1 Introduction

1.1 Boomerang provides its Services subject to the terms and conditions in this Terms of Service (“Agreement”) by accepting this Terms of Service you are entering into an Agreement with BOOMERANG I-COMMS LTD incorporated and registered in England and Wales with company number 08217867 whose registered office is at Regina House, 124 Finchley Road, London NW3 5JS ( "Boomerang");

Agreed terms

1. Interpretation

1.1 The definitions and rules of interpretation in this clause apply in this Agreement.

"Authorised Users"

those employees, agents and independent contractors of the Customer who are authorised by the Customer to use the Services and the Documentation.

"Business Day"

a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

"Change of Control"

shall be as defined in section 1124 of the Corporation Tax Act 2010, and the expression change of control shall be construed accordingly.

"Confidential Information"

information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause ‎11.

“Communication Address”

Means a code, telephone number, email and/or any other identifier and/or address from which a Message is sent and/or received;

“Credits”

Means the monetary value paid by the Customer to Boomerang and from which Boomerang will deduct payment for Messages sent by the Customer and service components selected by the Customer;

"Customer Data"

the data owned by the Customer and inputted by the Customer, Authorised Users, or Boomerang specifically on the Customer's behalf for the purpose of the Customer using the Services or facilitating the Customer's use of the Services.

"Documentation"

All and/or any documentation, manuals, information and/or data (and/or any part thereof including all updates and/or modifications) made available to the Customer by Boomerang from time to time in relation to and/or in connection with the Services and the user instructions in relation to the Services.

"Effective Date"

the date of this Agreement.

"Fees"

the fees (and/or any part of them) payable by the Customer to Boomerang for the Services.

“Intellectual Property Rights”

All and/or any patents, utility models, rights to inventions, copyright and related rights, trade marks and service marks, trade names and domain names, rights in get-up, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software and data, database rights, rights to preserve the confidentiality of information (including know-how and trade secrets) and any other intellectual property rights, including all applications for (and rights to apply for and be granted), renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist, now or in the future, in any part of the world.

“Messages”

Means an MMS, SMS, email, instant message, voice message and voice calls, data transmission, social media message and/or any other message (including the content of that message) and/or messaging process conveyed by use of the Services.

"Normal Business Hours"

9.00 am to 5.00 pm local UK time, each Business Day.

“Plug In”

Means a software module which is specifically described and designated in writing as a plug-in by Boomerang and which is provided by Boomerang to the Customer and which is designed to carry out certain functions and which can be installed by the Customer into the Customer’s computer systems.

“Policy" or “Policies”

Boomerang's policies attached in Schedule 2 together with any other policies introduced by Boomerang of which the Customer is notified relating to the Services, as these may be updated or amended by notification to the Customer from time to time.

“Renewal Term”

Means the 12 month period starting from the last day of the Subscription Term and then each 12 month period beginning on the anniversary of the last day of the Subscription Term.

“Services”

Means all and/or any of the services provided by Boomerang (including any services relating to Plug-Ins) and visible in the organisation settings section of your Boomerang account here: https://boomerangui.com/organisation-settings ;

"Software"

The software applications (including any Plug-Ins) provided by Boomerang as part of the Services.

"Subscription Term"

Shall mean the 12 month period from and including the Effective Date together with any subsequent Renewal Terms.

“Third Party Suppliers”

Means all and/or any third party suppliers including network operators who provide or supply goods and/or services to or for Boomerang’s use in order to assist and/or facilitate Boomerang in Boomerang’s provision of the Services.

“Use Cases”

Means the use case or cases which are specifically agreed in writing between Boomerang and the Customer which identify the specific scope and nature of the use of the Services and Documentation that can be made by the Customer and which are set out in the Service Profile.

1.2 Clause, schedule and paragraph headings shall not affect the interpretation of this Agreement.

1.3 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality). A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.4 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular. Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.

1.5 A reference to a statute or statutory provision is a reference to it as it is in force as at the date of this Agreement.

1.6 A reference to a statute or statutory provision shall include all subordinate legislation made as at the date of this Agreement under that statute or statutory provision.

1.7 A reference to writing or written includes faxes and email provided that if any notices are given by the Customer under this agreement which relate to major circumstances or events regarding the operation of this Agreement including any claims relating to material breach of this Agreement and/or termination of this Agreement then any email notices shall also be confirmed at the same time by fax and/or letter.

1.8 References to clauses and schedules are to the clauses and schedules of this Agreement; references to paragraphs are to paragraphs of the relevant schedule to this Agreement.

1.9 Any words following the terms including,include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

2. Authorised Users

2.1 Subject to the Customer purchasing and using the Services in accordance with and subject to the terms and conditions of this Agreement, Boomerang hereby grants to the Customer a non-exclusive, non-transferable right to permit the Authorised Users to use the Services and the Documentation during the Subscription Term solely for the Customer's internal business operations regarding Use Cases that are agreed in writing with Boomerang.

2.2 The Customer undertakes that:

2.2.1 the maximum number of Authorised Users in the Service Profile that it authorises to access and use the Services and the Documentation shall not exceed the agreed number of Authorised Users;

2.2.2 it will not allow or suffer any user subscription to be used by more than one individual Authorised User unless it has been reassigned in its entirety to another individual Authorised User, in which case the prior Authorised User shall no longer have any right to access or use the Services and/or Documentation;

2.2.3 each Authorised User shall keep a secure password for his use of the Services and Documentation, that such password shall be changed no less frequently than monthly and that each Authorised User shall keep his password confidential;

2.2.4 it shall maintain a written, up to date list of current Authorised Users and provide such list to Boomerang within 5 Business Days of Boomerang's written request at any time or times;

2.2.5 it agrees that it and all Authorised Users will follow and comply with all instructions, guidelines and/or provisions of the Documentation in relation to the use of the Services;

2.2.6 it agrees that Boomerang’s records regarding Customer’s use of the Services shall be accepted at all times as correct (save for manifest error) and that if there are any issues regarding the Services then the Customer shall permit Boomerang to audit the use of the Services in order to gather information and establish the facts relating to such issues. Boomerang shall in any event have the right to audit Customer’s use of the Services provided that such audit may be conducted no more than once per quarter, at Boomerang's expense, and this right shall be exercised with reasonable prior notice, in such a manner as not to substantially interfere with the Customer's normal conduct of business;

2.2.7 if any of the audits referred to in clause 2.2.6 reveal that any password has been provided to any individual who is not an Authorised User, then without prejudice to Boomerang's other rights, the Customer shall promptly disable such passwords and Boomerang shall not issue any new passwords to any such individual; and

2.2.8 if any of the audits referred to in clause 2.2.6 reveal that the Customer has underpaid Fees to Boomerang, then without prejudice to Boomerang's other rights, the Customer shall pay to Boomerang an amount equal to such underpayment as calculated in accordance with the prices referenced in the Service Profile within 10 Business Days of the date of the relevant audit.

2.3 The Customer shall not access, store, distribute or transmit any material, information, documentation, messages and/or viruses (including any destructive and/or disabling code) during the course of its use of the Services that:

2.3.1 is used in any way for, in relation to and/or in connection with emergency services (including 999 and 112 calls and/or where there could be a risk of personal injury or death) except to the extent that such use is expressly and specifically agreed by Boomerang and is stated in the Service Profile;

2.3.2 is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;

2.3.3 facilitates illegal activity;

2.3.4 depicts sexually explicit images;

2.3.5 promotes unlawful violence;

2.3.6 is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability;

2.3.7 is in breach of any agreement with any user, customer or client or any laws, regulations or other provisions that are applicable to the Customer, users, customers or clients in any territory; and/or

2.3.8 in a manner that is otherwise illegal or causes damage or injury to any person or property.

Boomerang reserves the right, without liability (of whatever nature and/or howsoever arising) and/or prejudice of whatever nature to any of its other rights to the Customer, to disable the Customer's access to any material that breaches the provisions of this clause.

