SaaS agreement DATE [Date] PARTIES 1. [[INDIVIDUAL NAME] of [address]] OR [[COMPANY NAME], a company incorporated in [England and Wales] (registration number [registration number]) having its registered office at [address]] OR [[PARTNERSHIP NAME], a partnership established under the laws of [England and Wales] having its principal place of business at [address]] (the "Provider"); and 2. [[INDIVIDUAL NAME] of [address]] OR [[COMPANY NAME], a company incorporated in [England and Wales] (registration number [registration number]) having its registered office at [address]] OR [[PARTNERSHIP NAME], a partnership established under the laws of [England and Wales] having its principal place of business at [address]] (the "Customer"). AGREEMENT 1. Definitions 1.1 In this Agreement[, except to the extent expressly provided otherwise]: "Account" means an account enabling a person to access and use the Hosted Services[, including both administrator accounts and user accounts]; "Agreement" means this agreement including any Schedules, and any amendments to this Agreement from time to time; "Business Day" means any weekday other than a bank or public holiday in [England]; "Business Hours" means the hours of [09:00 to 17:00 GMT/BST] on a Business Day; "Charges" means the following amounts: (a) [the amounts specified in Part 2 of Schedule 1 (Hosted Services particulars)]; (b) [such amounts as may be agreed in writing by the parties from time to time]; and (c) [amounts calculated by multiplying the Provider's [standard time-based charging rates (as notified by the Provider to the Customer before the date of this Agreement)] by the time spent by the Provider's personnel performing [the Support Services] (rounded [down by the Provider to the nearest quarter hour])]; [additional list items] "Customer Confidential Information" means: (a) any information disclosed by [or on behalf of ]the Customer to the Provider [during the Term] OR [at any time before the termination of this Agreement] (whether disclosed in writing, orally or otherwise) that at the time of disclosure: (i) was marked[ or described] as "confidential"; or (ii) should have been reasonably understood by the Provider to be confidential; and (b) [the Customer Data]; [additional list items] "Customer Data" means [all data, works and materials: uploaded to or stored on the Platform by the Customer; transmitted by the Platform at the instigation of the Customer; supplied by the Customer to the Provider for uploading to, transmission by or storage on the Platform; or generated by the Platform as a result of the use of the Hosted Services by the Customer (but excluding analytics data relating to the use of the Platform and server log files)]; "Customer Personal Data" [means any Personal Data that is processed by the Provider on behalf of the Customer in relation to this Agreement][, but excluding [data] with respect to which the Provider is a data controller]; "Data Protection Laws" means [all applicable laws relating to the processing of Personal Data including, while it is in force and applicable to Customer Personal Data, the General Data Protection Regulation (Regulation (EU) 2016/679)]; "Documentation" means [the documentation for the Hosted Services produced by the Provider and delivered or made available by the Provider to the Customer]; "Effective Date" means [the date of execution of this Agreement]; "Force Majeure Event" means [an event, or a series of related events, that is outside the reasonable control of the party affected (including failures of the internet or any public telecommunications network, hacker attacks, denial of service attacks, virus or other malicious software attacks or infections, power failures, industrial disputes affecting any third party, changes to the law, disasters, explosions, fires, floods, riots, terrorist attacks and wars]); "Hosted Services" means [name of hosted services][, as specified [in the Hosted Services Specification],] which will be made available by the Provider to the Customer as a service via the internet in accordance with this Agreement; "Hosted Services Defect" means a defect, error or bug in the Platform having [an adverse effect] OR [a material adverse effect] on [ the appearance, operation, functionality or performance] of the Hosted Services[, but excluding any defect, error or bug caused by or arising as a result of: (a) [any act or omission of the Customer or any person authorised by the Customer to use the Platform or Hosted Services]; (b) [any use of the Platform or Hosted Services contrary to the Documentation, whether by the Customer or by any person authorised by the Customer]; (c) [a failure of the Customer to perform or observe any of its obligations in this Agreement]; and/or (d) [an incompatibility between the Platform or Hosted Services and any other system, network, application, program, hardware or software not specified as compatible in the Hosted Services Specification];] "Hosted Services Specification" means the specification for the Platform and Hosted Services set out in [Part 1 of Schedule 1 (Hosted Services particulars) and in the Documentation]; "Intellectual Property Rights" means [all intellectual property rights wherever in the world, whether registrable or unregistrable, registered or unregistered, including any application or right of application for such rights (and these "intellectual property rights" include copyright and related rights, database rights, confidential information, trade secrets, know-how, business names, trade names, trade marks, service marks, passing off rights, unfair competition rights, patents, petty patents, utility models, semi-conductor topography rights and rights in designs)]; "Maintenance Services" means the general maintenance of the Platform and Hosted Services, and the application of Updates and Upgrades; "Mobile App" means the mobile application known as [mobile application name] that is made available by the Provider through [the Google Play Store and the Apple App Store]; "Personal Data" [has the meaning given to it in the Data Protection Laws][ applicable in [the United Kingdom] from time to time]; "Platform" means [the platform managed by the Provider and used by the Provider to provide the Hosted Services][, including [the application and database software for the Hosted Services, the system and server software used to provide the Hosted Services, and the computer hardware on which that application, database, system and server software is installed]]; "Schedule" means any schedule attached to the main body of this Agreement; "Services" means [any services that the Provider provides to the Customer, or has an obligation to provide to the Customer, under this Agreement]; "Support Services" means support in relation to [the use of, and the identification and resolution of errors in, the Hosted Services, but shall not include the provision of training services]; "Supported Web Browser" means [the current release from time to time of Microsoft Edge, Mozilla Firefox, Google Chrome or Apple Safari][, or any other web browser that the Provider agrees in writing shall be supported]; "Term" means [the term of this Agreement, commencing in accordance with Clause 3.1 and ending in accordance with Clause 3.2]; "Update" means [a hotfix, patch or minor version update to any Platform software]; and "Upgrade" means [a major version upgrade of any Platform software]. 2. Credit 2.1 This document was created using a template from SEQ Legal (https://seqlegal.com). You must retain the above credit. Use of this document without the credit is an infringement of copyright. However, you can purchase from us an equivalent document that does not include the credit. 3. Term 3.1 This Agreement shall come into force upon the Effective Date. 3.2 This Agreement shall continue in force [indefinitely] OR [until [date], at the beginning of which this Agreement shall terminate automatically] OR [until [event], upon which this Agreement shall terminate automatically], subject to termination in accordance with Clause 18 or any other provision of this Agreement. 4. Hosted Services 4.1 [The Provider shall ensure that the Platform will[, on the Effective Date,] automatically generate an Account for the Customer and provide to the Customer login details for that Account.] OR [The Provider shall create an Account for the Customer and shall provide to the Customer login details for that Account[ on or promptly following the Effective Date].] 4.2 The Provider hereby grants to the Customer a [worldwide, non-exclusive] licence to use the Hosted Services[ by means of [a Supported Web Browser]][ for [the internal business purposes of the Customer]][ in accordance with the Documentation] during the Term. 4.3 The licence granted by the Provider to the Customer under Clause 4.2 is subject to the following limitations: (a) [the Hosted Services may only be used by [the officers, employees, agents and subcontractors of the Customer]]; (b) [the Hosted Services may only be used by the named users identified in [Schedule 1 (Hosted Services particulars)] OR [[identify document]], providing that the Customer may change, add or remove a designated named user in accordance with [the procedure set out therein]]; and (c) [the Hosted Services must not be used at any point in time by more than the number of concurrent users specified in [Schedule 1 (Hosted Services particulars)] OR [[identify document]], providing that the Customer may add or remove concurrent user licences in accordance with [the procedure set out therein]]. [additional list items] 4.4 Except to the extent expressly permitted in this Agreement or required by law on a non-excludable basis, the licence granted by the Provider to the Customer under Clause 4.2 is subject to the following prohibitions: (a) [the Customer must not sub-license its right to access and use the Hosted Services]; (b) [the Customer must not permit any unauthorised person to access or use the Hosted Services]; (c) [the Customer must not use the Hosted Services to provide services to third parties]; (d) [the Customer must not republish or redistribute any content or material from the Hosted Services]; (e) [the Customer must not make any alteration to the Platform[, except as permitted by the Documentation]]; and (f) [the Customer must not conduct or request that any other person conduct any load testing or penetration testing on the Platform or Hosted Services [without the prior written consent of the Provider]]. [additional list items] 4.5 The Customer shall use reasonable endeavours, including reasonable security measures relating to[ administrator] Account access details, to ensure that no unauthorised person may gain access to the Hosted Services using an[ administrator] Account. 