Supplier Terms & Conditions
Cimple Platform Supplier Terms & Conditions
Effective Date: 1st September, 2021
Last Updated: September, 2023
These Terms and Conditions (“T&Cs”) apply to merchant accounts created on the Cimple Platform (“Supplier Account”). These T&Cs form an agreement between Cimple Limited, an English company with registered number 11591373 (“Cimple”) and the organisation that creates a Supplier Account (“Supplier”).
INTRODUCTION
Cimple operates an online platform (“Cimple Platform”) which provides public authorities, businesses and organisations that sign up to the Cimple Platform (“Buyers”) with free of charge access to information on goods and services advertised and offered by Suppliers (“Supplier Products or Services”) for procurement purposes, and for Buyers to advertise and offer opportunities to Suppliers to provide Supplier Products or Services (“Buyer Offer”) on the Cimple Platform. The Supplier wishes to create a Supplier Account on, and to access, the Cimple Platform to enable it to advertise and offer for sale Supplier Products or Services to Buyers and to view and respond to Buyer Offers on the Cimple Platform and Cimple wishes to grant the Supplier such access to the Cimple Platform, subject to the terms set out herein.
1. Definitions
1.1 In these T&Cs the following words have the following meanings:
Authorised User means personnel of the Supplier’s Group who are authorised by the Supplier to access the Cimple Platform;
Buyer Offer Information means the details, description and other information relating to Buyer Offers advertised by Buyers and displayed on the Cimple Platform;
Cimple Brand means Cimple’s names and trade marks, any logos related to those names or stylised representations of those names and any other trading names, product names, logos and slogans adopted or used from time to time by Cimple in connection with the Cimple Platform or otherwise in its business;
Contract means a contract between a Buyer and a Supplier for the procurement of Supplier Products or Services (including by way of response to a Buyer Offer), awarded or concluded via the Cimple Platform;
Group means, in relation to any body corporate, a subsidiary or holding company or subsidiary of a holding company or subsidiary of a subsidiary and Group Company shall be interpreted accordingly. The terms subsidiary and holding company shall be as defined in the Companies Act 2006;
Inappropriate Content means unlawful, defamatory, offensive, misleading, obscene, discriminatory or racist products, services or content, products, services or content which are otherwise contrary to generally acceptable ethical or moral standards in the United Kingdom or contrary to any applicable industry code or otherwise objectionable and any products, services or content that infringe third party rights (including any third party IPRs) or which are advertised or sold in breach of any duty (including confidentiality duties) to third parties, or which are otherwise likely to give rise to third party liability;
IPRs means any and all intellectual and industrial property rights including patents, trade marks, designs, design rights, copyrights and neighbouring rights, database rights, rights in know-how, trade secrets and confidential information, trading names, internet domain names, email addresses, names of account and user names on digital services or social media services, and other signs and indications of origin, in each case whether registered or not and including pending applications and the right to apply for any of the foregoing and other industrial and intellectual property rights of the same or similar effect anywhere in the world;
Malicious Code means viruses, Trojan, software lock, drop-dead device, malicious logic or trap door, worms, time bombs, corrupted files or other computer programming routines that are intended to delete, disable, deactivate, damage, detrimentally interfere with, surreptitiously intercept, monitor or expropriate any systems, data, personal information or property of another;
Platform-Generated Data means any data arising from or relating to the use of the Cimple Platform by Buyers, the Supplier and its Authorised Users or any other merchants or their authorised users which may be recorded or collated by Cimple including, without limitation, data obtained through Supplier Accounts, surveys, questionnaires, profile sheets, and other communications with Cimple, data relating to the frequency and mode of use of the Cimple Platform, the manner in which the Supplier and its Authorised Users, Buyers and other merchants and their authorised users set preferences and personalise the Cimple Platform, the time spent on different elements of the Cimple Platform and other statistical information;
Supplier Brand means the Supplier’s names and trade marks, any logos related to those names or stylised representations of those names and any other trading names, product names, logos and slogans adopted or used from time to time by the Supplier in connection with the Supplier Products or Services or otherwise in its business; and
Supplier Data means any personal or financial data, business information, contracting information and other data which the Supplier or its Authorised Users may provide either when setting up or during the use of the Supplier Account, or when using the Cimple Platform or via any communications with Cimple.
2. Duration
Subject to the Supplier’s compliance with these T&Cs, including full payment of the Cimple Fees (as defined in clause 10.2), the Supplier and its Authorised Users may access and use the Cimple Platform to advertise and offer for sale Supplier Products or Services, to search the Cimple Platform and apply through the Cimple Platform to fulfil Buyer Offers and to conclude Contracts with Buyers, in each case so long as the Supplier Account is not terminated or suspended in accordance with these T&Cs.
3. Access to the Cimple Platform
3.1 Access to the Cimple Platform may be limited to a defined number of Authorised Users and/or to named Authorised Users. The Supplier (where relevant) may be required to inform Cimple of the number and/or the identity of Authorised Users via the Supplier Account.
3.2 User names and passwords and other log-in credentials for the Cimple Platform (“Account Credentials”) are unique to each Buyer and Supplier using the Cimple Platform and must not be made available to any person other than Authorised Users and must not be shared outside the Supplier’s organisation (including where relevant, consultants appointed as Authorised Users). Account Credentials shall be kept secure and confidential by the Supplier and its Authorised Users. The Supplier shall use reasonable endeavours to prevent unauthorised access to the Cimple Platform through its Authorised Users or using its Account Credentials or those of its Authorised Users. If Account Credentials are lost or in the event of any suspected unauthorised access by any person to any Account Credentials, the Supplier must immediately inform Cimple to allow it to revoke those Account Credentials and issue replacement ones.
4. Use of the Cimple Platform
4.1 The facilities of the Cimple Platform are made available to the Supplier in order to enable and assist it with advertising and offering the Supplier Products or Services, to search and respond to Buyer Offers through the offer and sale of Supplier Products or Services and for concluding Contracts. The use of the Cimple Platform for purposes which are inconsistent with the foregoing is not permitted.
4.2 The Supplier shall ensure that: (a) the Supplier Products or Services offered on the Cimple Platform; and (b) the Authorised Users’ access and use of the Cimple Platform, comply with these T&Cs in all respects. The Supplier shall be responsible for any abuse or misuse of the Cimple Platform by its Authorised Users or its other personnel.
4.3 Cimple makes available the Cimple Platform to Buyers and Suppliers as a tool for publishing and communicating Buyer Offers and Supplier Products or Services and as a digital platform for managing tenders and other competitive bidding processes. Except as aforesaid, Cimple is not involved in management or administration of such tenders or competitive bidding processes including in the Buyer Offers or Suppliers’ bids. Accordingly, it is the Supplier’s sole responsibility to respond to all enquiries and to resolve any complaints and disputes relating to the Supplier Products or Services, to respond to any Buyer Offers or other Buyer communications and to manage, administer and perform any Contracts concluded with Buyers on the Cimple Platform.
4.4 Any breach of these T&Cs by the Supplier, its Authorised Users or any of its other personnel may result in either suspension or termination of the Supplier’s Account and its access to the Cimple Platform as determined by Cimple in its sole discretion.
