Buyer Terms & Conditions

1.1 In these T&Cs the following words have the following meanings: 

Authorised User means personnel of the Buyer’s Group who are authorised by the Buyer to access the Cimple Platform; 

Buyer Account has the meaning given in the Introduction;

Buyer Brand means the Buyer’s names and trade marks, any logos related to those names or stylised representations of those names and any other trading names, product names, logos and slogans adopted or used from time to time by the Buyer in connection with a Buyer Offer or otherwise in its business; 

Buyer Data means any personal or financial data, business information, contracting information and other data which Buyers or Authorised Users may provide either as part of the subscription process or when using the Cimple Platform or via any communications with Cimple;

Cimple Brand means Cimple’s names and trade marks, any logos related to those names or stylised representations of those names and any other trading names, product names, logos and slogans adopted or used from time to time by Cimple in connection with the Cimple Platform or otherwise in its business;

Contract means a contract between a Buyer and a Supplier for the procurement of Supplier Products or Services (including by way of response to a Buyer Offer) awarded or concluded via the Cimple Platform; 

Group means, in relation to any body corporate, a subsidiary or holding company or subsidiary of a holding company or subsidiary of a subsidiary and Group Company shall be interpreted accordingly.  The terms subsidiary and holding company shall be as defined in the Companies Act 2006;

Inappropriate Content means unlawful, defamatory, offensive, misleading, obscene, discriminatory or racist products, services or content, products, services or content which are otherwise contrary to generally acceptable ethical or moral standards in the United Kingdom or contrary to any applicable industry code or otherwise objectionable and any products, services or content that infringe third party rights (including any third party IPRs) or which are advertised or sold in breach of any duty (including confidentiality duties) to third parties, or which are otherwise likely to give rise to third party liability; 

IPRs means any and all intellectual and industrial property rights including patents, trade marks, designs, design rights, copyrights and neighbouring rights, database rights, rights in know-how, trade secrets and confidential information, trading names, internet domain names, email addresses, names of account and user names on digital services or social media services, and other signs and indications of origin, in each case whether registered or not and including pending applications and the right to apply for any of the foregoing and other industrial and intellectual property rights of the same or similar effect anywhere in the world;

Malicious Code means viruses, Trojan, software lock, drop-dead device, malicious logic or trap door, worms, time bombs, corrupted files or other computer programming routines that are intended to delete, disable, deactivate, damage, detrimentally interfere with, surreptitiously intercept, monitor or expropriate any systems, data, personal information or property of another;

Platform-Generated Data means any data arising from or relating to the use of the Cimple Platform by Suppliers, the Buyer and its Authorised Users or any other subscriber or their authorised users which may be recorded or collated by Cimple including, without limitation, data obtained from the Buyer and its Authorised Users through Buyer Accounts, surveys, questionnaires, profile sheets, and other communications with Cimple, data relating to the frequency and mode of use of the Cimple Platform, the manner in which preferences are set and the Cimple Platform is personalised, the time spent on different elements of the Cimple Platform and other statistical information; 

Product Information means the details, description and other information relating to Supplier Products or Services supplied by Suppliers and displayed on the Cimple Platform; and

Suppliers means prospective and actual merchants and suppliers of Supplier Products or Services which are advertised and/or offered for sale on the Cimple Platform.

Subject to the Buyer’s compliance with these T&Cs, the Buyer and its Authorised Users may access and use the Cimple Platform to browse and to procure or award Supplier Products or Services, advertise and make available to Suppliers Buyer Offers, or to conclude Contracts so long as the Buyer Account is not terminated or suspended in accordance with these T&Cs.

3.1 

User names and passwords and other log-in credentials for the Cimple Platform (“Account Credentials”) are unique to each Buyer and Supplier using the Cimple Platform and must not be made available to any person other than Authorised Users and must not be shared outside the Buyer’s organisation.  Account Credentials shall be kept secure and confidential by the Buyer and its Authorised Users.  The Buyer shall use reasonable endeavours to prevent unauthorised access to the Cimple Platform through its Authorised Users or using its Account Credentials or those of its Authorised Users.  If Account Credentials are lost or in the event of any suspected unauthorised access by any person to any Account Credentials, the Buyer must immediately inform Cimple to allow it to revoke those Account Credentials and issue replacement ones.  

4.1 The facilities of the Cimple Platform are made available to the Buyer in order to enable and assist it with browsing Supplier Products or Services, advertising and making available to Suppliers Buyer Offers, and concluding Contracts including through schemes such as frameworks, dynamic markets and competitions. The use of the Cimple Platform for purposes which are inconsistent with the foregoing is not permitted.

4.2 The Buyer shall ensure that: (a) any Buyer Offer advertised on the Cimple Platform; and (b) the Authorised Users’ access and use of the Cimple Platform, comply with these T&Cs in all respects.  The Buyer shall be responsible for any abuse or misuse of the Cimple Platform by its Authorised Users or its other personnel. 

4.3 Cimple makes available the Cimple Platform to Buyers and Suppliers as a tool for publishing and communicating Buyer Offers and Supplier Products or Services and as a digital platform for managing tenders and other competitive bidding processes. Except as aforesaid, Cimple is not involved in management or administration of such tenders or competitive bidding processes including in the Buyer Offers or Supplier’ bids. Accordingly, it is the Buyer’s sole responsibility to respond to all enquiries and to resolve any complaints and disputes relating to a Buyer Offer or Supplier’s bids and to respond to other Supplier communications and to manage, administer and perform Contracts concluded on the Cimple Platform.  

4.4 Any breach of these T&Cs by the Buyer, its Authorised Users or any of its other personnel may result in either suspension or termination of the Buyer Account and its access to the Cimple Platform as determined by Cimple in its sole discretion.

4.5 Any of the following is strictly prohibited and may result in the immediate termination of the Buyer’s access to the Cimple Platform without liability and may be reported to regulatory authorities: 

a. the unlawful use of the Cimple Platform or its use: (i) for unlawful purposes; or (ii) in a manner intended to overload or disrupt it;

b. using the Cimple Platform, or obtaining any content from the Cimple Platform, through automatic means (that is, access or use controlled by “bots” or other computer software without an individual Supplier or Authorised User controlling each step of the use of the Cimple Platform through a standard browser), except where such processes are arranged by mutual consent with Cimple; 

c. the insertion, distribution or infection of the Cimple Platform with any Malicious Code; and

d. the posting by the Buyer to the Cimple Platform of any Buyer Offer which infringes third party IPRs.  If this clause 4.5.D is breached, the Buyer shall indemnify Cimple, its Group Companies, officers, employees, agents and representatives and shall keep them indemnified on demand against any liability in respect of any Buyer Offer infringing any third party IPRs and against any claims, proceedings, investigations or complaints relating thereto and against any costs, damages, losses, expenses (including legal and other professional costs) incurred in connection therewith.

5.1 Cimple is not a broker or offeror of Supplier Products or Services and is not responsible for providing any options displayed on the Cimple Platform or for setting or controlling the prices or other terms and conditions relating to Supplier Products or Services displayed on the Cimple Platform.  

5.2 Cimple does not undertake any vetting, review or quality management of Suppliers or Supplier Products or Services prior to such products or services being offered on the Cimple Platform and the display of Supplier Products or Services on the Cimple Platform does not constitute a recommendation or endorsement by Cimple, its directors, employees, agents or subcontractors of either such Supplier or such Supplier Products or Services.