2.4 The Customer shall not except as may be allowed by any applicable law which is incapable of exclusion by agreement between the parties and except to the extent expressly permitted under this Agreement:

2.4.1.1 attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software and/or Documentation (as applicable) in any form or media or by any means;

2.4.1.2 attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software;

2.4.2 access all or any part of the Services and Documentation in order to build a product or service which competes (directly or indirectly) with the Services and/or the Documentation;

2.4.3 use the Services and/or Documentation to provide services to third parties;

2.4.4 subject to clause ‎22.1, license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Services and/or Documentation available to any third party except the Authorised Users; and/or

2.4.5 attempt to obtain, or assist third parties in obtaining, access to the Services and/or Documentation, other than as provided under this clause ‎2; and

2.4.6 shall not use any Plug-Ins apart from expressly authorised by Boomerang and shall follow all of Boomerangs instructions and directions regarding use of such Plug-Ins including any restrictions set out in the Service Profile.

2.5 The Customer shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and/or the Documentation and, in the event of any such unauthorised access or use, promptly notify Boomerang.

2.6 The rights provided under this clause ‎2 are granted to the Customer only, and shall not be considered granted to any subsidiary or holding company of the Customer.

3. Additional Services

3.1 Subject to clause ‎3.2, the Customer may, from time to time during any Subscription Term, purchase additional services in excess of the Services originally ordered under this Agreement and Boomerang shall grant access to such additional services and/or any additional authorised users in accordance with and subject to the provisions of this Agreement.

3.2 If the Customer wishes to purchase additional services, the Customer shall notify Boomerang in writing. Boomerang shall evaluate such request for additional services and/or authorised users and respond to the Customer with approval or rejection of the request.

4. Services

4.1 Boomerang shall, during the Subscription Term, provide the Services and make available the Documentation to the Customer on and subject to the terms of this Agreement.

4.2 Boomerang shall use commercially reasonable endeavours to make the Services available 24 hours a day, seven days a week, except for:

4.2.1 planned maintenance carried out during the maintenance window which is outside of Normal Business Hours;

4.2.2 unscheduled maintenance performed outside Normal Business Hours, provided that Boomerang has used reasonable endeavours to give the Customer at least 2 hours’ notice in advance; and/or

4.2.3 in circumstances where Boomerang believes that Services need to be maintained and/or suspended due to urgent actions required by Boomerang to safeguard and/or secure the Services and/or ensure the continued proper operation of the Services (including any emergency situations, denial of service attacks and/or changes made by any Third Party Suppliers (including network operators) and in such circumstances Boomerang will give the Customer as much notice as reasonably practicable.

4.3 Boomerang will allocate Communication Addresses to the Customer as Boomerang deems necessary or desirable. This will depend (in part) upon the nature and type of Services that are required by the Customer, the availability of Communication Addresses, the business operations and practices of Third Party Suppliers (including network operators) and the directions and guidelines of regulators. The Customer hereby acknowledges and agrees that in certain circumstances Boomerang may need to change the Communication Addresses (for example telephone numbers) which it has allocated to the Customer including when Third Party Suppliers (including network operators) have issues regarding the transmission and/or receipt of Messages (for example texts) from Communication Addresses (for example telephone numbers) which have been allocated to the Customer. In such circumstances Boomerang will provide the Customer with as much notice as reasonably practicable regarding any such changes to Communication Addresses.

4.4 Boomerang will notify the Customer about significant updates to the Documentation that have been made no less frequently than the later of once every quarter and/or in the next version release of that Documentation. If Boomerang believes that there are significant and material issues that need to be notified to the Customer in relation to the Documentation then Boomerang will notify the Customer of such issues from time to time and as and when Boomerang deems necessary.

4.5 Boomerang may, as part of the Services and subject to agreement regarding the terms, content and price of the services, provide the Customer with Boomerang's basic customer support services during Normal Business Hours in accordance with Boomerang's Policy in effect at the time that the Services are provided. Boomerang may amend the Policy in its sole and absolute discretion from time to time. The Customer may purchase enhanced support services separately at Boomerang's then current rates.

5. Customer data

5.1 The Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.

5.2 Boomerang shall follow its archiving procedures for Customer Data as set out in Boomerang’s Policy as such document may be amended by Boomerang in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's exclusive remedy shall be for Boomerang to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by Boomerang in accordance with the archiving procedure described in Boomerang’s Policies. Boomerang shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except to the extent that those third parties have been sub-contracted by Boomerang to perform services related to Customer Data maintenance and back-up).

5.3 Boomerang shall, in providing the Services, comply with its Policy relating to the privacy and security of the Customer Data.

5.4 If Boomerang processes any personal data on the Customer's behalf when performing its obligations under this Agreement, the parties hereby record their intention and agreement that the Customer shall be the data controller and Boomerang shall be a data processor. The obligations of the data controller and the data processor are set out in Schedule 1. In any such case:

5.4.1 the Customer acknowledges and agrees that the personal data may be transferred or stored within the EEA or the country where the Customer and/or the Authorised Users and/or recipients are located in order to carry out the Services and Boomerang's other obligations under this Agreement;

5.4.2 the Customer shall ensure at all times that the Customer is entitled to process and transfer the relevant information and personal data to Boomerang and that Boomerang can lawfully use, process and transfer the relevant information and personal data in order to provide the Services and/or in relation to this Agreement;

5.4.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their irrevocable and explicit consent to such use, processing, and transfer as required by all applicable data protection legislation. In particular, the Customer agrees that Messages must only be delivered to recipients and third parties who have given their prior explicit consent to the quantity, frequency and type of Messages to be delivered via the Services. Customer shall have informed recipients and/or third parties beforehand and on an ongoing basis about their right at any time to opt-out of receiving Messages and will comply at all times with such instructions from recipients and/or third parties; and

5.4.4 each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage and the Customer will at all times keep the information and personal data which it uses in relation to the Services up to date and not keep it for any longer than is necessary under applicable data protection legislation.

6. Third party providers

6.1 The Customer acknowledges that the Services may enable or assist it to access the website content of, correspond with, use, download and purchase products and services from third parties via third-party websites and applications and that the Customer does so solely at its own risk.

6.2 Boomerang makes no representation or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with and/or downloading in relation to any such third-party website and/or applications, or any transactions completed, and any contract entered into by the Customer, with any such third party.

6.3 Any contract entered into and any transaction completed via any third-party website and/or application and/or download is between the Customer and the relevant third party, and not Boomerang. Boomerang recommends that the Customer refers to the third party's website and/or application related terms and conditions and privacy policy prior to using the relevant third-party website and/or application. Boomerang does not endorse or approve any third-party website, application and/or download nor the content of any of the third-party website, application and/or download made available via the Services.

6.4 The Customer agrees and acknowledges that the Services provided are dependent upon the goods and/or services of Third Party Suppliers (including network operators) and, as such, if those third party providers change the way that they operate, their terms and conditions and/or the structure or ways in which they charge for their services (for example by introducing different message lengths or storage volume restrictions etc.) then this will have an impact on the Services and, as such, Boomerang reserves the right to change, amend and/or update the way in which it provides the Services to the Customer (including in relation to pricing) in order to reflect the way that Boomerang has been impacted by such third party changes and in such circumstances Boomerang will provide no less than 7 days prior written notice to the Customer of such changes provided that in the case of immediate or changes at short notice by such Third Party Suppliers, Boomerang will provide the Customer with as much notice as reasonably practicable.

6.5 The Customer hereby agrees, acknowledges and accepts that Third Party Suppliers (including network operators) may apply service restrictions and limitations from time to time in relation to and/or in connection with the Services. Such restrictions and limitations may include:

(i) imposing restrictions upon the length of a message (for example the number of characters). Where the Message content exceeds any limit the Message may be delivered and may be abbreviated based on the maximum characters allowed);

(ii) blocking Messages where the content of the Message is repeated across high volumes of messages or high volumes are submitted to the same recipient or recipients; and/or

(iii) blocking Messages based on the originating / sender id associated to or with the Message and/or amending the originating / sender Id associated to or with the Message, preventing any replies being returned to Boomerang.

Pricing and payment terms and monies due, owing or payable to Boomerang shall be in accordance with this Agreement regardless of any restrictions and limitations that may be imposed by, relate to and/or be connected with Third Party Suppliers (including network operators).

6.6 The Customer hereby expressly agrees that it will indemnify Boomerang for all costs, charges, fees and losses (of whatever nature and howsoever arising) that are claimed by any Third Party Suppliers (including network operators) and/or regulatory bodies and organisations (of whatever nature) and/or third parties from and/or against Boomerang in relation to the Customer’s use of the Services and/or the services provided by Third Party Supplier (including network operators) to the Customer.

