The parties to the Agreement are: (i) Bright Interactive Ltd, a company incorporated in England and Wales (registration number 03865036) having its registered office at Ninth Floor, Tower Point, 44 North Road, Brighton, East Sussex BN1 1YR, UK ("we", and "us" and "our" shall be construed accordingly); and (ii) the person (natural or legal) who is specified as the customer in the Proposal ("you", and "your" and "yours" shall be construed accordingly).
1. Definitions
1.1 In the Agreement:
"Admin Account" means an administrator account on the Platform enabling you to create user accounts and configure aspects of the Hosted Services;
"Agreement" means the agreement between the parties for the provision of the Hosted Services and/or On-premises Software incorporating:
including any variations from time to time;
"Business Day" means any weekday other than a bank or public holiday in England;
"Business Hours" means between 09:00 and 17:00 London time on a Business Day;
"Charges" means the amounts payable by you to us under or in relation to the Agreement, as specified in the Proposal or elsewhere in the Agreement;
"Client Data" means all digital assets, files, works and materials uploaded to, stored on, processed using or transmitted via the Platform by you or on your behalf;
"Cloud Services" means the Hosted Services plus the Support Services provided in relation to those Hosted Services;
"Confidential Information" means, in respect of a party, any information disclosed by that party to the other party during the Term that at the time of disclosure is marked as confidential, is described as confidential by the disclosing party, or should have been understood as confidential by the recipient party (acting reasonably); and providing that the Client Data shall be your Confidential Information and any third party service provider contracts that we supply to you shall be our Confidential Information;
"Customisations" means any new software developments, updates, upgrades, modules, libraries and APIs that are:
“Data Exporter” means the person (natural or legal) who is specified as the customer in the Services Order Form, and acts as such in Annex 1;
“Data Importer” means Bright Interactive Ltd, and acts as such in Annex 1;
"Data Protection Laws" means all applicable laws relating to the processing of Personal Data including, for the period during which they are in force and applicable to the Personal Data, the UK's Data Protection Act 2018 and Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
"Defect" means a critical issue or major issue (as defined in the SLA) in the Hosted Services and/or On-premises Software, or a failure of the Hosted Services and/or On-premises Software to conform with the specification set out in the Proposal in some material way;
"Effective Date" means the date of execution of the Agreement, being the date upon which a paper copy or electronic copy of the signature page is signed by the second of the parties to sign;
"Force Majeure Event" means an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet, hacker attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars);
"Hosted Services" means:
"Intellectual Property Rights" means all intellectual property rights wherever in the world, whether registered or unregistered, including any application or right of application for such rights (and these "Intellectual Property Rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing-off rights, unfair competition rights, patents, petty patents, utility models and rights in designs);
"Minimum Term" means the period of 12 months beginning on the Effective Date;
"On-premises Software" means the software known as Asset Bank that we own and license;
"Permitted Purposes" means the purposes of uploading, tagging, organising, storing, searching, manipulating, accessing, sharing and downloading digital files;
"Personal Data" means any personal data (as defined in the Data Protection Laws) that we process on your behalf under the Agreement;
"Platform" means the hardware, system software, server software, database software and application software that we use to provide the Hosted Services, whether shared or dedicated;
"Proposal" means the proposal we issue to you setting out the particulars of the Agreement;
"Services" means all the services provided or to be provided by us to you under the Agreement, including any Hosted Services, Set-up Services and Support Services;
"Set-up Services" means the installation, integration and configuration of the Hosted Services and/or On-premises Software, and the provision of any associated training and consultancy services specified in the Proposal;
"SLA" means the service level agreement;
"Support Services" means:
"Support Services Limit" has the meaning given to it in the SLA;
"Term" means the term of the Agreement;
"Third Party Services" means any hosted or cloud service owned and operated by a third party that may transmit data to and/or from the Hosted Services and/or On-premises Software under a contract or arrangement between you and the relevant third party; and
"Upgrades" means new versions of, and updates to, the Hosted Services and/or On-premises Software, whether for the purpose of fixing an error, bug or other issue or enhancing the functionality of the Hosted Services and/or On-premises Software.
2. Term
2.1 The Agreement will come into force on the Effective Date.
2.2 The Agreement will continue in force indefinitely, unless and until terminated in accordance with its express provisions.