4.5 Any of the following is strictly prohibited and may result in the immediate termination of the Supplier’s access to the Cimple Platform without liability and may be reported to regulatory authorities:
4.5.A the unlawful use of the Cimple Platform or its use: (i) for unlawful purposes; or (ii) in a manner intended to overload or disrupt it;
4.5.B using the Cimple Platform, or obtaining any content from the Cimple Platform, through automatic means (that is, access or use controlled by “bots” or other computer software without an individual Supplier or Authorised User controlling each step of the use of the Cimple Platform through a standard browser), except where such processes are arranged by mutual consent with Cimple; and
4.5.C the insertion, distribution or infection of the Cimple Platform with any Malicious Code.
4.6 The Supplier may act on its own behalf in using the Supplier Account and offering its own Supplier Products or Services to Buyers and it may act on behalf of third party Suppliers in offering such third party Supplier Products or Services in response to Buyer Offers.
5. Supplier Products or Services
5.1 The Supplier assumes full liability for all its activities on the Cimple Platform including any information, advertising or representations made or provided through the Platform in relation to the Supplier Products or Services (including in response to Buyer Offers), the supply, safety, quality, quantity and performance of Supplier Products or Services and its performance and compliance with any Contracts awarded or concluded via the Cimple Platform.
5.2 The Supplier warrants, represents, undertakes and confirms to Cimple on the following terms:
5.2.A all information supplied to Cimple on creation and ongoing management of a Supplier Account and via any user interface on the Cimple Platform or through any communications with Cimple, is and shall be true, complete, accurate and not misleading;
5.2.B the Supplier Products or Services offered by the Supplier on the Cimple Platform shall comply with all applicable laws, regulations, rules and guidance from any governmental or regulatory authority and, where applicable, shall have the applicable governmental or regulatory licences, approvals and authorisations, including, as applicable, in respect of the design, manufacturing, advertising, sale and use of such Supplier Product consistent with the advertising of such Supplier Products or Services or the Cimple Platform;
5.2.C the Supplier is and shall remain fully qualified, licensed and capable to offer and supply the Supplier Products or Services to Buyers and has never been disqualified, sanctioned and/or barred from offering or supplying the Supplier Products or Services;
5.2.D the Supplier Products or Services shall not constitute or comprise Inappropriate Content;
5.2.E the Supplier Products or Services and the offering of such Supplier Products or Services by way of the Cimple Platform shall not infringe the IPRs or any other rights of any third party or any obligation of the Supplier under any agreement, contract, document or licence with a third party;
5.2.F all information provided by the Supplier in respect of the Supplier Products or Services (“Product Information”) shall be true, complete, accurate and not misleading;
5.2.G the Supplier Products or Services offered and supplied by the Supplier via the Cimple Platform shall conform in all respects to the Product Information.
5.3 The Supplier further warrants, represents, acknowledges and agrees that, in relation to any Supplier Products or Services advertised or offered on the Cimple Platform:
5.3.A any Contract with a Buyer shall be entered into with the Supplier, not with Cimple, and the Supplier shall be responsible for and liable to the Buyer for fulfilling its obligations under the terms of that Contract;
5.3.B the Supplier shall comply with the terms of any Contract concluded via the Cimple Platform; and
5.3.C Cimple does not act as a reseller or distributor of Supplier Products or Services or any other products nor any agent or representative of Supplier (except in respect of the collection and handling of payments) and neither sells or supplies such products nor offers such products for sale or supply to Buyers.
5.4 Cimple shall be entitled to refuse, block, remove, withdraw or discontinue the advertising or offering of any Supplier Products or Services on the Cimple Platform where Cimple determines in its sole discretion that such Supplier Products or Services breach any of these T&Cs or where Cimple, in its sole and unfettered discretion, considers such Supplier Products or Services to be unsuitable for the Cimple Platform.
6. Buyer Offer
6.1 Cimple is not a broker or offeror of Buyer Offers and is not responsible for providing any options displayed on the Cimple Platform or for setting or controlling any Buyer Offer terms displayed on the Cimple Platform.
6.2 Cimple does not undertake any vetting, review or quality management of Buyers or Buyer Offers prior to publication on the Cimple Platform and any display of Buyer Offers on the Cimple Platform does not constitute a recommendation or endorsement by Cimple, its directors, employees, agents or subcontractors of either such Buyer or such Buyer Offers.
6.3 Any pictures and images set out in Buyer Offers shown on the Cimple Platform are for illustrative purposes. The Buyer alone is responsible for any description relating to the Buyer Offers and for any images or other information provided or posted by the Buyer on the Cimple Platform.
6.4 In operating the Cimple Platform, Cimple is not engaged in offering, selecting or approving of anything advertised, represented, referred to or offered by Buyers on the Cimple Platform and it will not be liable if Buyer Offers procured through the Cimple Platform are not suitable for Suppliers.
6.5 Suppliers may not be qualified to respond to Buyer Offers and provide any Supplier Products or Services in relation thereto. If Suppliers do not feel they are suitably experienced or qualified in relation to any particular Buyer Offer they should not respond to such Buyer Offer.
7. Buyer Offer Information
7.1 Buyer Offer Information is detailed and provided to Cimple by Buyers. Cimple has no control over the contents of the Buyer Offer Information and merely reproduces such information (as provided by Buyers) on the Cimple Platform. Under Cimple’s terms and conditions with Buyers, Buyers confirm to Cimple that such Buyer Offer Information is true, complete, accurate and not misleading, however, Cimple is not able to independently verify such information. Cimple will not knowingly include anything misleading or anything it believes to be untrue in the Buyer Offer Information. However, Cimple does not make any representations nor gives any guarantees that the Buyer Offer Information will always be error-free, accurate or reliable. The Supplier acknowledges and understands that all Buyer Offer Information or any other information, data and details displayed on the Cimple Platform is not an offer or inducement to contract with Cimple, is subject to change and should the Supplier wish to rely on such information, it should independently verify it. Accordingly, the Supplier hereby waives, to the fullest extent permitted by law, any and all claims, actions or similar against Cimple, its Group Companies, employees, directors, officers and agents that may arise in connection with Buyer Offer Information posted or communicated through the Cimple Platform.
7.2 The Supplier is responsible for ensuring that it can fulfil any Buyer Offer to which the Supplier responded on the Cimple Platform and that such responses to Buyer Offers are made by Authorised Users and those within the Supplier’s organisation with sufficient skill and experience to do so.
7.3 Where the Cimple Platform contains links to other sites and resources provided by third parties including Buyers, these links are provided for the Supplier’s information only. Cimple has no control over the contents of those sites or resources and accepts no responsibility for them or for any loss or damage that may arise from the Supplier’s use of them.
8. Buyer Support
The Supplier shall supply an email address, telephone number and postal address to Buyers for the purpose of support, complaints and enquiries. In responding to and handling support, requests, enquiries and complaints, and in all communications with Buyers, the Supplier shall, and shall procure that its staff shall respond promptly and act in a professional and business-like manner.