5.3 Cimple does not guarantee that the Supplier Products or Services on the Cimple Platform are in stock and are immediately available for Buyers to purchase or that Suppliers have the capacity or qualification to supply such Supplier Products or Services in response to Buyer Offers.

5.4 Pictures and images of Supplier Products or Services shown on the Cimple Platform are for illustrative purposes. The Supplier alone is responsible for the description of the Supplier Products or Services and for any images or other information provided or posted by the Supplier on the Cimple Platform. 

5.5 In operating the Cimple Platform, Cimple is not engaged in offering, selecting or approving of products or services advertised, represented, referred to or offered for sale by Suppliers on the Cimple Platform and it will not be liable if Supplier Products or Services procured through the Cimple Platform are not suitable for Buyer’s needs.

5.6 The pricing for Supplier Products or Services offered on the Cimple Platform  (“Offer Price”) shall be determined solely by Suppliers and subject to agreement between the Supplier and the Buyer.

5.7 Supplier Products or Services are offered on the relevant applicable terms and conditions as may be agreed by the Buyer and the Supplier and subject to such disclaimers, notices or warnings that Suppliers may communicate to or agree with Buyers. Quotes, offers or estimates given by Suppliers may be based on a set of assumptions.  Buyers should ensure that they understand applicable terms and conditions proposed by Suppliers and be aware that such quotations, offers or estimates are typically affected by market movements and may change substantially before the Supplier enters into any Contract with the Buyer. 

5.8 Not all products or services shown on the Cimple Platform are suitable for everyone and Buyers should therefore ensure the Supplier Products or Services meet their needs.  If Buyers do not feel they are suitably experienced or qualified in relation to any particular product or service they wish to acquire or procure from a Supplier they should check the suitability, adequacy, accuracy and completeness of any products or services with a suitably qualified adviser.

6.1 The Buyer assumes full liability for all its activities on the Cimple Platform including any information, advertising or representations made or provided through the Cimple Platform in relation to Buyer Offers, and its performance and compliance with any Contracts awarded or concluded via the Cimple Platform.

6.2 The Buyer warrants, represents, undertakes and confirms to Cimple on the following terms:

a. all information supplied to Cimple on creation and ongoing management of a Buyer Account and via any user interface on the Cimple Platform or through any communications with Cimple, is and shall be true, complete, accurate and not misleading;

b. any Buyer Offer posted by the Buyer on the Cimple Platform shall comply with all applicable laws, regulations, rules and guidance from any governmental or regulatory authority and, where applicable, shall have the applicable governmental or regulatory licences, approvals and authorisations;

c. the Buyer Offer shall not constitute or comprise Inappropriate Content or require the Supplier to provide Inappropriate Content;

d. all information provided by the Buyer in respect of any Buyer Offer (“Buyer Offer Information”) shall be true, complete, accurate and not misleading; and

e. any Buyer Offer posted by the Buyer via the Cimple Platform shall conform in all respects to the Buyer Offer Information.

6.3 The Buyer further warrants, represents, acknowledges and agrees that, in relation to any Buyer Offer posted on the Cimple Platform:

a. any Contract with a Supplier shall be entered into with the Buyer, not with Cimple, and the Buyer shall be responsible for and liable to the Supplier for fulfilling its obligations under the terms of that Contract;

b. the Buyer shall comply with the terms of any Contract concluded via the Cimple Platform; and

c. Cimple does not act as an agent or representative of Buyer (except, where applicable, in respect of the collection and handling of payments) or Suppliers

6.4 Cimple shall be entitled to refuse, block, remove, withdraw or discontinue the advertising or posting of any Buyer Offer on the Cimple Platform where Cimple determines in its sole discretion that such Buyer Offer breaches any of these T&Cs or where Cimple, in its sole and unfettered discretion, considers such Buyer Offer to be unsuitable for the Cimple Platform.

7.1 Product Information is provided to Cimple by Suppliers. Cimple has no control over the contents of the Product Information and merely reproduces such information (as provided by Suppliers) on the Cimple Platform.  Under Cimple’s terms and conditions with Suppliers, Suppliers confirm to Cimple that such Product Information is true, complete, accurate and not misleading, however, Cimple is not able to independently verify such information.  Cimple will not knowingly include anything misleading or anything it believes to be untrue in the Product Information.  However, Cimple does not make any representations nor gives any guarantees that the Product Information will always be error-free, accurate or reliable.  The Buyer acknowledges and understands that all Product Information or any other information, data and details included on the Cimple Platform is not an offer or inducement to contract with Cimple, is subject to change and should the Buyer wish to rely on such information, it should independently verify it.  Accordingly, the Buyer hereby waives, to the fullest extent permitted by law, any and all claims, actions or similar against Cimple, its Group Companies, employees, directors officers and agents that may arise in connection with any Product Information posted or communicated through the Cimple Platform

7.2 The Buyer is responsible for ensuring that the Supplier Products or Services are suitable for its needs and purposes.

7.3 Where the Cimple Platform contain links to other sites and resources provided by third parties including Suppliers, these links are provided for the Buyer’s information only.  Cimple has no control over the contents of those sites or resources and accept no responsibility for them or for any loss or damage that may arise from the Buyer’s use of them.

8.1 In the event that the Buyer or its Authorised Users have queries or complaints relating to Supplier Products or Services, Contracts or the delivery of any Supplier Products or Services procured via the Cimple Platform, the Buyer or Authorised User should contact the Supplier.  The Buyer understands and agrees that Cimple is not responsible  for the provision of any support or information in respect of the Supplier Products or Services and accordingly, hereby waives, to the fullest extent permitted by law, any and all claims against Cimple in respect thereof.

8.2 The Buyer may contact Cimple (on the details set out in clause 20 below) where it has any complaints in respect of the Cimple Platform.  Cimple shall use reasonable endeavours to understand and investigate complaints and comments and to address such matters.

8.3 If a Buyer has any complaints regarding copyright or other intellectual property infringement, please contact Cimple at support@cimple.uk and Cimple shall consider such complaint and if necessary take appropriate action.

The Buyer shall supply an email address, telephone number and postal address to Buyers for the purpose of support, complaints and enquiries. In responding to and handling support, requests, enquiries and complaints, and in all communications with Suppliers the Buyer shall, and shall procure that its staff shall, respond promptly and act in a professional and business-like manner. 

10.1 Certain functionalities of the Cimple Platform and data relating to Supplier Goods and Services on the Cimple Platform are available to access free of charge by a Buyers that open Buyer Accounts and by their Authorised Users. Other functionalities and/or data can be accessed and used by Buyers subject to the payment of fees. The applicable rates or premium account packages (“Pricing Plan”) are available from time to time on the Cimple website at https://help.cimple.uk or will otherwise be communicated to Buyers when opening Buyer Accounts or upgrading to premium accounts. Cimple reserves the right to update its rates and the Pricing Plan from time to time subject to reasonable notice to Buyers. Cimple may also communicate the Pricing Plan or any updates thereto through communication features within the Buyer Account portal, or through other means of communications with Buyers. The free-of-charge access to the Cimple Platform is subject to conditions as set out in the Pricing Plan.

