal person no. 517246236, holding share capital of 50,000.00 Euros; (“First Contracting Party”)
TRANSACTOR SERVICES LIMITED, a company registered in England and Wales with company number 04153911, whose registered office is located at 2 Upperton Gardens, Eastbourne, England BN21 2AH (“Second Contracting Party”)
The SUBSCRIBER whose details are provided in the Order (“Subscriber”)
These terms and conditions set out the terms and conditions on which the Second Contracting Party will contract with the First Contracting Party and the Subscriber to supply the Subscriber with the Services.
By agreeing an Order, as described below, you agree, on behalf of the Subscriber, to be bound by the terms herein. If you do not have authorization to bind the Subscriber, or you do not agree with these terms, do not register to use the Services.
(A) The Second Contracting Party renders the provision of the Services (as defined below), to which end it is endowed with its own structure, comprising specialised technical staff, with the appropriate technical qualifications to provide the services it proposes to carry out, as well as having the appropriate material resources and equipment necessary to provide the aforementioned services, having all the legal and regulatory authorisations applicable to the carrying out of its activity.
(B) Subscriber wishes to use, and Second Contracting Party has agreed to permit Subscriber to use, the Services in accordance with the terms of this Agreement.
(C) The First Contracting Party has agreed to pay the Charges to the Second Contracting Party in respect of such use of the Services by the Subscriber.
NOW THEREFORE, the Parties hereby agree as follows:
1.1. In this Agreement the following expressions shall, unless the context otherwise requires, have the following respective meanings:
“Agreement” means the agreement between the First Contracting Party, the Second Contracting Party and the Subscriber, which shall comprise the Order and these Terms and Conditions and all Schedules.
“Charges” means the Subscription Fee specified in the Order.
“Commencement Date” means the date on which the provision of the Services shall commence as set out in the Order.
“Effective Date” means the date on which the Order is accepted by all parties.
“Intellectual Property Rights” means all intellectual property rights, including patents, utility models, trade and service marks, trade names, domain names, right in designs, copyrights, moral rights, topography rights, rights in databases, trade secrets and know-how, in all cases whether or not registered or registrable and including registrations and applications for registration of any of these and rights to apply for the same, and all rights and forms of protection of a similar nature or having equivalent or similar effect to any of these anywhere in the world.
“Non-Personal Data” means all data which is not Personal Data and, for the avoidance of doubt, Non-Personal Data includes, without limitation, all laboratory product, dental service and pricing data which the Subscriber makes available for processing using the Services.
“Order” means the order placed by the First Contracting Party or the Subscriber for the Subscriber’s use of the Services, which has been accepted by the other parties in writing, by email, or by provision of access to the Services.
“Personal Data” shall have the meaning set out in the Data Processing Addendum.
“Portal” means, where the Order specifies that the Services will be accessed via desktop as a service, the website portal used to facilitate Use of the Services.
“Second Contracting Party Data” means data which may be made available to the First Contracting Party or the Subscriber by Second Contracting Party, at Second Contracting Party’s sole discretion, via the Services from time to time.
“Services” means the services to be provided by Second Contracting Party to the Subscriber, which shall include the provision of such software and software as a service as is set out in the Order, together with the Set Up Services and Support Services.
“Set Up Services” means the set up services (if any) agreed between the Second Contracting Party and the Subscriber, which may include but not be limited to, set up and configuration; customization; data input; data migration; back end modifications.
“Subscriber Data” means all data, materials, or content uploaded by the Subscriber or its Users in connection with the Services. This does not include any data or information comprised within the Second Contracting Party Data.
“Support Schedule” means the support schedule attached at Annex 1.
“Support Services” means the support services in respect of the Services more particularly described in the Support Schedule.
“Term” means the minimum term set out in the Order.
“Training Services” means the training services, if any, in respect of the Services more particularly described on the Order or otherwise agreed between the Subscriber and the Second Contracting Party.
“Use” means to access (and permit users to access) the Services in the manner set out in the Order, and to use the Services for the Subscriber’s own internal business purposes and only to the extent necessary to receive the benefit of the Services as expressly contemplated hereunder.
“User Manual” means the documentation (if any) provided by Second Contracting Party to the Subscriber which contains information about the use of the Services, including governance requirements and laboratory procedures, Portal security procedures and other generally applicable policies governing the use of the Services which are issued by Second Contracting Party to the Subscriber from time to time and/or is available on the Portal applicable to the relevant Services, as may be updated from time to time.
“Users” means the permitted number of Subscriber’s employees and/or self-employed consultants as from time to time may Use the Services as required by the Subscriber and specified on the Order or otherwise agreed in writing between the parties.
“Working Hours” means 09:00 to 17:00, Monday to Friday, excluding all bank and public holidays.
1.2. The Order(s) form part of this Agreement and shall be subject to the terms and conditions set out herein.
2. ORDER PROCESS
2.1. Orders may be agreed between the parties in writing, or through the registration functionality that forms part of the Services.
2.2. A binding contract for the provision of the Services shall not come into existence between the First Contracting Party, the Second Contracting Party and the Subscriber until acceptance of the Order by Second Contracting Party.
2.3. Acceptance of the Order by Second Contracting Party shall be deemed to have occurred on the earlier of: written notification by Second Contracting Party to the other parties of acceptance of the Order; where applicable, notification by Second Contracting Party that the Portal has been made available; or, if applicable, provision by Second Contracting Party of the Services. Second Contracting Party may reject the Order for any reason, in which case Second Contracting Party shall notify the Subscriber and the First Contracting Party that the Order has been rejected.
3. PURPOSE
3.1. From the Commencement Date, for the Term, Second Contracting Party shall provide the Services to the Subscriber.
3.2. Subject to the payment of the Charges and to all the terms of this Agreement, Second Contracting Party shall provide the Set Up Services in accordance with the Order.
3.3. In the event that the Order specifies, or the parties otherwise agree, that Training Services will be provided, the following provisions shall apply:
3.3.1. the date and timing of the training days and/or online training sessions will be agreed by the Subscriber and Second Contracting Party provided that Second Contracting Party reserves the right to decide when each online training session and/or training day will take place and to modify these dates provided it gives the Subscriber reasonable notice;
3.3.2. all online training sessions and/or training days must be used prior to the termination of this Agreement.
3.5. Subscriber agrees to give Second Contracting Party access and assistance as may be necessary for Second Contracting Party to audit Subscriber’s operations wherever situated, as and to the extent that Second Contracting Party deems necessary to confirm Subscriber’s compliance with this Agreement.
4. SUBSCRIBER’S OBLIGATIONS
4.1. Where the Subscriber uses the Services to procure items from another subscriber, the Subscriber acknowledges and agrees that the contract for such procurement is between the Subscriber and the other subscriber. Provider shall have no rights, obligations or liabilities under such contract, and the Subscriber shall be responsible for agreeing appropriate terms with the other subscriber.
4.2. The Subscriber shall:
4.2.1. ensure that the Subscriber and its Users are and shall remain compliant with the User Manual; and
4.2.2. act in accordance with the reasonable instructions of Second Contracting Party.
4.3. The Subscriber acknowledges that it is solely responsible for setting the permissions and access rights for its Users; and shall be liable for all Use made of the Services, whether authorised or unauthorised, by the Users or by any person using a login registered to one of its Users.
4.4. The Subscriber will not:
4.4.1. attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services in any form or media or by any means;
4.4.2. attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Services;
4.4.3. access, store, distribute or transmit Viruses or any harmful or illegal material during the course of its use of the Services; or
4.4.4. introduce or permit the introduction of, any Virus or Vulnerability into the Provider’s network and information systems.
5. USE OF THE SERVICES
5.1. Subject to the payment of the Charges by the First Contracting Party or the Subscriber, Second Contracting Party hereby grants to the Subscriber the non-exclusive, non-assignable, non-sub-licensable right to access and Use the Services in the manner set out in the Order, and to permit Users to Use the Services for the term of this Agreement.
5.2. The Subscriber shall and shall procure that each User shall use the Services only in accordance with the terms of this Agreement and the User Manual. The Subscriber shall be responsible for the use of the Services by Users and shall be liable for breach of this Agreement by a User as if it were a breach by the Subscriber. In addition to any other remedies in respect of such breach, Second Contracting Party shall be entitled to suspend the access of a User who fails to comply with the User Manual.
5.4. Second Contracting Party shall use reasonable endeavours to ensure that access to the Services is available during Working Hours; however, the Subscriber acknowledges and agrees that the Services may not be accessible to the Subscriber from time to time.
5.5. Second Contracting Party shall provide the Support Services to the Subscriber during the Working Hours. The Second Contracting Party shall use reasonable endeavours to schedule service interruptions outside of the Working Hours and reasonable endeavours to give as much prior written notice of such scheduled service interruptions to the Subscriber as possible.
