Last updated March 31, 2023
This Agreement governs your (the Organisation’s) use of the Services and Materials. By using the Services and Materials, you confirm that you accept this Agreement and that you agree to abide and be bound by it. You may not use the Services and Materials unless you agree to be bound by this Agreement.
1 Interpretation
1.1 In this Agreement:
“Agreement” means: (i) for Clients, an Order Form together with these Terms of Service, and (ii) for Suppliers, these Terms of Service;
“Authorised User” means any employee, agent, contractor or representative of the Organisation authorised by the Organisation to access and use the Services, using their own unique identifier provided by Risk Ledger;
“Business Days” means any day other than a Saturday or Sunday or public holiday in England on which banks are physically open for the transaction of general banking business in London;
“Charges” means, for Clients, Risk Ledger’s fees for the Services, as stated in the Order Form, together with, for Clients and potentially Suppliers, such other additional fees as may be charged in accordance with this Agreement or otherwise agreed between the parties from time to time;
“Client” means an Organisation using the Services to view and manage information from Suppliers via the Services in connection with its cyber security risk management procedures;
“Confidential Information” means information that is proprietary or confidential to a party and is disclosed by it to the other party in connection with this Agreement, as this definition is supplemented by clause 6 (Confidential Information);
“Contract Year” means the 12-month period following the Effective Date and each succeeding 12-month period;
“Documentation” means Risk Ledger’s then-current technical and functional documentation for the relevant Services, including (where applicable) as referred to in the Order Form or otherwise made available in writing to the Organisation, and as may be updated in accordance with clause 19;
“Effective Date” means the earlier of the date specified as such on the Order Form (if any) and the date on which the Organisation starts using the Services;
“Initial Term” means, for Clients, the period stated as the initial term in the Order Form (if any). There shall be no Initial Term applicable to Suppliers;
“Intellectual Property” means any and all patents, copyrights (including future copyrights), design rights, trade marks, service marks, domain names, trade secrets, know-how, database rights, and all other intellectual property rights, whether registered or unregistered, and including applications for any of the foregoing and all rights of a similar nature which may exist anywhere in the world;
“Materials” means written documentation and content, verbal, electronic and other information, databases, computer software, Software, designs, drawings, pictures or other images (whether still or moving), the Site, sounds or any other record of any information in any form belonging to Risk Ledger but for the avoidance of doubt not including any Organisation Data or Participant Data;
“Order Form” means an ordering document or online order specifying the Services to be provided, that is entered into between a Client and Risk Ledger;
“Organisation” means the person or entity that has registered to use the Services (via its Authorised Users) in accordance with this Agreement;
“Organisation Data” means any information or data that the Organisation shares with Participants on or through the Services, including through Profiles and responses to questions (as applicable);
“Participant” means any organisation other than the Organisation using the Services to collect and/or share cyber security risk management information;
“Participant Data” means any information or data shared with the Organisation by Participants on or through the Services, including Profiles, questions, and responses to them (as applicable);
“Profile” means a survey, form, or other structured request for information used by an Organisation via the Services;
“Renewal Term” has the meaning given to it in clause 12.1.1;
“Risk Ledger” means Risk Ledger Ltd, a company registered in England and Wales with company registration number 10831970 and its registered office at Adam House, 7-10 Adam Street, London, United Kingdom, WC2N 6AA;
“Scheduled Maintenance” means any work notified to the Organisation to be carried out by Risk Ledger or on its behalf that may cause the Services to be temporarily suspended or disrupted;
“Services” means, for Clients, the cloud services to be provided by Risk Ledger under this Agreement as set out in the Order Form. The Services made available to Suppliers are as set out in clause 2.6;
“Site” means Risk Ledger's website at https://riskledger.com, or other websites that Risk Ledger operates and provides Services through;
“SLA” means Appendix 1 to this document that defines the service levels to be provided by Risk Ledger under this Agreement;
“Software” means Risk Ledger's data management and manipulation software made available by Risk Ledger to the Organisation as part of the Services;
“Supplier” means an Organisation using the Services to provide information about its cyber security risk measures to Clients;
“VAT” means value added tax chargeable under English law and any similar additional tax, and any similar tax levied in any jurisdiction; and
“Working Hours” means 9am to 5pm UK time on Business Days.
1.2 Any reference in these terms to 'writing' or related expressions includes fax and email.
1.3 Except where the context requires otherwise:
1.3.1 the singular includes the plural and vice versa; a reference to one gender includes all genders; words denoting persons include a natural person, corporate or unincorporated body (whether or not having separate legal personality); a reference to a ‘company’ includes any company, corporation or other body corporate, wherever and however incorporated or established; and a reference to a ‘party’ includes that party’s personal representatives, successors and permitted assigns; and
1.3.2 any words that follow “include”, “includes”, “including”, “in particular” or any similar words and expressions shall be construed as illustrative only and shall not limit the sense of any word, phrase, term, definition or description preceding those words.
1.4 Any reference to an English legal term for any action, remedy, method of judicial proceeding, legal document, legal status, court, official or any legal concept or thing shall, in respect of any jurisdiction other than England, be deemed to include a reference to what most nearly approximates in that jurisdiction to the English legal term.
1.5 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time. A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.
2 Use of the Services
2.1 Subject to the Organisation’s payment of any applicable Charges, Risk Ledger grants to the Organisation a limited, personal, non-exclusive and non-transferable (save in accordance with clause 14.2) licence to use the Services and Materials for the duration of this Agreement strictly in accordance with its terms. The Organisation shall not be entitled to use the Services or Materials for any other purpose. In particular and without limitation, the Organisation shall have no right to copy, translate, reproduce, adapt, reverse engineer, decompile, disassemble, or create derivative works of the Software or the Materials except as permitted by applicable law. Further, the Organisation shall have no right to sell, rent, lease, transfer, assign, or sublicense the Services, the Materials or its rights under this Agreement without Risk Ledger’s prior written consent.
2.2 Each Client is entitled to add Suppliers to its Risk Ledger account up to the maximum number stated in the Order Form. In addition, Risk Ledger operates a fair use policy under which a Client may add up to 5% more Suppliers to its Risk Ledger account during a Contract Year. If the Client exceeds the fair use policy, Risk Ledger may (in its discretion) either (i) invoice the Client for the number of Suppliers added in excess of the number stated in the Order Form, or (ii) or terminate this Agreement if the Client does not reduce the number of Suppliers to within the fair use policy within 14 days of Risk Ledger’s request to do so.
2.3 Where the Site or Services contain links to other sites and resources provided by third parties (including other Organisations), these links are provided for information only on an “as is” basis. Risk Ledger has no control over the availability or content of such other sites or resources and has no responsibility or liability for them or for any loss or damage that may arise from the Organisation's use of third party sites or resources.
2.4 The Organisation recognises that Risk Ledger is always finding ways to improve the Services and add features and agrees that Risk Ledger may change the Services from time to time, provided that any such changes do not fundamentally alter the nature of the Services.