10.2 Except where expressly stated otherwise, the rates set out in the Pricing Plan are exclusive of value added tax, sales taxes or any similar or equivalent taxes in any relevant country payable on the supply of goods or services.

10.3 The Buyer agrees to pay the fees to Cimple in accordance with the Pricing Plan save where its use of the Cimple Platform is strictly limited to use within the free-of-charge conditions.

10.4 Where a Buyer signs up to a premium account, or where it uses features of the Cimple Platform which are subject to the payment of fees or otherwise uses the Cimple Platform in a manner which is subject to the payment of fees under the Pricing Plan, or where the conditions for free-of-charge use as stated on the Cimple website (or otherwise explained in the Pricing Plan) are not met, Cimple shall be entitled to charge the Buyer in accordance with the Pricing Plan including for any relevant period during which the Buyer made use of the chargeable features of the Cimple Platform, and the Buyer shall pay the fees as properly charged by Cimple.  

10.5 Cimple invoices its fees on a monthly basis or on such other intervals as may be stated in the Pricing Plan or otherwise agreed with the Buyer. Payments can be made through such means as are indicate on the Cimple website are available included direct debit, credit card payment and electronic bank transfers. Where Cimple is not authorised by the Buyer to collect payment of its fees on its own (e.g., by using credit card details or through a direct debit authorisation), the Buyer shall pay the amounts charged by Cimple within 30 days of the date of each invoice. 

10.6 All amounts payable by the Buyer to Cimple in connection with the use of the Cimple Platform shall be paid in full without any withholding or deduction on account of any taxes, duties, levies or charges, unless the Buyer is required by law to make such deduction or withholding.  If it is so required the Buyer shall duly deduct or withhold the amount as required by law, provided that it shall give Cimple such assistance and co-operation, including the provision of documentation as may be required by any tax authority, as may be reasonably necessary to enable Cimple to obtain an exemption, reduction, repayment or tax accreditation in regard to any such deduction or withholding.

10.7 The Buyer shall not assert any credit, set-off or counterclaim against any payment obligations (or part thereof) under these T&Cs, except undisputed amounts due from Cimple to the Buyer, if such undisputed sums are fully quantified and are due and payable by the due date of payment of the amount due hereunder. Amounts in default may be subject to interest at an annual rate calculated on a daily basis, from the date on which the payment originally fell due until the date of receipt of payment in cleared funds, equal to the standard overdraft rate for commercial accounts charged by Cimple’s bank from time to time plus 1.5%

10.8 Cimple may charge fees from Suppliers as well as Buyers either generally for the use of the Cimple Platform or in respect of certain features of the platform in other circumstances.

11.1 As between the parties, Cimple is and shall remain the sole owner of all IPRs in all elements of the Cimple Platform (and the sole licensee of any elements of the Cimple Platform licensed from a third party), including the Platform-Generated Data and the Cimple Brand and any goodwill relating thereto (together, the “Cimple IP”).  All rights and goodwill arising from the use of the Cimple Brand in connection with the Cimple Platform shall inure solely to the benefit of Cimple. 

11.2 Subject to clause 19, no licence for the use of the Cimple Brand shall be implied from these T&Cs. 

11.3 The Buyer shall not and shall procure that its Group Companies do not:

a. register or file any applications to register IPRs or otherwise claim to own any IPRs in or relating to the Cimple IP anywhere in the world; 

b. use any name, sign or logo incorporating, containing or consisting of the Cimple Brand, or any name or sign confusingly similar thereto, anywhere in the world, in relation to any product or service, save for the use of the Cimple Brand in accordance with this clause 11; or

c. do or cause to be done anything which may in any way damage, depreciate, tarnish, jeopardise, or otherwise prejudice the goodwill or reputation of the Cimple IP or the Cimple Brand or the goodwill or reputation associated therewith.

11.4 In the event of a claim in relation to a third party’s copyright infringement, the Buyer agrees that Cimple shall have the right to remove, at its sole discretion, the Buyer Account from the Cimple Platform without prior consent from the Buyer.

11.5 Cimple shall be entitled to use, process, reproduce, communicate to the public, package, sell, rent or hire to any person, for any purpose whatsoever including, but not limited to, for the purpose of analysis or benchmarking, any Platform-Generated Data and to generate, reproduce, communicate and distribute any aggregated and anonymised data, analysis, research, statistics and other derivative content based on such data, provided that any such data will not be disclosed to third parties in a form that discloses its connection to the Buyer or any of its personnel. 

11.6 Buyer Data shall be treated by Cimple as Buyer Confidential Information in accordance with clause 15 below. Cimple shall be entitled to use the Buyer Data for the purpose of administering the Cimple Platform and for its internal business purposes including managing the Buyer Account and its relationship with the Buyer for and maintaining business records and general internal use including for the purpose of enforcing these Ts&Cs. To the extent that any IPRs exist in any Buyer Data, the Buyer hereby grants Cimple a royalty-free, worldwide licence to use the Buyer Data in this manner.

11.7 To the extent any IPRs exist in the Platform-Generated Data, all such IPRs shall belong solely to Cimple which shall have the exclusive right to exploit such data and the Buyer hereby waives any right, title or interest in or to such data.

12.1 Cimple shall use all reasonable endeavours to ensure the availability and operation of all key functionalities of the Cimple Platform from 7am to 7pm on working days (which shall mean week days in which banks are generally open for business in London excluding any English public holidays) ("Normal Working Hours") such availability, subject to clauses 12.3 and 17 below, not to falls below 95% of Normal Working Hours in each calendar month

12.2 Without derogation from clause 12.1 above, Cimple makes efforts to avoid and to fix any technical issues that may limit Buyers’ ability to use the functionalities offered through the Cimple Platform. However, such technical failures may occur and Cimple does not represent or warrant that Buyers’ access to or use of the Cimple Platform will be uninterrupted or error free or that all functionalities will always be fully operational. 

12.3 Clause 12.1 above notwithstanding, the Cimple Platform and/or the Buyer’s or an Authorised User’s access to the Cimple Platform may be suspended, disrupted or blocked by Cimple in the following circumstances: 

a. upon reasonable notice and insofar as practicable, outside of Normal Working Hours, for scheduled downtime to permit Cimple to conduct maintenance to the Cimple Platform;

b. for the duration of any unanticipated or unscheduled downtime, as a result of technical failures including system breakdown, communication or network problems, server overloading or other technical issues or any Force Majeure Event (as defined in clause 17); 

c. in order to protect the Cimple Platform from unauthorised access or attack, or in order to prevent fraud or any unauthorised or unlawful access or use of the service, to prevent any unlawful use of the Cimple Platform, or if it determines that the Cimple Platform is being used (by the Buyer, an Authorised User or any other person) in breach of applicable law or these T&Cs, or if such suspension is required in response to an order or direction of any court of law, governmental or regulatory body or other official enforcement or investigation authority; and 

d. in other circumstances where it might be reasonable or necessary to suspend, disrupt or block the Cimple Platform.

13.1 Cimple warrants to the Buyer as follows:

a. it has the right to provide the Cimple Platform; and

b. it shall use commercially available technologies to ensure that the Cimple Platform is free from Malicious Code.