3. Set-up Services
3.1 We shall provide the Set-up Services to you promptly following the Effective Date.
3.2 The Cloud Services or On-premises Software shall be configured in accordance with your licence tier (Essential, Professional or Enterprise Unlimited), and shall be subject to the resource limitations applicable to your licence tier, as specified in the Proposal.
4. Cloud Services
4.1 This Clause 4 applies if the Proposal specifies that we have agreed to supply Cloud Services to you.
4.2 We shall complete the installation of your Asset Bank and create one or more Admin Accounts for you after the Effective Date, enabling you to access the Hosted Services.
4.3 Subject to Clauses 4.5 to 4.7, we hereby grant to you a non-exclusive licence to use the Hosted Services on the Platform for the Permitted Purposes via:
in each case during the Term.
4.4 You may permit your own customers to use the Hosted Services on the Platform for the Permitted Purposes via any supported web browser, whether on a free or paid basis, providing that you shall be responsible for your customers' use of the Hosted Services and that all the other limitations and prohibitions relating to your use of the Hosted Services shall apply to your customers' use.
4.5 Your use of the Hosted Services must not exceed the user limitations and storage resources limitations referred to in the Agreement. We may use technical measures to enforce those limitations. From time to time during the Term we may agree with you changes to those limitations. Increases may be subject to additional Charges.
4.6 Your use of the non-storage resources for the Hosted Services (bandwidth, processing power and API calls) must not be excessive. For the purposes of this Clause 4.6, usage will be excessive if:
and if your use is excessive, we may give you written notice of this. From time to time during the Term we may agree with you changes to the resources available to you. Increases may be subject to additional Charges. Notwithstanding the preceding provisions of this Clause 4.6, we may use technical measures to ensure that the usage of non-storage resources is not excessive.
4.7 Except to the extent mandated by applicable law or expressly permitted in the Agreement or in any reseller agreement between us and you, the licence granted under Clause 4.3 is subject to the following prohibitions:
4.8 All Intellectual Property Rights in the Platform and Hosted Services shall, as between the parties, be our exclusive property.
4.9 You must ensure that no unauthorised person accesses the Platform or Hosted Services using any Admin Account or your API access credentials (if we supply these to you).
4.10 We shall use reasonable endeavours to ensure that the Hosted Services are available 99.9% of the time during each calendar month, subject to downtime for scheduled maintenance under Clause 6. Hosted Services uptime shall be measured and calculated by us using any reasonable methodology, and reported to you promptly following our receipt of a written request from you.
4.11 For the avoidance of doubt, you have no right to access the object code or source code of the Platform or Hosted Services, either during or after the Term.
5. On-premises Software
5.1 This Clause 5 applies if the Proposal specifies that we have agreed to supply On-premises Software to you.
5.2 Subject to Clauses 5.3 and 5.4, we grant to you a worldwide, non-transferable, non-exclusive, non-expiring (subject to Clause 20.6) licence from the Effective Date to:
5.3 Your use of the On-premises Software must not exceed the user limitations referred to in the Agreement. We may use technical measures to enforce those limitations. From time to time during the Term we may agree with you changes to those limitations. Increases may be subject to additional Charges.
5.4 Except as required by applicable law on a mandatory basis, you must not:
5.5 You must use reasonable technical and organisational security measures to prevent the disclosure of the On-premises Software code to any unauthorised person.
5.6 For the avoidance of doubt, you have no right to access the source code of the On-premises Software, either during or after the Term.
5.7 You will be responsible for enabling us to apply Upgrades to the On-premises Software. We may from time to time by written notice grant to you the right to apply Upgrades to the On-premises Software, but we shall have no obligation to do so.
5.8 If a critical security Upgrade is not applied to the On-premises Software within 7 days following release as a result of any act or omission by you, then, subject to Clause 18.1, we will not be liable to you in respect of any loss or damage that may arise out of the failure to apply the Upgrade.
6. Support Services
6.1 If you are entitled to Cloud Services, then we will provide Support Services to you in respect of the Hosted Services in accordance with the SLA; and if the Proposal specifies that you are entitled to Support Services in respect of On-premises Software, then we will provide the Support Services to you in respect of the On-premises Software in accordance with the SLA.