9. Complaints and Support
9.1 In the event that the Supplier or its Authorised Users have queries or complaints relating to Buyer Offers procured via the Cimple Platform, the Supplier or Authorised User should contact the Buyer. The Supplier understands and agrees that Cimple is not responsible for the provision of any support or information on behalf of Buyers or in respect of Buyer Offers and accordingly, the Supplier hereby waives, to the fullest extent permitted by law, any and all claims against Cimple in respect thereof.
9.2 The Supplier may contact Cimple (on the details set out in clause 21 below) where it has any complaints in respect of the Cimple Platform. Cimple shall use reasonable endeavours to understand and investigate the Supplier complaints and comments and to address such matters.
9.3 If a Supplier has any complaints regarding copyright or other intellectual property infringement, please contact Cimple at support@cimple.uk and Cimple shall consider such complaint and if necessary take appropriate action.
10. Charges and Payments
10.1 The pricing for Supplier Products or Services offered on the Cimple Platform (“Sale Price”) shall be determined solely by agreement between the Supplier and the Buyer in accordance with the Buyer’s Offer and the Supplier’s bid.
10.2 In consideration for making the Cimple Platform available to the Supplier, the Supplier shall pay to Cimple fees and other charges which are communicated by Cimple separately and agreed as part of the Supplier’s subscription for the Cimple Platform (the “Cimple Fees”). Subject to specific fee arrangements agreed with Buyers and Suppliers in specific cases, the basic Cimple Fee charged to Suppliers comprises a fee in an amount equal to 1% of the Sale Price of any products or services offered through the Cimple Platform. The basic fee is waived where the Supplier uses the Cimple Platform in connection with a Dynamic Purchasing System or Framework set up by a Buyer or where it uses the Cimple Platform to participate in a mini-competition arranged by a Buyer. Cimple may charge Buyers fees relating to the setting up of Dynamic Purchasing System or Frameworks on the Cimple Platform. Except where expressly stated otherwise, the rates displayed on the Cimple Platform in respect of the Cimple Fees are exclusive of VAT (as defined below).
10.3 The Supplier hereby agrees to pay Cimple the Cimple Fees.
11. Sales and other taxes on Supplier Products or Services
11.1 The Supplier shall indemnify Cimple, its officers, directors, employees, agents and Group Companies (“Indemnified Parties”) and keep the Indemnified Parties indemnified on demand against any claim, or any and all costs, losses, damages, liabilities, penalties and expenses (including reasonable legal and other adviser fees) that any of them may suffer or incur as a result of: (a) any failure by the Supplier, its directors, managers, officers, employees, contractors, consultants, Group Companies or agents to comply with any of the Supplier’s obligations in relation to any tax; or (b) any action or omission by an Indemnified Party as a consequence of such Indemnified Party relying on the Supplier’s instructions on any matter relating to any tax. Without limiting the scope of this clause 11.1, any loss or damage shall include professional fees incurred in dealing with communications or enquiries from any tax authority. All sums due to the Indemnified Parties under this indemnity shall be payable in addition to fees and charges provided for elsewhere in these T&Cs.
11.2 All amounts payable under these T&Cs shall be paid in full without any withholding or deduction on account of any taxes, duties, levies or charges, unless a Buyer or Cimple is required by law to make such deduction or withholding. If any such withholding or deduction is required, a Buyer or Cimple shall make the withholding or deduction as required by law and shall provide certificates or documentation relating to the payment to the Supplier.
12. Intellectual Property Rights
12.1 Save as in accordance with clause 20, no licence for the use of the Cimple Brand shall be implied from these T&Cs.
12.2 As between the parties, Cimple is and shall remain the sole owner of all IPRs in all elements of the Cimple Platform (and the sole licensee of any elements of the Cimple Platform licensed from a third party), including the Platform-Generated Data and the Cimple Brand and any goodwill relating thereto (together, the “Cimple IP”). All rights and goodwill arising from the use of the Cimple Brand in connection with the Cimple Platform shall inure solely to the benefit of Cimple.
12.3 The Supplier shall be responsible for the offer and supply of Supplier Products or Services on the Cimple Platform including, without limitation, that such Supplier Products or Services do not infringe third party IPRs and shall indemnify Cimple, its officers, employees, agents and representatives and shall keep them indemnified, up to a total maximum amount of £1,000,000 for any single event or series of related events, on demand against any liability in respect of any Supplier Products or Services infringing any third party IPRs and against any claims, proceedings, investigations or complaints relating thereto and against any costs, damages, losses, expenses (including legal and other professional costs) incurred in connection therewith.
12.4 The Supplier shall not and shall procure that its Group Companies do not:
12.4.A register or file any applications to register IPRs or otherwise claim to own any IPRs in or relating to the Cimple IP anywhere in the world;
12.4.B use any name, sign or logo incorporating, containing or consisting of the Cimple Brand, or any name or sign confusingly similar thereto, anywhere in the world, in relation to any product or service, save for the use of the Cimple Brand in accordance with this clause 12; or
12.4.C do or cause to be done anything which may in any way damage, depreciate, tarnish, jeopardise, or otherwise prejudice the goodwill or reputation of the Cimple IP or the Cimple Brand or the goodwill or reputation associated therewith.
12.5 In the event of a claim in relation to a third party’s copyright infringement, the Supplier agrees that Cimple shall have the right to remove, at its sole discretion, the Supplier Account from the Cimple Platform without prior consent from the Supplier.
12.6 Cimple shall be entitled to use, process, reproduce, communicate to the public, package, sell, rent or hire to any person, for any purpose whatsoever including, but not limited to, for the purpose of analysis or benchmarking, any Platform-Generated Data and to generate, reproduce, communicate and distribute any aggregated and anonymised data, analysis, research, statistics and other derivative content based on such data, provided that any such data will not be disclosed to third parties in a form that discloses its connection to the Supplier or any of its personnel.
12.7 Supplier Data shall be treated by Cimple as Supplier Confidential Information in accordance with clause 16 below. Cimple shall be entitled to use the Supplier Data for the purpose of administering the Cimple Platform and for its internal business purposes including managing the Supplier Account and its relationship with the Supplier and for maintaining business records and general internal use including for the purpose of enforcing these T&Cs. To the extent that any IPRs exist in any Supplier Data, the Supplier hereby grants Cimple a royalty-free, worldwide licence to use the Supplier Data in this manner.
12.8 To the extent any IPRs exist in the Platform-Generated Data, all such IPRs shall belong solely to Cimple which shall have the exclusive right to exploit such data and the Supplier hereby waives any right, title or interest in or to such data.
13. Availability of the Cimple Platform
13.1 Cimple shall use all reasonable endeavours to ensure the availability and operation of all key functionalities of the Cimple Platform from 7am to 7pm on working days (which shall mean week days in which banks are generally open for business in London excluding any English public holidays) (“Normal Working Hours”), such availability, subject to clauses 13.3 and 18 below, not to fall below 95% of Normal Working Hours in each calendar month.
13.2 Without derogation from clause 13.1 above, Cimple makes efforts to avoid and to fix any technical issues that may limit Suppliers’ ability to use the functionalities offered through the Cimple Platform. However, such technical failures may occur and Cimple does not represent or warrant that Suppliers’ access to or use of the Cimple Platform will be uninterrupted or error free or that all functionalities will always be fully operational.