13.2 Each of the parties warrants and represents to the other in the following terms:

a.  each of them has the right, power and authority and has taken all action necessary to execute, deliver and exercise its rights, and perform its obligations, under these T&Cs;

b. neither the execution nor the performance of these T&Cs by either party is prohibited or restricted by any provision of law and will not be in breach of any obligation by any party to any third party.

13.3 The Buyer represents, warrants and confirms to Cimple that, in concluding Contracts, it and its Authorised Users are acting for and on behalf of the Buyer and not in their individual or personal capacities.

14.1 Other than the warranties, representations and covenants expressly set out in these T&Cs, Cimple gives no warranty nor makes any representation in relation to the Cimple Platform, the Buyer Account, any features or functionalities of the Cimple Platform, the Buyer Offer or the Cimple IP and the parties expressly disclaim to the fullest extent permitted by law any representation or warranty relating to the Cimple Platform, the Product Comparison Service, the Offer Search Service, or any other features or functionalities,  the Buyer Account, the Buyer Offer or the Cimple IP that may be implied by these T&Cs, by custom or by law or otherwise and which is not expressly set out in these T&Cs or in the Buyer Account, including any implied warranties of quality, merchantability, title or entitlement, fitness for a particular purpose, non-infringement of third party IPRs, the ability to achieve a particular result or functionality, including any warranty or representation that the Cimple Platform, the Product Comparison Service, the Offer Search Service, or any other features or functionalities,  the Buyer Account, the Buyer Offer or the Cimple IP will be uninterrupted or error free, and all such implied terms or warranties are excluded from these T&Cs.

14.2 The Buyer hereby indemnifies the Indemnified Parties, and shall keep the Indemnified Parties indemnified on demand, up to an a total maximum amount of £1,000,000 for any single event or series of related events, against any loss, cost, damage, liability or expense (including legal costs) (“Loss”) arising to the Indemnified Parties out of: (i) the breach of any of its warranties, representations, acknowledgements or agreements detailed these T&Cs including without limitation the provisions of clauses 5, 6, 7 and 8 hereof; (ii) any negligent act or omission or wilful misconduct by the Buyer or its Authorised Users in connection with the use of the Cimple Platform, the posting or publishing of any Buyer Offer on the Cimple Platform or the conclusion or performance of any Contract or the fulfilment of any of the Buyer’s obligations in respect of any Contract; or (iii) any claim, action, proceedings or allegation relating to a Buyer Offer (including any claim alleging misrepresentation, breach of contract, fraud or the infringement or misuse of any third party Intellectual Property Rights); provided that the above indemnity shall not apply where the Loss was caused by the negligent or intentional misconduct of Cimple or the Indemnified Party.

14.3 Except as provided in clause 14.6, Cimple shall not be liable to the Buyer, its Authorised Users, employees, directors, officers, agents and Group Companies under these T&Cs or the Buyer Account, either for breach of contract, misrepresentation or negligence or under any warranty, and the Buyer waives any claim against Cimple or its Group Companies, employees, officers or subcontractors relating to or arising out of: 

a. any disruption to the Cimple Platform howsoever arising, except where such disruption constitutes a breach of clause 12.1;

b. the loss or corruption of any data, including without limitation, Buyer Data (the Buyer acknowledging that the Cimple Platform is not designed to provide a data storage facility and that it is the Buyer’s responsibility to maintain, independently from the Cimple Platform, records and back-up copies of any Buyer Data and other data processed on the Cimple Platform); 

c. errors or inaccuracies in any Buyer Offer, the Buyer Data, Buyer Offer Information, Product Information or in any information displayed as a part of the Product Comparison Service, the Offer Search Service,  or Search Results;

d. security breaches affecting the Buyer Account, Buyer Data, the Cimple Platform, the Product Information, third party interception of electronic communications, or any unauthorised access to or misuse of computer systems, unless such incident is caused as a result of Cimple’s failure to put in place reasonable security measures to protect the Cimple Platform; or 

e. damage caused by Malicious Code that may affect the Buyer Account, the Cimple Platform or any software or hardware used to access or use the Buyer Account or the Cimple Platform, except where such damage is caused as a result of Cimple’s breach of clause 14.1(b).

14.4 Save as provided in clause 14.6, a party shall not be liable to the other in connection with the operation or use of the Cimple Platform, the Buyer Account and otherwise in connection with these T&Cs, either for breach of contract, misrepresentation or negligence or under any warranty or indemnity, for any indirect or consequential losses, or for punitive or exemplary damages, or for any loss of profits, interest, future business revenue, anticipated savings or business goodwill, or for any loss or corruption of data, even if a party is advised in advance of such loss.

14.5 Save as provided in clauses 14.2 or 14.6, a party’s maximum aggregate liability for any single event (or a series of related events) giving rise to a claim in connection with the operation or use of the Cimple Platform, the Buyer Account or otherwise in connection with these T&Cs, either for breach of contract, misrepresentation or negligence, shall be limited to an amount equal to the fees paid by the Buyer to Cimple in relation to the use of the Buyer Account during the period of 12 months immediately preceding any incident giving rise to such claim, save that a party’s liability in respect of breaches of its confidentiality obligations under clause 15 below or its obligations under the Data Processing Annex shall be subject to a maximum aggregate amount of £10,000 for any single event or series of related events.

14.6 Notwithstanding anything to the contrary in these T&Cs, nothing in these T&Cs shall operate to exclude or restrict a party’s liability for death or personal injury resulting from negligence, fraud or fraudulent misrepresentation, or any liability that cannot be limited or excluded by law.

15.1 The Cimple IP, the Cimple Platform and any other information relating to Cimple’s business, financial, commercial, legal and other affairs, its business plans, staff, suppliers, partners, or to its other licensees or Suppliers or Buyers is confidential information of Cimple. The Buyer shall for the duration of the Buyer Account and for a period of 5 years thereafter keep confidential all information contained in the Cimple IP and other confidential information of Cimple and shall not use or disclose such information to any third parties other than as permitted by Cimple or as permitted under these T&Cs.

15.2 The Buyer Data, Buyer Offer Information, Buyer Offers and the Buyer Brand are confidential information of the Buyer.  For the duration of the Buyer Account and for a period of 5 years thereafter, Cimple shall not disclose to any third parties such information other than as permitted by the Buyer or as permitted under these T&Cs. 

15.3 The requirements of this clause 15 shall not apply: (a) to any information to the extent that it is generally available to the public; (b) to any information to the extent that the receiving party receives it from a third party free from confidentiality obligations or develops it independently as can be demonstrated by documentary contemporary evidence; or (c) to any disclosure of information required by operation of law, by an order of a court or the requirements of a regulatory authority, provided that in the event that such disclosure is required, the party subject to the confidentiality obligation which is required to make such disclosure shall take reasonable steps to protect the confidentiality of the information and to limit the disclosure as much as possible (including, where it is reasonable and lawful to do so, by giving the other party notice of the disclosure requirement prior to making the disclosure).

15.4 A party which is subject to a duty of confidentiality under this clause 15 shall: (a) procure that its Group and any recipients of such information observe the provisions of this clause 15 as fully as if they were parties to these T&Cs; and (b) apply such standards of confidentiality in relation to the confidential information of the other party at least as strict as those applied in relation to its own confidential information including adequate technical and organisational measures (including a system firewall protection, encryption of any data communicated electronically and password protection and access control in relation to data stored electronically).