7. Boomerang's obligations

7.1 Boomerang undertakes that the Services will be performed substantially in accordance with the Documentation and with reasonable skill and care.

7.2 The undertaking at clause ‎7.1 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to Boomerang's instructions, or modification or alteration of the Services by any party other than Boomerang or Boomerang's duly authorised contractors or agents. If the Services do not conform with the foregoing undertaking, Boomerang will, at its expense, use its reasonable commercial endeavours to correct any such non-conformance promptly, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer's sole and exclusive remedy for any breach of the undertaking set out in clause ‎7.1. Notwithstanding the foregoing, Boomerang:

7.2.1 does not warrant that the Customer's use of the Services will be uninterrupted or error-free and/or that the Services, Documentation and/or the information obtained by the Customer through the Services will meet all and/or any of the Customer's requirements; and

7.2.2 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities; and

7.2.3 is not responsible for checking, advising upon, notifying and/or ensuring that the use of the Services by the Customer will achieve the benefits (of whatever nature) that the Customer is seeking to achieve and/or that use of the Services by the Customer is in accordance with and complies with any rules, regulations and/or codes which the Customer is subject to including any advertising, financial services and/or data protection laws and regulations.

7.3 This Agreement shall not prevent or hinder Boomerang from entering into similar agreements with third party customers or others, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this Agreement.

8. Customer's obligations

8.1 The Customer shall provide Boomerang:

8.1.1 with all reasonable co-operation, information and assistance in relation to this Agreement. In particular, it will appoint a representative who shall have the authority to contractually bind the Customer on all matters relating to this Agreement and the Customer shall use reasonable endeavours to ensure the continuity of the Customer’s representative;

8.1.2 with all necessary access to such information as may be required by Boomerang in order to provide the Services, including but not limited to Customer Data, security access information and configuration services; and

8.1.3 prior to the date of this Agreement with a written list of delivery destinations and territories where the Customer intends to send Messages to and/or receive Messages from using the Services and this shall be listed in the Service Profile. The Customer hereby agrees that if the Customer subsequently sends Messages to and/or receives Messages from destinations and territories which are not in in the list in the Service Profile then the Customer will pay Boomerang the relevant additional charges and/or fees in relation to using the Services and/or Messages regarding those destinations and territories. The Customer and Boomerang may agree to update the destinations and territories in the Service Profile at any time subject to the Customer paying the relevant charges and fees regarding such updates (where such charges and fees will be higher than if the Customer had listed those destinations and territories in the Service Profile at the start of this Agreement).

8.2 The Customer shall at all times:

8.2.1 comply with all applicable laws and regulations with respect to its activities under this Agreement;

8.2.2 comply the with Policies set out in this Agreement

8.2.3 carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer's provision of such assistance as agreed by the parties, Boomerang may adjust any agreed timetable or delivery schedule as reasonably necessary;

8.2.4 ensure that the Authorised Users use the Services and the Documentation in accordance with the terms and conditions of this Agreement and the Customer shall be responsible for any Authorised User's breach of this Agreement and/or misuse, unauthorised use and/or damage to the Services by Authorised Users.

8.2.5 hereby grant Boomerang all licences, consents and permissions to process, store, transmit and/or copy information and data (including Messages) as Boomerang may require from time to time in relation to performing its obligations in relation to this Agreement;

8.2.6 obtain and shall maintain all required and/or necessary licences, consents, and permissions that may be required for Boomerang, its contractors and agents to perform their obligations under this Agreement, including without limitation the Services. This will include Customer obtaining permissions or consents from the relevant users and/or third parties where required and complying with local laws including in relation to data protection and privacy;

8.2.7 ensure that its network and systems are fully operational and in proper working order and comply with the relevant specifications provided by Boomerang from time to time;

8.2.8 be entirely responsible for procuring and maintaining and monitoring its network connections and telecommunications links from its systems to Boomerang's data centres and networks, and all problems, conditions, delays, delivery failures and all other loss or damage arising from and/or relating to the Customer's network connections or telecommunications links and/or issues caused by or arising from the Customer’s use of the internet; and

8.2.9 inform Authorised Users and/or third parties that Customer is the provider of the Services to them as between Boomerang and Customer, and Customer hereby agrees that Customer is solely responsible for any Messages that are originated from and/or transmitted to end users and/or third parties using the Services.

9. Charges and payment

9.1 The Customer shall pay the Fees to Boomerang for the Services in accordance with this clause ‎9 and the Service Profile.

9.2 Fees are based (in part) upon charges that are charged by Third Party Suppliers (including network operators) and so are not subject to discounts or credits. Third Party Suppliers (including network operators) will charge Boomerang for various services which Boomerang will in turn charge the Customer for which shall include: (i) Messages transmitted but not received for whatever reason; and (ii) long messages which are billed as separate Messages; (iii) Messages which are billed according to the encoding of the characters contained in the body of the Message and the network technology used by the destination Third Party Supplier (including network operators). For example, a single part, billable message, may contain a maximum of 160 GSM encoded characters and a multi-part message is billed in segments of 153 characters. A single part message containing Unicode characters may contain only 70 characters and (iv) Boomerang reserves the right to change the methods by which it charges for services (including billing in units for different types of Services).

9.3 The Customer shall on the Effective Date provide to Boomerang accurate, valid, up-to-date and complete payment details (which may include credit card, paypal, direct debit, standing order and/or any other payment method and process) and/or approved purchase order information acceptable to Boomerang and any other relevant accurate, valid, up-to-date and complete contact and billing details and, if the Customer provides:

9.3.1 its payment details to Boomerang, the Customer hereby expressly authorises Boomerang to bill the Customer using such payment details on the Effective Date for the Fees payable in respect of the Subscription Term and any Renewal Term periods; and

9.3.2 its approved purchase order information to Boomerang, Boomerang shall invoice the Customer:

9.3.2.1 on the Effective Date for the Fees payable in respect of the Initial Subscription Term; and

9.3.2.2 subject to clause ‎14.1, at least 30 days prior to each anniversary of the Effective Date for the Fees payable in respect of the next Renewal Term, and the Customer shall pay each invoice according to the payment notice period set out in the Service Profile.

9.4 If Boomerang has not received payment within 7 days after the due date, and without prejudice to any other rights and remedies of Boomerang:

9.4.1 Boomerang may after providing 5 Business Days’ written notice to the Customer, without any liability (of whatever nature and howsoever arising) to the Customer, disable the Customer's password, account and access to all or part of the Services and Boomerang shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and

9.4.2 interest shall accrue on a daily basis on such due amounts at an annual rate equal to 5% over the then current base lending rate of HSBC Bank plc from time to time, commencing on the due date and continuing until fully paid, whether before or after judgment.

9.5 All amounts and fees stated or referred to in this Agreement:

9.5.1 shall be payable in the currency agreed with Boomerang;

9.5.2 are non-cancellable and non-refundable;

9.5.3 are exclusive of value added tax (where applicable), which shall be added to Boomerang's invoice(s) at the appropriate rate.

9.6 If, at any time whilst using the Services, the Customer exceeds the amount of storage space specified in the Documentation and/or incurs additional charges by not complying with the Policies, Boomerang shall (at Boomerang’s absolute discretion) charge the Customer, and the Customer shall pay, Boomerang's then current excess data usage, management and/or storage fees and fees due as a result of not complying with the Policies. Boomerang's excess data usage, management and/or storage fees current as at the Effective Date are set out in the Service Profile .

9.7 Boomerang shall be entitled to increase the fees payable in respect of the additional Services purchased pursuant to clause 3 and/or the excess storage fees payable pursuant to clause 9.6 at the start of each Renewal Term upon no less than 30 days' prior notice to the Customer and the Service Profile shall be deemed to have been amended accordingly.

9.8 All invoices will be compiled from Boomerang’s records and will be deemed to be correct unless disputed by the Customer within 20 days of the date of the invoice with details of the reasons for the dispute.

9.9 In the event that Customer disputes any invoice in relation to any charges made by a Third Party Supplier (including a network operator) then Customer shall pay that invoice but Boomerang will investigate the nature of the dispute and raise this with the relevant Third Party Supplier (including a network operator) and if that Third Party Supplier (including any network operator) refunds any amounts then Boomerang will refund the appropriate amounts (less Boomerang fees and charges) to the Customer.