4.6 The Provider shall use[ all] reasonable endeavours to maintain the availability of the Hosted Services to the Customer [at the gateway between the public internet and the network of the hosting services provider for the Hosted Services], but does not guarantee 100% availability. 4.7 For the avoidance of doubt, downtime caused directly or indirectly by any of the following shall not be considered a breach of this Agreement: (a) a Force Majeure Event; (b) a fault or failure of the internet or any public telecommunications network; (c) a fault or failure of the Customer's computer systems or networks; (d) any breach by the Customer of this Agreement; or (e) scheduled maintenance carried out in accordance with this Agreement. [additional list items] 4.8 The Customer must comply with Schedule 2 (Acceptable Use Policy), and must ensure that all persons using the Hosted Services with the authority of the Customer or by means of an[ administrator] Account comply with Schedule 2 (Acceptable Use Policy). 4.9 The Customer must not use the Hosted Services in any way that causes, or may cause, damage to the Hosted Services or Platform or impairment of the availability or accessibility of the Hosted Services. 4.10 The Customer must not use the Hosted Services: (a) in any way that is unlawful, illegal, fraudulent or harmful; or (b) in connection with any unlawful, illegal, fraudulent or harmful purpose or activity. 4.11 For the avoidance of doubt, the Customer has no right to access the software code (including object code, intermediate code and source code) of the Platform, either during or after the Term. 4.12 The Provider may suspend the provision of the Hosted Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least [30 days'] written notice, following the amount becoming overdue, of its intention to suspend the Hosted Services on this basis. 5. Maintenance Services 5.1 The Provider shall provide the Maintenance Services to the Customer [during the Term]. 5.2 The Provider shall where practicable give to the Customer [at least 10 Business Days'] prior written notice of scheduled Maintenance Services that are likely to affect the availability of the Hosted Services or are likely to have a material negative impact upon the Hosted Services, without prejudice to the Provider's other notice obligations under this main body of this Agreement. 5.3 The Provider shall give to the Customer [at least 10 Business Days'] prior written notice of the application of an Upgrade to the Platform. 5.4 The Provider shall give to the Customer written notice of the application of any security Update to the Platform and [at least 10 Business Days'] prior written notice of the application of any non-security Update to the Platform. 5.5 The Provider shall provide the Maintenance Services [with reasonable skill and care] OR [in accordance with the standards of skill and care reasonably expected from a leading service provider in the Provider's industry] OR [[specify standard(s)]]. 5.6 The Provider may suspend the provision of the Maintenance Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least [30 days'] written notice, following the amount becoming overdue, of its intention to suspend the Maintenance Services on this basis. 6. Support Services 6.1 The Provider shall provide the Support Services to the Customer [during the Term]. 6.2 The Provider shall make available to the Customer a helpdesk in accordance with the provisions of this main body of this Agreement. 6.3 The Provider shall provide the Support Services [with reasonable skill and care] OR [in accordance with the standards of skill and care reasonably expected from a leading service provider in the Provider's industry] OR [[specify standard(s)]]. 6.4 The Customer may use the helpdesk [for the purposes of requesting and, where applicable, receiving the Support Services]; and the Customer must not use the helpdesk for any other purpose. 6.5 The Provider shall respond promptly to all requests for Support Services made by the Customer through the helpdesk. 6.6 The Provider may suspend the provision of the Support Services if any amount due to be paid by the Customer to the Provider under this Agreement is overdue, and the Provider has given to the Customer at least [30 days'] written notice, following the amount becoming overdue, of its intention to suspend the Support Services on this basis. 7. Customer Data 7.1 The Customer hereby grants to the Provider a non-exclusive licence to [copy, reproduce, store, distribute, publish, export, adapt, edit and translate] the Customer Data to the extent reasonably required for the performance of the Provider's obligations and the exercise of the Provider's rights under this Agreement[. The Customer also grants to the Provider the right to sub-license these rights [to its hosting, connectivity and telecommunications service providers,] subject to any express restrictions elsewhere in this Agreement]. 7.2 The Customer warrants to the Provider that [the Customer Data] OR [the Customer Data when used by the Provider in accordance with this Agreement] will not infringe the Intellectual Property Rights[ or other legal rights] of any person[, and will not breach [the provisions of any law, statute or regulation],] in [any jurisdiction and under any applicable law]. 7.3 The Provider shall create a back-up copy of [the Customer Data] at least [daily], shall ensure that each such copy is sufficient to [enable the Provider to restore the Hosted Services to the state they were in at the time the back-up was taken], and shall [retain and securely store each such copy for a minimum period of 30 days]. 7.4 [Within the period of 1 Business Day following receipt of a written request from the Customer], the Provider shall [use all reasonable endeavours to] restore to the Platform the Customer Data stored [in any back-up copy created and stored by the Provider in accordance with Clause 7.3]. The Customer acknowledges that this process will overwrite the Customer Data stored on the Platform prior to the restoration. 8. Mobile App 8.1 The parties acknowledge and agree that the use of the Mobile App, the parties' respective rights and obligations in relation to the Mobile App and any liabilities of either party arising out of the use of the Mobile App shall be subject to separate terms and conditions, and accordingly this Agreement shall not govern any such use, rights, obligations or liabilities. 9. No assignment of Intellectual Property Rights 9.1 Nothing in this Agreement shall operate to assign or transfer any Intellectual Property Rights from the Provider to the Customer, or from the Customer to the Provider. 10. Charges 10.1 The Customer shall pay the Charges to the Provider in accordance with this Agreement. 10.2 If the Charges are based in whole or part upon the time spent by the Provider performing the Services, the Provider must obtain the Customer's written consent before performing Services that result in any estimate of time-based Charges given to the Customer being exceeded or any budget for time-based Charges agreed by the parties being exceeded; and unless the Customer agrees otherwise in writing, the Customer shall not be liable to pay to the Provider any Charges in respect of Services performed in breach of this Clause 10.2. 10.3 All amounts stated in or in relation to this Agreement are, unless the context requires otherwise, stated [inclusive of any applicable value added taxes] OR [exclusive of any applicable value added taxes, which will be added to those amounts and payable by the Customer to the Provider]. 10.4 The Provider may elect to vary [any element of the Charges] by giving to the Customer not less than [30 days'] written notice of the variation[ expiring [on any anniversary of the date of execution of this Agreement]][, providing that no such variation shall result in an aggregate percentage increase in the relevant element of the Charges during the Term that exceeds[[ 2]% per annum over] the percentage increase, during the same period, in [the Retail Prices Index (all items) published by the UK Office for National Statistics]]. 11. Payments 11.1 The Provider shall issue invoices for the Charges to the Customer [in advance of the period to which they relate] OR [from time to time during the Term] OR [on or after the invoicing dates set out in Part 2 of Schedule 1 (Hosted Services particulars)]. 11.2 The Customer must pay the Charges to the Provider within the period of [30 days] following [the issue of an invoice in accordance with this Clause 11] OR [the receipt of an invoice issued in accordance with this Clause 11][, providing that the Charges must in all cases be paid before the commencement of the period to which they relate]. 11.3 The Customer must pay the Charges by [debit card, credit card, direct debit, bank transfer or cheque] (using such payment details as are notified by the Provider to the Customer from time to time). 11.4 If the Customer does not pay any amount properly due to the Provider under this Agreement, the Provider may: (a) charge the Customer interest on the overdue amount at the rate of [8% per annum above the Bank of England base rate from time to time] (which interest will accrue daily until the date of actual payment and be compounded at the end of each calendar month); or (b) claim interest and statutory compensation from the Customer pursuant to the Late Payment of Commercial Debts (Interest) Act 1998. 