5.6.1. use the Services to provide to any third parties, computing services or access thereto, including but not limited to commercial software or computer timesharing, rental or sharing arrangements, or data processing services offered on a service bureau basis;
5.6.2. provide, disclose, divulge or make available to, or permit use of the Services by persons other than Users without Second Contracting Party’s prior written consent;
5.6.3. remove or alter any copyright or other proprietary notice on any of the Services;
5.6.4. fail to comply with the User Manual.
6.1. In consideration for the provision of the Services to Subscriber hereunder, the First Contracting Party or the Subscriber (as set out in the Order) shall pay Second Contracting Party the Charges. The Charges shall be due and payable thirty (30) days from the date of an invoice in respect thereof issued by Second Contracting Party. In the event that the Charges are not paid in accordance with the provisions herein, subject to clause 6.4 Second Contracting Party shall be entitled to terminate or suspend the provision of the Services forthwith on notice.
6.2. Second Contracting Party reserves the right to charge the First Contracting Party or the Subscriber (as applicable) interest on any payment not made in accordance with the payment terms. Interest will be calculated on a daily basis, both before and after any judgement, at the rate of 8 per cent per annum above the Bank of England’s base rate from time to time, for the period from the due date until the date on which the outstanding payment is actually paid.
6.3. All payments made or to be made under this Agreement shall be made in full, without any deduction, withholding, set-off or counterclaim on account of any taxes or otherwise.
6.4. Where the Order specifies that the First Contracting Party will pay the Charges, and if the Charges are not paid in accordance with the provisions of this Agreement, the Second Contracting Party will notify the Subscriber and request that the Subscriber assumes responsibility for payment of the Charges. Where the Subscriber has not confirmed that it will assume responsibility for payment of the Charges within 30 days the Second Contracting Party shall be entitled to terminate or suspend the provision of the Services forthwith on notice.
6.5. In the event of a bona fide dispute regarding any invoice or other request for payment, the First Contracting Party or the Subscriber (as applicable) shall immediately notify Second Contracting Party in writing and the Parties shall attempt promptly and in good faith to resolve any dispute regarding the amounts owed. In each such case, the First Contracting Party or the Subscriber shall pay all undisputed amounts on or before the due date for payment of such invoice.
6.6. The Charges are exclusive of any applicable sales, use or service tax or any other applicable tax of any nature whatsoever, including any Value Added Tax; all such taxes will be added to the appropriate invoice and shall be payable by the First Contracting Party or the Subscriber in accordance with the law from time to time and the terms hereof. If any applicable law requires the First Contracting Party or the Subscriber to withhold amounts from any payments to Second Contracting Party hereunder, (i) the relevant party shall effect such withholding, remit such amounts to the appropriate taxing authorities and promptly furnish Second Contracting Party with tax receipts evidencing the payments of such amounts, and (ii) the sum payable by the relevant party upon which the deduction or withholding is based shall be increased to the extent necessary to ensure that, after such deduction or withholding, Second Contracting Party receives and retains, free from liability for such deduction or withholding, a net amount equal to the amount Second Contracting Party would have received and retained in the absence of such required deduction or withholding.
6.7. Second Contracting Party may increase the Charges from time to time on the provision of reasonable notice to the First Contracting Party or the Subscriber, as applicable.
7.1. The Second Contracting Party, hereby declares and guarantees that it complies with all legislation and regulations applicable to the activity pursued by it and that it has and will have - directly or through any entities which may be outsourced by it under the terms of the Outsourcing Clause - all the authorisations, licenses and/or approvals that, under the terms of the law and regulations, are applicable to it and are necessary for the pursuit of the activity, as well as for the fulfilment of the obligations arising from this Agreement.
7.2. The Second Contracting Party undertakes to maintain in force, throughout the term of this Agreement, the insurance policy whose policy has been attached as an Annex to this Agreement.
7.3. The First Contracting Party reserves the right to request at any time from the Second Contracting Party documentary evidence of compliance with the obligations referred to in the previous number.
7.4. The Second Contracting Party warrants that the Services meet the requirement and are suitable for the objectives and purposes agreed between the First Contracting Party and the Second Contracting Party in writing.
7.5. The Second Contracting Party further undertakes to cooperate with the Insurance and Pension Funds Supervisory Authority, or any person designated by it, with regard to the function or activity outsourced, under the terms defined in this Agreement.
7.6. The Second Contracting Party will submit to the First Contracting Party the reports that the First Contracting Party reasonably deems necessary for its security function, including reports regarding the internal audit function of the Second Contracting Party.
7.7. The Subscriber hereby warrants that the information provided by the Subscriber to Second Contracting Party is true, accurate and correct. The Subscriber further warrants that it shall promptly notify Second Contracting Party in the event of any changes to such information provided.
7.8. The express warranties set forth in this clause 7 are exclusive and in lieu of all other warranties, express or implied, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and any warranties arising by statute or otherwise in law or from course of dealing, course of performance, or use of trade and whether written or oral, all of which are hereby excluded and disclaimed to the fullest extent permissible by law. Without prejudice to the generality of the foregoing, Second Contracting Party (including its respective licensors, agents and sub-contractors, if any) does not warrant that the operation of the Services will be uninterrupted and hereby disclaims any and all liability in respect thereof.
8. BREACH
8.1. Without prejudice to the provisions of the Agreement Termination and Revocation Clause, the Second Contracting Party will inform the First Contracting Party in writing about any possible situations that may result in non-compliance with any obligations assumed by it and arising from this Agreement, as well as the foreseeable duration of the non-compliance, undertaking, in any case, to use all means at its disposal to avoid delays.
9. LIABILITY
9.1. Subject to clauses 9.2 and 9.4, the First Contracting Party and the Subscriber’s sole remedy at any time with respect to any claims arising out of the Agreement shall be limited in the aggregate to the monies paid by the First Contracting Party and/or the Subscriber to Second Contracting Party under this Agreement during the twelve (12) month period preceding the earliest event giving rise to such liability.
9.2. In no event shall any party (including its respective licensors, agents and sub-contractors, if any) be liable for:
9.2.1. any loss of profits, loss of anticipated savings, loss of data, business interruption, loss of use, loss of contracts, loss of goodwill business or business benefit, or the cost of procurement of substitute services by any other party (whether direct or indirect);
9.2.2. any special, indirect, incidental, or consequential damages or losses of any nature whatsoever.
9.3. In no event shall the Second Contracting Party (including its respective licensors, agents and sub-contractors, if any) be liable for:
9.3.1. any losses, damages or costs that arise wholly or partly as a result of any Subscriber or third party act, omission, software, services or systems;
9.3.2. any losses or costs that arise as a result of the supply by the Subscriber or the display by the Services of any incorrect or incomplete Non-Personal Data and/or Second Contracting Party Data; or
9.3.3. the provision of or failure to provide any Second Contracting Party Data to the Subscriber.
9.5. All Parties accept that the limitations and exclusions set out in this Agreement are reasonable having regard to all the circumstances.
9.6. The First Contracting Party and the Subscriber hereby agree to afford Second Contracting Party not less than thirty (30) days (following notification thereof by Subscriber) in which to remedy any event of default hereunder.
9.7. No employee, agent, representative or affiliate of Second Contracting Party has authority to bind Second Contracting Party to any oral representations or warranty concerning the Services. Any written representation or warranty not expressly contained in this Agreement is unenforceable except that this shall not exclude liability for fraudulent misrepresentation.
10. INTELLECTUAL PROPERTY RIGHTS
10.1. Subscriber acknowledges that except for the limited rights expressly granted hereunder, it has no claim, right, title or interest with respect to any of the Intellectual Property Rights in the Services.
10.2. The Subscriber hereby grants to the Second Contracting Party the non-exclusive, non-assignable, non-sub-licensable right to use the Subscriber Data to the extent necessary to provide the Services for the term of this Agreement.
10.3. The Subscriber hereby grants to the Subscriber the non-exclusive, non-assignable, non-sub-licensable right to use the Subscriber Data to assess, analyse and report on the provision of the Subscriber’s products and services to the (and the products and services of other subscribers to the Services) to the Subscriber’s customers.
10.4. The Second Contracting Party may use the Second Contracting Party Data for any purpose, including without limitation usage data or audit logs, which the Second Contracting Party may monitor independently for their internal purposes, including but not limited to improving the Services, ensuring accurate billing, and providing support.
11.1. For the purposes of the provisions of this Agreement, Confidential Information shall be taken to mean any and all written, verbal, computerised or digital information, or of any other nature, relating to the activity, transactions, business or services provided by any of the Parties, or which contains data of an organisational, technical, commercial or financial nature, namely “know-how”, customer or supplier lists, materials and equipment, product lists, studies, “software” or any other information relating to the activity of each of the Parties or any company with which it has a controlling or group relationship.