9.10 Where the Customer is a credit customer payment must be made for subscription fees, Message charges and any other charges or fees within 14 days of Boomerang’s invoice.

9.11 Where the Customer is a pre-payment customer: (i) the Customer shall pre-purchase Credits as may be agreed between the parties and Boomerang will allocate the corresponding number of Credits accordingly; (ii) the Credits are only valid for the Subscription Term and fees incurred over and above the pre-paid Credits will be paid by Customer to Boomerang and payable according to the payment notice period set out in the Service Profile; (iii) Customer is solely responsible for pre-payment Credits purchased and must ensure it has sufficient Credits to for its requirements from time to time and Boomerang shall not be liable or responsible if the Customer has insufficient Credits for its requirements and/or exceeds the number of pre-paid credits; and (iv) if Customer changes its subscription it will be invoiced by Boomerang for the new subscription and this must be paid by Customer according to the payment notice period set out in the Service Profile.

9.12 Customer hereby expressly agrees that it will indemnify Boomerang for all costs, charges and fees (of whatever nature and howsoever arising) that are claimed by any Third Party Suppliers (including network operators) from Boomerang in relation to Customer’s use of the Services.

9.13 After the first 12 months of this Agreement Boomerang may increase any of the Fees on giving the Customer no less than 30 days’ notice of any such increase and the Customer may terminate this Agreement within 30 days of receiving any such notice of any increase by giving notice to take effect no sooner than the date on which the increase in Fees was to become effective.

10. Proprietary rights

10.1 The Customer acknowledges and agrees that Boomerang and/or its licensors own all right, title and interest (including all Intellectual Property Rights) in relation to and/or in connection with the Services (including the Communication Addresses) and the Documentation (and all modifications, updates and/or changes to all of the foregoing).

10.2 Except as expressly stated herein, this Agreement does not grant the Customer any rights to, or in, any Intellectual Property Rights and/or or any other rights or licences in respect of the Services or the Documentation.

10.3 Boomerang confirms that it has all the rights in relation to the Services and the Documentation that are necessary to grant all the rights it purports to grant under, and in accordance with, the terms of this Agreement.

11. Confidentiality and compliance with policies

Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party's Confidential Information shall not be deemed to include information to the extent that it:

11.1.1 is or becomes publicly known other than through any act or omission of the receiving party;

11.1.2 was in the other party's lawful possession before the disclosure;

11.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure;

11.1.4 is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.

11.2 Each party shall hold the other's Confidential Information in confidence and, unless and to the extent required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of this Agreement.

11.3 Each party shall take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of this Agreement.

11.4 Neither party shall be responsible and/or liable for any loss, destruction, alteration and/or disclosure (of whatever nature and howsoever arising) of Confidential Information caused (directly or indirectly) by the acts and/or omissions of any third party that is not under a written duty of confidentiality to the relevant party hereto.

11.5 The Customer acknowledges that details of the Services, and the results of any performance tests of the Services, constitute Boomerang's Confidential Information.

11.6 Boomerang acknowledges that the Customer Data is the Confidential Information of the Customer.

11.7 No party shall make, or permit any person to make, any public announcement and/or statement (whether in writing or otherwise) concerning this Agreement without the prior written consent of the other parties (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including, without limitation, any relevant securities exchange), any court or other authority of competent jurisdiction provided that Boomerang may refer to the Customer and this deal and/or transaction on Boomerang’s website and/or in Boomerang promotional documentation and materials.

11.8 The above provisions of this clause ‎11 shall survive termination of this Agreement, however arising.

11.9 In performing its obligations under this Agreement the Customer shall comply with the Policies.

12. Use of Services

12.1 The Services must not in any circumstances be used for emergency services (e.g 999 calls or 112 calls) and/or in circumstances where, should there be any issues with the Services (for example delays with Messages) any party or person could suffer death or personal injury provided that such use may be allowed by Boomerang where this is expressly and specifically set out and agreed in the the Service Profile. If, notwithstanding this prohibition (and even if such use is expressly permitted in the Service Profile), the Customer will be entirely responsible for such use and such use shall be at the Customer’s own risk and the provisions of this clause 12 shall also apply to such use.

12.2 The Customer shall be entirely responsible for and shall defend, indemnify and hold harmless Boomerang against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with any claims brought against Boomerang by any third parties in relation to or in connection with the Customer’s use of the Services and/or this Agreement (including the sending and/or receiving of any Messages and/or in relation to the content of any Messages) provided that:

12.2.1 the Customer is given notice of any such claim by Boomerang;

12.2.2 Boomerang provides reasonable co-operation to the Customer in the defence and settlement of such claim, at the Customer's expense; and

12.2.3 the Customer is given sole authority to defend or settle the claim provided that the terms and/or consequences of settlement do not in any way adversely affect Boomerang.

12.3 Boomerang shall defend the Customer, its officers, directors and employees against any damages awarded against Customer as a result of any third party claim that the Services or Documentation infringes any third party Intellectual Property Rights provided that:

12.3.1 Boomerang is given prompt written notice of any such claim;

12.3.2 the Customer provides reasonable co-operation to Boomerang in the defence and settlement of such claim, at Boomerang's reasonable expense; and

12.3.3 Boomerang is given sole authority to defend or settle the claim.

12.4 In the defence or settlement of any claim, Boomerang may procure the right for the Customer to continue using the Services, replace or modify the Services so that they become non-infringing or, if such remedies are not reasonably available, terminate this Agreement on 14 Business Days' notice to the Customer without any additional liability or obligation to pay liquidated damages or other additional costs to the Customer.

12.5 In no event shall Boomerang, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged infringement is based on:

12.5.1 a modification and/or change of the Services and/or Documentation by anyone other than Boomerang;

12.5.2 the Customer's use of the Services and/or Documentation in a manner contrary to the instructions given to the Customer by Boomerang and/or in a manner contrary to any of the terms and conditions of this Agreement; and/or

12.5.3 the Customer's use of the Services or Documentation after notice of the alleged or actual infringement from Boomerang or any appropriate authority.

12.6 The foregoing state the Customer's sole and exclusive rights and remedies, and Boomerang's (including Boomerang's employees', agents' and sub-contractors') entire obligations and liability, for infringement of any Intellectual Property Rights.

13. Limitation of liability

13.1 This clause ‎13 sets out the entire liability of Boomerang (including any liability for the acts or omissions of its employees, agents and sub-contractors) to the Customer:

13.1.1 arising under or in connection with this Agreement;

13.1.2 in respect of any use made by the Customer of the Services and Documentation or any part of them; and

13.1.3 in respect of any representation, statement or tortious act or omission (including negligence) arising under or in connection with this Agreement.

13.2 Except as expressly and specifically provided in this Agreement:

13.2.1 the Customer assumes the entire responsibility for results and outcomes obtained from the use of the Services and the Documentation by the Customer, including for benefits and/or conclusions drawn from such use;

13.2.2 Boomerang shall have no liability for delayed or failed delivery of any Message and/or any reply to any Message including where such delay or failure is due to user error, Third Party Suppliers (including network operators) and/or processing and/or transmission errors;

13.2.3 Boomerang shall have no liability for any damage caused by errors or omissions in any information, instructions or scripts provided to Boomerang by the Customer in connection with the Services, or any actions taken by Boomerang at the Customer's direction;

13.2.4 the Customer hereby expressly accepts and acknowledges that Boomerang will not be liable or responsible (in whatever way and howsoever arising) for:

(i) the operation and processing by Third Party Suppliers (including network operators) of Messages. The results of actions by Third Party Suppliers (including network operators) may include Messages being delayed, not being transmitted to recipients and/or not being received by recipients;

(ii) the correct operation of equipment, services, Communication Addresses and/or resources of senders and recipients of Messages (for example ensuring that user mobile phones and/or other devices are switched on). The results of this may include Messages being delayed or not being transmitted to and/or from recipients and/or not being received by recipients;

(iii) Customer and/or end user error, misuse (whether intentional or unintentional) and/or unauthorised use of the Services;

(iv) the Customer selection and/or use of the Services including where Customer’s use of the Services is for purposes for which the Services were not designed and/or for which they were not intended to be used; and/or

(v) any losses of whatever nature (and whether direct and/or indirect) which relate to or are connected with the Customer not achieving its anticipated benefits or advantages by using the Services.