12. Provider's confidentiality obligations 12.1 The Provider must: (a) keep the Customer Confidential Information strictly confidential; (b) not disclose the Customer Confidential Information to any person without the Customer's prior written consent[, and then only under conditions of confidentiality [approved in writing by the Customer] OR [no less onerous than those contained in this Agreement]]; (c) use the same degree of care to protect the confidentiality of the Customer Confidential Information as the Provider uses to protect the Provider's own confidential information of a similar nature, being at least a reasonable degree of care; (d) [act in good faith at all times in relation to the Customer Confidential Information]; and (e) [not use any of the Customer Confidential Information for any purpose other than [specify purposes]]. 12.2 Notwithstanding Clause 12.1, the Provider may disclose the Customer Confidential Information to the Provider's [officers, employees, professional advisers, insurers, agents and subcontractors] [who have a need to access the Customer Confidential Information for the performance of their work with respect to this Agreement and ]who are bound by a written agreement or professional obligation to protect the confidentiality of the Customer Confidential Information. 12.3 This Clause 12 imposes no obligations upon the Provider with respect to Customer Confidential Information that: (a) is known to the Provider before disclosure under this Agreement and is not subject to any other obligation of confidentiality; (b) is or becomes publicly known through no act or default of the Provider; or (c) [is obtained by the Provider from a third party in circumstances where the Provider has no reason to believe that there has been a breach of an obligation of confidentiality]. 12.4 The restrictions in this Clause 12 do not apply to the extent that any Customer Confidential Information is required to be disclosed by any law or regulation, by any judicial or governmental order or request, or pursuant to disclosure requirements relating to the listing of the stock of the Provider on any recognised stock exchange. 12.5 The provisions of this Clause 12 shall continue in force [indefinitely following the termination of this Agreement] OR [for a period of [5 years] following the termination of this Agreement, at the end of which period they will cease to have effect]. 13. Data protection 13.1 [The Provider] OR [Each party] shall comply with the Data Protection Laws with respect to the processing of the Customer Personal Data. 13.2 The Customer warrants to the Provider that it has the legal right to disclose all Personal Data that it does in fact disclose to the Provider under or in connection with this Agreement. 13.3 The Customer shall only supply to the Provider, and the Provider shall only process, in each case under or in relation to this Agreement, the Personal Data of data subjects falling within the categories specified in Part 1 of Schedule 3 (Data processing information) and of the types specified in Part 2 of Schedule 3 (Data processing information); and the Provider shall only process the Customer Personal Data for the purposes specified in Part 3 of Schedule 3 (Data processing information). 13.4 The Provider shall only process the Customer Personal Data during the Term[ and for not more than [30 days] following the end of the Term], subject to the other provisions of this Clause 13. 13.5 The Provider shall only process the Customer Personal Data on the documented instructions of the Customer (including with regard to transfers of the Customer Personal Data to [any place outside the European Economic Area])[, as set out in [this Agreement or any other document agreed by the parties in writing]]. 13.6 The Provider shall promptly inform the Customer if, in the opinion of the Provider, an instruction of the Customer relating to the processing of the Customer Personal Data infringes the Data Protection Laws. 13.7 Notwithstanding any other provision of this Agreement, the Provider may process the Customer Personal Data if and to the extent that the Provider is required to do so by [applicable law]. In such a case, the Provider shall inform the Customer of the legal requirement before processing, unless that law prohibits such information[ on important grounds of public interest]. 13.8 The Provider shall ensure that persons authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 13.9 The Provider and the Customer shall each implement appropriate technical and organisational measures to ensure an appropriate level of security for the Customer Personal Data[, including those measures specified in Part 4 of Schedule 3 (Data processing information)]. 13.10 The Provider must not engage any third party to process the Customer Personal Data without the prior specific or general written authorisation of the Customer. In the case of a general written authorisation, the Provider shall inform the Customer at least [14 days] in advance of any intended changes concerning the addition or replacement of any third party processor, and if the Customer objects to any such changes before their implementation, then [the Provider must not implement the changes] OR [the Customer may terminate this Agreement on [7 days'] written notice to the Provider, providing that such notice must be given within the period of [7 days] following the date that the Provider informed the Customer of the intended changes] OR [specify consequences of objection]. The Provider shall ensure that each third party processor is subject to [the same] OR [equivalent] legal obligations as those imposed on the Provider by this Clause 13. 13.11 As at the Effective Date, the Provider is hereby authorised by the Customer to engage, as sub-processors with respect to Customer Personal Data, [the third parties identified in] OR [third parties within the categories identified in] OR [the third parties, and third parties within the categories, identified in] Part 5 of Schedule 3 (Data processing information). 13.12 The Provider shall, insofar as possible and taking into account the nature of the processing, take appropriate technical and organisational measures to assist the Customer with the fulfilment of the Customer's obligation to respond to requests exercising a data subject's rights under the Data Protection Laws. 13.13 The Provider shall assist the Customer in ensuring compliance with [the obligations relating to the security of processing of personal data, the notification of personal data breaches to the supervisory authority, the communication of personal data breaches to the data subject, data protection impact assessments and prior consultation in relation to high-risk processing under the Data Protection Laws]. The Provider shall report any Personal Data breach relating to the Customer Personal Data to the Customer within [24 hours] following the Provider becoming aware of the breach. [ The Provider may charge the Customer [at its standard time-based charging rates] for any work performed by the Provider at the request of the Customer pursuant to this Clause 13.13.] 13.14 The Provider shall make available to the Customer all information necessary to demonstrate the compliance of the Provider with [its obligations under this Clause 13 and the Data Protection Laws]. 13.15 The Provider shall, at the choice of the Customer, delete or return all of the Customer Personal Data to the Customer after the provision of services relating to the processing, and shall delete existing copies save to the extent that [applicable law] requires storage of the relevant Personal Data. 13.16 The Provider shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer[ in respect of [the compliance of the Provider's processing of Customer Personal Data with the Data Protection Laws and this Clause 13]].[ The Provider may charge the Customer [at its standard time-based charging rates] for any work performed by the Provider at the request of the Customer pursuant to this Clause 13.16.] 13.17 If any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to processing of Personal Data carried out under this Agreement, then the parties shall use their best endeavours promptly to agree such variations to this Agreement as may be necessary to remedy such non-compliance. 14. Warranties 14.1 The Provider warrants to the Customer that: (a) [the Provider has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement]; (b) [the Provider will comply with all applicable legal and regulatory requirements applying to the exercise of the Provider's rights and the fulfilment of the Provider's obligations under this Agreement]; and (c) [the Provider has or has access to all necessary know-how, expertise and experience to perform its obligations under this Agreement]. [additional list items] 14.2 The Provider warrants to the Customer that: (a) [the Platform and Hosted Services will conform in all[ material] respects with the Hosted Services Specification]; (b) [the Hosted Services will be free from Hosted Services Defects]; (c) [the application of Updates and Upgrades to the Platform by the Provider will not introduce any Hosted Services Defects into the Hosted Services]; (d) [the Platform will be free from viruses, worms, Trojan horses, ransomware, spyware, adware and other malicious software programs]; and (e) [the Platform will incorporate security features reflecting the requirements of good industry practice]. [additional list items] 14.3 The Provider warrants to the Customer that the Hosted Services[, when used by the Customer in accordance with this Agreement,] will not breach [any laws, statutes or regulations applicable under English law]. 14.4 The Provider warrants to the Customer that the Hosted Services, when used by the Customer in accordance with this Agreement, will not infringe the Intellectual Property Rights of any person [in any jurisdiction and under any applicable law]. 14.5 If the Provider reasonably determines, or any third party alleges, that the use of the Hosted Services by the Customer in accordance with this Agreement infringes any person's Intellectual Property Rights, the Provider may at its own cost and expense: (a) modify the Hosted Services in such a way that they no longer infringe the relevant Intellectual Property Rights; or (b) procure for the Customer the right to use the Hosted Services in accordance with this Agreement. 14.6 The Customer warrants to the Provider that it has the legal right and authority to enter into this Agreement and to perform its obligations under this Agreement. 