11.2. All parties undertake:
11.2.1. To maintain the confidentiality of the information referred to in Clause 11.1 and which they have learned as a result of the performance of this Agreement/by any means;
11.2.2. Not to use said information in any context other than that of the present Agreement, unless previously authorised to this end by the other Contracting Party;
11.2.3. To avoid, by all lawful means within their reach, the information provided by the other Party from being communicated to third parties unrelated with the present Agreement;
11.2.4. To refrain from copying, wholly or partially, revealing, making use of or treating the confidential information in a manner different from that specifically stipulated in this Agreement;
11.2.5. To limit access to and the use of confidential information to their employees and to those entities outsourced by them which are directly involved in the negotiation and performance of the Agreement, restricting them to that which is strictly necessary for the purposes thereof and enforcing the non-disclosure obligations determined herein;
11.2.6. To return or destroy, at the request of the Contracting Party that revealed it, any information provided in writing or in any tangible manner, as well as any copies that may be in their possession;
11.2.7. To inform the other parties about any notifications received from the public authorities to provide confidential information and observe the recommendations of the latter which are compatible with the summons or with the legal obligation forming the basis for the notification and accompanying said information with the indication that it is confidential information belonging to a third party revealing a trade or industrial secret or a secret pertaining to intellectual and similar property rights.
11.3. The Parties further undertake not to disclose to third parties any information or documents exchanged between them within the scope of the negotiations of this Agreement, including the final clauses thereof.
11.4. The Parties hereby undertake to ensure that these confidentiality obligations will bind their employees and/or contributors, with the Parties being jointly and severally liable along with their employees and/or contributors for any breaches of the duty of confidentiality that they may incur.
11.5. The confidentiality obligations arising from this Agreement will be binding on the Parties after the termination hereof.
12. RESTRICTIONS ON COMMUNICATIONS AND ADVERTISING
12.1. None of the parties may use, mention, directly or indirectly, the name, brand, logo or any other distinctive trademarks, nor any reference to the products and/or services of the other parties, in any communication or advertising, regardless of the means, materials or support, without the specific, prior authorisation of the party to be the object of mention.
12.2. This limitation applies to all establishments of the parties, regardless of the territorial scope of the object of this Agreement.
12.3. The previous numbers do not apply to communications made exclusively for internal dissemination within the parties themselves or within companies in a controlling or group relationship with the parties.
13.1. This Agreement shall commence on the Effective Date and shall continue for the Term, unless terminated by either party in accordance with clause 13.2. Thereafter, this Agreement shall continue until terminated by either Party by giving at least thirty (30) days’ written notice to the other parties. Where the First Contracting Party gives notice to the other parties, the other parties may agree to continue on the terms set out herein, subject to clause 6.4 and the removal of all rights and obligations on the First Contracting Party.
13.2. Without prejudice to any compensation or penalties that may be due under the law or this agreement, either Party may immediately terminate this Agreement in the following cases:
13.2.1. Any material breach by the other party of the respective contractual obligations, provided that the party in breach, notified to correct its conduct, fails to comply with this determination, within the timeframe of eight days as from said notification;
13.2.2. Bankruptcy, insolvency or any other fact or event that makes it impossible or extremely unlikely for the other party to fully fulfil its contractual obligations;
13.2.3. The entry into the capital of one of the parties, of a financial group or company which is a competitor of the other party;
13.2.4. Any sanction that temporarily or permanently prevents any of the parties from fulfilling their contractual obligations.
13.4. The following clauses shall survive termination of this Agreement for any reason: 1, 6 (to the extent of any unpaid obligations), 9, 10, 11, 12, 13.4, 13.5, 13.6, 14, 15, 16, 20 and 22 and Schedule 2.
13.6. On termination or expiry of this Agreement for any reason:
13.6.1. the Subscriber’s and all Users’ access to the Services will be terminated and, subject to the provisions of clause 13.7, the Subscriber and Users will be unable to access any data stored by the Services or otherwise use the Services in any way;
13.6.2. all rights granted to the Subscriber and Users under this Agreement shall cease;
13.6.3. the Subscriber shall and shall procure that the Users shall cease all activities permitted pursuant to this Agreement;
13.6.4. the Subscriber shall immediately destroy or return to Second Contracting Party (at Second Contracting Party’s option) all copies of the Confidential Information in its possession or that of the Users (if any) and certify to Second Contracting Party that it has complied with the foregoing.
14.1. Second Contracting Party shall, at Subscriber’s written request, either delete or return all Subscriber Data to Subscriber in such form as Subscriber reasonably requests within a reasonable time after the date on which all payments under the applicable Services have been made, and this Agreement has terminated or expired.
15. ACT OF GOD AND FORCE MAJEURE
15.1. If, during the validity of the present Agreement, any event or fact occurs which is regarded as an Act of God or case of Force Majeure and which prevents compliance in due time by any of the parties with their obligations within the contractual timeframes and dates, the timeframe for said compliance shall be deferred for the period pertaining to the ensuing delay, without prejudice to the parties making every possible effort to minimise the consequences of the event.
15.2. For the purposes of this Agreement, an Act of God or Force Majeure shall be deemed to be a third party event to which the parties have in no way contributed, as well as any natural event or unpredictable or unavoidable situation whose effects are produced independently of the will or personal circumstances of the parties, such as acts of war, whether declared or otherwise, acts of subversion, civil unrest, revolutions, epidemics, cyclones, earthquakes, fire, lightning, floods, general or sectoral strikes or any events of the same nature that affect the performance of this Agreement.
15.3. Strikes that are not general do not constitute Acts of God or Force Majeure (hence, strikes that are limited to the Second Contracting Party or its suppliers or subcontractors are not regarded as such), nor do any governmental, administrative or jurisdictional determinations resulting from non-compliance by the Second Contracting Party, its suppliers or subcontractors, with any duties or burdens incumbent upon them, and fires or floods whose cause, spread or proportions can be put down to the failure of the latter to comply with safety standards.
15.4. Any party who wishes to invoke an Act of God or Case of Force Majeure shall, as soon as it learns thereof, notify the other party in writing, providing, from the outset, proof of the event invoked and of its effects on the performance of the Agreement.
15.5. When an Act of God or Force Majeure permanently prevents compliance with this Agreement by either Party, it will be terminated, without any compensation or penalty being paid for non-compliance.
16. PERSONAL AND NON-PERSONAL DATA
16.1. Subscriber hereby grants to Second Contracting Party a non-exclusive perpetual licence (such licence to survive expiry or termination of this Agreement) to use, copy, distribute and disclose all Non-Personal Data for any purpose which Second Contracting Party shall determine from time to time, including, without limitation aggregating, analysing and publishing such data via the Portal or other media.
16.2. Each party shall comply with the provisions of the Data Processing Agreement in respect of their processing of personal data.
17. SECURITY REQUIREMENTS
17.1. The Second Contracting Party undertakes to transmit and ensure compliance with the Information Security requirements set out in this Agreement to all its subcontractors.
17.2. The Second Contracting Party undertakes:
17.2.1. to provide the Subscriber with information about all hardware and software components used in its products, including components purchased by it from external entities;
17.2.2. to provide information about the security measures implemented in its products, as well as the configurations necessary for their secure operation.
17.3. The Second Contracting Party also undertakes to communicate to the Subscriber the following changes in:
17.3.1. security facilities or mechanisms that influence or may influence the security requirements or the services provided to the Subscriber;
17.3.2. development or implementation of new systems (software and hardware) that affect or may affect the services provided to the Subscriber;
17.3.3. relevant suppliers who may directly or indirectly be involved in the services provided to the Subscriber;
17.3.4. the deployment of new technological components (Artificial Intelligence, Machine Learning components or those of other types of emerging technologies) in products or services provided to the Subscriber.
17.4. Within the scope of this Agreement, the Second Contracting Party has access to and/or produces the information described in the Data Processing Addendum, together with the Confidential information of the Subscriber.
17.5. The Second Contracting Party must use the contact: info@ageas.pt to communicate or address any issues relating to information security that influence or may influence the security requirements or services provided to the Subscriber.
17.6. The methods that will be implemented to provide access to the aforementioned information are as follows:
17.6.1. Secure internal channel;
17.6.2. Another channel after evaluation and approval by the Security Team of the Subscriber.
17.7. The deadlines relating to data retention are subject to Annex […], which is hereby reproduced in full and forms part of the Agreement.
17.8. In the event of the termination of the Agreement, upon indication of the Subscriber, the Second Contracting Party undertakes, within a maximum period of 10 working days, to return or destroy all information and documentation that has been disclosed or created, by virtue of the provision of services, which is in writing or in any other tangible form, as well as any copies thereof that are in its possession.
17.9. Any matters relating to security requirements are regulated in the Annex to this agreement and form an integral part hereof.
17.10. The Second Contracting Party declares that the Ageas Supplier Security Maturity Assessment Questionnaire that it has completed, which is attached to this Agreement and forms an integral part hereof, is true and it undertakes to maintain the identified measures in force.
17.11. The data stored and processed by the Second Contracting Party will be stored at [•].
17.12. The Second Contracting Party undertakes to notify the Subscriber in the event that it intends to change the location of the data centres, giving minimum notice of 30 (thirty) days thereof, with the latter benefiting from the right to oppose the intended change or to terminate the agreement, without this implying the payment of any compensation to the Second Contracting Party.