2.5 The annual Charges stated in an Order Form will only cover the Services described in the Order Form. Risk Ledger and the Organisation will agree pricing for any additional services provided by Risk Ledger.
2.6 The Services available to Suppliers are as set out here: https://www.riskledger.com/suppliers.
3 Charges & Payment
3.1 To use the Services as a Client, the Organisation must enter into an Order Form with Risk Ledger, and the provisions of this clause shall apply. Risk Ledger provides the Services’ functionality described in clause 2.6 for Suppliers at no cost.
3.2 The Organisation shall pay the Charges for the Services (if any) in accordance with this Agreement. Payment shall be made in the currency indicated on the Order Form or, if not specified, GBP.
3.3 All Charges quoted to the Organisation for the provision of the Services are exclusive of any VAT.
3.4 If the Organisation requires a purchase order number on invoices, it shall provide a purchase order number on the Order Form or as soon as reasonably practicable following the date the Order Form (or other Charges) are agreed. If the Organisation does not provide a purchase order number as required under this clause, the Organisation shall pay any related invoices without a purchase order number and may not withhold or delay payment of an invoice due to the absence of, or the Organisation’s delay in providing, a purchase order number. Any terms stated by the Organisation on or otherwise to be applicable to a purchase order shall not apply to the Services or this Agreement.
3.5 Risk Ledger will invoice the Charges to the Organisation in advance on an annual basis for payment within 30 days of the date of receipt of any such invoice, unless expressly stated otherwise on the Order Form or extended on the invoice. Sums shall be paid in full without set off or deduction. Risk Ledger’s first provision of the Services is subject to its receipt of payment for the first Contract Year.
3.6 Without limiting Risk Ledger’s ability to charge a Client for adding additional Suppliers to its account under clause 2.2, if the Initial Term is one year or less, the Charges will increase by 5% of the then current annual fee on the commencement of each Renewal Term without the need for notice; or if the Initial Term is more than one year, the Charges will increase by 5% of the then current annual fee at the commencement of each Contract Year of the Initial Term and on the commencement of each Renewal Term, without the need for notice. For any other increase or addition to the Charges (other than an increase in accordance with clause 2.2), Risk Ledger shall provide the Organisation with at least 60 days’ written notice prior to the start of the Renewal Term to which the increase or addition will apply.
3.7 No payment shall be deemed to have been made until Risk Ledger has received such payment in cleared funds from the Organisation.
3.8 If the Organisation fails to pay Risk Ledger any Charges by the due date, then without prejudice to its other rights and remedies Risk Ledger shall be entitled to charge interest on the outstanding amount at the rate of 4% above the base rate of the Bank of England (whether before or after any judgment), accruing daily and compounded quarterly, from the later of due date for payment or 30 days from the date of the Organisation’s receipt of the invoice, until the outstanding amount is paid in full.
4 Organisation's Obligations
4.1 The Organisation shall not and shall ensure that its Authorised Users shall not:
4.1.1 use the Services, Materials or Participant Data in any way so as to bring Risk Ledger or any other party into disrepute;
4.1.2 use the Services, Materials or Participant Data in a manner which is unlawful, harmful, threatening, abusive, harassing, tortious, indecent, obscene, libellous or menacing;
4.1.3 use the Services, Materials or Participant Data in a manner which infringes the Intellectual Property, proprietary or personal rights of any third party, including data subjects;
4.1.4 misuse the Site or Software by introducing viruses, trojans, worms, logic bombs or other material which is technologically harmful;
4.1.5 attempt to gain unauthorised access to the Site, Software or Services, the server on which the Site, Software or Services are stored or any server, computer or database connected to the Site, Software or Services;
4.1.6 attack the Site, Software or Services via a denial-of-service attack or a distributed or malicious denial-of service attack; or
4.1.7 access the Software, Services or the Site in order to build a product or services which competes with the Software, Site or Services; or
4.1.8 use the Services, Materials or Participant Data, or disclose them to third parties, except as authorised in writing by Risk Ledger or as permitted under this Agreement.
4.2 The Organisation will keep its password and other access details for use with the Services confidential and restricted to those members of staff who need to know such details and shall ensure all such staff are aware of the confidential nature of such information and treat it accordingly. The Organisation shall notify Risk Ledger immediately if it believes that such information is no longer secret. The Organisation is solely responsible for all activities that occur using the Organisation's authentication credentials. The Organisation shall not permit any person to access the Services for any unauthorised purpose that would constitute a breach of this Agreement if such a breach was carried out by the Organisation, and remains responsible in full for any such unauthorised use.
4.3 The Organisation will take all reasonable steps to ensure that nobody other than Authorised Users accesses the Services using Authorised User accounts. Authorised User accounts may not be shared between individuals. Clients may have up to the number of Authorised Users stated on the Order Form. Suppliers may have up to 5 Authorised Users. Either type of Organisation may also be able to purchase additional Authorised User accounts from Risk Ledger upon request.
5 Ownership & use of the Intellectual Property
5.1 The Organisation acknowledges and Risk Ledger warrants that:
5.1.1 Risk Ledger is as between the Organisation and Risk Ledger the proprietor of the Intellectual Property in the Site, the Services and Materials; and
5.1.2 so far as Risk Ledger is aware the Intellectual Property in the Site, the Services and Materials, and their use as permitted in this Agreement, do not infringe the Intellectual Property rights of any third party.
5.2 The Organisation agrees to Risk Ledger collecting via the Services, and grants to Risk Ledger a worldwide, non-exclusive, royalty-free licence (with the right to sublicense) to use, the following data for the corresponding uses:
5.2.1 Analytics – Subject to the terms of this Agreement, Risk Ledger may analyse and process Organisation Data (including the contents of Profiles and the responses to questions) in order to distil behaviours, trends and patterns (“Analytics”), the results and learnings of such Analytics. Risk Ledger uses these Analytics to improve risk assessments given to Buyers as part of the Services; to indicate potential areas for improvement of Participants’ information security practices; to develop; improve the Risk Ledger service and to produce anonymised, pseudonymised or aggregated statistical reports and research.
5.2.2 System usage – Risk Ledger will use the number of Authorised Users, and data relating to the volume and categories of Organisation Data processed through the Services, to calculate and verify the Charges. Risk Ledger may analyse Authorised Users' login metadata (including IP address, concurrent logins, and similar indicators) for security purposes to monitor the Organisation's compliance with clause 4.3.
5.2.3 The Organisation, on behalf of itself and its Authorised Users, assigns to Risk Ledger all Intellectual Property rights in all suggestions or feedback given by any means to Risk Ledger in relation to the Site, Software, Services and Materials.
5.3 If the Organisation becomes aware that any other person, firm or company alleges that the Intellectual Property in the Site, the Services and/or Materials is invalid or that use of such Intellectual Property and/or Materials infringes any Intellectual Property rights of another party the Organisation shall as soon as reasonably possible give Risk Ledger full particulars in writing thereof and shall make no comment or admission to any third party in respect thereof.