6.2 You acknowledge that from time to time we may apply Upgrades to the Hosted Services.
6.3 We may suspend access to the Hosted Services at any time in order to carry out scheduled maintenance to the Hosted Services and/or Platform. Our scheduled maintenance windows are published on the Asset Bank Help Centre and updated from time to time. Scheduled maintenance will usually be completed outside working hours in your jurisdiction.
6.4 Hosted Services downtime during any scheduled maintenance shall not be counted as downtime for the purposes of Clause 4.10.
6.5 Upgrades may result in changes to the appearance and/or functionality of the Hosted Services and/or On-premises Software. We will give you advance written notice of the deprecation or removal of any major functionality by an Upgrade.
7. Other services
7.2 Unless we agree otherwise in writing, all such additional Services will be provided under and subject to the Agreement, and will be subject to additional Charges at our then current time and materials rates.
8. Your obligations
8.1 Save to the extent that we have agreed otherwise in writing, you must provide to us, or procure for us, such:
as are reasonably necessary to enable us to perform our obligations under the Agreement.
8.2 If we agree to supply On-premises Software to you, you must provide to us, or procure for us, such access to your computer hardware, software, networks and systems as may be reasonably required by us to enable us to perform our obligations under the Agreement.
9. Client Data
9.1 We will perform a back-up of Client Data once per day. At your request, we will promptly restore the Client Data in the Hosted Services database using the latest available back-up.
9.2 All the Intellectual Property Rights in Client Data will remain your property and the property of your licensors, subject to Clause 9.3.
9.3 You grant to us a non-exclusive licence to store, copy and otherwise use Client Data on and in relation to the Platform for the purposes of operating the Platform, providing the Services, fulfilling our obligations under the Agreement and exercising our rights under the Agreement. The exercise of our rights under this licence is subject to our obligations under Clause 15 in respect of Personal Data.
9.4 You warrant to us that Client Data, and its use by us in accordance with the terms of the Agreement, will not:
9.5 If we reasonably suspect that there has been a breach by you of the provisions of Clause 9.4, we may:
providing that we will give you advance notification of any such action if that notification does not prejudice our legal position.
9.6 Any breach by you of Clause 9.4 will be deemed to be a material breach of the Agreement for the purposes of Clause 19.
10. Integrations with Third Party Services
10.1 You will have the opportunity to activate integrations with Third Party Services; such integrations will not be active by default.
10.2 The supply of Third Party Services shall be under a separate contract or arrangement between you and the relevant third party. We do not contract to supply the Third Party Services and are not a party to any contract for, or otherwise responsible in respect of, the provision of any Third Party Services.
10.3 The use of some features of the Hosted Services and/or On-premises Software may depend upon you enabling and agreeing to integrations with Third Party Services.
10.4 We may remove, suspend or limit any Third Party Services integration at any time in our sole discretion.
10.5 You acknowledge that:
10.6 You warrant to us that the transfer of Client Data to a provider of Third Party Services in accordance with this Clause 10 will not infringe any person's legal or contractual rights and will not put us in breach of any applicable laws (including the Data Protection Laws).
10.7 Save to the extent that the parties expressly agree otherwise in writing and subject to Clause 18.1:
11. Customisations
11.1 This Clause 11 applies if we agree with you in writing, whether in the Proposal or otherwise, that we shall design and develop a Customisation or Customisations on your behalf.
11.2 Each Customisation will conform in all material respects with the specification for the Customisation agreed by us in writing.
11.3 We will use reasonable endeavours to ensure that each Customisation is made available or (if it forms part of the On-premises Software) delivered to you in accordance with any timetable or project plan agreed by the parties in writing.
11.4 All Intellectual Property Rights in the Customisations shall, as between the parties, be our exclusive property. However, this shall not affect the ownership of Intellectual Property Rights in your brands and/or logos, which shall belong to you.
11.5 From the time and date when a Customisation is first delivered or made available to you, the Customisation shall form part of the Hosted Services and/or On-premises Software, as the case may be, and accordingly from that time and date your rights to use the Customisation shall be governed by Clauses 4 and/or 5.
11.6 You acknowledge that we may make any Customisation available to any of our other customers or any other third party at any time.