17.13. The Second Contracting Party undertakes to make immediately available to the Subscriber the data of the latter held by the Second Contracting Party, in the event of insolvency, termination of the agreement or interruption of the activities carried out by the Second Contracting Party, without the need to make any contact for this purpose and via those channels that the Subscriber may determine in due course.
18.1. The Second Contracting Party may outsource its contractual position under this Agreement to third parties provided always that the Second Contracting Party shall remain primarily liable for all acts and omissions of the sub-contractor in its performance of the Second Contracting Party’s obligations hereunder.
19. ASSIGNMENT OF THE CONTRACTUAL POSITION
19.1. Neither this Agreement nor any rights under this Agreement may be assigned or otherwise transferred by the Second Contracting Party or the Subscriber, in whole or in part, whether voluntarily or by operation of law, including by way of sale of assets, merger or consolidation, without the prior written consent of First Contracting Party. Subject to the foregoing, this Agreement will be binding upon and will inure to the benefit of the Parties and their respective successors and permitted assignees.
20. COMMUNICATIONS BETWEEN CONTRACTING PARTIES
20.1. Within the scope of this Agreement, communications between the Contracting Parties must be carried out by compatible electronic means between the Contracting Parties or recorded delivery with acknowledgment of receipt, to the following addresses:
The First Contracting Party:
e-mail: procurement@ageas.pt
Praça Príncipe Perfeito, Nº 2, Piso 10, 1990-278 Lisboa
The Second Contracting Party:
Address: 2 Upperton Gardens, Eastbourne, England BN21 2AH
e-mail: notices@procuur.com
20.2. Without prejudice to the provisions of the following sub-clause, any communications made by e-mail specifically indicated in the previous sub-clause shall be deemed to have been made on the date of their receipt, as evidenced by the receipt issued automatically upon sending, and any communications sent by recorded delivery with acknowledgement of receipt, on the date that the acknowledgement of delivery is recorded.
20.3. Communications for the purposes of terminating this Agreement must be communicated to the other Contracting Party by recorded delivery with acknowledgement of receipt.
21. ELECTRONIC SIGNATURE
21.1. The Parties agree that in the event of signing this Agreement by electronic signature (whatever the applicable method), said method of signature confirms the intention of each of the Parties to assume the obligations contained in this Agreement as if they had signed it in person by hand.
21.2. The Parties also recognise the evidentiary value of any documents signed and received within the scope of the performance of this Agreement through electronic signature.
21.3. By signing this Agreement, the signatory of each Party confirms that he/she is fully empowered to bind the Party on whose behalf he/she is signing this Agreement.
21.4. In the event of any dispute between the Parties, the court or court of arbitration deciding upon the dispute may rely on any identification details, certification files and/or time stamps to prove that the Parties have signed this Agreement.
22. MISCELLANEOUS
22.1. Any waiver of the provisions of this Agreement or of a Party’s rights or remedies under this Agreement must be in writing to be effective. Failure, neglect or delay by a Party to enforce the provisions of this Agreement or its rights or remedies at any time will not be construed or be deemed to be a waiver of such Party’s rights under this Agreement and will not in any way affect the validity of the whole or any part of this Agreement or prejudice such Party’s right to take subsequent action.
22.2. If any part of any provision of this Agreement shall be invalid or unenforceable, then the remainder of such provision and all other provisions of this Agreement shall remain valid and enforceable.
22.3. This Agreement contains the entire agreement of the Parties with respect to the subject matter of this Agreement and supersedes all previous communications, representations, understandings and agreements, either oral or written, between the Parties with respect to the subject matter.
22.4. This Agreement may not be altered or modified in any way except by an instrument in writing signed by (or by a duly authorised representative on behalf of) each of the Parties.
22.5. No terms, provisions or conditions of any purchase order, acknowledgement or other business form that Subscriber may use in connection with the acquisition or licensing of the Services will have any effect on the rights, duties or obligations of the Parties hereunder, or otherwise modify this Agreement, regardless of any failure of Second Contracting Party to object to such terms, provisions or conditions.
22.6. Subscriber agrees that upon execution of this Agreement, Second Contracting Party may issue a press release announcing that it has entered into a contract with Subscriber and stating the general financial value of this Agreement. Additionally, Second Contracting Party may on an ongoing basis during the term of this Agreement use Subscriber’s name and logo on Second Contracting Party’s website and in press releases, product brochures and financial reports indicating that Subscriber is a customer of Second Contracting Party.
22.7. A person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce or enjoy the benefit of any terms of this Agreement.
22.8. This Agreement shall be construed in accordance with English law and the parties irrevocably submit to the exclusive jurisdiction of the English courts to settle any disputes, which may arise in connection with this Agreement.
Schedule 1
SUPPORT SERVICES
1.1 The Support Services shall comprise and be limited to the services set out in this Schedule 1.
1.2 The Support Service shall be provided during the Working Hours.
1.4 The Support Service shall comprise:
1.4.1 e-mail responses; and
1.4.2 remote diagnosis and, where possible, correction of issues.
1.4.3 basic instruction on the use of the Services;
1.4.4 basic explanation of the processes and calculations used in the Services.
1.5 Second Contracting Party may provide the Subscriber with maintenance releases from time to time during the term of this Agreement at its sole discretion. The Subscriber shall promptly follow all instructions provided by Second Contracting Party in respect of the maintenance releases.
1.6 Scheduled maintenance releases may take place at any time. It is a condition of the provision of the Services that maintenance releases (which may correct issues, add functionality, or otherwise amend or upgrade the Services, save in the case of new versions of the relevant Services which from time to time is publicly marketed and offered for purchase by Second Contracting Party in the course of its normal business, which shall not be considered a maintenance release) shall be applied to all installations of the Services and the Subscriber (i) may not refuse to take such maintenance release; and (ii) such maintenance release shall not materially adversely affect the functionality of the Services to which it relates.
1.7 The Subscriber agrees to provide Second Contracting Party with all information required, within reason, to identify the reported problem. Second Contracting Party shall use its reasonable endeavours to reproduce the reported problem. In the event that Second Contracting Party cannot reproduce a problem reported by the Subscriber, the Second Contracting Party will notify Subscriber who shall demonstrate such non reproducible Issue to Second Contracting Party at which point the Second Contracting Party will use reasonable endeavours to correct the issue.
1.8 Without prejudice to the foregoing Subscriber shall provide Second Contracting Party a detailed description of any issue requiring Support and shall include sufficient material and information to enable Second Contracting Party to duplicate the problem to the extent the information is available to Subscriber, including, but not limited to:
1.8.1 a clear and accurate description of the issue;
1.8.2 the area of the Services to which it relates and which User(s) have experienced the issue;
1.8.3 what function was being performed when the issue occurred and/or the sequence of events leading up to the occurrence of the issue;
1.8.4 the error message displayed, if any;
1.8.5 any other information relating to the Services or the issue which Second Contracting Party requires to perform its obligations hereunder, including but not limited to a copy of data held on the database that forms part of the Services.
1.9 The Support Services shall not include the diagnosis and rectification of any issue resulting from:
1.9.1 any repair adjustment alteration or modification of the Services by Subscriber without Second Contracting Party’s prior consent;
1.9.2 the use of the Services for a purpose for which they were not designed;
1.9.3 an issue in the Subscriber’s equipment or in any other software operating in conjunction with or integrating with the Services;
or for
1.9.4 rectification of lost or corrupted data arising for any reason other than Second Contracting Party’s own negligence; or
1.9.5 loss or damage caused directly or indirectly by Subscriber’s error or omission.
Schedule 2
DATA PROCESSING AGREEMENT
BACKGROUND
This Data Processing Agreement (“DPA”) forms part of the Subscriber Terms and Conditions (Agreement) to which this is attached, as updated from time to time. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail.
All capitalised terms shall have the meaning assigned to them in the Agreement unless otherwise defined in this DPA.