14.7 All of the parties' warranties and representations in respect of the subject matter of this Agreement are expressly set out in this Agreement. To the maximum extent permitted by applicable law, no other warranties or representations concerning the subject matter of this Agreement will be implied into this Agreement or any related contract. 15. Acknowledgements and warranty limitations 15.1 The Customer acknowledges that complex software is never wholly free from defects, errors and bugs; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Hosted Services will be wholly free from defects, errors and bugs. 15.2 The Customer acknowledges that complex software is never entirely free from security vulnerabilities; and subject to the other provisions of this Agreement, the Provider gives no warranty or representation that the Hosted Services will be entirely secure. 15.3 The Customer acknowledges that the Hosted Services are designed to be compatible only with that software and those systems [specified as compatible in the Hosted Services Specification]; and the Provider does not warrant or represent that the Hosted Services will be compatible with any other software or systems. 15.4 The Customer acknowledges that the Provider will not provide any [legal, financial, accountancy or taxation advice] under this Agreement or in relation to the Hosted Services; and, except to the extent expressly provided otherwise in this Agreement, the Provider does not warrant or represent that the Hosted Services or the use of the Hosted Services by the Customer will not give rise to any legal liability on the part of the Customer or any other person. 16. Limitations and exclusions of liability 16.1 Nothing in this Agreement will: (a) limit or exclude any liability for death or personal injury resulting from negligence; (b) limit or exclude any liability for fraud or fraudulent misrepresentation; (c) limit any liabilities in any way that is not permitted under applicable law; or (d) exclude any liabilities that may not be excluded under applicable law. 16.2 The limitations and exclusions of liability set out in this Clause 16 and elsewhere in this Agreement: (a) are subject to Clause 16.1; and (b) govern all liabilities arising under this Agreement or relating to the subject matter of this Agreement, including liabilities arising in contract, in tort (including negligence) and for breach of statutory duty, except to the extent expressly provided otherwise in this Agreement. 16.3 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any losses arising out of a Force Majeure Event. 16.4 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any loss of profits or anticipated savings. 16.5 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any loss of revenue or income. 16.6 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any loss of use or production. 16.7 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any loss of business, contracts or opportunities. 16.8 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any loss or corruption of any data, database or software[; providing that this Clause 16.8 shall not protect the Provider unless the Provider has fully complied with its obligations under Clause 7.3 and Clause 7.4]. 16.9 [Neither party shall be liable to the other party] OR [The Provider shall not be liable to the Customer] OR [The Customer shall not be liable to the Provider] in respect of any special, indirect or consequential loss or damage. 16.10 The liability of [each party to the other party] OR [the Provider to the Customer] OR [the Customer to the Provider] under this Agreement in respect of any event or series of related events shall not exceed the greater of: (a) [amount]; and (b) [the total amount paid and payable by the Customer to the Provider under this Agreement in the 12 month period preceding the commencement of the event or events]. 16.11 The aggregate liability of [each party to the other party] OR [the Provider to the Customer] OR [the Customer to the Provider] under this Agreement shall not exceed the greater of: (a) [amount]; and (b) [the total amount paid and payable by the Customer to the Provider under this Agreement]. 17. Force Majeure Event 17.1 If a Force Majeure Event gives rise to a failure or delay in either party performing any obligation under this Agreement[ (other than any obligation to make a payment)], that obligation will be suspended for the duration of the Force Majeure Event. 17.2 A party that becomes aware of a Force Majeure Event which gives rise to, or which is likely to give rise to, any failure or delay in that party performing any obligation under this Agreement, must: (a) promptly notify the other; and (b) inform the other of the period for which it is estimated that such failure or delay will continue. 17.3 A party whose performance of its obligations under this Agreement is affected by a Force Majeure Event must take reasonable steps to mitigate the effects of the Force Majeure Event. 18. Termination 18.1 Either party may terminate this Agreement by giving to the other party [at least 30 days'] written notice of termination. 18.2 Either party may terminate this Agreement immediately by giving written notice of termination to the other party if the other party commits a material breach of this Agreement. 18.3 Either party may terminate this Agreement immediately by giving written notice of termination to the other party if: (a) the other party: (i) is dissolved; (ii) ceases to conduct all (or substantially all) of its business; (iii) is or becomes unable to pay its debts as they fall due; (iv) is or becomes insolvent or is declared insolvent; or (v) convenes a meeting or makes or proposes to make any arrangement or composition with its creditors; (b) an administrator, administrative receiver, liquidator, receiver, trustee, manager or similar is appointed over any of the assets of the other party; (c) an order is made for the winding up of the other party, or the other party passes a resolution for its winding up[ (other than for the purpose of a solvent company reorganisation where the resulting entity will assume all the obligations of the other party under this Agreement)]; or (d) [if that other party is an individual: (i) that other party dies; (ii) as a result of illness or incapacity, that other party becomes incapable of managing his or her own affairs; or (iii) that other party is the subject of a bankruptcy petition or order.] 19. Effects of termination 19.1 Upon the termination of this Agreement, all of the provisions of this Agreement shall cease to have effect, save that the following provisions of this Agreement shall survive and continue to have effect (in accordance with their express terms or otherwise indefinitely): [Clauses 1, 4.11, 8, 11.2, 11.4, 12, 13.1, 13.3, 13.4, 13.5, 13.6, 13.7, 13.8, 13.9, 13.10, 13.11, 13.12, 13.13, 13.14, 13.15, 13.16, 13.17, 16, 19, 22 and 23]. 19.2 Except to the extent that this Agreement expressly provides otherwise, the termination of this Agreement shall not affect the accrued rights of either party. 19.3 Within [30 days] following the termination of this Agreement for any reason: (a) the Customer must pay to the Provider any Charges in respect of Services provided to the Customer before the termination of this Agreement; and (b) the Provider must refund to the Customer any Charges paid by the Customer to the Provider in respect of Services that were to be provided to the Customer after the termination of this Agreement, without prejudice to the parties' other legal rights. 20. Notices 20.1 Any notice from one party to the other party under this Agreement must be given by one of the following methods (using the relevant contact details set out in Clause 20.2 and Part 3 of Schedule 1 (Hosted Services particulars)): (a) [[delivered personally or sent by courier], in which case the notice shall be deemed to be received [upon delivery]]; or (b) [sent by [recorded signed-for post], in which case the notice shall be deemed to be received [2 Business Days following posting]], [additional list items] providing that, if the stated time of deemed receipt is not within Business Hours, then the time of deemed receipt shall be when Business Hours next begin after the stated time. 20.2 The Provider's contact details for notices under this Clause 20 are as follows: [contact details]. 20.3 The addressee and contact details set out in Clause 20.2 and Part 3 of Schedule 1 (Hosted Services particulars) may be updated from time to time by a party giving written notice of the update to the other party in accordance with this Clause 20. 21. Subcontracting 21.1 The Provider must not subcontract any of its obligations under this Agreement without the prior written consent of the Customer[, providing that the Customer must not unreasonably withhold or delay the giving of such consent]. OR 21.1 Subject to any express restrictions elsewhere in this Agreement, the Provider may subcontract any of its obligations under this Agreement[, providing that the Provider must give to the Customer, promptly following the appointment of a subcontractor, a written notice specifying the subcontracted obligations and identifying the subcontractor in question]. 21.2 The Provider shall remain responsible to the Customer for the performance of any subcontracted obligations. 21.3 Notwithstanding the provisions of this Clause 21 but subject to any other provision of this Agreement, the Customer acknowledges and agrees that the Provider may subcontract [to any reputable third party hosting business the hosting of the Platform and the provision of services in relation to the support and maintenance of elements of the Platform]. 22. General 22.1 No breach of any provision of this Agreement shall be waived except with the express written consent of the party not in breach. 22.2 If any provision of this Agreement is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this Agreement will continue in effect. If any unlawful and/or unenforceable provision would be lawful or enforceable if part of it were deleted, that part will be deemed to be deleted, and the rest of the provision will continue in effect (unless that would contradict the clear intention of the parties, in which case the entirety of the relevant provision will be deemed to be deleted). 