13.3 Clause 13.1 notwithstanding, the Cimple Platform and/or the Supplier’s or Authorised Users’ access to the Cimple Platform may be suspended, disrupted or blocked in the circumstances set out below:
13.3.A upon reasonable notice and insofar as practicable, outside of Normal Working Hours, for scheduled downtime to permit Cimple to conduct maintenance to the Cimple Platform;
13.3.B for the duration of any unanticipated or unscheduled downtime, as a result of technical failures including system breakdown, communication or network problems, server overloading or other technical issues or any Force Majeure Event (as defined in clause 18);
13.3.C in order to protect the Cimple Platform from unauthorised access or attack, or in order to prevent fraud or any unauthorised or unlawful access or use of the service, to prevent any unlawful use of the Cimple Platform, or if it determines that the Cimple Platform is being used (by the Supplier, an Authorised User or any other person) in breach of applicable law or these T&Cs; or if such suspension is required in response to an order or direction of any court of law, governmental or regulatory body or other official enforcement or investigation authority; or
13.3.D in other circumstances where it might be reasonable or necessary to suspend, disrupt or block the Cimple Platform.
14. Warranties
14.1 Each of the parties warrants and represents to the other in the following terms:
14.1.A each of them has the right, power and authority and has taken all action necessary to execute, deliver and exercise its rights, and perform its obligations, under these T&Cs;
14.1.B neither the execution nor the performance of these T&Cs by either party is prohibited or restricted by any provision of law and will not be in breach of any obligation by any party to any third party.
15. Cimple’s Liability
15.1 Cimple warrants to the Supplier as follows:
15.1.A it has the right to provide the Cimple Platform; and
15.1.B it shall use commercially available technologies to ensure that the Cimple Platform is free from Malicious Code.
15.2 Other than the warranties, representations and covenants expressly set out in these T&Cs, Cimple gives no warranty nor makes any representation in relation to the Supplier Account, the Cimple Platform or the Cimple IP and the parties expressly disclaim to the fullest extent permitted by law any representation or warranty relating to the Supplier Account, the Cimple Platform, the Product Comparison Service, the Offer Search Service or the Cimple IP that may be implied by these T&Cs, by custom or by law or otherwise and which is not expressly set out in these T&Cs or in the Supplier Account, including any implied warranties of quality, merchantability, title or entitlement, fitness for a particular purpose, non-infringement of third party IPRs, the ability to achieve a particular result or functionality, including any warranty or representation that the Supplier Account, the Cimple Platform, the Product Comparison Service, the Offer Search Service or the Cimple IP will be uninterrupted or error free, and all such implied terms or warranties are excluded from these T&Cs.
15.3 The Supplier hereby indemnifies the Indemnified Parties, and shall keep the Indemnified Parties indemnified on demand, up to a total maximum amount of £1,000,000 for any single event or series of related events, against any loss, cost, damage, liability or expense (including legal costs) arising to the Indemnified Parties out of: (i) the breach of any of its warranties, representations, acknowledgements or agreements detailed in these T&Cs including without limitation the provisions of clauses 6, 7, 8 and 9 hereof; (ii) any negligent act or omission or wilful misconduct by the Supplier or its Authorised Users in connection with the use of the Cimple Platform, the offering or promotion of any Supplier Products or Services on the Cimple Platform or the conclusion or performance of any Contract or the fulfilment of any of the Supplier’s obligations in respect of any Contract; or (iii) any claim, action, proceedings or allegation relating to the Supplier Products or Services or to any Contracts that are concluded on the Cimple Platform (including any claim alleging misrepresentation, breach of contract, fraud or the infringement or misuse of any third party IPRs).
15.4 Except as provided in clause 15.7, Cimple shall not be liable to the Supplier, its Authorised Users, employees, directors, officers, agents and Group Companies under these T&Cs or the Supplier Account, either for breach of contract, misrepresentation or negligence or under any warranty, and the Supplier waives any claim against Cimple or its Group Companies, employees, officers or subcontractors relating to or arising out of:
15.4.A any disruption to the Cimple Platform howsoever arising, except where such disruption constitutes a breach of clause 13.1;
15.4.B the loss or corruption of any data including, without limitation, Supplier Data;
15.4.C errors or inaccuracies in the Supplier Account, Supplier Data, Product Information, Buyer Offer, Buyer Information or any information displayed as part of the Product Comparison Service, the Offer Search Services or the Search Results;
15.4.D security breaches affecting the Supplier Account, the Cimple Platform, Product Information, Buyer Offer Information, third party interception of electronic communications, or any unauthorised access to or misuse of computer systems, unless such incident is caused as a result of Cimple’s failure to put in place reasonable security measures to protect the Cimple Platform; or
15.4.E damage caused by Malicious Code that may affect the Supplier Account, the Cimple Platform or any software or hardware used to access or use the Supplier Account or the Cimple Platform.
15.5 Save as provided in clause 15.7, a party shall not be liable to the other in connection with the Supplier Account and these T&Cs either for breach of contract, misrepresentation or negligence or under any warranty, for any indirect or consequential losses, or for punitive or exemplary damages, or for any loss of profits, interest, future business revenue, anticipated savings or business goodwill, or for any loss or corruption of data (in each case whether such loss is direct or indirect or consequential), even if a party is advised in advance of such loss.
15.6 Save as provided in clause 15.7, Cimple’s maximum aggregate liability for any single event (or a series of related events) giving rise to a claim in connection with the Supplier Account and these T&Cs either for breach of contract, misrepresentation or negligence, shall be limited to an amount equal to the Cimple Fee paid by the Supplier to Cimple during the period of 12 months immediately preceding any incident giving rise to a claim in respect of the Supplier Account and these T&Cs, save that Cimple’s liability in respect of breaches of its confidentiality obligations under clause 16 below or its obligations under the Data Processing Annex shall be subject to a maximum aggregate amount of £1,000,000 for any single event or series of related events.
15.7 Notwithstanding anything to the contrary in these T&Cs, nothing in these T&Cs shall operate to exclude or restrict a party’s liability for death or personal injury resulting from negligence, fraud or fraudulent misrepresentation, or any liability that cannot be limited or excluded by law.
16. Confidential Information
16.1 The Cimple IP, the Cimple Platform and any other information relating to Cimple’s business, financial, commercial, legal and other affairs, its business plans, staff, suppliers, partners, or to its other licensees or Suppliers or Buyers is confidential information of Cimple. The Supplier shall for the duration of the Supplier Account and for a period of 5 years thereafter keep confidential all information contained in the Cimple IP and other confidential information of Cimple and shall not use or disclose such information to any third parties other than as permitted by Cimple or as permitted under these T&Cs.
16.2 The Supplier Data, Product Information, Supplier Products or Services and the Supplier Brand are confidential information of the Supplier. For the duration of the Supplier Account and for a period of 5 years thereafter, Cimple shall not disclose to any third parties such information other than as permitted by the Supplier or as permitted under these T&Cs.