1 DEFINITIONS
| Applicable Law | means as applicable and binding on Subscriber or Second Contracting Party: (a) any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of; (b) the common law and laws of equity as applicable to the parties from time to time; (c) any binding court order, judgment or decree; or (d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business; |
| Appropriate Safeguards | means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time; |
| Business Day | means any day except Saturdays, Sundays, bank holidays and public holidays; |
| Data Controller | has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws; |
| Data Processor | has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws; |
| Data Protection Laws | means any laws and regulations relating to privacy or the use or processing of data relating to natural persons, including: (a) EU Directive 2002/58/EC (as amended by 2009/136/EC) and any legislation implementing or made pursuant to such directive; (b) EU Regulation 2016/679 (“GDPR”); (c) the GDPR as it forms part of the law in England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (“DP Act”); (d) the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (“Swiss FADP”); (e) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR, UK GDPR, DP Act or Swiss FADP; (f) in each case, to the extent in force, and as such are updated, amended or replaced from time to time; and (g) any mandatory guidance or codes of practice issued by a Supervisory Authority in each case, to the extent in force and applicable to the parties, and as such are updated, amended or replaced from time to time; |
| Data Subject | means a natural person who can be identified, directly or indirectly, by the Personal Data; |
| Data Subject Request | means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws; |
| International Organisation | means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries; |
| Personal Data | means any information relating to an identified or identifiable natural person, including an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| Personal Data Breach | means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data; |
| processing | means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings); |
| Processing Instructions | has the meaning given to that term in clause 3.1.1; |
| Protected Data | means Personal Data received from or on behalf of Subscriber in connection with the performance of Second Contracting Party’s obligations under the Agreement and this DPA, including on or through the Platform; |
| Standard Contractual Clauses or “EU-SCCs” | means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance) as amended, superseded or replaced from time to time; |
| Services | means all services provided by Second Contracting Party to Subscriber, including the Platform; |
| Sub-Processor | means another Data Processor engaged by Second Contracting Party for carrying out processing activities in respect of the Protected Data on behalf of Subscriber; and |
| Supervisory Authority | means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and |
| UK Addendum | means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time. |
2 Data Processor and Data Controller
2.2 Second Contracting Party shall process Protected Data in compliance with:
2.3 Subscriber shall comply with:
2.4 Subscriber warrants, represents and undertakes, that:
3 Instructions and details of processing
3.1 Insofar as Second Contracting Party processes Protected Data on behalf of Subscriber:
3.1.1 unless required to do otherwise by Applicable Law, Second Contracting Party shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with Subscriber’s documented instructions as set out in this clause 3 and Schedule 1, Annex 1 to this DPA (“Data processing details”), as updated from time to time (“Processing Instructions”);
3.1.2 notwithstanding any other provision of this DPA, if any Applicable Law requires Second Contracting Party to conduct Processing of the Personal Data other than in accordance with Subscriber’s Instructions, such Processing shall not constitute a breach of this DPA;
3.1.3 if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, Second Contracting Party shall notify Subscriber of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
(a) this shall be without prejudice to clauses 2.3 and 2.4; and
(b) to the maximum extent permitted by mandatory law, Second Contracting Party shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with Subscriber’s Processing Instructions following Subscriber’s receipt of that information.
4 Technical and organisational measures
4.1 Second Contracting Party shall implement and maintain appropriate technical and organisational measures in relation to the processing of Protected Data by Second Contracting Party, as set out in Schedule 1, Annex 2 to this DPA (“Technical and organisational measures”).
5 Using staff and other processors
5.1.1 remove such Sub-Processor from the list and not engage such Sub-Processor to Process any Protected Data, in which case this DPA shall continue; or
5.1.2 discuss alternative solutions with Subscriber, in which case, where the parties have failed to agree on a solution within reasonable time, Second Contracting Party shall have the right to terminate this DPA and the Service with a reasonable notice period. During the notice period, Second Contracting Party shall not transfer any Personal Data to the Sub-Processor.
5.2 Second Contracting Party shall enter into appropriate written agreements with all of its Sub-Processors on terms substantially similar to this DPA, including without limitation Subscriber’s right to conduct audits at the Sub-Processor, or ensure that the Sub-Processor will conduct audits using external auditors at least once per year. Second Contracting Party shall remain primarily liable to Subscriber for the performance or non-performance of the Sub-Processor’s obligations.
5.3 Upon Subscriber’s request, Second Contracting Party shall provide information regarding any Sub-Processor, including name, email address and the Processing carried out by the Sub-Processor.
6 Assistance with Subscriber’s compliance and Data Subject rights
6.2.2 data protection impact assessments (as such term is defined in Data Protection Laws);
6.2.3 prior consultation with a Supervisory Authority regarding high risk processing; and
6.3 The Subscriber shall pay Second Contracting Party’s reasonable charges for providing the assistance described in this clause 6.
7 International data transfers
8 Records, information and audit
9.1.1 notify Subscriber of the Personal Data Breach; and
9.1.2 provide Subscriber with details of the Personal Data Breach.
10 Deletion or return of Protected Data and copies
and delete existing copies, unless storage of any data is required by Applicable Law and, if so, Second Contracting Party shall inform Subscriber of any such requirement. Notwithstanding the Subscriber hereby authorises Second Contracting Party to retain one copy of the Protected Data for backup purposes only.
11 Dispute Resolution
11.1 This DPA shall be governed by the law of England and Wales and the parties hereby submit to the exclusive jurisdiction of the English Courts.
SCHEDULE 1 TO THE DPA
ANNEX 1
DETAILS OF PROCESSING
Under Data Protection Law, Second Contracting Party shall only Process Personal Data in accordance with Subscriber’s Processing Instructions, as regulated in the DPA. This document forms part of Subscriber’s Processing Instructions, directing Second Contracting Party on the scope, nature, and purpose when Processing Personal Data on behalf of Subscriber. The Processing Instructions may be amended in writing by Subscriber from time to time, as communicated in writing to Processor by authorised representative of Subscriber or through Subscriber’s use of the Service.
1. Purpose of Processing
Second Contracting Party shall process personal data only for the purpose of performance of the Services for Subscriber.
2. Categories of Data Subjects
· Customers of the First Contracting Party
3. Types of Personal Data
· Name
· Contact Details
· Photographs
· Information relating to any treatment recommended and provided.
4. Special categories of Personal Data
· Racial or ethnic origin
· Religious or philosophical beliefs
· Genetic data
· Health data
5. Processing activities
· Collection
· Analysis
· Storing
· Accessing, reading or consultation
· Erasure or destruction
· Sharing with other subscribers, as expressly requested by the Subscriber
6. Duration of Processing
Personal Data shall not be processed for a period longer than is necessary for serving its purpose. The processing of data collected in respect of a project shall cease on expiry or termination of the services provided in connection with such project and all personal data will be returned to customer and all copies destroyed, save for one copy that Second Contracting Party will keep securely for its own records for 7 years after termination of the applicable services.
7. Processing Location
Processing takes place in the following country/countries: EU and UNITED KINGDOM ONLY.
ANNEX 2
TECHNICAL AND ORGANISATIONAL MEASURES
SEE SCHEDULE 3
ANNEX 3 - LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
V2 Cloud, 1801 Avenue McGill College, Montreal, Quebec, H3A 1Z4, Canada – Hosted Desktop as a Service – hosted in London, UK
Microsoft, Microsoft Campus Thames Valley Park Reading RG6 1WG - Azure Cloud hosting – hosted in the UK
Catalyst2, Team Blue Internet Services UK Limited, t/a Catalyst2, Acton House, Perdiswell Park, Worcester, Worcestershire, WR3 7GD – servers hosted in Reading, UK
Schedule 3
SECURITY REQUIREMENTS
Ref: B
If applicable, depending on the services provided
The following matrix sets out the Security Requirements applicable to this Contract. The requirements can be found after the matrix.