13.2.5 all warranties, representations, conditions and all other terms of any kind whatsoever implied by statute or common law are, to the fullest extent permitted by applicable law, excluded from this Agreement; and

13.2.6 the Services and the Documentation are provided to the Customer on an "as is" basis. The Customer must check and satisfy itself that it is entitled to use the Services in its selected jurisdictions for the purposes which it requires and ensure that it complies at all times with all rules and regulations regarding the purposes and ways in which it uses the Services in its selected jurisdictions (including all rules and regulations relating to data protection and privacy).

13.3 Nothing in this Agreement limits and/or excludes the liability of Boomerang:

13.3.1 for death or personal injury caused by Boomerang's negligence;

13.3.2 for fraud or fraudulent misrepresentation; and/or

13.3.3 for events or circumstances to the extent to which they cannot be excluded or limited by law.

13.4 Subject to clause ‎13.2 and ‎13.3:

13.4.1 Boomerang shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation, restitution or otherwise for any loss of profits (whether direct and/or indirect), loss of business, loss of anticipated savings, depletion of goodwill and/or similar losses and/or loss or corruption of data or information;

13.4.2 Boomerang shall not be liable for any special, indirect and/or consequential loss, costs, damages, charges or expenses however arising under this Agreement; and

13.4.3 Boomerang's total maximum aggregate liability in contract (including in respect of the indemnity at clause ‎12.3), tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement shall be limited to GBP£10,000.

13.5 The parties hereby expressly agree that the terms and conditions of this agreement (including those in clause 13) are reasonable and that each party has had the opportunity to negotiate these terms and take legal advice on them and the allocation of responsibility between the parties is reflected in the charges and that each party has entered into this agreement in its own respective commercial interests.

13.6 Neither party shall make any statements or claims which conflict with and/or are inconsistent and/or contrary to clause 13.6.

13.7 All references to "Boomerang" in this clause 13 shall, for the purposes of this clause and clause 13 only, be treated as including all employees, officers, subcontractors and agents of Boomerang, all of whom shall have the benefit of the exclusions and limitations of liability set out in this clause 13.

14. Term, Termination & Suspension

14.1 This Agreement shall, unless otherwise terminated as provided in this clause ‎14, continue for the Subscription Term and, thereafter, this Agreement be automatically renewed for successive Renewal Terms, unless:

14.1.1 either party notifies the other party of termination, in writing, at least 30 days before the end of the applicable Subscription Term or any applicable Renewal Term, in which case this Agreement shall terminate upon the expiry of the applicable Subscription Term or Renewal Term; or

14.1.2 otherwise terminated in accordance with the provisions of this Agreement;

14.2 Without affecting any other right or remedy available to it, either party may terminate this Agreement with immediate effect by giving written notice to the other party if:

14.2.1 the other party fails to pay any amount due under this Agreement on the due date for payment and remains in default not less than the payment notice period stated in the Service Profile after being notified in writing to make such payment;

14.2.2 the other party commits a material breach of any other term of this Agreement which breach is irremediable or (if such breach is remediable) fails to remedy that breach within a period of 30 days after being notified in writing to do so;

14.2.3 the other party suspends, or threatens to suspend, payment of its debts or is unable to pay its debts as they fall due or admits inability to pay its debts or is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986 and/or becomes insolvent and/or enters into any process or procedure which is similar to and/or equivalent to insolvency;

14.2.4 any event occurs, or proceeding is taken, with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 14.2.3; and/or

14.3 Boomerang may (without any liability of whatever nature and howsoever arising), suspend forthwith some or all of the Services to the Customer upon notice to the Customer if:

14.3.1 Boomerang is entitled to terminate this Agreement;

14.3.2 Boomerang is instructed or requested to do so by any governmental body or agency, an emergency services organisation, any competent authority and/or Court;

14.3.3 Any Third Party Supplier (including a network operator) ceases to provide services and/or changes the way it operates, does business and/or charges for its services;

14.3.4 Boomerang believes that it is necessary or desirable to do so for legal or other regulatory reasons including in relation to any issues relating to data protection and/or privacy laws and regulations;

14.3.5 The Customer is about to undergo any Change of Control; and/or

14.3.6 Boomerang believes or becomes aware that Customer or an Authorised User has breached the terms of this Agreement, is attempting to breach the terms of this Agreement and/or is planning to do so and/or Boomerang believes that the Customer is using the Services in such a way that could lead to Boomerang suffering or incurring liability and/or losses.

14.4 Any suspension of the Services by Boomerang shall entitle Boomerang to terminate this Agreement. Any suspension of the Services by Boomerang shall not exclude or affect any other right or remedy to which Boomerang may be entitled under this Agreement and the Customer shall still be obliged to pay all charges and fees that may be due, payable and/or owing in relation to this Agreement.

14.5 If the Service is suspended then Boomerang shall reinstate such Service as soon as reasonably practicable after the event giving rise to such suspension has been resolved or lifted to Boomerang’s reasonable satisfaction. If the Service is re-instated then Boomerang may charge a reconnection fee.

On termination of this Agreement for any reason:

14.5.1 all licences granted under this Agreement shall immediately terminate;

14.5.2 each party shall return and make no further use of any equipment, property, Documentation and other items (and all copies of them) belonging to the other party;

14.5.3 Boomerang may destroy or otherwise dispose of any of the Customer Data in its possession unless Boomerang receives, no later than ten days after the effective date of the termination of this Agreement, a written request for the delivery to the Customer of the then most recent back-up of the Customer Data. Boomerang shall use reasonable commercial endeavours to deliver the back-up to the Customer in such format and on such media as Boomerang selects within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and charges outstanding at and resulting from termination (whether or not these are due for payment at the date of termination). The Customer shall pay all reasonable expenses incurred by Boomerang in returning or disposing of Customer Data; and

14.5.4 any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination shall not be affected or prejudiced.

15. Force majeure

Boomerang shall have no liability to the Customer under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by acts, events, omissions or accidents beyond its reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes (whether involving the workforce of Boomerang or any other party), failure of a utility service or transport or telecommunications network, acts and/or omissions of Third Party Suppliers (including network operators), acts of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant, machinery and/or the internet, fire, flood, storm and/or acts or omissions of third parties, provided that the Customer is notified of such an event and its expected duration. Nothing in this clause shall entitle the Customer to delay, withhold and/or not pay any monies that may be due, owing and/or payable to Boomerang.

16. Conflict

If there is an inconsistency between any of the provisions in the main body of this Agreement and the Schedules, the provisions in the main body of this Agreement shall prevail.

17. Variation

No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

18. Waiver

No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

19. Rights and remedies

Except as expressly provided in this Agreement, the rights and remedies provided under this Agreement are in addition to, and not exclusive of, any rights or remedies provided by law.

20. Severance

20.1 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

20.2 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

21. Entire agreement

21.1 This Agreement, and any documents referred to in it, constitute the whole agreement between the parties and supersede any previous discussions, negotiations, proposals, product information, arrangements, agreements, understandings, and/or course of trade or conduct (whether in writing or otherwise) between them relating to the subject matter they cover.

21.2 Each of the parties expressly acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in writing in this Agreement.

21.3 Any terms and conditions contained in any Customer purchase order, agreement and/or document shall be invalid and shall not be relevant to this Agreement unless expressly agreed to in writing by Boomerang and signed by Boomerang.

21.4 All dates and times that are given in relation to the Services are estimates only and Boomerang shall have no liability in relation to meeting such times and dates.

21.5 Nothing in this clause shall exclude or limit any liability or responsibility in relation to any fraudulent misrepresentations.

22. Assignment

22.1 Subject to clause 22.2, neither party shall without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.

22.2 Boomerang may at any time assign, transfer, sub-contract and/or deal in any other manner with all and/or any of its rights or obligations under this Agreement in respect of or to: (i) any Boomerang group company or connected company; and/or (b) to any successor or assignee of Boomerang through any merger or acquisition of assets, provided that Boomerang shall remain primarily liable to the Customer for the performance of Boomerang’s obligations in this Agreement. A Boomerang group company shall include any other person controlling, controlled by or under common control with Boomerang where “control” and related terms means the ability to direct the affairs of Boomerang whether by means of the holding of shares, or the possession of voting power, by virtue of any powers conferred by its constitutional or corporate documents or otherwise.

23. No partnership or agency

Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).

24. Third party rights

This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.