22.3 This Agreement may not be varied except by a written document signed by or on behalf of each of the parties. 22.4 Neither party may without the prior written consent of the other party assign, transfer, charge, license or otherwise deal in or dispose of any contractual rights or obligations under this Agreement. 22.5 This Agreement is made for the benefit of the parties, and is not intended to benefit any third party or be enforceable by any third party. The rights of the parties to terminate, rescind, or agree any amendment, waiver, variation or settlement under or relating to this Agreement are not subject to the consent of any third party. 22.6 Subject to Clause 16.1, this Agreement shall constitute the entire agreement between the parties in relation to the subject matter of this Agreement, and shall supersede all previous agreements, arrangements and understandings between the parties in respect of that subject matter. 22.7 This Agreement shall be governed by and construed in accordance with [English law]. 22.8 The courts of [England] shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this Agreement. 23. Interpretation 23.1 In this Agreement, a reference to a statute or statutory provision includes a reference to: (a) that statute or statutory provision as modified, consolidated and/or re-enacted from time to time; and (b) any subordinate legislation made under that statute or statutory provision. 23.2 The Clause headings do not affect the interpretation of this Agreement. 23.3 References in this Agreement to "calendar months" are to [the 12 named periods (January, February and so on) into which a year is divided]. 23.4 In this Agreement, general words shall not be given a restrictive interpretation by reason of being preceded or followed by words indicating a particular class of acts, matters or things. EXECUTION The parties have indicated their acceptance of this Agreement by executing it below. SIGNED BY [[individual name] on [...............], the Provider] OR [[individual name] on [...............], duly authorised for and on behalf of the Provider]: ........................................ SIGNED BY [[individual name] on [...............], the Customer] OR [[individual name] on [...............], duly authorised for and on behalf of the Customer]: ........................................   SCHEDULE 1 (HOSTED SERVICES PARTICULARS) 1. Specification of Hosted Services [Specify Hosted Services and any relevant usage limitations] 2. Financial provisions [Insert financial provisions] 3. Contractual notices [Customer contractual notices address details]   SCHEDULE 2 (ACCEPTABLE USE POLICY) 1. Introduction 1.1 This acceptable use policy (the "Policy") sets out the rules governing: (a) the use of [the website at [URL], any successor website, and the services available on that website or any successor website] (the "Services"); and (b) the transmission, storage and processing of content by you, or by any person on your behalf, using the Services ("Content"). 1.2 References in this Policy to "you" are to [any customer for the Services and any individual user of the Services] (and "your" should be construed accordingly); and references in this Policy to "us" are to [identify provider] (and "we" and "our" should be construed accordingly). 1.3 By using the Services, you agree to the rules set out in this Policy. 1.4 We will ask for your express agreement to the terms of this Policy before [you upload or submit any Content or otherwise use the Services]. 1.5 You must be [at least 18 years of age] to use the Services; and by using the Services, you warrant and represent to us that you are [at least 18 years of age]. 2. General usage rules 2.1 You must not use the Services in any way that causes, or may cause, damage to the Services or impairment of the availability or accessibility of the Services. 2.2 You must not use the Services: (a) in any way that is unlawful, illegal, fraudulent, deceptive or harmful; or (b) in connection with any unlawful, illegal, fraudulent, deceptive or harmful purpose or activity. 2.3 You must ensure that all Content complies with the provisions of this Policy. 3. Unlawful Content 3.1 Content must not be illegal or unlawful, must not infringe any person's legal rights, and must not be capable of giving rise to legal action against any person (in each case in any jurisdiction and under any applicable law). 3.2 Content[, and the use of Content by us in any manner licensed or otherwise authorised by you,] must not: (a) [be libellous or maliciously false]; (b) [be obscene or indecent]; (c) [infringe any copyright, moral right, database right, trade mark right, design right, right in passing off, or other intellectual property right]; (d) [infringe any right of confidence, right of privacy or right under data protection legislation]; (e) [constitute negligent advice or contain any negligent statement]; (f) [constitute an incitement to commit a crime, instructions for the commission of a crime or the promotion of criminal activity]; (g) [be in contempt of any court, or in breach of any court order]; (h) [constitute a breach of racial or religious hatred or discrimination legislation]; (i) [be blasphemous]; (j) [constitute a breach of official secrets legislation]; or (k) [constitute a breach of any contractual obligation owed to any person]. [additional list items] 3.3 You must ensure that Content is not and has never been the subject of any threatened or actual legal proceedings or other similar complaint. 4. Graphic material 4.1 Content must be appropriate for all persons who have access to or are likely to access the Content in question[, and in particular for children[ over 12 years of age]]. 4.2 Content must not depict violence[ in an explicit, graphic or gratuitous manner]. 4.3 Content must not be pornographic[ or sexually explicit]. 5. Factual accuracy 5.1 Content must not be untrue, false, inaccurate or misleading. 5.2 Statements of fact contained in Content and relating to persons (legal or natural) must be true[; and statements of opinion contained in Content and relating to persons (legal or natural) must be reasonable, be honestly held and indicate the basis of the opinion]. 6. Negligent advice 6.1 Content must not consist of or contain any [legal, financial, investment, taxation, accountancy, medical or other professional] advice, and you must not use the Services to provide any [legal, financial, investment, taxation, accountancy, medical or other professional] advisory services. 6.2 Content must not consist of or contain any advice, instructions or other information that may be acted upon and could, if acted upon, cause death, illness or personal injury, damage to property, or any other loss or damage. 7. Etiquette 7.1 Content must be appropriate, civil and tasteful, and accord with generally accepted standards of etiquette and behaviour on the internet. 7.2 Content must not be offensive, deceptive, threatening, abusive, harassing, menacing, hateful, discriminatory or inflammatory. 7.3 Content must not be liable to cause annoyance, inconvenience or needless anxiety. 7.4 You must not use the Services to send any hostile communication or any communication intended to insult, including such communications directed at a particular person or group of people. 7.5 You must not use the Services for the purpose of deliberately upsetting or offending others. 7.6 You must not unnecessarily flood the Services with material relating to a particular subject or subject area, whether alone or in conjunction with others. 7.7 You must ensure that Content does not duplicate other content available through the Services. 7.8 You must ensure that Content is appropriately categorised. 7.9 You should use appropriate and informative titles for all Content. 7.10 You must at all times be courteous and polite to other users of the Services. 8. Marketing and spam 8.1 You must not[ without our written permission] use the Services for any purpose relating to [the marketing, advertising, promotion, sale or supply of any product, service or commercial offering]. 8.2 Content must not constitute or contain spam, and you must not use the Services to store or transmit spam - which for these purposes shall include [all unlawful marketing communications and unsolicited commercial communications]. 8.3 You must not send any spam[ or other marketing communications] to any person using any email address[ or other contact details] made available through the Services or that you find using the Services. 8.4 You must not use the Services to promote, host or operate any chain letters, Ponzi schemes, pyramid schemes, matrix programs, multi-level marketing schemes, "get rich quick" schemes or similar letters, schemes or programs. 8.5 You must not use the Services in any way which is liable to result in the blacklisting of any of our IP addresses. 9. Regulated businesses 9.1 You must not use the Services for any purpose relating to [gambling, gaming, betting, lotteries, sweepstakes, prize competitions or any gambling-related activity]. 9.2 You must not use the Services for any purpose relating to [the offering for sale, sale or distribution of drugs or pharmaceuticals]. 9.3 You must not use the Services for any purpose relating to [the offering for sale, sale or distribution of knives, guns or other weapons]. 10. Monitoring 10.1 You acknowledge that [we may actively monitor the Content and the use of the Services] OR [we do not actively monitor the Content or the use of the Services]. 11. Data mining 11.1 You must not conduct any systematic or automated data scraping, data mining, data extraction or data harvesting, or other systematic or automated data collection activity, by means of or in relation to the Services. 12. Hyperlinks 12.1 You must not link to any material using or by means of the Services that would, if it were made available through the Services, breach the provisions of this Policy. 13. Harmful software 13.1 The Content must not contain or consist of, and you must not promote, distribute or execute by means of the Services, any viruses, worms, spyware, adware or other harmful or malicious software, programs, routines, applications or technologies. 