16.1 Cimple shall be entitled to suspend the Buyer’s Account or terminate the Buyer’s Account or its access to the Cimple Platform: (a) in the circumstances where such termination is provided for under these T&CS; (b) if the Buyer is otherwise in breach of these T&Cs and fails to remedy such breach within seven days of receipt of written notice of such breach (including where such notice is given by email or through the Cimple Platform); (c) if the Buyer is unable to pay its debts when they become due, or becomes insolvent, or is subject to an order or a resolution for its liquidation, administration, winding-up or dissolution (otherwise than for the purposes of a solvent amalgamation or reconstruction), or has an administrative or other receiver, manager, trustee, liquidator, administrator or similar officer appointed over all or any substantial part of its assets, or enters into or proposes any composition or arrangement with its creditors generally, or is subject to any analogous event or proceeding in any applicable jurisdiction; (d) to protect the operation of Cimple of the Platform; or (e) in any of the following circumstances:

a. where the Buyer uses the Cimple Platform in a disruptive, or inappropriate manner, or for any purpose other than the purposes for which the Cimple Platform is made available for Buyers;

b. where the Buyer is not the type of organisation for which the Cimple platform is designed, as may be determined by Cimple in its sole judgement;

c. where Cimple determines in its sole discretion that the Buyer’s use of the Cimple Platform is inappropriate or inconsistent with honest and acceptable business practices;

d. where the use of the Cimple Platform by the Buyer or its Authorised Users is damages the reputation or hinders the operation of Cimple or the Cimple Platform or any Supplier or other Buyer, or to interfere with Cimple’s business or to interfere with the business of any Supplier or other Buyer; or

e. where the use of the Cimple Platform by the Buyer is contrary to any law or regulation, including where the Buyer is subject to any economic sanctions imposed by any government or where export controls or other laws prohibit the use of the Cimple Platform by the Buyer or where such suspension or termination is otherwise justified by any law or regulation, by any decision of a judicial or regulatory authority or by any legal obligations applicable to Cimple, any Buyer or any Supplier.  

16.2 Cimple shall be entitled to refuse to open, block, take down or terminate a Buyer Account where it considers that a Buyer Offer advertised through such Buyer Account breaches these T&Cs or is unsuitable for the Cimple Platform.

16.3 The Buyer may terminate its subscription for the Buyer Account immediately upon written notice to Cimple , unless the Buyer Account or any premium account subscription is purchased on an annual basis, in which case the Buyer may terminate the annual subscription upon six months’ written notice to Cimple. 

16.4 Upon termination of the Buyer Account subscription or the Buyer’s access to the Cimple Platform: 

a. except as provided in this clause 16, the Agreement shall forthwith terminate and have no further effect, and no party shall have any further rights, obligations or liabilities hereunder; and

b. the Buyer and its Authorised Users shall cease any use of the Buyer Account and the Cimple Platform and the Product Comparison Service and shall immediately, permanently and irreversibly destroy or delete any copies of Cimple IP and any materials displaying the Cimple Brand in its possession or control, (including any back-up media) and all copies of the Account Credentials.

c. the Buyer shall not attempt to open another Buyer Account except with Cimple’s prior approval provided with full notice of the circumstances in which the Buyer’s access to the Cimple Platform and its original Buyer Account were terminated;

d. the Buyer shall make no representation on any channel that its Buyer Offers are available on the Cimple Platform and shall cease any use of the Cimple Brand; 

e. the Buyer shall fulfil its obligations under the terms of any Contracts entered into with Suppliers prior to termination taking effect;

16.5 The termination or expiry of the Buyer’s Buyer Account or the Buyer’s access to the Cimple Platform shall not affect any accrued rights or liabilities of any party and shall not affect any provision of these T&Cs intended to have effect after termination or necessary for its interpretation and in particular it shall not affect any provisions granting a party rights or licences expressed to be granted in perpetuity or the provisions of clauses 4.1, 4.2, 5, 6, 7, 8, 10, 11, 12, 13.2, 14 (excluding 14.1), 15, this clause 16 or the remaining provisions of these T&Cs below.

Cimple shall not be in breach of these T&Cs, nor liable for any failure or delay in performing any obligations under these T&Cs arising from or attributable to matters beyond its reasonable control (“Force Majeure Event”) including an act of God, fire, flood, epidemic, pandemic, earthquake, windstorm or other natural disaster, explosion or accidental damage, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, breaking off of diplomatic relations or similar actions, terrorist attack, civil war, civil commotion or riots, any failure or delay on the part of a third party supplier, industrial action or strike, power cuts, electronic or communication network breakdowns or government action.

The Buyer Account is personal to the Buyer and the Buyer shall not assign or transfer or attempt to transfer or assign its Buyer Account to any other party except, by written notice to Cimple, where the Buyer is a company, to a member of its Group or, if it is a public authority, to an associated department or office holder, or otherwise with the prior written consent of Cimple. Cimple shall be entitled to transfer its benefits under these T&Cs in relation to any Buyer Account subject to its obligations to any Group Company or to any person acquiring Cimple’s business and such transfer shall be effective upon notice being given to the Buyer.

Subject to receiving the Buyer’s prior consent, Cimple may refer to the Buyer in its promotional materials (including its website and other digital marketing materials) and to display the logo to indicate that the Buyer is a user of the Cimple Platform and offers access to Buyer Offers on the Cimple Platform. Where such consent is given by the Buyer, and where the Buyer wishes to refer to Cimple or to the Cimple Platform as part of its promotional activities, the party whose brand is concerned may provide instructions to the other party from time to time regarding the appropriate presentation of its logo in terms of artwork, colouring, the display of legal notices (such as indications of copyright or trade mark rights) and so forth.  Each party shall not acquire any right, title or interest in the other party’s name and logo as a result of such use and the original owner shall remain the sole and exclusive owner of all such rights.

Any notice required to be made under or in connection with these T&Cs (“Notice”) shall be in writing. Cimple may provide any Notice to the Buyer through the Buyer’s contact details, email address and postal address as set out in the Buyer Account or as provided to Cimple by the Buyer from time to time. Notices to Cimple should be sent to hello@cimple.uk. 

21.1 Nothing in these T&Cs shall create, or be deemed to create, a partnership or joint venture and, except as expressly set out in these T&Cs, shall not be construed as giving rise to the relationship of principal and agent between the parties. Neither party shall represent itself as representative of the other or purport to assume obligations in the name of the other.  

21.2 If at any time any provision of these T&Cs is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, the provision shall be deemed deleted in respect of that jurisdiction and such deletion shall not affect the legality, validity or enforceability in that jurisdiction or any other jurisdiction of any other provision of these T&Cs. Where a provision is deleted in accordance with the preceding sentence, the parties shall negotiate in good faith to agree a replacement provision (in respect of the jurisdiction in question) that, to the greatest extent possible, achieves the intended commercial result of the original provision.

21.3 Where these T&Cs include provisions intended expressly or by their nature to apply for the benefit of a Group Company of Cimple, such Group Companies shall be entitled to enforce such terms. Except as aforesaid, a person who is not a party to these T&Cs shall have no rights to enforce the provisions of these T&Cs under the Contracts (Rights of Third Parties) Act 1999.

21.4 No modification, alteration or waiver of any of the provisions of these T&Cs shall be effective unless in writing and signed on behalf of each of the parties.