5.4 Risk Ledger shall have the conduct of all proceedings relating to the Intellectual Property in the Site, the Services and/or Materials and shall in its sole discretion decide what action if any to take in respect of any matter arising under Clause 5.3 or any action to bring any claim of infringement of such Intellectual Property brought by a third party to an end. Such action may include: (i) procuring the rights to use that portion of the Services alleged to be infringing; (ii) replacing the alleged infringing portion of the Services with a non-infringing alternative; (iii) modifying the alleged infringing portion of the Services to make it non-infringing; or (iv) terminating the allegedly infringing portion of the Services or this Agreement. Any actions taken by Risk Ledger in accordance with this clause 5.4(i) – (iii) may only be taken provided they do not materially adversely affect the functional capabilities of the Services.
5.5 The Organisation shall reasonably assist Risk Ledger upon Risk Ledger’s reasonable request in any proceedings brought by or against Risk Ledger. Risk Ledger agrees to reimburse the Organisation's reasonable expenses incurred in complying with this clause 5.5.
6 Confidentiality and Participant Data
6.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party's Confidential Information shall not include information that:
6.1.1 is or becomes publicly known other than through any act or omission of the receiving party; or
6.1.2 was in the other party's lawful possession before the disclosure; or
6.2.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure; or
6.2.4 is independently developed by the receiving party, which independent development can be shown by written evidence; or
6.2.5 is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.
6.2 Each party shall hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this Agreement.
6.3 Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its personnel in violation of the terms of this Agreement.
6.4 The Organisation acknowledges that the Software, the Risk Ledger Data and the Materials constitute Risk Ledger's Confidential Information.
6.5 The Organisation agrees that its Organisation Data will be shared with such Participants as the Organisation’s Authorised Users indicate through their use of the Services.
6.6 As part of the Services, the Organisation may receive Participant Data. The Organisation undertakes to Risk Ledger that it and its Authorised Users will treat all Participant Data as Confidential Information, and will not use Participant Data for any reason other than to evaluate and respond to the relevant Participant regarding that Participant’s information security practices and/or requirements.
6.7 No party shall use the other party’s trade marks or make any public announcement concerning this Agreement, without the prior written consent of the other party. Risk Ledger may use the Organisation's name and logo for the limited purpose of identifying the Organisation as a customer of Risk Ledger.
6.8 This clause 6 shall remain in force in perpetuity unless agreed otherwise in writing between the parties.
7 Data protection
7.1 Appendix 2 applies in respect of personal data that is processed in the performance of this Agreement.
8 Warranties
8.1 Each party shall comply with all laws and regulations applicable to it in connection with:
8.1.1 in the case of Risk Ledger, the operation of Risk Ledger’s business as it relates to the Services; and
8.1.2 in the case of the Organisation, the Organisation Data and the Organisation’s use of the Services.
8.2 In respect of the Services that it provides to Clients, Risk Ledger warrants that it will:
8.2.1 provide the Services with reasonable skill and care and in substantial conformance with the Documentation; and
8.2.2 use commercially reasonable efforts to maintain the availability of the Services as set out in the SLA, and to provide reasonable notice in advance of any Scheduled Maintenance.
9 Indemnities
9.1 Where the Organisation is a Client, subject to clauses 5.3–5.5 (and the Organisation complying with its obligations therein), Risk Ledger will defend the Client against any third party claim that the Client’s use of the Services or Materials as permitted by this Agreement infringes a third party’s intellectual property rights ("Infringement Claim"), and will indemnify the Client against the amount of any adverse final judgment or settlement. Risk Ledger shall not be liable under this indemnity for any claim to the extent it arises from the Client’s (i) breach of this Agreement, (ii) use of Organisation Data or Participant Data, or (iii) use of the Services or Materials with systems, data or materials not supplied or approved in writing by Risk Ledger. Risk Ledger's indemnification obligations set out in this clause 9.1, and any action taken by Risk Ledger pursuant to clause 5.4, shall be the Client's sole and exclusive remedy in respect of an Infringement Claim.
9.2 The Organisation will indemnify Risk Ledger against any liabilities, costs, expenses, damages and losses (including reasonable legal fees, settlements, and judgments) incurred by Risk Ledger in connection with all third party claims that relate to (i) the Organisation’s breach of clauses 4.1.1, 4.1.2, 4.1.3, 4.1.8 and/or 6 of this Agreement, or (ii) Organisation Data.
10 Disclaimer and Limitation of Liability
10.1 Nothing in this Agreement limits or excludes the liability of either party:
10.1.1 for death or personal injury caused by Risk Ledger's negligence;
10.1.2 for the Organisation’s payment obligations under clause 3;
10.1.3 for its obligations under clause 9;
10.1.4 for fraud or fraudulent misrepresentation; or
10.1.5 any other liability that cannot be limited or excluded under applicable law.
10.2 The Organisation acknowledges that the Services provides a platform for the Organisation and Participants to share risk management information with each other. It is the sole responsibility of the Organisation to verify such information and to ensure that it manages its own cyber risks appropriately and in accordance with applicable laws and codes of practice. Except as expressly and specifically provided in this Agreement:
10.2.1 the Organisation assumes sole responsibility for results obtained from the use of the Services, the Software, the Site, the Materials or any part of them, and for conclusions drawn from such use. Risk Ledger shall, subject to clause 10.1, have no liability for any damage caused by errors or omissions in any information, instructions or scripts shared using the Services, or any actions taken by Risk Ledger at the Organisation's direction; and
10.2.2 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement.
10.3 Without limiting the effect of Clause 10.2.2, Risk Ledger does not warrant that:
10.3.1 the supply of the Participant Data and the Services will be free from interruption;
10.3.2 any Participant Data is accurate, up to date, complete, reliable, useful, fit for purpose or timely; or
10.3.3 using the Services will meet any statutory obligations of the Organisation.
10.4 Subject to clause 10.1 and clause 10.2:
10.4.1 neither party will be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation (whether innocent or negligent), restitution or otherwise for any (i) loss of profits, business, business opportunities, revenue, turnover, reputation or goodwill (ii) loss or corruption of data or information; (iii) loss of anticipated savings or wasted expenditure; or (iv) indirect, incidental, consequential, exemplary, punitive or special damages;
10.4.2 Risk Ledger will not be liable for any Organisation’s losses or damages caused by Services that are provided free of charge; and
10.4.3 each party’s total liability under or in connection with this Agreement, whether in contract, tort (including negligence), misrepresentation, restitution, under statute or otherwise, in respect of any and all events arising in a Contract Year, that first give rise to a claim, shall in no event exceed the higher of (i) £100 or (ii) the total Charges paid or payable by the Organisation to Risk Ledger under this Agreement for that Contract Year.
11 Force Majeure
11.1 Neither party shall be in breach of this Agreement or liable for delay in performing, or failure to perform, any of its obligations under this Agreement if such delay or failure result from events, circumstances or causes beyond its reasonable control. In such circumstances, the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 30 days or more, either party may terminate this Agreement by giving 7 days' written notice to the other party. Notwithstanding the foregoing, this clause shall not affect the Organisation’s payment obligations under clause 3.