16.3 The requirements of this clause 16 shall not apply: (a) to any information to the extent that it is generally available to the public; (b) to any information to the extent that the receiving party receives it from a third party free from confidentiality obligations or develops it independently as can be demonstrated by documentary contemporary evidence; or (c) to any disclosure of information required by operation of law, by an order of a court or the requirements of a regulatory authority, provided that in the event that such disclosure is required, the party subject to the confidentiality obligation which is required to make such disclosure shall take reasonable steps to protect the confidentiality of the information and to limit the disclosure as much as possible (including, where it is reasonable and lawful to do so, by giving the other party notice of the disclosure requirement prior to making the disclosure).
16.4 A party which is subject to a duty of confidentiality under this clause 16 shall: (a) procure that its Group and any recipients of such information observe the provisions of this clause 16 as fully as if they were parties to these T&Cs; and (b) apply such standards of confidentiality in relation to the confidential information of the other party at least as strict as those applied in relation to its own confidential information including adequate technical and organisational measures (including a system firewall protection, encryption of any data communicated electronically and password protection and access control in relation to data stored electronically).
17. Suspension or termination of Supplier Account
17.1 Cimple shall be entitled to suspend the Supplier’s Account or terminate the Supplier’s Account or its access to the Cimple Platform: (a) in the circumstances where such termination is provided for under these T&Cs; (b) if the Supplier is otherwise in breach of these T&Cs and fails to remedy such breach within seven days of receipt of written notice of such breach (including where such notice is given by email or through the Cimple Platform); (c) if the Supplier is unable to pay its debts when they become due, or becomes insolvent, or is subject to an order or a resolution for its liquidation, administration, winding-up or dissolution (otherwise than for the purposes of a solvent amalgamation or reconstruction), or has an administrative or other receiver, manager, trustee, liquidator, administrator or similar officer appointed over all or any substantial part of its assets, or enters into or proposes any composition or arrangement with its creditors generally, or is subject to any analogous event or proceeding in any applicable jurisdiction; (d) to protect the operation of Cimple of the Platform; or (e) in any of the following circumstances:
17.1.A where the Supplier uses the Cimple Platform in a disruptive, or inappropriate manner, or for any purpose other than the purposes for which the Cimple Platform is made available for Suppliers;
17.1.B where the Supplier is not the type of organisation for which the Cimple platform is designed, as may be determined by Cimple in its sole judgement;
17.1.C where Cimple determines in its sole discretion that the Supplier’s use of the Cimple Platform is inappropriate or inconsistent with honest and acceptable business practices;
17.1.D where the use of the Cimple Platform by the Supplier or its Authorised Users damages the reputation or hinders the operation of Cimple or the Cimple Platform or any Buyer or other Supplier, or to interfere with Cimple’s business or to interfere with the business of any Buyer or other Supplier; or
17.1.E where the use of the Cimple Platform by the Supplier is contrary to any law or regulation, including where the Supplier is subject to any economic sanctions imposed by any government or where export controls or other laws prohibit the use of the Cimple Platform by the Supplier or where such suspension or termination is otherwise justified by any law or regulation, by any decision of a judicial or regulatory authority or by any legal obligations applicable to Cimple, any Buyer or other Supplier.
17.2 Cimple shall be entitled to refuse to open, block, take down or terminate a Supplier Account where it considers that the Supplier Products or Services advertised and offered for sale through such Supplier Account breach these T&Cs or are unsuitable for the Cimple Platform.
17.3 Upon termination of the Supplier Account or the Supplier’s access to the Cimple Platform:
17.3.A except as provided in this clause 17, these T&Cs shall forthwith terminate and have no further effect, and no party shall have any further rights, obligations or liabilities hereunder; and
17.3.B the Supplier and its Authorised Users shall cease any use of the Supplier Account and the Cimple Platform and the Offer Search Service and shall immediately, permanently and irreversibly destroy or delete any copies of Cimple IP and any materials displaying the Cimple Brand in its possession or control (including any back-up media) and all copies of the Account Credentials;
17.3.C the Supplier shall cease any use of its Supplier Account and shall not attempt to open another Supplier Account except with Cimple’s prior approval provided with full notice of the circumstances in which the Supplier’s access to the Cimple Platform and its original Supplier Account were terminated;
17.3.D the Supplier shall make no representation on any channel that its Supplier Product is available on the Cimple Platform and shall cease any use of the Cimple Brand; and
17.3.E the Supplier shall fulfil its obligations under the terms of any Contracts entered into with Buyers prior to termination taking effect.
17.4 The termination or expiry of the Supplier’s Supplier Account or its access to the Cimple Platform shall not affect any accrued rights or liabilities of any party and shall not affect any provision of these T&Cs intended to have effect after termination or necessary for its interpretation and in particular it shall not affect the provisions of clauses 4.1, 5, 6, 7.3, 8, 9.1, 10, 11.5, 12, 15 (excluding 15.1), 16, 17 or the remaining provisions of these T&Cs below.
18. Force Majeure
Cimple shall not be in breach of these T&Cs, nor liable for any failure or delay in performing any obligations under these T&Cs arising from or attributable to matters beyond its reasonable control (“Force Majeure Event”) including an act of God, fire, flood, earthquake, windstorm or other natural disaster, explosion or accidental damage, war, threat of or preparation for war, armed conflict, imposition of sanctions, embargo, breaking off of diplomatic relations or similar actions, terrorist attack, civil war, civil commotion or riots, any failure or delay on the part of a third party supplier, industrial action or strike, power cuts, electronic or communication network breakdowns or government action.
19. Assignment
The Supplier Account is personal to the Supplier and the Supplier shall not assign or transfer or attempt to transfer or assign its Supplier Account to any other party except, by written notice to Cimple, to a member of its Group or otherwise with the prior written consent of Cimple. Cimple shall be entitled to transfer its benefits under these T&Cs in relation to any Supplier Account subject to its obligations to any Group Company or to any person acquiring Cimple’s business and such transfer shall be effective upon notice being given to the Supplier.
20. Publicity
Subject to receiving the Supplier’s prior consent, Cimple may refer to the Supplier in its promotional materials (including its website and other digital marketing materials) and to display the Supplier’s logo solely to indicate that the Supplier is a user of the Cimple Platform and offers Supplier Products or Services for sale on the Cimple Platform. Where such consent is given by the Supplier, and where the Supplier wishes to refer to Cimple or to the Cimple Platform as part of its promotional activities, the party whose brand is concerned may provide instructions to the other party from time to time regarding the appropriate presentation of its logo in terms of artwork, colouring, the display of legal notices (such as indications of copyright or trade mark rights) and so forth. Each party shall not acquire any right, title or interest in the other party’s name and logo as a result of such use and the original owner shall remain the sole and exclusive owner of all such rights.
21. Notices
Any notice required to be made under or in connection with these T&Cs (“Notice”) shall be in writing. Cimple may provide any Notice to the Supplier through the Supplier’s contact details, email address and postal address as set out in the Supplier Account or as provided to Cimple by the Supplier from time to time. Notices to Cimple should be sent to Cimple Limited, Apartment 52, 3 Whitehall Court, London, SW1A 2EL, hello@cimple.uk.
22. General
22.1 Nothing in these T&Cs shall create, or be deemed to create, a partnership or joint venture and, except as expressly set out in these T&Cs, shall not be construed as giving rise to the relationship of principal and agent between the parties. Neither party shall represent itself as representative of the other or purport to assume obligations in the name of the other.