21.5 No omission or delay on the part of either party in exercising any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power or privilege preclude any other or further exercise thereof or of any other right, power or privilege.  The rights and remedies herein provided are cumulative with and not exclusive of any right or remedies provided by law.

21.6 These T&Cs constitute the entire agreement between the parties and supersede all other agreements, statements, letters and other arrangements between the parties in relation to the subject matter hereof. Each party acknowledges that it has not relied on or been induced to enter these T&Cs by a representation other than those expressly set out in these T&Cs. This clause does not affect a party’s liability in respect of a fraudulent misrepresentation.

21.7 These T&Cs are governed by English law and the parties submit to the exclusive jurisdiction of the courts of England and Wales in relation to any dispute between them arising out of the subject matter of these T&Cs including claims on non-contractual grounds.

21.8 Any dispute arising out of or in connection with these T&Cs, including any question regarding their existence, validity or termination, shall be referred to and finally resolved by arbitration under the arbitration rules adopted from to time by the London Court of International Arbitration (“LCIA”) (“Rules”), which Rules are deemed to be incorporated by reference into this Clause. The number of arbitrators shall be one. The Tribunal shall be appointed by mutual consent within 15 days of a party requesting the other party to agree the sole arbitrator, failing which by the LCIA shall appoint the Tribunal in accordance with the Rules. The seat and legal place of arbitration shall be in England and Wales. The language to be used in the arbitral proceedings shall be English. The Tribunal shall be entitled to award costs against the losing party as may be deemed appropriate considering all relevant circumstances. Nothing in the foregoing shall prevent a party from seeking urgent, conservatory or similar interim relief from any court of competent jurisdiction.

1. DEFINED TERMS 

In this Data Processing Annex, the following words and expressions shall, unless the context otherwise requires, have the meaning given to them below:

“Applicable Law” means the Data Protection Legislation and any other laws in force where the Controller’s Data may be processed under these T&Cs or to which Cimple or Buyer may be subject.

“Controller’s Data” means Personal Data collected by Cimple from Data Subjects on behalf of Buyer or obtained from Buyer relating to Data Subjects who sign up for the Platform through their account with Buyer.

“Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable law or regulation relating to the processing, privacy and/or use of Personal Data, and any laws or regulations which implement, supplement, replace, extend, re-enact, consolidate or amend any of the foregoing .

“Data Subjects” means the Authorised Users and other users of the Platform.

“Permitted Purposes” means the delivery of the Platform to Buyer and Authorised Users as further set out in the Data Processing Details.

“Personal Data” has the meaning given to such term in the Data Protection Legislation.

“Sub-processor” means any person who processes the Controller’s Data on behalf of Cimple.

“UK GDPR” has the meaning given to it in the Data Protection Act 2018.

2. DATA PROCESSING 

2.1 The parties agree that as between them, for the purpose of the Data Protection Legislation, Buyer shall be deemed the controller and Cimple shall be deemed the processor in relation to any Controller’s Data processed by Cimple (or its Sub-processors) under this DP Annex or for the purpose of these T&Cs and it shall be the responsibility of Buyer to ensure compliance with the obligations imposed by the Data Protection Legislation on the controller of the Controller’s Data.   

2.2 Cimple shall process the Controller’s Data in accordance with this DP Annex (including the Data Processing Details) and Applicable Laws and solely for the Permitted Purposes.

2.3 Cimple shall process the Controller’s Data on behalf of Buyer and in accordance with the written instructions of Buyer unless required otherwise by law or upon the requirement of a governmental authority under Applicable Law. For the avoidance of doubt, Buyer hereby authorises Cimple to process the Controller’s Data as set out in the Data Processing Details and as required to fulfil Cimple’s obligations under these T&Cs.

2.4 In the event that Cimple is required by law in upon the requirement of a governmental authority under Applicable Law to carry out any processing of the Controller’s Data not in accordance with the written instructions of Buyer, Cimple shall inform Buyer of that legal requirement before carrying out the processing, unless that law prohibits such information on important grounds of public interest. 

2.5 Cimple shall treat the Controller’s Data processed under this DP Annex as Buyer Confidential Information in accordance with clause 16 of the T&Cs and shall ensure that its employees, consultants, Sub-processors, affiliates and other persons authorised by Cimple to process the Controller’s Data are bound by confidentiality obligations (whether contractual or imposed under Applicable Law) in respect of the processing of such data.

2.6 Buyer acknowledges and agrees that, in respect of any Personal Data received from Buyer, Cimple will rely on Buyer and that it is Buyer’s sole responsibility to ensure that the Controller’s Data is and will remain accurate, up-to-date, relevant and suitable for the purpose of processing and that it is processed for lawful purposes in accordance with Applicable Laws.

3. CO-OPERATION 

3.1 Each party, at the other party’s reasonable request, shall, so far as reasonably possible given the purpose of the processing, provide reasonable assistance to the requesting party in ensuring compliance with the requesting party’s obligations under the Data Protection Legislation, in particular in relation to its obligations concerning: (a) Data Subject requests for information and requests for erasure, rectification or limitation of processing of the Controller’s Data or the exercise of other Data Subject rights in relation to the Controller’s Data; (b) maintaining the security of the Controller’s Data processed under this DP Annex; (c) notifications to regulatory authorities and communications to affected Data Subjects required in relation to events resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Controller’s Data (“Data Breach”); and (d) the preparation of data protection impact assessments and prior consultation with the regulatory authorities, where applicable.

3.2 In the event Cimple becomes aware of a Data Subject request as referred to in paragraph 3.1(a) above or of any Data Breach affecting the Controller’s Data, it shall notify Buyer without undue delay.

3.3 Clause 3.1 of this DP Annex shall not be construed as requiring a party to modify its automated processes, computer systems or databases or to develop new processes, computer systems or databases for the purpose of providing the requisite assistance but a party shall not unreasonably refuse to make minor changes to its systems where it would be proportionate and reasonable to do so. Where a party agrees to make such modifications or developments in response to the other party’s request, the requesting party shall bear the costs of doing so.

3.4 Save as provided in clauses 3.3 and 3.4 of this DP Annex, any assistance provided by a party under clause 3.1 of this DP Annex shall be provided at that party’s cost.

4. SUB-PROCESSORS 

4.1 Cimple shall not engage a Sub-processor in relation to the processing of the Controller’s Data without prior written consent of Buyer.

4.2 Buyer hereby authorises Cimple to appoint the Sub-processors listed in the Data Processing Details to process the Controller’s Data for the purposes indicated in the Data Processing Details. 

4.3 Cimple shall inform Buyer of any intended changes concerning the addition or replacement of Sub-processors. Unless an objection to such change or appointment is notified to Cimple within seven days of the receipt of such notification, Buyer shall be deemed to have consented to and authorised the change or appointment.

4.4 In the event that Cimple engages a Sub-processor with Buyer consent, Cimple shall enter into a written data processing agreement with the Sub-processor containing requirements equivalent to those set forth in clauses 2, 3, 4, 5, 6 and 7 of this DP Annex and clause 16 of the T&Cs.  

4.5 Notwithstanding the appointment of Sub-processors, Cimple will remain fully responsible and liable to Buyer for any breach of its obligations under this DP Annex in relation to the processing of the Controller’s Data.