12 Term, Suspension & Termination
12.1 This Agreement shall commence on the Effective Date and shall continue as follows, unless terminated earlier in accordance with this clause 12:
12.1.1 for Clients: this Agreement shall continue for the Initial Term and shall automatically extend for a further 12-month period (“Renewal Term”) at the end of the Initial Term and at the end of each Renewal Term. Either party may give written notice to the other party, not later than 30 days before the end of the Initial Term or the relevant Renewal Term, to terminate this Agreement at the end of the Initial Term or the relevant Renewal Term, as the case may be;
12.1.2 for Suppliers: this Agreement shall continue until it is terminated by either party giving written notice to the other party to terminate this Agreement on the date stated in such notice; or
12.1.3 for any Organisation that uses the Services as both a Client and a Supplier: this Agreement shall continue as set out in clause 12.1.1, except that either party may give written notice to the other party to terminate the Organisation’s use of the Services as a Supplier (but not as a Client) on the date stated in such notice.
12.2 Where an Order Form for a Client states that the Initial Term shall be a free trial, either party may terminate this Agreement at any time during the Initial Term by giving the other party not less than 7 days’ written notice. If the free trial is not so terminated, the Agreement shall automatically extend for its first Renewal Term as stated in clause 12.1.1.
12.3 Risk Ledger may (in its discretion) terminate this Agreement or suspend the Organisation’s or any of its Authorised Users’ right to access or use any portion or all of the Services immediately if:
12.3.1 the Organisation’s or any of its Authorised Users’ use of the Services (i) poses a security risk to the Services or any third party, (ii) could adversely impact Risk Ledger’s systems, the Services or the systems or content of a Participant, (iii) could subject Risk Ledger, its affiliates, or any third party to liability, or (iv) could be fraudulent. In all such cases Risk Ledger shall provide such notice of termination or suspension as it is able to do so in the circumstances;
12.3.2 the Organisation or any of its Authorised Users are in breach of this Agreement and do not cure the breach within 14 days' notice in writing from Risk Ledger requiring the Organisation to do so; or
12.4 Either party may terminate this Agreement immediately by giving written notice to the other party if:
12.4.1 the other party commits any material breach of this Agreement and (if capable of remedy) fails to remedy the breach within 14 days after being required by written notice so to do; or
12.4.2 the other party becomes insolvent or bankrupt, enters into an arrangement with creditors, has a receiver or administrator appointed or its directors or shareholders pass a resolution to suspend trading, wind up or dissolve that party other than for the purposes of amalgamation or reconstruction or it ceases, or threatens to cease, trading.
12.5 Any termination of this Agreement for any reason shall be without prejudice to any other rights or remedies a party may be entitled to at law or under this Agreement and shall not affect any accrued rights or liabilities of either party nor the coming into force or the continuance in force of any provision of this Agreement which is expressly or by implication intended to come into or continue in force on or after such termination.
12.6 The period during which Risk Ledger may suspend the Services in accordance with this Agreement will continue until the circumstances giving rise to Risk Ledger’s right to suspend the Services ceases to subsist or until this Agreement is terminated.
12.7 In the event that Risk Ledger suspends the provision of Services as permitted by clause 12.3 (up to the duration permitted by clause 12.6) the Organisation will continue to be obliged to pay any Charges owing or that arise during the period when the Service is suspended. Risk Ledger will end the suspension as soon as reasonably practicable once the cause of the suspension is rectified.
12.8 Risk Ledger reserves the right to terminate this Agreement with immediate effect if in its reasonable opinion: (i) the Organisation has built or is building a product or services which competes with the Software or Services provided by Risk Ledger; or (ii) the Organisation is using the Services in a manner which seeks to circumvent any contractual usage restrictions or in a manner which is not permitted in accordance with this Agreement.
13 Effects of Termination
13.1 Upon termination of this Agreement for any reason other than under clause 12.1.3:
13.1.1there shall be no refund of any element of the Charges to the Organisation, save for refunds pro-rata where the Organisation has terminated properly under clause 12.4 or where Risk Ledger has terminated under clause 5.4;
13.1.2 all unpaid Charges shall become immediately due to Risk Ledger (in whole or in part on a pro rata basis where part of a periodic charge which is charged in arrears is due), save in instances where the Organisation has terminated properly under clause 12.4 or where Risk Ledger has terminated under clause 5.4, in which case only the Charges due in relation to the period and usage prior to the effective date of termination shall become payable under this subclause;
13.1.3 save as contemplated in clause 13.1.6, Risk Ledger will be under no obligation to retain any data (including Organisation Data);
13.1.4 the Organisation shall immediately cease using Risk Ledger’s Intellectual Property and the Materials;
13.1.5 all licences granted to the Organisation under this Agreement shall immediately terminate; and
13.1.6 each party shall return or destroy (or erase from its computer systems) as notified to it in writing by the other party and make no further use of the data, the Materials or any Confidential Information then in its possession, with the exception that each party shall be entitled to retain such Confidential Information then in its possession for legal purposes or Analytics, subject to ongoing compliance with Clause 6. Upon the Organisation’s request, Risk Ledger will retain Organisation Data for up to 30 days and provide a copy of the Organisation Data to the Organisation subject to payment of reasonable fees incurred in providing such access. Otherwise, save as contemplated in paragraph 1.10 of Appendix 2 , it is agreed that Risk Ledger will erase or destroy all the Organisation Data or any Confidential Information following the termination of this Agreement, and will make no further use of such materials other than as part of the Analytics.
13.2 Upon termination of the Organisation’s use of the Services as a Supplier (but not as a Client) under clause 12.1.3, the Organisation shall become solely a Client, and this Agreement shall continue on its terms except that the Organisation’s right to use any of the Services’ functionality for Suppliers shall immediately cease.
14 Transfer & Subcontracting
14.1 Risk Ledger may assign, transfer or deal in any other manner with all or any of its rights under this Agreement or any part thereof to a third party. Risk Ledger may subcontract the Services or parts of them to third parties. Risk Ledger is responsible for breaches of this Agreement caused by its subcontractors.
14.2 Save as permitted by clause 14.1, neither party may assign, subcontract, sublicense or otherwise transfer any rights or obligations under this Agreement or any part thereof (except in connection with the sale or transfer of all, or substantially the whole, of its assets) without the prior consent in writing of the other party.
15 Bribery & Corruption
15.1 For the purposes of this clause 15 the expressions 'adequate procedures' and 'associated with' shall be construed in accordance with the Bribery Act 2010 and legislation or guidance published under it (the “Bribery Laws”).
15.2 Each party shall comply with applicable Bribery Laws including ensuring that it has in place adequate procedures to prevent bribery and ensure that:
15.2.1 all of that party’s personnel;
15.2.2 all others associated with that party; and
15.2.3 all of that party’s subcontractors;
15.2.4 involved in performing this Agreement so comply.