22.2 If at any time any provision of these T&Cs is or becomes illegal, invalid or unenforceable in any respect under the law of any jurisdiction, that shall not affect the legality, validity or enforceability in that jurisdiction or any other jurisdiction of any other provision of these T&Cs.
22.3 Where these T&Cs include provisions intended expressly or by their nature to apply for the benefit of a Group Company of Cimple, such Group Companies shall be entitled to enforce such terms. Except as aforesaid, a person who is not a party to these T&Cs shall have no rights to enforce the provisions of these T&Cs under the Contracts (Rights of Third Parties) Act 1999.
22.4 No modification, alteration or waiver of any of the provisions of these T&Cs shall be effective unless in writing and signed on behalf of each of the parties.
22.5 No omission or delay on the part of either party in exercising any right, power or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise of any such right, power or privilege preclude any other or further exercise thereof or of any other right, power or privilege. The rights and remedies herein provided are cumulative with and not exclusive of any right or remedies provided by law.
22.6 These T&Cs constitute the entire agreement between the parties and supersede all other agreements, statements, letters and other arrangements between the parties in relation to the subject matter hereof. Each party acknowledges that it has not relied on or been induced to enter these T&Cs by a representation other than those expressly set out in these T&Cs. This clause does not affect a party’s liability in respect of a fraudulent misrepresentation.
22.7 These T&Cs are governed by English law and the parties submit to the exclusive jurisdiction of the courts of England and Wales in relation to any dispute between them arising out of the subject matter of these T&Cs including claims on non-contractual grounds.
Data Processing Annex
1. DEFINED TERMS
1.1 In this Data Processing Annex, the following words and expressions shall, unless the context otherwise requires, have the meaning given to them below:
“Applicable Law” means the Data Protection Legislation and any other laws in force where the Controller’s Data may be processed under these T&Cs or to which Cimple or Buyer may be subject.
“Controller’s Data” means Personal Data collected by Cimple from Data Subjects on behalf of Buyer or obtained from Buyer relating to Data Subjects who sign up for the Platform through their account with Buyer.
“Data Protection Legislation” means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable law or regulation relating to the processing, privacy and/or use of Personal Data, and any laws or regulations which implement, supplement, replace, extend, re-enact, consolidate or amend any of the foregoing.
“Data Subjects” means the Authorised Users and other users of the Platform.
“Permitted Purposes” means the delivery of the Platform to Buyer and Authorised Users as further set out in the Data Processing Details.
“Personal Data” has the meaning given to such term in the Data Protection Legislation.
“Sub-processor” means any person who processes the Controller’s Data on behalf of Cimple.
“UK GDPR” has the meaning given to it in the Data Protection Act 2018.
2. DATA PROCESSING
2.1 The parties agree that as between them, for the purpose of the Data Protection Legislation, Buyer shall be deemed the controller and Cimple shall be deemed the processor in relation to any Controller’s Data processed by Cimple (or its Sub-processors) under this DP Annex or for the purpose of these T&Cs and it shall be the responsibility of Buyer to ensure compliance with the obligations imposed by the Data Protection Legislation on the controller of the Controller’s Data.
2.2 Cimple shall process the Controller’s Data in accordance with this DP Annex (including the Data Processing Details) and Applicable Laws and solely for the Permitted Purposes.
2.3 Cimple shall process the Controller’s Data on behalf of Buyer and in accordance with the written instructions of Buyer unless required otherwise by law or upon the requirement of a governmental authority under Applicable Law. For the avoidance of doubt, Buyer hereby authorises Cimple to process the Controller’s Data as set out in the Data Processing Details and as required to fulfil Cimple’s obligations under these T&Cs.
2.4 In the event that Cimple is required by law or upon the requirement of a governmental authority under Applicable Law to carry out any processing of the Controller’s Data not in accordance with the written instructions of Buyer, Cimple shall inform Buyer of that legal requirement before carrying out the processing, unless that law prohibits such information on important grounds of public interest.
2.5 Cimple shall treat the Controller’s Data processed under this DP Annex as Buyer Confidential Information in accordance with clause 16 of the T&Cs and shall ensure that its employees, consultants, Sub-processors, affiliates and other persons authorised by Cimple to process the Controller’s Data are bound by confidentiality obligations (whether contractual or imposed under Applicable Law) in respect of the processing of such data.
2.6 Buyer acknowledges and agrees that, in respect of any Personal Data received from Buyer, Cimple will rely on Buyer and that it is Buyer’s sole responsibility to ensure that the Controller’s Data is and will remain accurate, up-to-date, relevant and suitable for the purpose of processing and that it is processed for lawful purposes in accordance with Applicable Laws.
3. CO-OPERATION
3.1 Each party, at the other party’s reasonable request, shall, so far as reasonably possible given the purpose of the processing, provide reasonable assistance to the requesting party in ensuring compliance with the requesting party’s obligations under the Data Protection Legislation, in particular in relation to its obligations concerning: (a) Data Subject requests for information and requests for erasure, rectification or limitation of processing of the Controller’s Data or the exercise of other Data Subject rights in relation to the Controller’s Data; (b) maintaining the security of the Controller’s Data processed under this DP Annex; (c) notifications to regulatory authorities and communications to affected Data Subjects required in relation to events resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Controller’s Data (“Data Breach”); and (d) the preparation of data protection impact assessments and prior consultation with the regulatory authorities, where applicable.
3.2 In the event Cimple becomes aware of a Data Subject request as referred to in paragraph 3.1(a) above or of any Data Breach affecting the Controller’s Data, it shall notify Buyer without undue delay.
3.3 Clause 3.1 of this DP Annex shall not be construed as requiring a party to modify its automated processes, computer systems or databases or to develop new processes, computer systems or databases for the purpose of providing the requisite assistance but a party shall not unreasonably refuse to make minor changes to its systems where it would be proportionate and reasonable to do so. Where a party agrees to make such modifications or developments in response to the other party’s request, the requesting party shall bear the costs of doing so.
3.4 Save as provided in clauses 3.3 and 3.4 of this DP Annex, any assistance provided by a party under clause 3.1 of this DP Annex shall be provided at that party’s cost.
4. SUB-PROCESSORS
4.1 Cimple shall not engage a Sub-processor in relation to the processing of the Controller’s Data without prior written consent of Buyer.
4.2 Buyer hereby authorises Cimple to appoint the Sub-processors listed in the Data Processing Details to process the Controller’s Data for the purposes indicated in the Data Processing Details.
4.3 Cimple shall inform Buyer of any intended changes concerning the addition or replacement of Sub-processors. Unless an objection to such change or appointment is notified to Cimple within seven days of the receipt of such notification, Buyer shall be deemed to have consented to and authorised the change or appointment.
4.4 In the event that Cimple engages a Sub-processor with Buyer consent, Cimple shall enter into a written data processing agreement with the Sub-processor containing requirements equivalent to those set forth in clauses 2, 3, 4, 5, 6 and 7 of this DP Annex and clause 16 of the T&Cs.
4.5 Notwithstanding the appointment of Sub-processors, Cimple will remain fully responsible and liable to Buyer for any breach of its obligations under this DP Annex in relation to the processing of the Controller’s Data.