12. Charges
12.1 You must pay the Charges to us in accordance with Clause 13.
12.2 All Charges and other amounts stated in or in relation to the Agreement are, unless the context requires otherwise, stated exclusive of any applicable value added taxes, which will be added to those amounts and payable by you to us.
12.3 We may elect to vary any element of the Charges (including any time-based charging rate) by giving to you not less than 90 days' written notice of the variation, providing that:
12.4 You acknowledge that we may charge for new functionality added to Hosted Services or On-premises Software. Customers who do not wish to upgrade will be able to continue with their legacy package at the original charge.
13. Payments
13.1 We will issue invoices for the Charges in accordance with the Proposal; and, save to the extent specified otherwise in the Proposal, you must pay the Charges to us within 30 days following the date of issue of the relevant invoice.
13.2 Charges must be paid by bank transfer or by such other means as we may authorise from time to time.
13.3 If more than one payment due under the Agreement is not received by us by the due date and you are signed-up for quarterly or 6-monthly invoicing, we may by written notice to you move your invoicing frequency to annual and issue your next invoice on this basis.
13.4 If you do not pay any amount properly due to us under or in connection with the Agreement, we may claim interest and statutory compensation from you pursuant to the Late Payment of Commercial Debts (Interest) Act 1998.
13.5 We may suspend the provision of any Services if any amounts due to be paid by you to us under the Agreement are overdue, and we have given you at least 5 Business Days' written notice of our intention to suspend Services on this basis.
14. Confidentiality
14.1 Each party must:
14.2 Notwithstanding Clause 14.1, a party's Confidential Information may be disclosed by the other party to that other party's officers, employees, professional advisers, insurers, agents and subcontractors who have a need to access the Confidential Information that is disclosed for the performance of their work and who are bound by a written agreement or professional obligation to protect the confidentiality of the Confidential Information that is disclosed.
14.3 No obligations are imposed by this Clause 14 with respect to a party's Confidential Information if that Confidential Information:
14.4 The restrictions in this Clause 14 do not apply to the extent that any Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of either party on any recognised stock exchange.
14.5 The provisions of this Clause 14 shall continue in force indefinitely following the termination of the Agreement.
15. Personal Data and the General Data Protection Regulation
15.1 The parties agree that:
15.3 We warrant to you that:
15.4 You hereby give to us a general authorisation to appoint sub-processors of Personal Data in the following categories:
Details of appointed processors are set out in the Asset Bank Help Centre. You acknowledge that some of our appointed sub-processors are multi-national corporations with facilities in jurisdictions around the world, and hereby consent to the transfer of Personal Data outside the UK and EEA to or by sub-processors, providing that: (i) the principal database for the Hosted Services shall be located within the UK or EEA, unless you expressly agree otherwise in writing; (ii) all such transfers shall be made only for the purpose of providing services to you; and (iii) all such transfers shall be protected by appropriate safeguards in accordance with the Data Protection Laws.
15.5 If:
then the standard contractual clauses set out in Annex 1 shall apply with respect to that Personal Data, in addition to the provisions of this Clause 15.
15.6 We shall notify you in accordance with the Data Protection Laws, using the contact details set out in this Agreement or any alternative breach notification contact details supplied by you, promptly and in any case within 24 hours of becoming aware of the issue, if:
15.7 We shall co-operate with you in relation to:
in each case at your cost and expense.
15.8 We shall ensure that access to the Personal Data is limited to those of our personnel who have a reasonable need to access the Personal Data to enable us to perform our duties under the Agreement; any access to the Personal Data shall be limited to such part or parts of the Personal Data as are strictly necessary.
15.9 We shall take reasonable steps to ensure the reliability of any of our personnel who have access to the Personal Data. Without prejudice to this general obligation, we shall ensure that all relevant personnel are informed of the confidential nature of the Personal Data, are subject to confidentiality obligations in relation to the Personal Data, have undertaken training in the laws relating to handling Personal Data, and are aware of our duties in respect of that Personal Data.
15.10 Each party shall upon request make available to the other party all such information as may be necessary to demonstrate its compliance with the Data Protection Laws and the provisions of this Clause 15.