15.3 Without limitation to clause 15.2, neither party shall make or receive any bribe (as defined in the Bribery Act 2010) or other improper payment, or allow any such to be made or received on its behalf, either in the United Kingdom or elsewhere, and shall implement and maintain adequate procedures to ensure that such bribes or payments are not made or received directly or indirectly on its behalf.
15.4 Each party shall immediately notify the other as soon as it becomes aware of a breach or possible breach of any of the requirements in this clause 15.
16 Anti-slavery
16.1 Each party recognises that it is bound by laws relating to anti-slavery and human trafficking and warrants that it has in place and complies with policies and procedures that enable it to comply with those laws.
16.2 Each party shall notify the other party as soon as it becomes aware of any actual or suspected slavery or human trafficking in a supply chain which has a connection with this Agreement.
17 Communication & Notices
17.1 All notices will be in writing and given when delivered to (unless otherwise instructed by the relevant party in writing):
17.1.1 For Risk Ledger, Adam House, 7-10 Adam Street, London, WC2N 6AA, or if sent by email, to legal@riskledger.com.
17.1.2 For an Organisation, the contact details provided by the Organisation at the time of registration on the Site.
17.2 Any such notice shall be deemed to have been received:
17.2.1 if delivered personally, at the time of delivery;
17.2.2 if sent by email, at the time of transmission;
17.2.3 if sent by post within the United Kingdom, 2 Business Days after posting; and
17.2.4 if sent by airmail 5 Business Days after posting,
provided that if deemed receipt occurs before 9am or after 5pm on a Business Day then the notice shall be deemed to have been given on the next Business Day.
18 Governing Law and Jurisdiction
18.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
18.2 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims), save that Risk Ledger may elect to bring proceedings against the Organisation in the courts of any jurisdiction where the Organisation or any of its assets may be found or located.
19 Amendments to the Terms
19.1 Risk Ledger may make commercially reasonable changes to these terms and any connected documents from time to time, providing at least 30 days’ notice by one of more of the following methods prior to any material changes taking effect:
19.1.1 email to Authorised Users; and/or
19.1.2 providing a notification of the forthcoming update in the Services.
19.2 Any notice given under clause 19.1 shall be deemed to have been given at the time of sending or posting, as applicable.
19.3 Where a change to these terms by Risk Ledger under clause 19.1 affects the terms related to data privacy or security, such changes shall not reduce the overall security of the Services.
20 General
20.1 Except where otherwise expressly stated herein, this Agreement constitutes the entire agreement between the parties relating to the subject matter of this Agreement and supersedes any previous agreement or understanding whatsoever whether oral or written relating to the subject matter of this Agreement.
20.2 Unless otherwise stated, in the case of any conflict between the Order Form and these Terms of Service the Order Form shall prevail.
20.3 Except as amended pursuant to clause 19, no variation of the provisions of this Agreement will be valid unless confirmed in writing by the authorised signatories of both parties on or after the date of the last required signature on this Agreement.
20.4 Each party warrants to the other that they have the power and authority to enter into this Agreement and perform its obligations under this Agreement, and that entering into and performing its obligations under this Agreement will not cause it to breach any legal obligations.
20.5 This Agreement shall not be deemed to create any partnership or employment relationship between the parties.
20.6 Other than a Participant protecting its Confidential Information pursuant to clause 6 (Confidentiality and Participant Data), a person who is not party to this Agreement shall have no rights under the Contracts (Rights of Third Parties) Act 1999 or otherwise to enforce any term of this Agreement. The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this Agreement are not subject to the consent of any other person.
20.7 No act, failure or delay to act, or acquiescence by Risk Ledger or the Organisation in exercising any of its rights under this Agreement shall be deemed to be a waiver of that right or in any way prejudice any right of Risk Ledger or the Organisation under this Agreement, and no waiver by Risk Ledger of any breach of this Agreement by the Organisation shall be considered as a waiver of any subsequent breach of the same or any other provision. Any waiver or relaxation whether partly or wholly of any of the terms or conditions of this Agreement shall be valid only if in writing and signed by or on behalf of Risk Ledger and shall apply only to a particular occasion and shall not be continuing and further shall not constitute a waiver or relaxation of any other terms or conditions of this Agreement.
20.8 The rights and remedies provided in this Agreement for Risk Ledger are cumulative and not exclusive of any rights and remedies provided by law.
20.9 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement.
The following sections provide relevant details on service availability, monitoring of in-scope Services and related components.
1 Service Availability 1.1 Web based Services
1.2 Email Support
1.3 Support requests will be dealt with on a priority basis as determined by Risk Ledger. Priority is determined through a combination of impact and urgency, as described below. Support requests do not include new feature requests.
1.4 Priority Definitions:
Coverage parameters specific to the service(s) covered in this Agreement are as follows:
Risk Ledger’s web-based Services will be available for a minimum of 98% of time within each calendar month. Scheduled Maintenance will be excluded from downtime. “Available” means that the Site is operating, and all basic functions are accessible.
Email support is provided during Working Hours. Emails received outside of Working Hours will be collected, however no action can be guaranteed until commencement of Working Hours on the next Business Day.
Contact details for support are as follows: support@riskledger.com
Each support request shall be assigned a priority on receipt by Risk Ledger:
1.5 Target Response and Resolution Targets
Risk Ledger aims to respond and to satisfactorily resolve 90% of issues submitted to it within the targeted time, as specified below.
Target response and resolution times referenced above will be measured from whichever is the latter of:
1.6 Exceptions
When a support request requires information or support from an external vendor or more information from the Organisation, Risk Ledger may take longer than the above periods to resolve such issues. Such additional time will not be counted as part of the target resolution times.
2 Scheduled Maintenance
Risk Ledger will endeavour to provide the following minimum levels of notice in respect of Scheduled Maintenance:
1 Data Protection
1.1 Definitions
1.1.1 References to a “paragraph” in this Appendix are to the relevant paragraph of this Appendix indicated. The following additional definitions apply in this Appendix:
“Appropriate Safeguards” means such legally enforceable mechanism(s) for transfers of personal data as may be permitted under Data Protection Laws from time to time;
"C2C Transfer" means a transfer of personal data on a Controller to Controller basis;
"C2P Transfer" means a transfer of personal data on a Controller to Processor basis for the Data Importer to process such personal data on behalf of the Data Exporter;
“Controller”, “Processor”, “data subject”, “personal data” and “processing” shall have the meanings ascribed to them in the applicable Data Protection Laws;
"Data Exporter" means a party that transfers personal data (acting as a Controller) to another party in accordance with this Agreement;
"Data Importer" means a party that receives personal data (acting as a Controller or a Processor) from another party in accordance with this Agreement.
"Data Processing" means the specified acts of processing upon personal data by the Data Importer that are set out at Annex 1B.