5. DATA SECURITY
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood and severity of any risk, Cimple shall implement appropriate technical and organisational measures to ensure an appropriate level of security for the Controller’s Data processed under this DP Annex particularly against the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, including (as appropriate): (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
6. INTERNATIONAL TRANSFERS
Cimple shall not transfer the Controller’s Data to a country outside the United Kingdom or the European Economic Area, unless Buyer has expressly authorised such transfer in writing and then only subject to putting in place adequate safeguards as required under the Data Protection Legislation. Buyer hereby authorises Cimple to transfer the Controller’s Data to Cimple’s affiliates and authorised Sub-processors for processing in the countries outside the United Kingdom and the European Economic Area as specified in the Data Processing Details.
7. INFORMATION AND AUDIT RIGHTS
Cimple shall make available to Buyer information so far as reasonably necessary to demonstrate its compliance with Cimple’s requirements under this DP Annex and shall allow for and contribute to audits, including inspections, conducted by Buyer or an auditor mandated by Buyer. Where an audit requires Cimple to allocate more than minimal resources, it shall be entitled to charge Buyer for the time spent by its staff and any resources allocated for the audit and the provision of clause 3.4 of this DP Annex shall apply mutatis mutandis.
8. WARRANTIES
8.1 Cimple warrants, covenants and represents to Buyer that: (a) it has the required skills and resources to ensure processing of the Controller’s Data in accordance with this DP Annex and in compliance with its obligations under the Data Protection Legislation; and (b) it shall use reasonable skill and care in performing its obligations under this DP Annex.
8.2 Except as expressly provided in this DP Annex or in the T&Cs, Cimple makes no warranties, covenants or representations, express or implied, relating to the processing of Personal Data under this DP Annex and specifically disclaims any that may be implied by this DP Annex, the T&Cs, by custom or by law or otherwise.
8.3 Buyer warrants, covenants and represents to Cimple that: (a) it shall comply with the requirements of this DP Annex (including the Data Processing Details), the Data Protection Legislation and any Applicable Laws in connection with its own processing of the Controller’s Data including in connection with any instructions provided to Cimple and the provision of any Personal Data to Cimple; (b) the processing by Cimple of the Controller’s Data on Buyer instructions in accordance with this DP Annex shall be for lawful purposes which have been properly disclosed to Data Subjects in accordance with the Data Protection Legislation and, insofar as required, the Data Subjects’ consents have been obtained for such processing and records of such consents are and will be retained by Buyer; (c) it shall ensure that the Controller’s Data processed by Cimple are kept accurate and up-to-date and that it shall only be processed through the services of Cimple for as long as it is required for the lawful purposes for which it is so held and Buyer shall provide Cimple with instructions and updates to ensure the foregoing; and (d) insofar as any Controller’s Data is processed by Buyer as a processor on behalf of a third party Buyer (or third party processor), the processing of the data by Cimple in accordance with this DP Annex has been authorised by the relevant third party Buyer.
9. GENERAL
9.1 The limitations on liability applicable as between the parties under the T&Cs shall apply to their liability under this DP Annex mutatis mutandis.
9.2 This DP Annex shall commence upon the commencement of the processing of the Controller’s Data by Cimple for the purposes of the T&Cs and shall continue to have effect for so long as such processing continues. This DP Annex shall not be terminated unless the T&Cs are terminated. Clauses 1, 2.1, 2.5, and this clause 9 of the DP Annex shall survive termination of the T&Cs.
9.3 In the event that it becomes a compulsory legal requirement under the Data Protection Legislation in the jurisdiction where Buyer has its place of business to put in place a data processing agreement between the parties on standard or statutory terms (“Standard clauses”), the parties agree to amend this DP Annex to incorporate such Standard clauses and insofar as the terms of this DP Annex are inconsistent with the Standard clauses, the Standard clauses shall prevail and such inconsistent provisions shall be deemed to have been superseded by the Standard clauses.
Data Processing Details
Supplier’s name, registered number and registered address:
Supplier’s commercial address:
Supplier’s contact person and email/fax:
Supplier’s data protection officer’s name:
Cimple’s name: Cimple Limited
Cimple’s commercial address: Apartment 52, 3 Whitehall Court, London, SE1A2EL
Cimple’s contact person and email/fax: Wyndham Plumptre – wyndham@cimple.uk
Cimple’s data protection officer’s name: Wyndham Plumptre – wyndham@cimple.uk
Name and date of service agreement in connection with which the Data Processing Agreement is entered: Terms and conditions for Cimple
Subject-matter of the processing activity: The subject matter of processing activity is to enable a user's experience on Cimple and the provision of the services of the Cimple platform.
Nature and purpose of processing: The nature and purpose of processing Buyer User personal information is:
To enable Cimple to identify a user account
To enable Cimple to send marketing information to a user account where they opt in
To enable Cimple to contact the user to inform them of progress on their competitions/opportunities that have been issued on Cimple
To enable Cimple to provide key contact details associated with a Buyer User to a Supplier (so that the Supplier can contact the Buyer)
To enable Cimple to send updates to the user in relation to any activity undertaken on Cimple e.g. notification of clarification questions being asked by the Supplier
To enable Cimple to identify the user if they wish to have their account deleted
To communicate the content of tender offers posted by buyers through the Cimple platform to potential suppliers and the content of bids placed by suppliers to buyers and to government procurement systems, such content potentially including personal data of contact persons nominated by buyers and suppliers.
Duration of the processing of Personal Data: User personal data will be processed for the duration they are a user on Cimple and for 12 months after they have deleted their profile on Cimple. The user can request for this to be shortened by contacting the Data Protection Officer referenced above.
Personal data included in tender offers and in bids is processed for the duration of the tender process.
Categories of Personal Data to be processed: The personal data that is held by Cimple is limited to:
A user name as entered by the user
A user’s email address as entered by the user
A user’s mobile number, if provided by the user, as entered by the user
Name, contact details, job title, address and other details that may be included by buyers and suppliers in materials uploaded to the Cimple platform
Categories of data subjects whose Personal data is to be processed: Registered users of the Cimple platform.
Contact individuals nominated by Buyers and Suppliers in documents posted on the Cimple platform.
Data sources: The data sources are through the onboarding process where a user is requested to set up an account. The user then has the ability to update their personal data on their user profile. Personal data included in tender offers and in bids is obtained from buyers and suppliers using the Cimple platform.
Personal data to be provided to a Supplier in anonymised/pseudonymised form: No personal data is to be provided to a Supplier in anonymised or pseudonymised form due to the nature of the information held.
Personal data to be provided in raw form to a Supplier and anonymised/pseudonymised by Cimple: No personal data is to be provided to a Supplier in anonymised or pseudonymised form due to the nature of the information held.
Other special IT security requirements: A description of the security measures employed by Cimple to protect personal data is set out in the schedule to the Data Processing Annex.
Third parties to which Personal Data is to be made available: Significa Lda. - Technical Support; Amazon Web Services (AWS) - Hosting Services.
As part of its legal requirement to perform the service it offers in the UK, Cimple has to push ‘notices’ to the UK Government Platforms called Contracts Finder and Find A Tender service. As part of that service Cimple will provide Contracts Finder and Find A Tender Service information about an organisation’s user as required by the platforms.