25. Notices

25.1 Any notice required to be given under this Agreement shall be in writing and shall be delivered by hand or sent by pre-paid first-class post or recorded delivery post to the other party at its address set out in this Agreement, or such other address as may have been notified by that party for such purposes, or sent by fax to the other party's fax number as set out in this Agreement.

25.2 A notice delivered by hand shall be deemed to have been received when delivered (or if delivery is not in business hours, at 9 am on the first business day following delivery). A correctly addressed notice sent by pre-paid first-class post or recorded delivery post shall be deemed to have been received at the time at which it would have been delivered in the normal course of post. A notice sent by fax shall be deemed to have been received at the time of transmission (as shown by the timed printout obtained by the sender).

26. Set Off

The Customer hereby waives any and all existing and future set offs against any of the Fees and agrees to pay the Fees and any other sums due hereunder regardless of any set off or cross claim that the Customer may have against Boomerang and/or any third party.

27. Governing law and Jurisdiction

This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales and each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims) and provided that Boomerang shall be entitled to enforce its rights and remedies (including its intellectual property rights) both within and/or outside England against the Customer and unless otherwise provided for in the Service Profile.

SERVICE PROFILE

1 Effective Date

1.1 The date on which this Agreement is accepted by the Customer.

2 Fees

2.1 As provided by Boomerang and charged to a credit or debit card provided by the Customer or submitted by the Customer as a bank transfer [1]

3 Additional services

3.1 Additional Services may be purchased by the Customer in accordance with clause ‎3 at Boomerang’s then current prices for those Services at the time that any order is placed for such Services and visible in the organisation settings section of your Boomerang account here: https://boomerangui.com/organisation-settings

4 Fees for other services [2]

4.1 As provided by Boomerang and charged to a credit or debit card provided by the Customer or submitted by the Customer as a bank transfer

5 service selections

SERVICE SELECTIONS

Subscription Term:

A period of 12 months from and including the Effective Date [3]

Nature and Number of Authorised Users: Unlimited[4]

Emergency Use: This is not permitted except as follows and subject to the following conditions [5] Not applicable

Payment Notice Period: means 30 Days [6]

Plug-In Restrictions: Not Applicable [7]

Use Cases: Digital messaging [8]

Territories that Messages are to be sent to and/or received from using the Services are:

Globally where services are available [9]

Law: The provisions of the governing law and jurisdiction shall be as set out in this Agreement [10]

Schedule 1– GDPR PROCESSOR CLAUSES

1 Data Protection

1.1. Definitions: In this Clause, the following terms shall have the following meanings:

(a) "controller", "processor", "data subject", "personaldata" and "processing" (and " process") shall have the meanings given in Applicable Data Protection Law; and

(b) "Applicable Data Protection Law" shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

1.2. Relationship of the parties: The Customer (the controller) appoints Boomerang as a processor to process the personal data that is the subject of this Agreement (the "Data"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.

1.3. Purpose limitation: Boomerang shall process the Data as a processor as necessary to perform its obligations under this Agreement and strictly in accordance with the documented instructions of the Customer (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to the Customer. In no event shall Boomerang process the Data for its own purposes or those of any third party.

1.4. International transfers: Boomerang shall not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area ("EEA") unless (i) it has first obtained the Customer's prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

1.5. Confidentiality of processing: Boomerang shall ensure that any person that it authorises to process the Data (including the customer's staff, agents and subcontractors) (an " Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Boomerang shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

1.6. Security: The processor shall implement appropriate technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a " Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:

(a) the encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

1.7. Subprocessing: The Customer agrees that Boomerang may engage third parties to process personal data in order to assist Boomerang to deliver the services on behalf of the Customer provided that: (i) Boomerang provides at least 30 days' prior notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the following URL: https://boomerangmessaging.com/sub-processors (ii) Boomerang imposes data protection terms on any subprocessor it appoints that protect the Data to the same standard provided for by this Clause; and (iii) Boomerang remains fully liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. If the Customer refuses to consent to Boomerang's appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Boomerang will not appoint the subprocessor or the Customer may elect to suspend or terminate this Agreement.

1.8. Cooperation and data subjects' rights: Boomerang shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to the Customer to enable the Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Boomerang, Boomerang shall promptly inform the Customer providing full details of the same.

1.9. Data Protection Impact Assessment: If Boomerang believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform the Customer and provide the Customer with all such reasonable and timely assistance as the Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.

1.10. Security incidents: Upon becoming aware of a Security Incident, Boomerang shall inform the Customer without undue delay and shall provide all such timely information and cooperation as the Customer may require in order for the Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Boomerang shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep the Customer informed of all developments in connection with the Security Incident.

1.11. Deletion or return of Data: Upon termination or expiry of this Agreement, Boomerang shall (at the Customer 's election) destroy or return to the Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Boomerang is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Boomerang shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.

1.12. Audit: Boomerang shall permit the Customer (or its appointed third party auditors) to audit Boomerang's compliance with this Clause, and shall make available to the Customer all information, systems and staff necessary for the Customer or its third party auditors) to conduct such audit. Boomerang acknowledges that the Customer (or its third party auditors) may enter its premises for the purposes of conducting this audit, provided that the Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Boomerang's operations. Boomerang reserves the right to charge a daily rate for professional services during an onsite audit. The Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) the Customer believes a further audit is necessary due to a Security Incident suffered by Boomerang.

1.13. Indemnity: Each party (the "Indemnifying Party") shall indemnify the other (the " Indemnified Party") from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage (" Damage") suffered or incurred by the Indemnified Party as a result of the Indemnifying Party's breach of the data protection provisions set out in this Clause, and provided that: (i) the Indemnified Party gives the Indemnifying Party prompt notice of any circumstances of which it is aware that give rise to an indemnity claim under this Clause; and (ii) the Indemnified Party takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party's breach.

Schedule 2- Policies

BOOMERANG FAIR AND ACCEPTABLE USE POLICY

The obligations in this policy are (and in each case will be interpreted as being) placed upon the Customer and Authorised Users and end users and the Customer and Authorised Users and end users must comply with the obligations in this policy.

This Fair and Acceptable Use Policy (“FAUP”) applies to all users of Services provided by Boomerang, including third party services based on the Services. References to “us”, “we” and “our” are to any company within the Boomerang group of companies that provides those Services. The FAUP sets out certain rules and requirements governing use of the services provided by Boomerang. Capitalised terms used but not defined in this FAUP shall have the meaning given in this Agreement.

1 In relation to Software

1.1 You may use our Services only for lawful purposes in compliance with (i) all Applicable Laws; (ii) all applicable licences and authorisations required to be held by you or us; and (iii) all directives of competent authorities and applicable codes of conduct applicable in any country where the services are provided and/or to or from which messages are sent (including without limitation the Mobile Marketing Association Code, the CAP Code and PhonepayPlus Code concerning premium rate services).

1.2 In your use of our Services, you shall not:

1.2.1 act maliciously or upload or transmit any material that is false, misleading or likely to mislead or deceive, defamatory, trade libellous, sexually suggestive or explicit, indecent, obscene, offensive, harmful to minors, coercive, hateful, inflammatory, unlawfully threatening, unlawfully discriminatory or unlawfully harassing or which are excessive in quantity or transmission of which could diminish or harm our reputation or that of any Network Operator;

1.2.2 infringe the rights (including Intellectual Property Rights, other proprietary rights or rights of publicity or privacy) of us or of a third party;

1.2.3 act or promote any action that is criminal, unlawful or fraudulent or do anything that has a criminal, unlawful or fraudulent effect;

1.2.4 violate any Applicable Laws including without limitation those regarding unfair competition, anti-discrimination or false advertising;

1.2.5 transmit any junk mail, chain letters or unsolicited or unauthorised advertising or promotional materials or other similar form of solicitation (spam) or to harvest or collect information about others without their consent (phishing) or conduct social engineering activities;

1.2.6 launch denial of service attacks or engage in mail bombing or flooding or transmit or disseminate any signal or impulse that could cause electrical, magnetic, optical or other technical harm to our equipment and facilities of those of any third party;

1.2.7 knowingly or negligently upload, transmit or disseminate any viruses, Trojan horses, worms, time bombs, keystroke loggers, spyware, adware, cancel bots or other malware or computer programming routines that are intended to damage, detrimentally interfere with, surreptitiously intercept or appropriate any system, data or personal information;

1.2.8 collect, harvest or mine any information or data from any Service, our systems or other networks or systems connected to our systems or attempt to decipher any transmissions to or from the servers running any Service;

1.2.9 access any part of the Services to which you do not have access rights or use any Service in a way that could damage, disable, overburden, impair or compromise our systems or security or interfere with other users or in a manner that is in any way prejudicial to the image of Boomerang and/or the Services;

1.2.10 launch, promote or operate any illegal or unlicensed prize draws, lotteries or betting or gaming activities; or

1.2.11 create a false identity of forged speed mail, mobile phone address or header or misrepresent or attempt to mislead others as to the identity of the sender or origin of the message.