“Data Protection Laws” means any applicable privacy and data protection law(s), including, if and where applicable, EU Data Protection Laws and UK Data Protection Laws;
“Data Subject Request” means a request made by a data subject to exercise any rights of data subjects under Data Protection Laws;
"EU Adequacy Finding" means a decision by the European Commission under Article 45 of the EU GDPR in relation to a country, territory or international organisation or one or more specified sectors ensures an adequate level of protection for personal data to which the EU GDPR applies;
"EU Data Protection Laws" means:
(i) all EU regulations applicable (in whole or in part) to the processing of personal data (such as Regulation (EU) 2016/679 (the "EU GDPR"));
(ii) the national laws of each EEA member state implementing any EU directive applicable (in whole or in part) to the Processing of Personal Data (such as Directive 2002/58/EC (the "e-Privacy Directive")); and
(iii) any other national laws of each EEA member state applicable (in whole or in part) to the Processing of Personal Data,
as amended or superseded from time to time;
"EU SCCs" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council;
"EU/UK Data Transfer Provisions" means the terms that apply when a Data Exporter transfers personal data subject to the EU GDPR and/or the UK GDPR to a Data Importer, as set out in Annex 3 of this Agreement.
"Minimum Security Measures" means the security measures specified in Annex 2 as may be updated or reissued by Risk Ledger from time to time;
“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any personal data processed under this Agreement in its capacity as Processor;
"Standard Contractual Clauses" means:
(i) (i) where the EU GDPR applies, the EU SCCs; and
(ii) (ii) where the UK GDPR applies, the UK SCCs;
“Sub-Processor” means another Processor engaged by Risk Ledger to carry out processing activities in respect of the Protected Data on behalf of the Organisation;
“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws;
"UK Adequacy Finding" means any regulations made by the Secretary of State under Section 17A of the Data Protection Act 2018 that a country, territory, sector or international organisation ensures an adequate level of protection for personal data to which the UK GDPR applies;
"UK Data Protection Laws" means:
as such may be amended or superseded from time to time;
"UK SCCs" means standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR.
1.2 Compliance, Controller and Processor
1.2.1 Each party shall process any personal data involved in the performance of this Agreement in compliance with:
a) their respective obligations under the Data Protection Laws; and
b) the terms of this Agreement.
1.2.2 Risk Ledger is the Controller with respect to Authorised Users’ account details and the contents of logs. For information about how Risk Ledger processes and protects such information, please see its Privacy Policy at https://riskledger.com/legal/privacy/.
1.2.3 In order to request a Supplier to complete a Profile, an Authorised User may need to input the business contact details of a Participant’s member of staff into the Services (“Protected Data”). For Protected Data, details of which are set out in Annex 1 to this Appendix, the Organisation is the Controller and Risk Ledger is the Processor. The remainder of this Appendix applies in respect of the Protected Data.
1.2.4 The Organisation warrants that:
a) its Authorised Users will only input Protected Data into the Services to the minimum extent that is reasonably required for the Organisation to make proper use of the Services in accordance with this Agreement; and
b) all Protected Data provided to Risk Ledger for processing pursuant to this Agreement shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Organisation ensuring that any required fair processing information and all necessary consents have been given to and received from the data subjects), with the Data Protection Laws.
1.2.5 Nothing in this Agreement shall require Risk Ledger to check or monitor the accuracy, contents or the Organisation’s use of any Protected Data.
1.3 Instructions and details of processing
1.3.1 Insofar as Risk Ledger processes Protected Data on behalf of the Organisation, Risk Ledger:
a) unless required to do otherwise by Data Protection Laws, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Organisation’s documented instructions as set out in this Appendix or as submitted by the Organisation in writing including via the Site or Services, and updated from time to time in accordance with the terms of this Agreement (the “Processing Instructions”);
b) if any applicable UK or EU member state law requires it to process Protected Data other than in accordance with the Processing Instructions, Risk Ledger shall notify the Organisation of any such requirement before undertaking such processing of the Protected Data (unless such applicable law prohibits such information on important grounds of public interest); and
c) shall inform the Organisation if Risk Ledger becomes aware of a Processing Instruction that, in Risk Ledger’s opinion, infringes any Data Protection Laws, provided that this shall be without prejudice to paragraph 1.2.4 and to the maximum extent permitted by mandatory law, Risk Ledger shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Organisation's Processing Instructions following the Organisation's receipt of that information.
1.4 Technical and organisational measures
1.4.1 Risk Ledger shall implement and maintain, at its cost and expense, the technical and organisational measures:
a) appropriate to the risk of processing, including the Minimum Security Measures set out in Annex 2 to this Appendix; and
b) taking into account the nature of the processing, to assist the Organisation insofar as is possible in the fulfilment of their obligations to respond to Data Subject Requests.
1.5 Using staff and other processors
1.5.1 The Organisation grants to Risk Ledger general authorisation to appoint Sub-Processors, and additional or replacement Sub-Processors. The Sub-Processors used by Risk Ledger are identified at: https://riskledger.com/privacy. Risk Ledger will provide 30 days' advance notice of its intention to appoint a new (or change) each Sub-Processor, and the Organisation may object to any such appointment or change.
1.5.2 Where the Organisation objects to the proposed appointment of a Sub-Processor under paragraph 1.5.1, Risk Ledger shall consider the reasons for the objection and take appropriate steps to ensure that the proposed appointment or change in Sub-Processors does not prevent Risk Ledger’s implementation of appropriate technical and organisational measures relating to data processing.
1.5.3 Risk Ledger shall:
a) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract enforceable by Risk Ledger containing materially the same obligations as under this Agreement;
b) ensure each such Sub-Processor complies with all such obligations; and
c) remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.
1.5.4 Risk Ledger shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
1.6 Assistance with Organisation's compliance and data subject rights
1.6.1 Risk Ledger shall provide such reasonable assistance as the Organisation reasonably requires (taking into account the nature of processing and the information available to Risk Ledger), to the Organisation in ensuring compliance with the Organisation's obligations under Data Protection Laws (and the Organisation will pay to Risk Ledger such costs as are reasonable in the circumstances) with respect to:
1.6.2 Risk Ledger shall refer all Data Subject Requests and any relevant notices and correspondence from a Supervisory Authority which it receives to the Organisation within three Business Days of receipt of the request.
a) security of processing;
b) data protection impact assessments (as such term is defined in Data Protection Laws);
c) prior consultation with a Supervisory Authority regarding high risk processing;
d) responding to Data Subject Requests; and
e) notifications to the Supervisory Authority and/or communications to data subjects by the Organisation in response to any Personal Data Breach.
1.7 International data transfers
1.7.1 Due to the international nature of supply chains, the Organisation agrees that Risk Ledger may transfer Protected Data to any country, provided all transfers by Risk Ledger of Protected Data shall (to the extent required under Data Protection Laws) be effected by way of Appropriate Safeguards and in accordance with Data Protection Laws.
1.7.2 If the Organisation is based in or is transferring to Risk Ledger personal data held by it in, an EEA member state, the provisions of paragraphs 1.7.3 and 1.7.4 shall apply. For this purpose, the Organisation shall be the Data Exporter, andRisk Ledger the Data Importer.
1.7.3 Where the Data Exporter performs a C2P Transfer of personal data to the Data Importer and the personal data is:
(a) subject to the EU GDPR; and/or
(b) subject to the UK GDPR;
then the parties shall additionally comply with Part B (C2P Transfers) and Part C (Supplemental EU/UK transfer requirements) of the EU/UK Data Transfer Provisions.