13.2 The Content must not contain or consist of, and you must not promote, distribute or execute by means of the Services, any software, programs, routines, applications or technologies that will or may have a material negative effect upon the performance of a computer or introduce material security risks to a computer.   SCHEDULE 3 (DATA PROCESSING INFORMATION) 1. Categories of data subject [Specify the categories of data subject whose personal data may be processed] 2. Types of Personal Data [Specify types of personal data to be processed] 3. Purposes of processing [Specify purposes for which personal data may be processed] 4. Security measures for Personal Data [Specify the security measures used to protect personal data] 5. Sub-processors of Personal Data [Identify sub-processors of personal data]   Free SaaS agreement: drafting notes This is a short-form agreement covering the B2B provision of software-as-a-service. DATE • Insert the date of execution of the document. PARTIES Subsection 1 • Is the first party an individual, a company or a partnership? • What is the full name of the individual (including middle names)? • What is the postal address of the first party? • What is the full company name of the first party? • In which jurisdiction is the first party incorporated? • What is the registration number of the first party? • What is the registered office address of the first party? • What is the name of the first party partnership? • In which jurisdiction is the first party partnership established? • Where is the principal place of business of the first party? Subsection 2 • Is the second party an individual, a company or a partnership? • What is the full name of the individual (including middle names)? • What is the postal address of the second party? • What is the full company name of the second party? • In which jurisdiction is the second party incorporated? • What is the registration number of the second party? • What is the registered office address of the second party? • What is the name of the second party partnership? • In which jurisdiction is the second party partnership established? • Where is the principal place of business of the second party? AGREEMENT Clause 1: Definitions Clause 1.1 Definition of Account • What different types of account may be used to access the hosted services platform? Definition of Business Day • The bank and public holidays of which jurisdiction should be excluded from the definition of "Business Day"? Definition of Business Hours • What are business hours for the purposes of this document? Definition of Charges • What charges are payable under this document? • How should the time-based charging rates be described or specified? • Will all the services be subject to time-based charging, or only some of the services? • How are time-based charging units to be rounded? Definition of Customer Confidential Information • Might confidential information be disclosed to the first party by someone other than the second party, on behalf of the second party? • Information disclosed during which of these periods is or might be treated as confidential for the purposes of this document? Definition of Customer Personal Data • Specify those categories of data with respect to which the Provider is a data controller. Definition of Documentation • How should the hosted services documentation be identified? Definition of Effective Date • When will the contract come into force? Definition of Force Majeure Event • Specify particular examples of force majeure events. Definition of Hosted Services • Specify the name of the hosted services. • Will a detailed specification of the hosted services be provided? • Where will the detailed specification appear? Definition of Hosted Services Defect • Will non-material defects count as software defects for the purposes of this definition? • Negative effects upon what aspects of the hosted services might constitute defects for these purposes? • Should a set of general exclusions from this definition be included? • What exclusions should apply here? Definition of Hosted Services Specification • Where is the specification for the hosted services set out? Definition of Mobile App • What is the mobile application known as? • How is the mobile application made available? Definition of Platform • Do you wish to be more specific about the constituent elements of the hosted services platform? • Identify the elements of the hosted services platform. Definition of Services • Define "Services". Definition of Support Services • In relation to what exactly will support be provided? Definition of Supported Web Browser • Which web browsers are formally supported? • Is there a chance that the Provider will extend support to other browsers? Definition of Term • Define "Term", the period during which the contract will subsist. Definition of Update • Define "Update". Definition of Upgrade • Define "Upgrade". Clause 2: Credit Clause: Free documents licensing warning Optional element. Although you need to retain the credit, you should remove the inline copyright warning from this document before use. Clause 3: Term Clause 3.2 • Is the term of the contract indefinite, or will it come to an end upon some agreed date, or upon the occurrence of a defined event? • Upon what date will the contract terminate? • Upon the occurrence of what event will the contract terminate? Clause 4: Hosted Services Clause 4.1 • How will the Provider get an account for the hosted services? • When will automatic account creation take place? • When will manual account creation take place? Clause 4.2 • What sort of licence to use the hosted services is being granted? • Must the hosted services be used by some particular means (eg a web browser)? • Is the Customer only permitted to use the hosted services for some defined purpose, or may the hosted services be used for any purpose? • Must the hosted services be used in accordance with the documentation? • What means? • What purposes? Clause 4.3 Optional element. • Which of these licensing limitations apply? • Which classes of person are eligible to use the hosted services? • Where will named users be specified? • What procedure will be used to change, add or remove a named user? • Where are named user details stored? • Where will concurrent user limits be specified? • What procedure will be used to add or remove a concurrent user licence? • Where is the number of permitted concurrent users recorded? Clause 4.4 • What prohibitions apply to the use of the hosted services? • Will alterations be permitted in accordance with the documentation? Clause 4.5 Optional element. • Are these obligations restricted to administrator accounts? Clause 4.6 Optional element. • Will the Provider be required to use "all reasonable endeavours" to maintain availability, or merely "reasonable endeavours"? • At what point are the hosted services considered to be made available? Clause 4.7 Optional element. Clause 4.8 Optional element. • Is this obligation limited to administrator accounts? Clause 4.12 Optional element. • How much notice must the Provider give to the Customer of a suspension of services following non-payment? Clause 5: Maintenance Services Optional element. Clause 5.1 • During what period will the maintenance services be provided? Clause 5.2 Optional element. • How much prior written notice of the release of an update must be given to the Customer? Clause 5.3 Optional element. Will the Provider have an obligation to give to the Customer prior written notice of the application of an upgrade? • How much prior written notice of the release of an upgrade must be given to the Customer? Clause 5.4 Optional element. Will the Provider have an obligation to give to the Customer prior written notice of the application of updates? • How much prior written notice of the release of an update must be given to the Customer? Clause 5.5 Optional element. • What standard(s) must the maintenance services meet? • Specify the standard or standards the services must meet. Clause 5.6 Optional element. Will the Provider have a right to suspend the maintenance services in the event that the Customer fails to pay any amount due under the contract? • How much notice of an intention to suspend the maintenance services must the Provider give to the Customer? Clause 6: Support Services Optional element. Clause 6.1 • During what period will the support services be provided? Clause 6.2 Optional element. Clause 6.3 Optional element. • What standard(s) must the support services meet? • Specify the standard or standards the support services must meet. Clause 6.4 Optional element. • For what purposes may the helpdesk be used? Clause 6.5 Optional element. Clause 6.6 Optional element. • How much notice must the Provider give to the Customer of a suspension of services following non-payment? Clause 7: Customer Data Optional element. Clause 7.1 • What may the Provider do with the Customer's materials? • Will the Provider have the right to sub-license its rights under this provision? • To whom may the licensed rights be sub-licensed? Clause 7.2 Optional element. • Do the warranties relating to legality apply to the Customer's data generally, or just to uses permitted by this document? • Will this warranty extend to legal rights other than intellectual property rights? • Should a warranty of legality be included? • What (if any) jurisdictional limitations and applicable law limitations should apply to these warranties? Clause 7.3 Optional element. • Back-ups of what will be created by the Provider? • How often will back-ups be created? • What functional standard should the back-ups meet? • How long will the back-up copies be retained? Clause 7.4 Optional element. • When will the Provider's obligations under this provision be engaged? • What standard of performance is expected here? • What exactly is to be restored? Clause 8: Mobile App Optional element. Clause 9: No assignment of Intellectual Property Rights Optional element. Clause 10: Charges Clause 10.2 Optional element. Clause 10.3 Optional element. • Are payment amounts stated inclusive or exclusive of VAT? Clause 10.4 Optional element. Will the Provider be permitted to vary the charges, or any element of the charges, in any circumstances? • Which elements of the charges may be varied? • What notice period should apply to the