5. DATA SECURITY 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood and severity of any risk, Cimple shall implement appropriate technical and organisational measures to ensure an appropriate level of security for the Controller’s Data processed under this DP Annex particularly against the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, including (as appropriate): (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

6. INTERNATIONAL TRANSFERS 

Cimple shall not transfer the Controller’s Data to a country outside the United Kingdom or the European Economic Area, unless Buyer has expressly authorised such transfer in writing and then only subject to putting in place adequate safeguards as required under the Data Protection Legislation. Buyer hereby authorises Cimple to transfer the Controller’s Data to Cimple’s affiliates and authorised Sub-processors for processing in the countries outside the United Kingdom and the European Economic Area as specified in the Data Processing Details.

7. INFORMATION AND AUDIT RIGHTS 

Cimple shall make available to Buyer information so far as reasonably necessary to demonstrate its compliance with Cimple’s requirements under this DP Annex and shall allow for and contribute to audits, including inspections, conducted by Buyer or an auditor mandated by Buyer. Where an audit requires Cimple to allocate more than minimal resources, it shall be entitled to charge Buyer for the time spent by its staff and any resources allocated for the audit and the provision of clause 3.4 of this DP Annex shall apply mutatis mutandis. 

8. WARRANTIES 

8.1 Cimple warrants, covenants and represents to Buyer that: (a) it has the required skills and resources to ensure processing of the Controller’s Data in accordance with this DP Annex and in compliance with its obligations under the Data Protection Legislation; and (b) it shall use reasonable skill and care in performing its obligations under this DP Annex.

8.2 Except as expressly provided in this DP Annex or in the T&Cs, Cimple makes no warranties, covenants or representations, express or implied, relating to the processing of Personal Data under this DP Annex and specifically disclaims any that may be implied by this DP Annex, the T&Cs, by custom or by law or otherwise.

8.3 Buyer warrants, covenants and represents to Cimple that: (a) it shall comply with the requirements of this DP Annex (including the Data Processing Details), the Data Protection Legislation and any Applicable Laws in connection with its own processing of the Controller’s Data including in connection with any instructions provided to Cimple and the provision of any Personal Data to Cimple; (b) the processing by Cimple of the Controller’s Data on Buyer instructions in accordance with this DP Annex shall be for lawful purposes which have been properly disclosed to Data Subjects in accordance with the Data Protection Legislation and, insofar as required, the Data Subjects’ consents have been obtained for such processing and records of such consents are and will be retained by Buyer; (c) it shall ensure that the Controller’s Data processed by Cimple are kept accurate and up-to-date and that it shall only be processed through the services of Cimple for as long as it is required for the lawful purposes for which it is so held and Buyer shall provide Cimple with instructions and updates to ensure the foregoing; and (d) insofar as any Controller’s Data is processed by Buyer as a processor on behalf of a third party Buyer (or third party processor), the processing of the data by Cimple in accordance with this DP Annex has been authorised by the relevant third party Buyer. 

9. GENERAL 

9.1 The limitations on liability applicable as between the parties under the T&Cs shall apply to their liability under this DP Annex mutatis mutandis.

9.2 This DP Annex shall commence upon the commencement of the processing of the Controller’s Data by Cimple for the purposes of the T&Cs and shall continue to have effect for so long as such processing continues.  This DP Annex shall not be terminated unless the T&Cs are terminated.  Clauses 1, 2.1, 2.5, and this clause 9 of the DP Annex shall survive termination of the T&Cs.  

9.3 In the event that it becomes a compulsory legal requirement under the Data Protection Legislation in the jurisdiction where Buyer has its place of business to put in place a data processing agreement between the parties on standard or statutory terms (“Standard clauses”), the parties agree to amend this DP Annex to incorporate such Standard clauses and insofar as the terms if this DP Annex are inconsistent with the Standard clauses, the Standard clauses shall prevail and such inconsistent provisions shall be deemed to have been superseded by the Standard clauses. 

1. TECHNICAL SECURITY MEASURES 

1.1 At-Rest Encryption.

a. Data on portable devices that have access to personal data is encrypted with folder or disk level encryption. 

b. Data at rest within a database server is anonymized by data element encryption (e.g. row, column or field). 

c. Data within a database server is encrypted at rest with transparent encryption (i.e. inherent to database software or via folder or disk level encryption by the OS).  

d. Data at rest on portable devices (e.g. USB memory stick or hard drive) used by individuals with access to ePHI and/or PII is encrypted with folder or device level encryption.

e. Controls are implemented to protect the confidentiality of the encryption keys stored within Company’ networks, facilities or systems, including Public Key Encryption.

1.2 Transit Encryption

a. Company uses Virtual Private Network (VPN) connections to connect to external systems or networks processing personal data. 

b. Web applications use Secure Sockets Layer (SSL) protocols to ensure authentication and integrity of personal data transferred over HTTP (HTTPS).

c. File Transfer Protocol (FTP) applications will use either SFTP, FTPS or Secure FTP.

2. ACCESS MANAGEMENT 

2.1 Access Management. Systems housing or processing data governed by legal, regulatory or contractual access control requirements:

a. Have a formal, documented account authorization, revocation, provisioning and deprovisioning process used to control access;

b. Assure that the least necessary privilege is approved and provided;

c. Default account privileges to no access;

d. Require secure log-in; and

e. Require proper authorization for access to systems, functionality and data; and maintain encryption at rest.

2.2 Access controls. Company uses secure passwords, automatic blocking/locking mechanisms, multi-factor authentication where appropriate, and encryption of all data carriers and storage media. 

2.3 Authentication. Access credentials are unique to users and applications and not shared. Default and temporary passwords are reset to unique passwords after first use. Passwords must meet complexity requirements and may expire after a certain period. Credentials validated against logs of approved users, and disabled upon termination or separation. 

2.4 Remote access. Workforce members may not remotely access systems or applications containing personal data from workstations, servers or devices that are not owned and directly managed by the Company. Remote access connections are authenticated using the workforce member’s account and password or other unique identifier. Remote access from a data trading partner is not allowed.

3. PHYSICAL SECURITY 

3.1 Employees. Physical access to areas controlled by Company is restricted only to authorised personnel and subcontractors that need access to the facilities to perform services. 

a. Employees are only provided access to personal data if their job duties require such access;

b. Public access doors to the Company offices remain locked at all times, requiring badge access; 

c. Entry to the Company Facility is verified; and

d. Systems storing or interacting with data including personal data isolated and secured, and individual systems are safeguarded to minimise inadvertent or unintentional viewing of personal data.

3.2 Visitors. In addition to the safeguards above, visitors, including vendors, are required to log into and out of any area with physical access to personal data in electronic or paper format. 

a. Visitors must wear visitor badges at all times; and 

b. Visitors must be escorted at all times

4. SYSTEM SECURITY 

4.1 Logs. Application-level login attempts, remote access attempts, and Security Alerts are recorded to system audit logs. Audit logs are periodically reviewed and documented. Access to view system audit logs is restricted based on job responsibility.

4.2 System configuration. Company maintains and monitors the configuration of systems or applications processing personal data. 

4.3 Configuration changes. Company’ maintains a change and qualification procedure to ensure that system changes are properly assess, tracked, executed, and operate as intended.