1.7.4 Where the Data Exporter performs a C2C Transfer of personal data to the Data Importer and the personal data is:
(a) subject to the EU GDPR; and/or
(b) subject to the UK GDPR;
then the parties shall additionally comply with Part A (C2c Transfers) and Part C (Supplemental EU/UK transfer requirements) of the EU/UK Data Transfer Provisions.
1.7.5 For any transfers of personal data between the Organisation and any other Participant via the Services involving an export of personal data from the EEA or the United Kingdom, where such transfer is not covered by another Appropriate Safeguard recognised in the Data Exporter’s jurisdiction, then until such time as another Appropriate Safeguard becomes applicable:
(a) the Organisation shall put in place the relevant Standard Contractual Clauses between the Organisation and other Participant; and
(b) where the Data Importer is processing personal data protected under the UK GDPR outside the UK in a territory not at that time subject to a UK Adequacy Finding, then the Organisation will ensure that the Data Importer complies with the terms of Clauses 14 and 15 of the EU SCCs or the equivalent.
1.7.6 If an alternative Appropriate Safeguard becomes available, an update of these terms to replace either or both of the Standard Contractual Clauses referenced in the EU/UK Data Transfer Provisions with such alternative Appropriate Safeguard (as is appropriate to the scope of that Appropriate Safeguard) shall be deemed reasonable for the purposes of Clause 19.1 of this Agreement.
1.8 Records, information and audit
1.8.1 Risk Ledger shall, in accordance with Data Protection Laws, make available to the Organisation such information as is reasonably necessary to demonstrate Risk Ledger's compliance with its obligations under this Appendix, and allow for and contribute to audits, including inspections, by the Organisation (or, subject to paragraph 1.8.2, another auditor mandated by the Organisation) for this purpose, subject to the Organisation:
a) being limited to one audit per year, except to the extent that the Data Protection Laws require more frequent audits;
b) giving Risk Ledger reasonable prior notice of such information request, audit and/or inspection being required by the Organisation;
c) ensuring that all information obtained or generated by the Organisation or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by the Data Protection Laws);
d) ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Risk Ledger's business and the business of its other customers; and
e) paying Risk Ledger's reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.
1.8.2 If a third party is to conduct an audit under paragraph 1.8.1, the third party must be mutually agreed to by the Organisation and Risk Ledger (except if such third party is a Supervisory Authority). Risk Ledger will not unreasonably withhold its consent to a third party auditor requested by the Organisation. The third party must execute a written confidentiality agreement acceptable to Risk Ledger or otherwise be bound by a statutory or legal confidentiality obligation.
1.9 Breach notification
1.9.1 In respect of any Personal Data Breach, Risk Ledger shall, without undue delay:
a) notify the Organisation of the Personal Data Breach; and
b) provide the Organisation with details of the Personal Data Breach.
1.10 Deletion or return of Organisation Data and copies
1.10.1 Risk Ledger shall, at the Organisation's written request, either delete or return all the Protected Data to the Organisation in such form as the Organisation reasonably requests within a reasonable time after the earlier of:
a) the end of the provision of the relevant Services related to processing; or
b) once processing by Risk Ledger of any Protected Data is no longer required for the purpose of Risk Ledger's performance of its relevant obligations under this Agreement, and
delete existing copies (unless storage of any data is required by applicable laws and, if so, Risk Ledger shall inform the Organisation of any such requirement).
Risk Ledger Limited is registered with the UK’s Information Commissioner’s Office (“ICO”) with reference number ZA485622.
Risk Ledger’s Data Protection Policy is published here: https://riskledger.com/privacy
For data protection matters please contact us by email at data@riskledger.com.
Subject matter: Protected Data as defined in paragraph 1.2.3.
Duration of Processing Activities: For the length of this Agreement to facilitate the Organisation’s use of the Services. Some Protected Data may be stored in encrypted backups for no longer than 1 month after termination of this Agreement.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous
Nature and Purpose of the Processing Activities: To enable the Organisation and Participants to get into contact with each other in relation to the Services.
Types of Personal Data: Business contact details.
Categories of Data Subject: Participants’ members of staff.
Identify the competent supervisory authority/ies in accordance with Clause 13
For transfers made under the EU SCCs, the competent supervisory authority will be determined in accordance with Clause 13 of the EU SCCs.
For transfers made under the UK SCCs, the competent supervisory authority will be the United Kingdom Information Commissioner's Office.
Measures of pseudonymisation and encryption of personal data
Data is encrypted at rest and in transit using AES-256 encryption.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Our system architecture is subject to regular penetration testing and we have a full information security programme implemented.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
We maintain a full IT disaster recovery process and business continuity process. This is tested annually.
We follow a strict backup policy which includes both online and offline backups.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
We run regular vulnerability scans of our internal and external environment. We conduct regular penetration testing of our production application and hosting infrastructure.
Measures for the protection of data during transmission
We enforce multifactor authentication on all user accounts. We technically enforce a complex password policy.
Measures for the protection of data during storage
Data is encrypted at rest and in transit using AES-256 encryption. We enforce a TLS version of 1.2 or greater.
Measures for ensuring physical security of locations at which personal data are processed
Data is encrypted at rest and in transit using AES-256 encryption. Our data is stored within secure data centres with strong physical security controls.
Measures for ensuring events logging
Data is stored within our production environment that has strict physical security policies in place. Physical controls include CCTV, alarmed perimeters, and armed security.
Measures for user identification and authorisation
We utilise a gold standard logging solution that centralises all our events and logs from across our environment. These are monitored with automated alerts triggered if thresholds are met.
Measures for ensuring system configuration, including default configuration
System configuration is maintained by using a defined CI/CD pipeline (with security and quality testing built in) with infrastructure as code, subject to multiple approvals before deployment.
Measures for internal IT and IT security governance and management
We maintain a full ISMS which covers a full suite of security policies and processes. Security is managed by our CEO with support from defined members of staff with their roles documented.
Measures for certification/assurance of processes and products
Risk Ledger undertakes regular internal reviews of it’s security, and regular external reviews for certification against a variety of standards, including Cyber Essentials and Cyber Essentials Plus.
Measures for ensuring data minimisation
We conduct regular reviews of the data we collect to ensure we have a need to collect it. This is further supported by us enforcing the principle of least privilege across the company.
Measures for ensuring limited data retention
We enforce data validation on all input fields.
Measures for allowing data portability and ensuring erasure]
All data is retained in line with our data retention schedule which is technically enforced.
Measures for ensuring data quality
We require all users to have their user account with a unique ID. We keep auditable logs of events and actions within the platform. We enforce multi-factor authentication on all user accounts.
Measures for ensuring accountability
We have a defined process for ensuring data portability in line with our GDPR requirements. Upon request, personal data is deleted from our platform using a secure delete script.