|
Nº |
Chapter |
Sub-Chapter |
Ref. A |
Ref. B |
Ref. C |
Ref. D |
Ref. E |
Ref. F |
Ref. G |
Ref. H |
Ref. I |
Ref. J |
Ref. K |
|
1 |
Security Governance and Management |
Information Security Management System |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
1 |
Security Governance and Management |
Information Security Policies |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
|
1 |
Security Governance and Management |
Defined Security Responsibilities |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
1 |
Security Governance and Management |
Asset Management |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
1 |
Security Governance and Management |
Security Risk Management |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
X |
|
1 |
Security Governance and Management |
Security in Human Resources Processes |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
1 |
Security Governance and Management |
Information Security Training Program |
|
|
|
|
|
X |
|
|
X |
X |
|
|
1 |
Security Governance and Management |
Information Protection Measures |
X |
X |
X |
|
|
X |
X |
|
|
X |
X |
|
1 |
Security Governance and Management |
Security Incident Management and Reporting |
|
|
|
|
X |
X |
X |
X |
X |
X |
|
|
1 |
Security Governance and Management |
Security Incident Management and Reporting - Increase |
X |
X |
X |
X |
X |
||||||
|
1 |
Security Governance and Management |
Support for the investigation of Ageas Security Incidents |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
1 |
Security Governance and Management |
Certification Management |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
X |
|
2 |
Equipment protection (containing Ageas Portugal Grupo information) |
Physical and Environmental Security |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
2 |
Equipment protection (containing Ageas Portugal Grupo information) |
Workstation Maintenance |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
2 |
Equipment protection (containing Ageas Portugal Grupo information) |
Datacenter Equipment Maintenance |
|
X |
X |
X |
X |
|
X |
|
|
X |
X |
|
2 |
Equipment protection (containing Ageas Portugal Grupo information) |
Datacenter Equipment Maintenance - Increase |
X |
|
|
|
|
|
|
|
|
|
|
|
3 |
Access Control Management |
Physical Access Management |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
3 |
Access Control Management |
Segregation of Functions |
X |
X |
X |
|
|
x |
|
|
|
|
X |
|
3 |
Access Control Management |
Identity, Role and Profile Management |
X |
X |
X |
X |
X |
|
|
|
|
|
X |
|
3 |
Access Control Management |
User Management |
|
X |
X |
X |
X |
X |
X |
|
|
|
X |
|
3 |
Access Control Management |
User Management - Increase |
X |
|
|
|
|
|
|
|
|
|
|
|
3 |
Access Control Management |
Password Management |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
3 |
Access Control Management |
Password encryption |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
3 |
Access Control Management |
Administration Groups |
X |
X |
X |
X |
X |
|
|
|
|
X |
X |
|
3 |
Access Control Management |
Administration Accounts |
X |
X |
X |
X |
X |
|
|
|
|
|
X |
|
3 |
Access Control Management |
Service Accounts |
X |
X |
X |
X |
X |
|
|
|
|
|
X |
|
3 |
Access Control Management |
Changing Accounts and Default Passwords |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
3 |
Access Control Management |
Remote Access |
X |
X |
X |
X |
X |
X |
|
|
|
X |
X |
|
3 |
Access Control Management |
Requesting Access |
X |
X |
X |
X |
X |
X |
X |
|
|
X |
X |
|
3 |
Information Protection |
Data Encryption |
X |
X |
X |
x |
|
X |
|
|
|
X |
X |
|
4 |
Information Protection |
Data Masking and Anonymization |
X |
X |
X |
|
|
|
|
|
|
|
|
|
4 |
Information Protection |
Mapping Information and Data Flows |
X |
X |
X |
|
|
|
|
|
|
|
|
|
4 |
Information Protection |
Backup Protection |
X |
X |
X |
|
|
|
|
|
|
|
X |
|
4 |
Information Protection |
Integrity Validation |
X |
X |
X |
|
|
|
|
|
|
|
|
|
4 |
Information Protection |
Activity Interruption |
X |
X |
X |
|
|
|
X |
|
|
|
X |
|
4 |
Information Protection |
Information Transportation |
X |
X |
X |
X |
|
|
X |
|
|
X |
|
|
4 |
Information Protection |
Information Storage |
X |
X |
X |
X |
X |
|
|
|
|
|
|
|
5 |
Communications, Operations and Systems Security |
Cyberattack Protection Systems |
X |
X |
X |
X |
X |
X |
|
|
|
X |
X |
|
Communications, Operations and Systems Security |
Network and Data Segregation |
X |
X |
X |
X |
X |
X |
|
|
|
X |
X |
|
|
5 |
Communications, Operations and Systems Security |
Protecting Communications between Systems and Components |
|
X |
X |
X |
X |
|
|
|
|
|
X |
|
5 |
Communications, Operations and Systems Security |
Protection of Communications between Systems and Components - Increased |
X |
|
|
|
|
|
|
|
|
|
|
|
5 |
Communications, Operations and Systems Security |
Cryptographic Key Management |
X |
|
|
|
X |
|
|
|
|
|
X |
|
5 |
Communications, Operations and Systems Security |
Security Vulnerability Management |
|
X |
X |
X |
X |
X |
X |
X |
X |
X |
X |
|
5 |
Communications, Operations and Systems Security |
Security Vulnerability Management - Increase |
X |
|
|
|
|
|
|
|
|
|
|
|
5 |
Communications, Operations and Systems Security |
Update Management |
X |
X |
X |
X |
X |
X |
|
X |
X |
X |
X |
|
5 |
Communications, Operations and Systems Security |
Hardening and Unnecessary Services |
X |
X |
X |
X |
X |
|
|
|
|
|
X |
|
5 |
Communications, Operations and Systems Security |
Operational Monitoring |
X |
X |
X |
X |
X |
|
|
|
|
|
|
|
6 |
Applicational Security |
Systems Development and Change |
X |
X |
X |
X |
|
|
X |
X |
X |
X |
X |
|
6 |
Applicational Security |
Security Best Practices |
X |
X |
X |
X |
|
|
X |
X |
X |
X |
X |
|
6 |
Applicational Security |
Data Validation |
X |
X |
X |
|
|
|
X |
X |
|
X |
X |
|
6 |
Applicational Security |
Preventing Malicious Actions in Applications |
X |
X |
X |
|
|
|
X |
X |
|
X |
X |
|
6 |
Applicational Security |
Website Methods |
X |
X |
X |
|
|
|
X |
X |
|
X |
X |
|
6 |
Applicational Security |
Error Control |
X |
X |
X |
|
|
|
X |
X |
|
X |
X |
|
6 |
Applicational Security |
Application Security Vulnerability Management |
X |
X |
X |
X |
|
|
X |
X |
X |
X |
X |
|
6 |
Applicational Security |
Change Management |
X |
X |
X |
X |
|
|
X |
X |
X |
X |
X |
|
6 |
Applicational Security |
Source Code Ownership |
X |
X |
X |
X |
X |
|
|
|
|
|
|
|
7 | Tracking and Monitoring | System Activity Traceability | X | X | X | X | X | | | | | X | X | |
7 | Tracking and Monitoring | Log Retention | X | X | X | X | X | | | | | X | X | |
7 | Tracking and Monitoring | Log Protection | X | X | X | X | X | | | | | X | X | |
7 | Tracking and Monitoring | Centralized Log Management System | X | X | X | X | X | | | | | X | X | |
7 | Tracking and Monitoring | System Monitoring | X | X | X | X | X | | | | | X | X | |
8 | Termination of Contract or Service Cancellation | Data and Information Portability | | X | X | X | X | | X | | | X | X | |
8 | Termination of Contract or Service Cancellation | Data and Information Portability - Increase | X | | | | | | | | | | | |
8 | Termination of Contract or Service Cancellation | Data and Information Removal | X | X | X | X | X | X | X | | | X | X | |
8 | Termination of Contract or Service Cancellation | Access Removal | | X | X | X | X | X | | | | | X | |
8 | Termination of Contract or Service Cancellation | Access Removal - Increase | X | | | | | | | | | | | |
9 | Termination of Contract or Service Cancellation | SLA Compliance Verification | X | X | | X | X | | | | | | X | |
9 | Supply of Digital Evidence | Digital Evidence | X | | | | | | | | | | | |
9 | Supply of Digital Evidence | Format and Content of Evidence | X | | | | | | | | | | | |
9 | Supply of Digital Evidence | Availability | X | | | | | | | | | | | |
9 | Supply of Digital Evidence | Integrity and Authenticity | X | | | | | | | | | | | |
In this Schedule:
“Provider” and “Supplier” shall mean the Second Contracting Party.
If applicable, depending on the services provided
In accordance with the provisions of this contract, the Provider shall implement the following minimum security measures to guarantee an adequate level of security for Subscriber:
I. Security Management and Governance
a. Information Security Management System
The Provider undertakes to have the necessary mechanisms for implementing, maintaining and monitoring appropriate information security controls. The Provider must also ensure that there are processes for reviewing and improving them.
b. Information Security Policies
The Provider must ensure the existence of an information security policy and define objectives and rules that guarantee the confidentiality, integrity and availability of information and information systems. The policies defined must also comply with international standards and best practices or be recognized by certification bodies that demonstrate compliance with national and international standards and regulations.
c. Defined Security Responsibilities
The Provider must ensure, depending on the size and context of the data processing, that there is an information security officer who guarantees control of the security processes to ensure the protection of the confidentiality, integrity and availability of information and information systems. The contracts of internal employees and service providers with the Provider must also ensure the inclusion of confidentiality clauses that bind and subject them to the same information security obligations.
d. Asset Management
The Supplier must ensure the existence of processes that define rules for the management and handling of information security assets, identifying all assets containing information related to or obtained from Subscriber and providing for different rules depending on whether the assets are stored at the Supplier's premises or outside of them. The aforementioned processes must also establish the provisions to be applied for the transportation of data outside the in-house systems, identifying the type of media and respective identification number, the authorised senders/recipients, data type and respective classification.
The Supplier must also stipulate policies for the destruction and reuse of equipment that contains Subscriber information assets, defining times and safe places for the retention and destruction of information, in accordance with legal and regulatory requirements, so that the retention, archive, purge and destruction of records and documents are carried out to guarantee the security of Subscriber information.
e. Security Risk Management
The Provider undertakes to conduct an ongoing cyber and information security risk management process. All identified risks that may have an impact on Subscriber's information or infrastructure must be communicated and managed.
f. Security in Human Resources Processes
The Provider undertakes to guarantee a process for verifying the suitability, references, technical qualifications and recommendations of employees involved in the execution of the Contract or who in any way have access to Subscriber information, which ensures the standards of qualification, diligence and care applicable to the specific case in accordance with the legislation in force.
g. Information Security Training Program
The Supplier undertakes to provide regular training on issues related to the security of information and applicability of security policies in the company.