1.3 Where the Services are used to send Messages for marketing, solicitation or promotional purposes you must:

1.3.1 Ensure you have valid current opt-in consent from each End User as required by Applicable Laws in the country or territory where such End User is located and verify Contact Details against any preference service operating in the destination country or territory;

1.3.2 Ensure that each Message identifies you as the sender and includes contact details;

1.3.3 Provide End Users with an easy method of opting-out of the receipt of Messages (which shall be at standard and not premium rate charges), implement all out-out requests promptly (and in any event no later than two (2) calendar days following their receipt) and record such opt-out requests using suppression.

1.4 We may require proof that you have opt-in consents and/or proof that opt-out requests are being processed and honoured as required above. We may also investigate and/or suspend Services to you if we consider that the number of opt-out requests received in respect of any Numbers allocated to your account is excessive. Upon our request, you agree to cooperate with us in identifying the source of and/or reasons for the excessive opt-out rate. For purposes of this section, your cooperation includes, but is not limited to, providing us with proof of opt-ins and sharing content of sample Messages sent to End Users (by you or an Authorised User). We may terminate any Contract with you with immediate effect and/or withdraw your use of the Services without further notice to you if we cannot determine the cause of the excessive rate, or if the cause is or appears to be due to conduct in breach of this FAUP or otherwise a breach of our Agreement. We may, in our sole discretion, allow you to continue using our Services should you make suitable changes such that the opt-out rate is not excessive.

1.5 We may (but are not obliged to) monitor your use of our Services with regard to messaging behaviour and content for operational purposes.

2 Excessive Use

2.1 Our Excessive Use policy as detailed in this section 2 has been implemented so that we can provide so far as possible a single pricing structure for customers in each territory which allows customers to use the Services and to pay a flat-rate charge for each Message sent regardless of its end destination.

2.2 Your use of our Services assumes an even distribution of Messages which is not ‘groomed’ or discriminated against based on time of day, geographic area or any other factor.

2.3 Some destinations are more expensive to send Messages to than other destinations. If you send a volume of Messages to expensive destinations that we consider excessive given your use of the Services, we may notify you and ask you to revert to an even distribution. If you continue such behaviour we may at our option either levy additional charges reflecting the increased cost of delivering Messages to such destinations which shall take effect from the date we first notified you of excessive use or suspend your use of the Services either to that destination or generally.

3 Changes to this FAUP

We may revise this FAUP at any time by posting the revised version on the Website. You are expected to check this page from time to time and to take note of any changes made.

DATA PROTECTION & PRIVACY POLICY

The obligations in this policy are (and in each case will be interpreted as being) placed upon the Customer and Authorised Users and end users and the Customer and Authorised Users and end users must comply with the obligations in this policy. Updates to this Policy are published at https://boomerangmessaging.com/privacy/

This policy explains how we collect, use, share and protect your personal information. There may be other privacy policies that apply to certain services we provide. You will find such policies in the terms of your contract with Boomerang.

1 Collecting your personal information

We can get your personal information when you:

  1. Buy a product or service from us
  2. Register in order to get information for a specific product or service
  3. Subscribe to newsletters, alerts or other services from us
  4. Ask us for more information about a product or service, or contact us with a question or complaint
  5. Use our products or services
  6. Visit our website
  7. We may also collect information about you from other organizations, if this is appropriate. These include fraud-prevention agencies, business directories and credit reference agencies. We may also collect information about you from other companies and our business partners.

We may also collect information about you from other organizations, if this is appropriate. These include fraud-prevention agencies, business directories and credit reference agencies. We may also collect information about you from other companies and our business partners..

2 Understanding what you want

We use cookies (small text files stored in your browser) and other techniques such as Cookies collect information that tells us how you use our websites, web-related products and services, providing us with information that helps us improve the user’s experience.

This, in turn, helps us make our website relevant to your interests and needs. We may use a persistent cookie (a cookie that stays linked to your browser) to record your details so we can recognise you if you visit our website again.

You can choose to refuse cookies or set your browser to let you know each time a website tries to set a cookie. Information regarding how to manage cookies is provided within the Boomerang website or Boomerang UI application.

3 The personal information we collect

The information we collect about you depends on the products and services you use and the way you navigate our website. It includes (but isn’t limited to) the following:

  1. Standard contact details, such as your name, work address, email, and contact phone numbers including a mobile number which is used to receive an authorisation code when creating a new Boomerang UI account
  2. Social media contact details, such as Facebook, Twitter, and LinkedIn
  3. Your role in the business you work in, including seniority and decision-making rights
  4. The name and contact details of any assistant that you delegate work through
  5. Your interest in receiving marketing, product, or technical alerts
  6. Contact details to which billing information is sent
  7. Contact details to which support or service related notifications maybe sent
  8. Our contact history with you (such as calls, SMS and emails), and details about your website browsing
  9. When upgrading from a trial or free account, we may ask for company information, including but not limited to a registered office, trading address, registration number and VAT number
  10. When you upgrade your account from a trial or free account, we’ll ask you to provide our payment processor with your payment method data such as your bank details, credit card information or your Paypal account information, and/or your billing address. Our payment processor, acting on our behalf, gathers this so that we can bill you for your use of our products and services
  11. Specific product related information relating to your intended use of the service that may be required in order to provision that service (e.g. dedicated SMS short-codes).

4 Service related data we collect

  1. We collect and store the API credentials (username, password and licence key) that are used to authenticate your requests to our APIs
  2. We will collect data relating to any service specific issues you have encountered to help us resolve any issues as quickly as possible. This may include information relating to how and why you are using the service, technical specifications and configurations that are local to your environment and business applications. Some of this information may be used for our internal ‘knowledge base’ that is used to help inform and train customer service representatives
  3. Boomerang communication functions used by your business applications and IP addresses for those applications communicating with Boomerang
  4. A username (email address) and password used to access the Boomerang UI online applications
  5. We allow you to add and / or import your customer data into Boomerang UI. This includes but is not limited to communication addresses (including email addresses, mobile telephone numbers and landline telephone numbers) and other custom data which may be used for personal data. Access to such data can be controlled using permission features within the application itself, to ensure that any sensitive data is only available on a need to know basis. Any such data will not be accessed or used by Boomerang.
  6. Expected message volumes and service usage to ensure that the Service has the capacity support the required usage
  7. Transactional message data used for reporting that includes (but not limited to); message content, the recipient’s communication address, the communication method, any associated identifiers, frequency of usage, the delivery status and any response messages associated to those transactions. Boomerang’s Service Agreements define content that is deemed as not acceptable when processing transactional message data through the Services
  8. Activity by carried out by individual system users including a record of when users accessed Boomerang’s applications and activities performed within the application so that an audit trail of user behaviour is available to the customer
  9. We may gather publicly-available information about companies that are our customers or competitors, such as where they are located, their website URL, their industry, and their size. Sometimes this type of customer account data is obtained through third-party service providers that specialize in pulling together publicly-available information about companies.

5 Using your personal information

Generally, we use all the data that you provide to us or that we collect from you to provide our products and services to you, to enable you to access and use our products and services, to deliver your communications to their intended destination, and to analyse our customers’ use of our products and services, to improve our products and services, and to detect fraudulent or unlawful activity in connection with Boomerang accounts.