1.1 C2C Transfers – EU GDPR: Where the Data Importer is processing as a Controller personal data protected under the EU GDPR outside the EEA in a territory or sector not at that time subject to an EU Adequacy Finding then, the EU SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Exporter and that Data Importer in relation to that personal data and completed as follows:
a) Module One will apply;
b) in Clause 7, the optional docking Clause will not apply;
c) in Clause 11, the optional language will not apply;
d) in Clause 17 (Option 1), the EU SCCs will be governed by Irish law;
e) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
f) in Annex I:
(i) Part A: with the information set out in Annex 4 to this Agreement;
(ii) Part B: with the relevant Processing details set out in Annex 1 to this Agreement; and
(iii) Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
g) Annex II: with the Minimum Security Measures, in the format set out at Annex 2 to this Agreement.
1.2 C2C Transfers – UK GDPR: Where the Data Importer is processing as a Controller personal data protected under the UK GDPR outside the UK in a territory or sector not at that time subject to a UK Adequacy Finding, then the UK SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Exporter and that Data Importer in relation to that personal data and completed as follows:
a) For so long as it is lawfully permitted to rely on the standard contractual clauses for the transfer of personal data to controllers set out in the European Commission's Decision 2004/915/EC of 27 December 2004 (“Prior C2C SCCs”) for transfers of personal data from the United Kingdom, the Prior C2C SCCs shall apply between the transferring Data Exporter and the Data Importer on the following basis:
(i) in Clause II (h): the Data Importer and Data Exporter choose option (iii);
(ii) in Annex B: with the information set out in the relevant part of Annex 1 to this Agreement; and
(iii) the "Illustrative Commercial Clauses (Optional)" shall be deemed deleted.
b) Where sub-clause (a) above does not apply, but the Data Exporter and Data Importer are lawfully permitted to rely on the EU SCCs for transfers of UK personal data subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
(i) The EU SCCs, completed as set out above in clause 1.1 of this Part A, shall also apply to transfers of such personal data, subject to sub-clause (b)(ii) below;
(ii) The UK Addendum shall be deemed executed between the transferring Data Exporter and the Data Importer, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such personal data.
c) If neither sub-clause (a) or sub-clause (b) applies, then the transferring Data Exporter and the Data Importer shall cooperate in good faith to implement appropriate safeguards for transfers of such personal data as required or permitted by the UK GDPR without undue delay.
1.1 C2P Transfers – EU GDPR: Where the Data Importer is processing as a Processor personal data protected under the EU GDPR outside the EEA in a territory or sector not at that time subject to an EU Adequacy Finding then, the EU SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Exporter and that Data Importer in relation to that personal data and completed as follows:
(d) Module Two will apply;
(e) in Clause 7, the optional docking Clause will not apply;
f) in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in paragraph 1.5.1 of Appendix 2 to this Agreement;
g) in Clause 11, the optional language will not apply;
h) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by English law;
i) in Clause 18(b), disputes shall be resolved before the courts of England;
j) in Annex I:
(i) Part A: with the information set out in Annex 4 to this Agreement;
(ii) Part B: with the relevant Processing details set out in Annex 1 to this Agreement; and
(iii) Part C: in accordance with the criteria set out in Clause 13(a) of the EU SCCs;
k) Annex II: with the Minimum Security Measures.
1.2 C2P Transfers – UK GDPR: Where the Data Importer is processing as a Processor personal data protected under the UK GDPR outside the UK in a territory not at that time subject to a UK Adequacy Finding, then, the UK SCCs will be deemed entered into (and incorporated into this Agreement by this reference) between the transferring Data Exporter and that Data Importer in relation to that personal data and completed as follows:
a) For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between the transferring Data Exporter and the Data Importer on the following basis:
(i) in Appendix 1: with the information set out in the relevant part of Annex 1 to this Agreement;
(ii) in Appendix 2: with Annex 2 (Minimum Security Measures) to this Agreement; and
(iii) the optional illustrative indemnification Clause will not apply.
b) Where sub-clause (a) above does not apply, but the Data Exporter and Data Importer are lawfully permitted to rely on the EU SCCs for transfers of UK personal data subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
(i) The EU SCCs, completed as set out above in paragraph 1.1 of this Part A, shall also apply to transfers of such personal data, subject to sub-paragraph (b)(ii) below;
(ii) The UK Addendum shall be deemed executed between the transferring Data Exporter and the Data Importer, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such personal data.
c) If neither sub-paragraph (a) or sub-paragraph (b) applies, then the transferring Data Exporter and the Data Importer shall cooperate in good faith to implement appropriate safeguards for transfers of such personal data as required or permitted by the UK GDPR without undue delay.
Part C: Supplemental EU/UK transfer requirements
1.1 Additional transfer requirements: The following additional terms shall also apply to the above-mentioned C2C Transfers and C2P Transfers:
d) If there is any conflict between this Agreement and the Standard Contractual Clauses applicable to the Data Exporter's transfer of personal data to a Data Importer, those Standard Contractual Clauses will prevail;
e) In the event that the European Commission or the UK government (as applicable) agrees a successor solution to the EU-US Privacy Shield and the Data Importer becomes lawfully able to receive or process the relevant personal data under such successor solution (whether by virtue of self-certification under it or otherwise), then:
(i) that successor solution shall automatically be deemed to apply to the transfer of personal data from the Data Exporter to the Data Importer from the EEA or the UK so long as it remains valid;
(ii) the relevant Standard Contractual Clauses shall no longer apply to that transfer; and
(iii) in the event that solution is terminated or becomes invalid, or is no longer applicable to the Data Importer, then the Standard Contractual Clauses shall once again apply.
f) Where the Data Importer is Processing personal data protected under the UK GDPR outside the UK in a territory not at that time subject to a UK Adequacy Finding, then Clauses 14 and 15 of the EU SCCs shall be deemed incorporated into this Agreement so as to also apply to that data with any changes deemed made to reflect the applicability of the UK GDPR to that data as opposed to the EU GDPR.
Name: The Organisation, as defined in the Agreement.
Address: As provided by the Organisation at the time of registration on the Site.
Contact person’s name, position and contact details: As provided by the Organisation at the time of registration on the Site.
Activities relevant to the data transferred under these Clauses: To enable the Organisation and Participants to contact each other in relation to the Services.
Signature and date: This Annex 4 shall be deemed executed upon the Organisation entering into the Agreement.
Role (controller/processor): Controller.
Name: Risk Ledger Ltd.
Address: Adam House, 7-10 Adam Street, London, WC2N 6AA, or if sent by email, to legal@riskledger.com.
Contact person’s name, position and contact details: Haydn Brooks, CEO. data@riskledger.com.
Activities relevant to the data transferred under these Clauses: To enable the Organisation and Participants to contact each other in relation to the Services.
Signature and date: This Annex 4 shall be deemed executed upon the Organisation entering into the Agreement.
Role (controller/processor): Risk Ledger is a processor in relation to Protected Data (as defined in the Agreement). Risk Ledger is a controller with respect to Authorised Users’ (as defined in the Agreement) account details and the contents of logs.
No organisation is an island.