variation of charges? • Must notice of the variation expire upon some specific date? • Should variations of charges be limited by reference to an index? • Specify the relevant date. • Will the charges variation cap exceed RPI by a defined percentage? • Identify the index in question. • Specify the relevant percentage. Clause 11: Payments Clause 11.1 • When should invoices be issued? Clause 11.2 • What is the period for payment of invoices? • When does the period for payment of an invoice begin to run? • What if any proviso is required to the standard payment terms? Clause 11.3 Optional element. • Using what methods should payments be made? Clause 11.4 Optional element. • What contractual interest rate should apply to late payments? Clause 12: Provider's confidentiality obligations Optional element. Clause 12.1 • In the event of a disclosure of confidential information made by the first party with the prior written consent of the second party, should the first party be bound to place confidentiality obligations upon the recipient of the information? • Will the second party have to give its written approval to the specific conditions under which confidential information is disclosed by the first party to a third party, or is it sufficient that such disclosures are made under conditions of confidentiality no less onerous than those set out in this document? • Should the Provider be required to act in good faith in relation to confidential information? • Should the first party be placed under an obligation to only use the information disclosed for a defined purpose? Clause 12.2 • To whom may the first party disclose confidential information supplied by the second party? • Should disclosures made under this provision be prohibited unless there is a "need to know"? Clause 12.3 • Should the first party be free to disclose all information received from third parties in circumstances where the first party has no reason to believe that there has been a breach of a confidentiality obligation? Clause 12.5 • Will the confidentiality obligations in this section continue indefinitely, or will they come to an end at some point following termination of the contract? • For what period following termination will the confidentiality obligations continue? Clause 13: Data protection Will the Provider process personal data on behalf of the Customer? This provision is designed to help the parties to a data processing arrangement to comply with the General Data Protection Regulation (GDPR), in force from 25 May 2018. In addition to a set of specific requirements, the GDPR includes a general obligation on data controllers to ensure compliance: "Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject." (Article 28(1)) One aspect of ensuring compliance is the use of an appropriate written contract: "Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller." (Article 28(3)) The drafting in these provisions closely reflects the language of the GDPR. Clause 13.1 Optional element. Clause 13.2 Optional element. Clause 13.5 Article 28(2)(a) of the GDPR provides that the controller-processor contract must stipulate that the controller "processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation ... ". Clause 13.6 Optional element. The final section of Article 28(3) of the GDPR reads: "With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions." The cross-reference in the legislation is presumably a mistake, and should point at Article 28(3)(a). In any case, it is not clear from the legislation whether this provision needs to be part of the processing contract. Clause 13.7 Article 28(2)(a) of the GDPR provides that the controller-processor contract must stipulate an exception to the general rule that personal data may only be processed on the data controller's instructions: " ... unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest". Note the distinction between "Union or Member State law" in the GDPR and "applicable law" in the draft provision. There is a possibility of conflict between legal obligations here. Similarly, if applicable law prohibits the notification to the controller of legally-mandated processing, then in principle that might not be on "important grounds of public interest". Clause 13.8 Article 28(3)(b) of the GDPR provides that the controller-processor contract must stipulate that the processor "ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality". Clause 13.9 Article 28(3)(c) of the GDPR provides that the controller-processor contract must stipulate that the processor "takes all measures required pursuant to Article 32". Article 32 provides that: "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law." Clause 13.10 Article 28(2) of the GDPR provides that: "The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes". Article 28(4) provides that: "Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations." Article 28(3)(d) provides that the controller-processor contract should stipulate that the processor "respects the conditions referred to in paragraphs 2 and 4 for engaging another processor". Clause 13.11 Optional element. Clause 13.12 Article 28(3)(e) of the GDPR provides that controller-processor contracts must stipulate that the processor "taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III". Clause 13.13 Article 28(3)(f) of the GDPR provides that the controller-processor contract must stipulate that the processor "assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor". Clause 13.14 Article 28(3)(h): the contract must require that the data processor "makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article...". The draft clause here is wider, covering compliance with any data protection legislation. Clause 13.15 Article 28(3)(g) of the GDPR requires that the controller-processor contract stipulates that the processor "at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data". NB this is slightly different from the suggested contract provision, which refers instead to "applicable law". Clearly, there could be a conflict here between the requirements of the law of a non-EU jurisdiction and the requirements of EU law. Clause 13.16 Article 28(3)(h): the contract must require that the data processor "allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller". The suggested qualification to the scope of audits is not expressly permitted in the legislation. Clause 13.17 Optional element. Consider whether additional rights of termination may be required in the event that the parties are unable to agree a suitable variation. Clause 14: Warranties Optional element. Clause 14.1 Optional element. • What general warranties will the Provider give to the Customer? Clause 14.2 Optional element. • What warranties in relation to the platform and hosted services will the Provider give to the Customer? • Is this warranty subject to a materiality threshold? Clause 14.3 Optional element. • What is the scope of this warranty? Clause 14.4 Optional element. • What is the jurisdictional coverage of the warranty? Clause 14.5 Optional element. Clause 14.6 Optional element. Clause 15: Acknowledgements and warranty limitations Optional element. Clause 15.2 Optional element. Clause 15.3 Optional element. • Where will the compatibility of the hosted services be specified? Clause 15.4 Optional element. • What types of advice should be specified here? Clause 16: Limitations and exclusions of liability Contractual limitations and exclusions of liability are regulated and controlled by law, and the courts may rule that particular limitations and exclusions of liability in contracts are unenforceable. The courts are particularly likely to intervene where a party is seeking to rely on a limitation or exclusion of liability in its standard terms and conditions, but will also sometimes intervene where a term has been individually negotiated. The courts may be more likely to rule that provisions excluding liability, as opposed to those merely limiting liability, are unenforceable. If there is a risk that any particular limitation or exclusion of liability will be found to be unenforceable by the courts, that provision should be drafted as an independent term, and be numbered separately from the other provisions. It may improve the chances of a limitation or exclusion of liability being found to be enforceable if the party seeking to rely upon it specifically drew it to the attention of the other party before the contract was entered into. Exclusions and limitations of liability in UK contracts are primarily regulated by the Unfair Contract Terms Act 1977 ("UCTA"). Contracts regulated by UCTA cannot exclude or restrict a party's liability for death or personal injury resulting from negligence (Section 2(1), UCTA). Except insofar as the relevant term satisfies the requirements of reasonableness, such contracts cannot exclude or restrict liability: (i) for negligence (which includes a breach of an express or implied contractual obligation to take reasonable care or exercise reasonable skill) (Section 2(2), UCTA); or (ii) for misrepresentation (Section 3, Misrepresentation Act 1967). In addition, if a contract is regulated by UCTA, and one of the parties is dealing on the other's written standard terms of business, then except insofar as the relevant contractual term satisfies the requirements of reasonableness the other party cannot: (i) exclude or restrict his liability in respect of a breach of contract; or (ii) claim to be entitled to render a contractual performance substantially different from that which was reasonably expected of him; or (iii) claim to be entitled, in respect of the whole or any part of his contractual obligation, to render no contractual performance at all (see Section 3, UCTA). UCTA includes various other restrictions, particularly in the case of contracts for the sale of goods and contracts under which possession or ownership of goods passes. If you wish to try to limit/exclude for liability in respect of reckless, deliberate, personal and/or repudiatory breaches of contract, you should specify this in relation to the relevant provision (for example, using the following wording: "The limitations and exclusions of liability in this Clause [number] will apply whether or not the liability in question arises out of