15.11 We shall upon request make available to you all such information as may be necessary to facilitate the carrying out of an audit of our compliance with the Data Protection Laws and the provisions of this Clause 15. For this purpose, we will provide to you a completed security questionnaire, in a form to be determined by us (acting reasonably). We shall ensure that the completed security questionnaire includes all the information that is necessary to enable you to assess our compliance. We will also provide, upon request, evidence of the most recent independent audit(s) carried out to verify GDPR compliance and ISO 27001 compliance. Other than the provision of this security questionnaire, and audit evidence, we may charge you at our standard time and materials rates for any work performed at your request when fulfilling our obligations under this Clause 15.11.
15.12 In the event of changes to the Data Protection Laws that affect the terms of the Agreement, the parties shall act reasonably to agree any necessary changes to the Agreement.
15.13 We shall, if requested by you, provide to you a copy of the Personal Data in accordance with Clause 20.3; and, unless applicable law requires otherwise, we shall delete all the Personal Data from our systems and storage media at the end of the period of 4 months following termination.
16. Warranties
16.1 Each party warrants to the other party that:
16.2 We warrant to you that:
16.3 We warrant to you that we will use reasonable endeavours to ensure that the Hosted Services and the On-premises Software will be supplied free from Defects, and we will endeavour to resolve any Defects and other issues in accordance with the SLA. Without prejudice to this warranty, you acknowledge that complex software is never wholly free from defects, errors and bugs, and we give no warranty or representation that the Hosted Services or On-premises Software will be wholly free from such defects, errors and bugs.
16.4 We warrant to you that we will ensure that the Hosted Services and the On-premises Software will incorporate security measures reflecting the requirements of good industry practice. Without prejudice to this warranty, you acknowledge that complex software is never wholly free from security vulnerabilities, and we give no warranty or representation that the Hosted Services or On-premises Software will be wholly free from such vulnerabilities.
16.5 All of the parties' warranties and representations in respect of the subject matter of the Agreement are expressly set out in the terms of the Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of the Agreement will be implied into the Agreement.
17. Additional acknowledgements
17.1 You acknowledge that, subject to the express warranties set out in the Agreement:
18.3 Neither party will be liable to the other for any indirect or consequential loss.
18.4 Neither party will be liable to the other party for any loss of business, contracts or commercial opportunities.
18.5 Neither party will be liable to the other party for any loss of or damage to goodwill or reputation.
18.6 Subject to our compliance with Clause 9.1 and excluding any loss of the most recent back-up copy of the Client Data we make in accordance with Clause 9.1, we will not be liable to you in respect of any loss or corruption of any Client Data.
18.7 Neither party will be liable to the other party for any losses arising out of a Force Majeure Event. Where a Force Majeure Event gives rise to a failure or delay in either party performing its obligations under the Agreement (other than the obligation to make payment), those obligations will be suspended for the duration of the Force Majeure Event.
18.8 Neither party's liability to the other party in relation to any event or series of related events will exceed the greater of:
18.9 Neither party's aggregate liability to the other party will exceed GBP 2,000,000.
19. Termination
19.1 The Agreement may only be terminated for convenience after the end of the Minimum Term in accordance with this Clause 19.1. You may terminate the Agreement by giving to us at least 30 days' written notice of termination expiring after the end of the Minimum Term; and we may terminate the Agreement by giving to you at least 120 days' written notice of termination expiring after the end of the Minimum Term.
19.2 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:
19.3 Either party may terminate the Agreement immediately by giving written notice of termination to the other party if:
19.4 We may terminate the Agreement immediately by giving written notice to you if:
20. Effects of termination
20.1 Upon termination of the Agreement, all the provisions of the Agreement will cease to have effect, save that the following provisions of the Agreement will survive and continue to have effect (in accordance with their terms or otherwise indefinitely): Clauses 1, 4.11, 5 (if applicable and subject to Clause 20.6), 10.7(b), 13.4, 14, 15, 18, 20, 23 and 24.
20.2 Termination of the Agreement will not affect either party's accrued liabilities and rights as at the date of termination.
20.3 You may download a copy of the Client Data from the Platform at any time before the date of termination. We will retain a copy of the Client Data for a period of at least 30 days following the date of termination. During this period, if you request that we provide you with a copy of the Client Data, we will do so, subject to payment of charges (calculated using our standard time-based charging rates). At any time following the end of that 30 day period, we may delete from our computer systems all Client Data. You acknowledge that, if you have not retrieved Client Data from the Platform before termination or requested it before deletion, you will lose that Client Data.