The Supplier undertakes to transmit Subscriber's Acceptable Use Policy to employees with access to information assets. Subscriber's Acceptable Use Policy is provided as an annex to this Contract.
h. Information Protection Measures
The Provider undertakes to adopt methodologies for treating Subscriber information as confidential and guaranteeing the adoption of protection mechanisms during the processes of collection, transmission, sharing, retention and destruction of information.
i. Security Incident Management and Reporting
The Provider undertakes to adopt mechanisms that guarantee the prevention, detection and efficient response to security incidents. It also guarantees that all security incidents with a possible impact on Subscriber must be properly managed and reported to Subscriber immediately, without exceeding the deadlines defined by law. The incident must also be reported to the e-mail address csirt@ageas.pt.
It also undertakes to ensure that existing procedures comply with the legislation applicable to the process of investigating and reporting security incidents.
j. Security Incident Management and Reporting - Increment
The Supplier undertakes to adopt mechanisms that guarantee the prevention, detection and efficient response to security incidents. It also guarantees that all security incidents with a possible impact on Subscriber must be duly managed and reported to Subscriber immediately and within the following timeframes, without exceeding the timeframes defined by law:
· Incidents that require Subscriber containment actions – maximum period of 4 hours after the incident is detected;
· Other incidents – maximum period of 24 hours after the incident is detected.
Notification of the incident should also be sent to the csirt@ageas.pt email address.
It further ensures that the existing procedures are compliant with the legislation applicable to the investigation and reporting of security incidents.
k. Support for the investigation of Subscriber Security Incidents
The Supplier undertakes to support Subscriber in its investigation and incident resolution process, responding to requests within the following time frames:
· Incidents under the General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament and Council, of 27 April 2016 (“RGPD”), regarding personal data – 4 hours
· Other incidents – 24 hours
l. Certification Management
The Supplier, if applicable, must ensure the maintenance of existing certifications. It further undertakes to share with Subscriber the respective evidence and information regarding the renewals obtained.
II. Equipment protection (containing Subscriber information)
If applicable, depending on the services provided:
a. Physical and Environmental Security
The Supplier undertakes to adopt special care that safeguards the physical integrity of the equipment, protecting it against loss and destruction, of human or environmental origin. It must also ensure the appropriate mechanisms that physically restrict contact with sensitive Subscriber information.
b. Workstation Maintenance
The Supplier undertakes to protect all of its workstations that contain information from Subscriber with the available security mechanisms such as antivirus and anti-malware, firewall, and operating system, software and firmware updates.
It also undertakes to encrypt the hard disk of mobile equipment and to use adequate anti-theft protection mechanisms in fixed equipment.
c. Datacenter Equipment Maintenance
The Provider undertakes to keep all its equipment protected with the appropriate security tools (anti-virus, anti-malware, firewall, etc.). It must also guarantee security processes, such as installing and updating the latest versions of firmware, software and operating system on computer equipment, compatible with Subscriber's systems. All equipment must be of an appropriate level in line with good practices in the securitization/hardening market, must be monitored regularly and the necessary security patches must be prioritized and installed as a matter of urgency.
d. Datacenter Equipment Maintenance - Increase
The Provider undertakes to keep all its equipment protected with the appropriate security tools (anti-virus, anti-malware, firewall, etc.). It must also guarantee security processes, such as installing and updating the latest versions of firmware, software and operating system on computer equipment, compatible with Subscriber's systems. All equipment must be of an appropriate level in line with good practices in the securitization/hardening market, must be monitored regularly and the necessary security patches must be prioritized and installed as a matter of urgency, taking into account the criticality and exposure of the asset, up to a maximum of 5 days for assets with lower risk.
III. Access Control Management
If applicable, depending on the services provided, the Supplier undertakes to:
a. Physical Access Management
Adopt the appropriate mechanisms for controlling physical access, so that access to Subscriber information, whether physical or digital, is secure, ensuring at least identification, authorization and registration in this process.
b. Segregation of Functions
Ensure that the assignment of access to in-house employees and service providers follows a policy of segregation of functions, with the aim of ensuring that accesses that present incompatibilities are not attributed to the same user, avoiding conflicts of interest, fraudulent behaviour and unauthorized or malicious activities.
c. Identity, Role and Profile Management
Adopt an identity management process based on access profiles by functions and levels of access and respecting the concept of minimal access and minimal privileges for the exercise of the function in question. The accesses attributed to each user are based on and appropriate to the respective functions in accordance with the principles of "need to know" and "need to do".
d. User Management
Adopt efficient user management processes, covering check-in, check-out, changes and revisions of accesses and privileges. Reviews of nominal access must take place annually and reviews of privileged accesses at least semi-annually.
Undertake to adopt unique user IDs and to ensure the inhibition of their sharing, to ensure an unequivocal responsibility.
Adopt efficient processes for managing users, check-in, check-out, changes and reviews of access and privileges. Reviews of nominal accesses must take place annually and privileged accesses at least every six months.
It also undertakes to adopt unique user IDs and to ensure that they are not shared, to guarantee unequivocal responsibility.
f. Password Management
Adopt a robust password policy in accordance with the best practices and recommendations of the market, considering but not limited to size, complexity, requirements for changing history, account lockouts and session expiration.
g. Password Encryption
Ensure that all the saved passwords or passwords transferred in systems or applications are encrypted.
h. Administration Groups
Ensure a clear distinction between the accounts of nominal users and accounts with privileged access, such as systems administrators, root, management consoles, inter alia.
i. Administration Accounts
Undertake to manage privileged accounts carefully, ensuring:
· All the created accounts will follow a formalised process of validation and approval;
· These accounts will be protected with strong passwords, ssh-keys or MFA access certificates;
· The regular review of the users list, and respective access privileges.
j. Service Accounts
Undertake to manage system and service accounts carefully, where:
· The accounts can only be used by authorized services, with interactive login disabled;
· The name must reflect the application environment that uses it. These accounts cannot be used by nominal users when operating the platform;
· A person responsible for the credential (or a team responsible for its maintenance) must be appointed;
· The remaining criteria applied to the administration of accounts must be followed.
k. Changing Accounts and Default Passwords
Ensure that, where possible, default accounts are renamed, and that default passwords are changed after the initial installation of operating systems, databases, software, applications and other systems.
l. Remote Access
Ensure that any kind of remote access will use VPN mechanisms and will be limited to identified and authorized users.
Keep records of the connections and of the actions executed to guarantee full traceability and ensure that all remote accesses are protected by robust authentication methods with MFA, tokens or One Time Password (OTP).
m. Requesting Access
If access to Subscriber information assets is required, the Provider undertakes to formally request access to them, indicating the list of employees of the service provider to be authorized and including any additional information deemed necessary by Subscriber.
IV. Information Protection
If applicable, depending on the services provided, the Supplier undertakes to:
a. Data Encryption
Encrypt all personal and confidential data of Subscriber information assets, whether in transit or at rest, regardless of the type of network (internet or intranet).
b. Data Masking and Anonymization
Use fictitious (dummy) data in non-productive environments. Alternatively, real data can be used if it is masked and randomly shuffled before being replicated to these environments.
c. Mapping Information and Data Flows
Establish processes for controlling and mapping existing information and data flows, identifying the type of data processed, the storage medium (hardcopy, digital, database, mobile devices, etc.), the methods of transmitting information internally and externally (email, phone, social media, website, etc.) and the location of that data. It must also establish the responsibility for the protection of such data under the legally applicable terms.
Adopt an appropriate backup policy that defines the requirements for backing up information, software and systems, including, without limitation, subjecting backups to regular tests to guarantee the integrity and availability of Subscriber information.
e. Integrity Validation
Use procedures and mechanisms to maintain and validate the integrity of Subscriber information.
f. Activity Interruption
Ensure that in case of insolvency, resolution or interruption of activities, the data held by the undertaking should be immediately recovered by Subscriber.
g. Information Transportation
Use appropriate means of security during the transportation of the information, whether in physical or logical format. This includes, but is not limited to, using end-to-end encryption mechanisms to protect data during transportation, as appropriate for the type of information and Subscriber's security requirements. All transported data must be protected against unauthorized access, interception and deletion by technological or physical means.
h. Information Storage
When provisioning Cloud services, ideally store data relating to Subscriber within the European Economic Area. The intention to store data outside the European Economic Area must be communicated and aligned with Subscriber prior to its implementation.
V. Communications, Operations and Systems Security
If applicable, depending on the services provided, the Supplier undertakes to:
a. Cyberattack Protection Systems
Ensure the existence of robust systems for protection against cyber-attacks, which are specifically adequate and necessary to mitigate the risks of infrastructure or personal data breaches in terms of their confidentiality, integrity or availability. It must therefore ensure the implementation and management of security mechanisms, namely, but not exclusively: Firewall, IPS and IDS, AV and Anti-malware, Anti-DDoS, Web Filters, Email Filters, etc.
b. Network and Data Segregation
Adopt a secure systems architecture and configuration that guarantees the separation of non-production and production networks, to ensure that applications in non-production environments cannot communicate with production networks and vice versa.