As part of its ongoing assurance of its operations Cimple may provide access to Third Party assurers, auditors and insurers e.g. to re-certify for ISO standards. This is unlikely, but could require the sharing of access to personal data.
Countries to which personal data may be transferred for processing (including a description of the processing activities to be undertaken in each country): Ireland (AWS cloud support)
Portugal (access to data by employees of Significa Lda in performing technology support services for Cimple)
Permitted Sub-processors (including a description of the purpose of the access to personal data given to each sub-processor): Significa Lda are permitted to be a sub-processor where they need to provide support in determining issues with specific user accounts.
AWS – cloud services provider.
IT Security Schedule (Data Processing Annex)
1. TECHNICAL SECURITY MEASURES
1.1. At-Rest Encryption
i. Data on portable devices that have access to personal data is encrypted with folder or disk level encryption.
ii. Data at rest within a database server is anonymized by data element encryption (e.g. row, column or field).
iii. Data within a database server is encrypted at rest with transparent encryption (i.e. inherent to database software or via folder or disk level encryption by the OS).
iv. Data at rest on portable devices (e.g. USB memory stick or hard drive) used by individuals with access to ePHI and/or PII is encrypted with folder or device level encryption.
v. Controls are implemented to protect the confidentiality of the encryption keys stored within Company’s networks, facilities or systems, including Public Key Encryption.
1.2. Transit Encryption
i. Company uses Virtual Private Network (VPN) connections to connect to external systems or networks processing personal data.
ii. Web applications use Secure Sockets Layer (SSL) protocols to ensure authentication and integrity of personal data transferred over HTTP (HTTPS).
iii. File Transfer Protocol (FTP) applications will use either SFTP, FTPS or Secure FTP.
2. ACCESS MANAGEMENT
2.1. Access Management. Systems housing or processing data governed by legal, regulatory or contractual access control requirements:
i. Have a formal, documented account authorization, revocation, provisioning and deprovisioning process used to control access;
ii. Assure that the least necessary privilege is approved and provided;
iii. Default account privileges to no access;
iv. Require secure log-in; and
v. Require proper authorization for access to systems, functionality and data; and maintain encryption at rest.
2.2. Access controls. Company uses secure passwords, automatic blocking/locking mechanisms, multi-factor authentication where appropriate, and encryption of all data carriers and storage media.
2.3. Authentication. Access credentials are unique to users and applications and not shared. Default and temporary passwords are reset to unique passwords after first use. Passwords must meet complexity requirements and may expire after a certain period. Credentials are validated against logs of approved users, and disabled upon termination or separation.
2.4. Remote access. Workforce members may not remotely access systems or applications containing personal data from workstations, servers or devices that are not owned and directly managed by the Company. Remote access connections are authenticated using the workforce member’s account and password or other unique identifier. Remote access from a data trading partner is not allowed.
3. PHYSICAL SECURITY
3.1. Employees. Physical access to areas controlled by Company is restricted only to authorised personnel and subcontractors that need access to the facilities to perform services.
i. Employees are only provided access to personal data if their job duties require such access;
ii. Public access doors to the Company offices remain locked at all times, requiring badge access;
iii. Entry to the Company Facility is verified; and
iv. Systems storing or interacting with data including personal data are isolated and secured, and individual systems are safeguarded to minimise inadvertent or unintentional viewing of personal data.
3.2. Visitors. In addition to the safeguards above, visitors, including vendors, are required to log into and out of any area with physical access to personal data in electronic or paper format.
i. Visitors must wear visitor badges at all times; and
ii. Visitors must be escorted at all times.
4. SYSTEM SECURITY
4.1. Logs. Application-level login attempts, remote access attempts, and Security Alerts are recorded to system audit logs. Audit logs are periodically reviewed and documented. Access to view system audit logs is restricted based on job responsibility.
4.2. System configuration. Company maintains and monitors the configuration of systems or applications processing personal data.
4.3. Configuration changes. Company maintains a change and qualification procedure to ensure that system changes are properly assessed, tracked, executed, and operate as intended.
5. TESTING & VULNERABILITY MANAGEMENT
5.1. Testing. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing.
5.2. Vulnerability management and penetration testing. Vulnerability management and penetration testing is conducted periodically to identify risks to customer systems or applications that store personal data.
5.3. Vulnerability remediation. All vulnerabilities will be ranked as to level of priority and addressed accordingly. Vulnerability treatment options shall include remediation (apply a patch, adjust system), configuration, removal of the affected component from service, and application of an alternative compensating control(s).
6. ORGANISATIONAL CONTROLS
6.1. Security Officer. Company has designated a Security Officer responsible for the development, implementation and verification of the security policies and procedures and directs, manages and is responsible for the organisation’s security and compliance efforts.
6.2. Incident management. Company’s Privacy and Security personnel regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports to maintain an ongoing understanding of activity in information systems that create, maintain, process or transmit ePHI and/or PII, and to undertake appropriate remedial action of any discrepancies identified.
6.3. Information Security Policy. Company maintains a comprehensive written Information Security Policy designed to ensure that all of the company’s processes and products that involve personal data are subject to safeguards consistent with all applicable law and regulation regarding the security of such information.
6.4. Enforcement. Company’s Information Security Policies and Manual assign responsibility for all information security requirements to relevant responsible individuals within the organisation.
7. DATA MANAGEMENT, RETENTION & DESTRUCTION
7.1. Data minimization. All personal data is collected, accessed, and/or processed by the Company according to a strict “minimum necessary” standard.
7.2. Maintaining data integrity. Company maintains policies and procedures designed to ensure the integrity of personal data over its entire life-cycle.
7.3. Maintaining data availability. Company also maintains policies and procedures designed to ensure the availability of personal data over its entire life-cycle. In the case of an unplanned or emergency event, business continuity processes are initiated.
7.4. Data Deletion. Company deletes personal data from clients on a regular schedule. Data is securely deleted using secure deletion methods and device destruction/disabling procedures appropriate to the medium/system where data is stored.
7.5. Backup and Recovery Plan. Company’s Backup and Recovery Plan addresses items including:
i. Business impact analysis and recovery strategy and planning documents to meet business requirements;
ii. Recovery plan testing;
iii. Performing backups according to the backup strategy and schedule pertaining to needs of the particular environment;
iv. Monitoring backups for successful completion and resolving backup failures;
v. Providing IT disaster recovery planning consulting to system owners, business process owners, and ITOs; and
vi. Creating policy deliverables as requested by system owners, business process owners, and the ITOs.
7.6. Business Continuity Plan. Company’s Business Continuity Plan (“BCP”) is designed to continue delivery of products or services at acceptable levels following a disruptive incident. The key elements of the BCM program are as follows:
i. Analysing the impact of significant disruptions and development of the Business Impact Analysis (BIA);
ii. Preparing and developing BCPs, strategies and solutions around the following, which is based on the output from the BIA: personnel/workforce disruption; facility disruption; supply chain disruption; and information technology disruption;
iii. Sustaining the program by reviewing and updating the BIA, the BCP, strategies and solutions;
iv. Maintaining team readiness by conducting regular training through exercises/drills; and
v. Ensuring continuous improvement of the BCP.