20.4 You acknowledge that we may retain Client Data in our systems for a period of up to 4 months after the date of termination; and the licence set out in Clause 9.3 shall continue after termination to the extent necessary for us to exercise our rights under this Clause 20.4.
20.5 If the Agreement is terminated under Clause 15.3(f) or 19.1, then you will be entitled to a refund of any Charges paid to us with respect to Services that were to be provided to you after the date of effective termination, and you will be released from any liability to pay such Charges. The amount of the refund or release shall be calculated by us using any reasonable methodology. Subject to this, you will not be entitled to any refund of the Charges upon the termination of the Agreement, nor will you be released from any liability to pay Charges that have accrued before the date of effective termination.
20.6 If the Agreement is terminated under Clause 15.3(f) or 19.1, then any licence of On-premises Software under the Agreement shall continue notwithstanding such termination; if the Agreement is terminated in any other circumstances, then any licence of On-premises Software under the Agreement shall automatically and simultaneously terminate. If any licence of On-premises Software continues following termination of the Agreement, and it comes to our attention that you have breached any term of that licence, whether before or after termination of the Agreement, then we may by written notice to you terminate that licence.
21. Notices
21.1 Any notice under the Agreement must be in writing (whether or not described as "written notice" in the Agreement) and must be sent in accordance with this Clause 21.
21.2 Any notice that a party gives to the other party under the Agreement must be sent by email, courier or recorded signed-for post:
21.3 A party receiving from the other party a notice by email must acknowledge receipt by email promptly, and in any event within 2 Business Days following receipt of the notice.
21.4 A notice will be deemed to have been received:
21.5 You acknowledge that we may treat all instructions received by us in relation to this Agreement from any user with an Admin Account as fully authorised by you.
22. Subcontractors
22.1 We may subcontract the provision of hosting services and any other of our obligations under the Agreement, subject to our obligations in relation to the appointment of sub-processors of Personal Data.
22.2 We shall remain responsible to you for the performance of any subcontracted obligations.
23. General
23.1 No breach of any provision of the Agreement will be waived except with the express written consent of the party not in breach.
23.2 If a Clause of the Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other Clauses of the Agreement will continue in effect. If any unlawful and/or unenforceable Clause would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the Clause will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant Clause will be deemed to be deleted).
23.3 The Agreement may be varied as follows:
23.4 Either party may freely assign the entirety of its contractual rights and obligations under the Agreement to any group company of the assigning party or to any successor to all or a substantial part of the business of the assigning party. The assigning party must give to the other party written notice of any assignment upon or before the date of the assignment. Save as provided in this Clause 23.4, neither party may without the other party's prior written consent assign, transfer, charge, license or otherwise dispose of or deal in the Agreement or any contractual rights or obligations under the Agreement.
23.5 The Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate or rescind, or agree any amendment, waiver, variation or settlement under or relating to, the Agreement are not subject to the consent of any third party.
23.6 Subject to Clause 18.1:
23.7 The Agreement will be governed by and construed in accordance with English law; and the courts of England and Wales will have exclusive jurisdiction to adjudicate any dispute arising under or in connection with the Agreement.
24. Interpretation
24.1 In the Agreement, a reference to a statute or statutory provision includes a reference to:
24.2 The Clause headings do not affect the interpretation of the Agreement.
24.3 In the Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Parties
Name of the data exporting organisation: [The Data Exporter, as defined in the Agreement]
Fax: N/A
Address: N/A
Email: N/A
Telephone: N/A
Other information needed to identify the organisation: N/A
(the data exporter)
and
Name of the data importing organisation: Bright Interactive Ltd
Fax: N/A
Address: 9th Floor, 44 Tower Point, Brighton, BN1 1YR, UK
Email: info@bright-interactive.com
Telephone: +44 (0) 1273 923 150
Other information needed to identify the organisation: N/A
(the data importer)
each a 'party'; together 'the parties',
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
(1) The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
(2) The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
(3) The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(4) The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;
(j) that it will ensure compliance with Clause 4(a) to (i).