5. TESTING & VULNERABILITY MANAGEMENT 

5.1 Testing. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

5.2 Vulnerability management and penetration testing. Vulnerability management and penetration testing is conducted periodically to identify risks to  customer systems or applications that store personal data.

5.3 Vulnerability remediation. All vulnerabilities will be ranked as to level of priority and addressed accordingly. Vulnerability treatment options shall include remediation (apply a patch, adjust system), configuration, removal of the affected component from service, and application of an alternative compensating control(s).

6. ORGANISATIONAL CONTROLS

6.1 Security Officer. Company has designated a Security Officer responsible for the development, implementation and verification of the security policies and procedures and directs, manages and is responsible for the organisation’s security and compliance efforts. 

6.2 Incident management. Company’ Privacy and Security personnel regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports to maintain an ongoing understanding of activity in information systems that create, maintain, process or transmit ePHI and/or PII, and to undertake appropriate remedial action of any discrepancies identified.

6.3 Information Security Policy. Company maintains a comprehensive written Information Security Policy designed to ensure that all of the company’s processes and products that involve personal data are subject to safeguards consistent with all applicable law and regulation regarding the security of such information.

6.4 Enforcement. Company’ Information Security Policies and Manual assign responsibility for all information security requirements to relevant responsible individuals within the organisation.

7. DATA MANAGEMENT, RETENTION & DESTRUCTION 

7.1 Data minimization. All personal data is collected, accessed, and/or processed by the Company according to a strict “minimum necessary” standard.

7.2 Maintaining data integrity. Company maintains policies and procedures designed to ensure the integrity of personal data over its entire life-cycle.

7.3 Maintaining data availability. Company also maintains policies and procedures designed to ensure the availability of personal data over its entire life-cycle. In the case of an unplanned or emergency event, business continuity processes are initiated.

7.4 Data Deletion. Company deletes personal data from clients on a regular schedule. Data is securely deleted using secure deletion methods and device destruction/disabling procedures appropriate to the medium/system where data is stored.

7.5 Backup and Recovery Plan.Company’ Backup and Recovery Plan addresses items including: 

a. business impact analysis and recovery strategy and planning documents to meet business requirements;

b. Recovery plan testing;

c. Performing backups according to the backup strategy and schedule pertaining to needs of the particular environment;

d. Monitoring backups for successful completion and resolving backup failures;

e. Providing IT disaster recovery planning consulting to system owners, business process owners, and ITOs; and

f. Creating policy deliverables as requested by system owners, business process owners, and the ITOs.

7.6 Business Continuity Plan. Company’ Business Continuity Plan (“BCP”) is designed to continue delivery of products or services at acceptable levels following a disruptive incident. The key elements of the BCM program are as follows:

a. Analysing the impact of significant disruptions and development of the Business Impact Analysis (BIA);

b. Preparing and developing BCPs, strategies and solutions around the following, which is based on the output from the BIA: personnel/workforce disruption; facility disruption; supply chain disruption; and information technology disruption;

c. Sustaining the program by reviewing and updating the BIA, the BCP, strategies and solutions;

d. Maintaining team readiness by conducting regular training through exercises/ drills; and 

e. Ensuring continuous improvement of the BCP.

Buyer’s name, registered number and registered address:

Buyer’s commercial address: 

Buyer’s contact person and email/fax:

Buyer’s data protection officer’s name:

Cimple’s name: Cimple Limited

Cimple’s commercial address: First Floor, 5 Fleet Place, London, United Kingdom, EC4M 7RD

Cimple’s contact person and email/fax: Wyndham Plumptre – wyndham@cimple.uk 

Cimple’s data protection officer’s name: Wyndham Plumptre – wyndham@cimple.uk 

Name and date of service agreement in connection with which the Data Processing Agreement is entered: Terms and conditions for Cimple

Subject-matter of the processing activity: The subject matter of processing activity is to enable a user's experience on Cimple and the provision of the services of the Cimple platform. 

Nature and purpose of processing: The nature and purpose of processing Buyer User personal information is:

• To enable Cimple to identify a user account

• To enable Cimple to send marketing information to a user account where they opt in

• To enable Cimple to contact the user to inform them of progress on their competitions/opportunities that have been issued on Cimple

• To enable Cimple to provide key contact details associated with a Buyer User to a Supplier (so that the Supplier can contact the Buyer)

• To enable Cimple to send updates to the user in relation to any activity undertaken on Cimple e.g. notification of clarification questions being asked by the Supplier

• To enable Cimple to identify the user if they wish to have their account deleted

• To communicate the content of tender offers posted by buyers through the Cimple platform to potential suppliers and the content of bids placed by suppliers to buyers and to government procurement systems, such content potentially including personal data of contact persons nominated by buyers and suppliers. 

Duration of the processing of Personal Data: User personal data will be processed for the duration they are a user on Cimple and for 12months after they have deleted their profile on Cimple. The user can request for this to be shortened by contacting the Data Protection Officer referenced above. 

Personal data included in tender offers and in bids is processed for the duration of the tender process. 

Categories of Personal Data to be processed: The personal data that is held by Cimple is limited to: 

• A user name as entered by the user 

• A users email address as entered by the user 

• A users mobile number, if provided by the user, as entered by the user 

• Name, contact details, job title, address and other details that may be included by buyers and suppliers in materials uploaded to the Cimple platform 

Categories of data subjects whose Personal data is to be processed: Registered users of the Cimple platform. 

Contact individuals nominated by Buyers and Suppliers in documents posted on the Cimple platform. 

Data sources: The data sources are through the onboarding process where a user is requested to set up an account. The user then has the ability to update their personal data on their user profile. Personal data included in tender offers and in bids is obtained from buyers and suppliers using the Cimple platform.

Personal data to be provided to a Buyer in anonymised/pseudonymised form: No personal data is to be provided to a Buyer in anonymised or pseudonymised form due to the nature of the information held. 

Personal data to be provided in raw form to a Buyer and anonymised/pseudonymised by Cimple: No personal data is to be provided to a Buyer in anonymised or pseudonymised form due to the nature of the information held. 

Other special IT security requirements: A description of the security measures employed by Cimple to protect personal data are set out in the schedule to the Data Processing Annex.

Third parties to which Personal Data is to be made available: 

Significa Lda. - Technical Support

Studio Graphene LTD -Technical Support

Amazon Web Services (AWS) - Hosting Services.

As part of its legal requirement to perform the service it offers in the UK. Cimple has to push ‘notices’ to the UK Government Platforms called Contracts Finder and Find A Tender service. As part of that service Cimple will provide Contracts Finder and Find A Tender Service information about an organisations user as required by the platforms.

As part of its ongoing assurance of its operations Cimple may provide access to Third Party assurers, auditors and insurers e.g. to re-certify for ISO standards. This is unlikely, but could require the sharing of access to personal data.

Countries to which personal data may be transferred for processing (including a description of the processing activities to be undertaken in each country): Ireland (AWS cloud support) 

Portugal (access to data by employees of Significa Ltda in performing technology support services for Cimple)

Permitted Sub-processors (including a description of the purpose of the access to personal data given to each sub-processor): 

Significa Lda are permitted to be a sub-processor where they need to provide support in determining issues with specific user accounts. 

Studio Graphene is permitted to be a sub-processor where they need to provide support in determining issues with specific user accounts.

AWS – cloud services provider.