any reckless, deliberate, personal and/or repudiatory conduct or breach of contract"). In many circumstances, however, the courts will find these types of limitations and exclusions to be unenforceable. Somewhat different rules apply to limitations of liability in contracts with consumers, and these provisions should not be used in relation to such contracts. These guidance notes provide a very incomplete and basic overview of a complex subject. Accordingly, you should take legal advice if you may wish to rely upon a limitation or exclusion of liability. Clause 16.1 Do not delete this provision (except upon legal advice). Without this provision, the specific limitations and exclusions of liability in the document are more likely to be unenforceable. Clause 16.2 Optional element. Clause 16.3 Optional element. • Which of the parties will be the beneficiary of this limitation of liability? Clause 16.4 Optional element. • Which of the parties will be the beneficiary of this limitation of liability? Clause 16.5 Optional element. • Which of the parties will be the beneficiary of this limitation of liability? Clause 16.6 Optional element. • Which of the parties will be the beneficiary of this limitation of liability? Clause 16.7 Optional element. • Which of the parties will be the beneficiary of this limitation of liability? Clause 16.8 Optional element. • Which of the parties will be the beneficiary of this limitation of liability? • Are the Provider's protections under this provision subject to compliance with data back-up and restoration obligations? Clause 16.9 Optional element. "Consequential loss" has a special meaning in English law: it means any loss that, whilst not arising naturally from the breach, was specifically in the contemplation of the parties when the contract was made. • Which of the parties will be the beneficiary of this limitation of liability? Clause 16.10 Optional element. Do you want to include a per event liability cap in this document? Liability caps may be unenforceable in practice. • Which of the parties will be the beneficiary of this liability cap? • Do you want to include a per event liability cap in this document? • What monetary amount should be used in the liability cap? • What floating amount should be used in the liability cap? Clause 16.11 Optional element. Do you want to include an aggregate liability cap in this document? Liability caps may be unenforceable in practice. • Which of the parties will be the beneficiary of this liability cap? • What monetary amount should be used in the liability cap? • What floating amount should be used in the liability cap? Clause 17: Force Majeure Event Optional element. Clause 17.1 • Will obligations to make payments be excluded from the scope of the force majeure exception? Clause 17.2 Optional element. Clause 17.3 Optional element. Clause 18: Termination Clause 18.1 • What notice period will apply to termination without cause by either party? Clause 18.3 • Will the winding up of a party as part of a solvent company reorganisation give rise to a right of termination for the other party? • Will or might a party to the document be an individual, rather than a corporate entity? Clause 19: Effects of termination Clause 19.3 Optional element. This provision will not be suitable in all circumstances. The appropriate treatment of charges upon termination will vary from contract to contract. Note, also, that this provision only deals with charges in respect of services. • Within what period following termination must charges in respect of services be settled? Clause 20: Notices Optional element. Clause 20.2 • Insert the Provider's contact details for notices. Clause 21: Subcontracting Optional element. Clause 21.1 • Will the Customer only be permitted to withhold consent to subcontracting where it is reasonable to do so? Clause 21.1 • Will the Provider be obliged to notify the Customer of any subcontracting arrangements? Clause 21.2 Optional element. Clause 21.3 Optional element. • Describe what may be subcontracted, and if necessary to whom subcontracting is permitted. Clause 22: General Clause 22.1 Optional element. Clause 22.2 Optional element. Clause 22.3 Optional element. This is intended to prevent, for example, one party wrongfully claiming that a term of the contract was changed in a telephone call. Clause 22.4 Optional element. Clause 22.5 Optional element. This provision is designed to exclude any rights a third party may have under the Contracts (Rights of Third Parties) Act 1999. Clause 22.6 Optional element. Clause 22.7 This template has been drafted to work in the English law context. If you plan to change the governing law, you should have the document reviewed by someone with expertise in the law of the relevant jurisdiction. • Which law will govern the document? Clause 22.8 Optional element. As a practical matter, it makes sense for the courts with expertise in the relevant law to have the right to adjudicate disputes. Where one of the parties is outside England (or at least the UK), you may want to grant the courts of their home jurisdiction the right to adjudicate disputes, as this could ease enforcement in some circumstances. • The courts of which jurisdiction will have the exclusive right to adjudicate disputes relating to the document (subject to applicable law)? Clause 23: Interpretation Should provisions concerning the interpretation of the document be included? Clause 23.1 Optional element. Clause 23.2 Optional element. Clause 23.3 Optional element. Clause 23.4 Optional element. This provision is designed to exclude the application of a rule of interpretation known as the ejusdem generis rule. That rule may affect the interpretation of contractual clauses that list particular examples or instances of some more general idea, by limiting the scope of the general idea by reference to those particular examples or instances. EXECUTION Subsection: Execution of contract by first party (individual, company or partnership) • Will the contract be signed by the (first party) contracting individual, or a person on behalf of the (first party) contracting entity? • What is the full name of the first party signatory? • On what date is the first party signing the contract? • Add the full name of the person who will sign the document on behalf of the first party. • On what date is the contract being signed on behalf of the first party? Subsection: Execution of contract by second party (individual, company or partnership) • Will the contract be signed by the (second party) contracting individual, or by a person on behalf of the (second party) contracting entity? • What is the full name of the second party signatory? • On what date is the second party signing the contract? • Add the full name of the person who will sign the document on behalf of the second party. • On what date is the contract being signed on behalf of the second party? SCHEDULE 1 (HOSTED SERVICES PARTICULARS) Part 1: Specification of Hosted Services • Insert the specification for the hosted services. Part 2: Financial provisions • Insert financial provisions. Part 3: Contractual notices Optional element. • Insert details to be used for sending contractual notices to the Customer. SCHEDULE 2 (ACCEPTABLE USE POLICY) Optional element. Part 1: Introduction Paragraph 1.1 • The use of which services is to be governed by the acceptable use policy? • Specify the URL of the relevant website. Paragraph 1.2 • Whose behaviour does the policy regulate? • Identify the provider of the services. Paragraph 1.3 Optional element. Paragraph 1.4 Optional element. • At what point will the express agreement to the terms of the policy be sought? Paragraph 1.5 Optional element. Do any age restrictions apply to the use of the services? • What is the minimum age for service users? Part 3: Unlawful Content Paragraph 3.1 This very general prohibition against unlawful user content may be supplemented by rules relating to specific kinds of illegality, as well as prohibitions upon lawful but undesirable content. Paragraph 3.2 Optional element. Paragraph 3.3 Optional element. Part 4: Graphic material Optional element. Paragraph 4.1 • Do you want to specify that content must be suitable for children (or children over some defined age)? • What, if any, age floor should be specified? Paragraph 4.2 Optional element. • Is the prohibition of violent content limited to explicit, graphic and/or gratuitous violence? Paragraph 4.3 Optional element. • Is non-pornographic but sexually explicit material permitted? Part 5: Factual accuracy Optional element. Paragraph 5.2 Optional element. • Should wording designed to prohibit opinions that may, if defamatory, be indefensible under the "honest opinion" defence be included? Part 6: Negligent advice Optional element. Paragraph 6.1 Optional element. Paragraph 6.2 Optional element. Part 7: Etiquette Optional element. Paragraph 7.1 Optional element. Paragraph 7.2 Optional element. Paragraph 7.3 Optional element. Paragraph 7.4 Optional element. Paragraph 7.5 Optional element. Paragraph 7.6 Optional element. Paragraph 7.7 Optional element. Paragraph 7.8 Optional element. Paragraph 7.9 Optional element. Paragraph 7.10 Optional element. Part 8: Marketing and spam Optional element. Paragraph 8.1 • Might permission be granted in some cases in relation to these otherwise prohibited activities? • Specify the marketing-related purposes that are specifically prohibited. Paragraph 8.2 • What does "spam" include? Paragraph 8.3 • Should this prohibition cover only spam, or all marketing communications? • Should this prohibition relate only to email addresses, or should it cover all types of contact information? Part 9: Regulated businesses Optional element. Paragraph 9.1 Optional element. • What, specifically, is prohibited here? Paragraph 9.2 Optional element. Paragraph 9.3 Optional element. Part 10: Monitoring Optional element. Paragraph 10.1 • Will the content and services be monitored? Part 11: Data mining Optional element. Part 12: Hyperlinks Optional element. Part 13: Harmful software Optional element. Paragraph 13.2 Optional element. SCHEDULE 3 (DATA PROCESSING INFORMATION) Optional element. Part 4: Security measures for Personal Data Optional element. Part 5: Sub-processors of Personal Data Optional element.