Employ firewall segregation, considering the levels of risk and criticality of sensitive data.
Segregate and protect databases with sensitive information, locating them on an internal network and segregating them from other more exposed networks and DMZs.
Effectively segregate Subscriber data from that of other clients.
c. Protection of Communications between Systems and Components
Ensure that communication between systems, components and users containing confidential information uses secure and encrypted protocols recognized in the market as being the most recent and without known vulnerabilities.
d. Protection of Communications between Systems and Components - Increased
Ensure that communication between systems, components and users containing confidential information uses secure, encrypted protocols that are recognized in the market as being the latest with no known vulnerabilities. To address the use of ciphers that are no longer recognized as secure by the market, the mitigation mentioned in this chapter regarding Security Vulnerability Management requirements is required.
e. Cryptographic Key Management
Ensure that the renewal of the Cryptographic key is carried out in accordance with the best market practices and within a maximum period of 2 years.
f. Security Vulnerability Management
Ensure that there are regular processes for the identification and correction of vulnerabilities in accordance with each manufacturer's recommendation and the criticality of the vulnerability identified.
g. Security Vulnerability Management - Increase
Ensure the existence of a regular vulnerability identification process, with intrusion tests at least annually. If vulnerabilities are identified, the Supplier undertakes to communicate them to Subscriber, in a timely manner, within a maximum period of 24 hours and to maintain a vulnerability correction process in accordance with the recommendation of each manufacturer and the criticality of the identified vulnerability, which cannot exceed the following deadlines:
· 15 days for Critical Vulnerabilities
· 30 days for High Vulnerabilities
· 90 days for Medium Vulnerabilities
· 120 days for Low Vulnerabilities
Subscriber reserves the right to carry out intrusion tests if situations are identified that could lead to compromised information security controls established in the contract. In this situation, the deadlines established for the correction of identified vulnerabilities apply.
h. Update Management
Ensure the existence of regular and scheduled installation of software, operating system and firmware updates.
Undertake not to use systems that are no longer supported by the manufacturer.
i. Hardening and Unnecessary Services
Ensure the existence of hardening processes, in accordance with industry and security best practices, including the removal or deactivation of all services and components that are not necessary for the normal operation of the activity.
j. Operational Monitoring
Guarantee the existence of processes to monitor the performance, capacity and availability of the technological components used to provide services.
It undertakes, on the basis of this monitoring, to make the necessary adjustments to ensure the agreed operational level for the provision of services.
VI. Applicational Security
If applicable, depending on the services provided, the Supplier undertakes to:
a. Systems Development and Change
Ensure the existence of processes that promote the management of systems in all their life stages (analysis, design, implementation, testing and production), in order to guarantee correct and secure operation, in line with the security requirements of the Subscriber’s application and system development life cycle. All software systems developed internally or externally by the Provider must be subjected to source code review processes, functionality tests and vulnerability identification tests (through vulnerability scans or intrusion tests (pentest)) before being acquired or put into production by Subscriber.
The implementation of new systems must be managed at project level and submitted to security validations and approvals at the various stages of the project.
b. Security Best Practices
Consider the best practices of secure programming during the development of any software or application, acting in accordance with the laws and regulations, industry best practices and security in force, such as those issued by the SDLC Process (System Development Life Cycle) or OWASP (Open Web Application Security Project).
c. Data Validation
Ensure that the systems and applications developed or managed by the Supplier perform the necessary validations at server level before accepting any commands from the customer.
It must be ensured that all data is validated before any entry into or exit from the systems.
In cases where such applications have forms, validation processes that attest to their integrity must be ensured. In case there is still the possibility of sending attachments, the appropriate formats must still be validated.
It must also ensure the protection via CAPTCHA of all forms placed externally on websites accessed through published URLs, to avoid the massive submission of data automatically.
d. Preventing Malicious Actions in Applications
Ensure the existence of prevention mechanisms against malicious actions in all systems and applications, in particular against possible malicious code injections or malicious file uploads. Also as preventive measures, the use of harmful characters in software and application code must be avoided and limits on the number of parameters sent by users must be established. In case of sending attachments, the attachments’ format must be validated, and anti-virus scans performed.
e. Website Methods
Disable all HTTP methods and functions that are unnecessary for the websites’ operation.
f. Error Control
Ensure that all systems and applications developed and/or managed possess mechanisms for recording errors, to ensure that such errors are detected, identified and corrected. Any error messages visible to the user must be customised and based on a data minimisation approach.
Messages regarding any exception policies must not be visible to the user.
g. Application Security Vulnerability Management
Ensure that all systems are subjected to vulnerability and intrusion tests before going into production. This requirement also applies whenever changes are made that have an impact on existing information security controls, involve changes to the infrastructure, have external exposure or contain personal or confidential data.
All identified vulnerabilities must be corrected before going into production.
If vulnerabilities are identified in a productive environment, the Supplier undertakes to communicate them to Subscriber in a timely manner and to maintain a process for correcting identified vulnerabilities according to their criticality:
· 15 days for Critical Vulnerabilities
· 30 days for High Vulnerabilities
· 90 days for Medium Vulnerabilities
· 120 days for Low Vulnerabilities
At project handover or contract end, it is necessary to ensure that all identified vulnerabilities are corrected.
h. Change Management
Ensure the existence of change control and management procedures to ensure the assessment, authorization and planning of all changes made with potential impacts on Subscriber's systems or Customers.
i. Source Code Ownership
During the development process and in the event of dissolution or termination of the contract, all source code developed by the Provider within the scope of providing services to Subscriber will be the exclusive property of Subscriber together with the respective intellectual rights.
VII. Tracking and Monitoring
If applicable, depending on the services provided, the Supplier undertakes to:
a. System Activity Traceability
Ensure that all systems are configured to audit and keep records of the activities carried out on the system, including by regular, administration and system users, and ensure that it is possible to answer fundamental questions such as: Who? Where? When? Who?
b. Log Retention
c. Log Protection
Ensure the protection of activity records, with the necessary and appropriate mechanisms to ensure their integrity, confidentiality and availability. It also undertakes to protect such records against improper access, change or removal.
d. Centralized Log Management System
Ensure that, whenever possible, systems are configured to capture and send activity records to a single central repository. It should also, whenever possible, implement a SIEM (Security Information and Event Management) system to ensure the correlation of events and logs.
e. System Monitoring
Ensure a process of monitoring systems, applications or infrastructures in order to detect in a timely manner system degradation, potential failures in security controls, threats, cyber-attacks and other anomalous behavior.
VIII. Termination of Contract or Service Cancellation
If applicable, depending on the services provided, the Supplier undertakes to:
a. Data and Information Portability
Guarantee data portability and transfer to Subscriber, at the latter's request or after the end of this Contract.
b. Data and Information Portability - Increase
Guarantee data portability and transfer to Subscriber, at the latter's request or after the end of this Contract, within a maximum period of 90 days.
c. Data and Information Removal
Ensure the adequate and complete destruction of Subscriber information assets, upon request by the latter or after the termination of the contract.
d. Access Removal
Guarantee the revocation of access to all Subscriber information assets used during the execution of this Contract, whether internal or external, such as: access supported by other entities, accessible on the web or cloud, among others.
e. Access Removal - Increase
Guarantee the revocation of access to all Subscriber information assets used during the execution of this Contract, whether internal or external, such as: access supported by other entities, accessible on the web or cloud, among others, within a maximum period of 90 days.
f. SLA Compliance Verification
a. The Supplier expressly undertakes to provide proof of compliance with the SLAs expressed in this Agreement whenever requested by Subscriber, within 10 days.
b. The Provider expressly undertakes to provide proof of certifications based on international standards, audit reports from recognized third parties or internal audit reports that it possesses whenever requested to do so by Subscriber, within ten (10) days.
c. In the event of non-compliance with the obligations set out in this Annex, Subscriber shall notify the Provider in writing so that within eight (8) days it may remedy the situation, failing which it shall exercise the right of withdrawal provided for in the Contract.
IX. Provision of Digital Evidence
If applicable, depending on the services provided, the Provider undertakes to:
a. Digital Evidence
The Provider agrees to provide digital evidence as required by Subscriber in case of need and to support the forensic analysis of incidents. This digital evidence must be provided as far as possible and in accordance with recognized information security standards.
b. Format and Content of Evidence
Digital evidence must be provided in a format and structure suitable to support forensic analysis. This includes, but is not limited to, log records, access records, transaction records and any other relevant data related to the service provided by the Subcontractor.
c. Availability
The Provider agrees to keep the digital evidence accessible and available to Subscriber for as long as necessary to conduct the investigative work.
d. Integrity and Authenticity
The Provider guarantees that all digital evidence provided to Subscriber will be accurate, complete and authentic. Any changes or modifications to the digital evidence must be documented and notified to Subscriber immediately, together with a detailed explanation of the changes made.