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
(1) The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
(2) If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
(3) If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(1) The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
(2) The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
(1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
(2) The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
(3) The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
(1) The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
(2) The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
(3) The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
(4) The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
(1) The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
(2) The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
The parties are able to add additional commercial clauses.
When including additional commercial clauses, the parties should ensure that these clauses do not in any way:
Priority of standard contractual clauses
The Standard Contractual Clauses take priority over any other agreement between the parties, whether entered into before or after the date these Clauses are entered into.
Unless the Clauses are expressly referred to and expressly amended, the parties do not intend that any other agreement entered into by the parties, before or after the date the Clauses are entered into, will amend the terms or the effects of the Clauses, or limit any liability under the Clauses, and no term of any such other agreement should be read or interpreted as having that effect.
Effective date of the Standard Contractual Clauses
The parties intend that these Clauses should only become effective if Art 44 of the General Data Protection Regulation (the “GDPR”) applies to a transfer of personal data from the EEA to the UK, because the UK has left the European Union, and the transfer is not permitted under Art 45.
On that basis, the Clauses will become effective on:
(i) the first date Article 44 GDPR applies to a transfer of personal data from the EEA to the UK, and that transfer is not permitted under Article 45 GDPR; or
(ii) the date of the Standard Contractual Clauses, if later.
In this clause, 'a transfer of personal data' has the same meaning as in Article 44 of the GDPR.
On behalf of the data exporter:
Name (written out in full): [The Data Exporter, as defined in the Agreement]
Address: N/A
Position: N/A
Other information necessary in order for the contract to be binding (if any): N/A
Signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
Date of the Standard Contractual Clauses: [The Effective Date, as defined in the Agreement]
On behalf of the data importer:
Name (written out in full): Bright Interactive Ltd
Address: 9th Floor, 44 Tower Point, Brighton, BN1 1YR, UK
Position: N/A
Other information necessary in order for the contract to be binding (if any): N/A
Signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter’s business or organisation type is (please specify): The customer of the data importer, Bright Interactive Ltd, who has executed this Standard Contractual Clause
The data exporter is using the personal data which is being transferred for the following purposes or activities (please specify): Processing and storage in the software and services provided by Bright Interactive Ltd, for the purposes as controlled and defined by the data exporter
The data importer is: Bright Interactive Ltd - a provider of software solutions, including digital asset management software solutions and associated services.
The data importer’s activities for the data exporter, which are relevant to the transfer are: Bright Interactive Ltd processes data upon the instruction of the data exporter in order to deliver services, and to meet contractual obligations. This processing includes transfer and secure storage of data, and consultancy and support services.
Data subjects: Each category includes current, past and prospective data subjects. Where any of the following is itself a business or organisation, it includes their staff. The personal data transferred concern the following categories of data subjects (please specify):
Any user of the service as determined by the data exporter
Any individuals whose personal data is contained within any assets or metadata uploaded to the service by the data exporter or any of its authorised users
Categories of data: The personal data transferred concern the following categories of data (please specify):
Names, emails and other account related data of users of the service
Any personal data that is contained within any assets or metadata uploaded to the service by the data exporter or any of its authorised users. This personal data may include but is not limited to:
Special categories of data (if appropriate): The personal data transferred concern the following special categories of data (please specify): Data exporter may submit special categories of data to the data importer at the sole discretion of the data exporter (special categories include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.)
Processing operations: The personal data transferred will be subject to the following basic processing activities (please specify): Data importer may undertake the following process activities:
All under instruction from the data exporter and in line with contractual obligations
Data exporter
Company Name: [The Data Exporter, as defined in the Agreement]
Name: N/A
Title: N/A
Authorised signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
Date signed: [The Effective Date, as defined in the Agreement]
Data importer
Company name: Bright Interactive Ltd
Name: N/A
Title: N/A
Authorised signature: [By executing the Agreement, the parties also agree to these Standard Contractual Clauses]
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The following is the description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Data importer has in place appropriate security measures (both technical and organisational) to protect against unlawful or unauthorised processing of personal data and against loss or corruption of the personal data, including those measures specified in Bright's security policy as published in the Asset Bank Help Centre from time to time. Such measures include, but are not limited to:
Revision: 17 November 2020