We may use and analyse your information to:

  1. Bill you for using our products or services
  2. Respond to any questions or concerns you may have about using our products or services
  3. Protect our systems and manage the volume of texts and other use of our systems
  4. Understand how you use our products and services to help us develop more interesting and relevant products and services
  5. Carry out research and statistical analysis including to monitor how customers use our products and services on an anonymous or personal basis
  6. Prevent and detect fraud or other crimes, recover debts or trace those who owe us money
  7. Keep you informed generally about new products and services (unless you choose not to receive our marketing messages)
  8. Contact you with offers or promotions based on how you use our products and services
  9. To send you service related notifications that relate to use of our products and services, such as low credit warnings, account expiration warnings and undelivered messages
  10. Customer Content - We use customer content for the purposes that you allow us access to it, like conveying it to and from telecommunications carrier networks or recording and transcribing it per your instruction. We may also use customer content stored on our systems to troubleshoot issues such as call quality concerns
  11. Customer Account Information - We use your email address in connection with your account password to authenticate your account to allow you to access your account data through the Boomerang UI application
  12. We will use publicly-available customer account data about your company, such as your industry, the size of your company, and your company’s website URL, to help us understand our customer base better and to tailor information we send you about other Boomerang products, services, or events
  13. If you provide us with a physical address in order to obtain a number for which Boomerang is required to have your physical address on file, we’ll use that address so that we can confirm we can allow you to have that number. We may also check the physical address you provide and/or your billing address, as well as other information you provide or that we obtained from your use of our service about your identity such as your name, email address, and IP address, with our fraud prevention and identity validation providers (to confirm you have provided us with accurate details). We may also use your address information to calculate taxes. We may also have to share these addresses with the telecommunications provider from whom Boomerang obtained the phone number or local authorities upon their request. Unless prohibited from doing so by law, we’ll let you know if we have to share your address information like this
  14. We use your payment information so we can bill you and be paid for your use of our products and services

15. We use transactional message data processed through your account to generate reports and to provide an itemised bill of your messaging activity.

We’ll store your information for as long as we have to by law. If there’s no legal requirement, we’ll only store it for as long as we need it. We’ll also keep some personal information for a reasonable period after the provision of products and services has finished – just in case you decide to use our services again.

6 Sharing your personal information

Unless you give us your permission, we won’t share your customer content, customer account data, or customer usage data with third parties, except as described below:

  1. Message carriers and operators as necessary for proper routing and connectivity. Therefore, customer content and certain customer usage data is shared with and received from telephony operators to the extent necessary to route and connect those communications from the sender to the intended recipient. How those telephony operators handle your customer content and customer usage data is generally determined by those operators’ own policies and local regulations.
  2. Other communications service providers for proper routing and connectivity. Boomerang may also allow you to use its products and services to send or receive communications through communications service providers that do not use the PSTN, such as Telegram, Facebook Messenger (often referred to as Over-the-Top (OTT) communications service providers). If you choose to use Boomerang’s products and services to send or receive communications by way of these providers, Boomerang will share and receive customer content and customer usage data with these providers to the extent necessary to route and connect those communications from the sender to the intended recipient. How those communications service providers handle your customer content and customer usage data is determined their own policies.
  3. Third-party service providers or consultants. We may share your data stored on our systems with third-party service providers or consultants who need access to the data to perform their work on Boomerang’s behalf, like sharing relevant customer account data with our payment processor so it can process payments on our behalf, or our storage provider for storing your data on our behalf. These third-party service providers are limited to only accessing or using this data to provide services to us and must provide reasonable assurances that they will appropriately safeguard the data.
  4. Compliance with Laws. We may disclose your data stored on our systems to a third party if (i) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or a government request (including to meet national security or law enforcement requirements), (ii) to enforce our agreements and policies, (iii) to protect the security or integrity of our services and products, (iv) to protect ourselves, our other customers, or the public from harm or illegal activities, or (v) to respond to an emergency which we believe in good faith requires us to disclose data to assist in preventing a death or serious bodily injury. If Boomerang is required by law to disclose any of your data that directly identifies you, then we will use reasonable efforts to provide you with notice of that disclosure requirement, unless we are prohibited from doing so by statute, subpoena or court or administrative order. Further, we object to requests that we do not believe were issued properly.
  5. Business transfers. If we go through a corporate sale, merger, reorganization, dissolution or similar event, customer data we gather from you may be part of the assets transferred or shared in connection with the due diligence for any such transaction. Any acquirer or successor of Boomerang may continue to use your data as set forth in this notice.
  6. Credit reference, fraud prevention or business scoring agencies, or other credit scoring agencies
  7. Debt collection agencies or other debt recovery organizations

We do not share your data (including, but not limited to, the personal data of your end users) with third parties for their direct marketing purposes, unless you give us your consent to do so

7 Storage and transfer of data

Please note that all Boomerang customer account data is stored on servers and equipment located in the UK. In performing its duties as a service provider Boomerang may need to pass customer content (transactional message data) to suppliers located outside of the UK.

8 Information from Children

We do not knowingly collect any personal information directly from children. If we discover we have received any personal information from a child in violation of this policy, we will take reasonable steps to delete that information as quickly as possible. If you believe we have any information from or about anyone a child, please contact operations@boomcomms.com.

9 How we secure your data

We work to recognised security standards and constantly review and improve our measures to protect your personal information from unauthorized access, accidental loss, disclosure or destruction.

We work with suppliers who have the appropriate security controls in place to protect your data from unauthorized access, accidental loss, disclosure or destruction. These organisations won’t be entitled to use your personal information for their own purposes.

We use appropriate measures to protect your data based on the sensitivity of the information that we collect, process and store and the current state of technology. Please note though that no service is completely secure. So, while we strive to protect your data, we cannot guarantee that unauthorized access, hacking, data loss or a data breach will never occur.

We work to help our customers protect their data, by providing access confidential data such as usernames and passwords securely and we provide access to security controls within the Boomerang UI application and across the Boomerang messaging gateway that allows customers to overwrite any sensitive data such as messages content and communication addresses.

Communications over the Internet (such as emails) are not secure unless they’ve been encrypted. Your communications may go through a number of countries before being delivered – as this is the nature of the Internet. We can’t accept responsibility for any unauthorized access or loss of personal information that’s beyond our control.

10 Changes to this policy

Should we elect to change our privacy policy we will publish these changes on our Boomerang UI application and our company website. Where the changes are significant, we may also choose to email all customers with the new details. Where required by law, will we obtain your consent to make these changes.

11 Your privacy rights

You can write to us at any time to get a copy of the personal information we hold about you and we will process your request as quickly as possible. If you believe we’re holding inaccurate information about you, please contact us at operations@boomcomms.com

If you no longer want to receive marketing messages from us please write to us at this email address or use the unsubscribe option provided in the relevant email.

Please note that even if you opt out of promotional communications, we may still send you messages relating to access to and use of the services and products and things like updates to our terms of service or privacy notices, security alerts, and other notices.

To request deletion of your Boomerang account, email us at operations@boomcomms.com Deleting your Boomerang account will result in you permanently losing access to your account and all customer data to which you previously had access through your account. Please note that certain data associated with that account may nonetheless remain on Boomerang’s servers in an aggregated or anonymized form that does not specifically identify you. Similarly, data associated with your account that we are required by law to maintain will also not be deleted.

If you are an end user of an application that uses Boomerang’s services, you should direct requests for access and/or deletion of your data associated with that application to the relevant service provider in accordance with that application provider’s own privacy policy.

INFORMATION SECURITY POLICY

The obligations in this policy are (and in each case will be interpreted as being) placed upon the Customer and Authorised Users and end users and the Customer and Authorised Users and end users must comply with the obligations in this policy.

1 Risk Management

An overall risk assessment of the information systems should be performed at least annually. Risk assessments must identify, quantify and prioritize the risks according to relevant criteria for acceptable risks.

Risk assessments are to be carried out when implementing changes impacting information security. Recognized methods of assessing risks should be employed

An appointed officer with the requisite knowledge and experience will be responsible for ensuring that the risk management processes are coordinated in accordance with the policy.

The same officer is responsible for ensuring that risk assessments are implemented in accordance with the policy.

Risk management is to be carried out according to pre-approved criteria.

Risk assessments must be approved.

All risks must be recorded and tracked and a mitigation strategy must be formulated to address each risk, as per a Risk Management policy.

If a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

2 Classification and control of assets

"Assets" include both information assets, process assets and physical assets.

Information and infrastructure should be classified according to security level and access control.

Assets should be classified as one of three categories for confidentiality:

Sensitive : Information of a sensitive variety where unauthorised access (including internally) may lead to considerable damage for individuals, the company or their interests.

Internal :
Information which may harm the company or be inappropriate for a third party to gain knowledge of. An appointed officer with the requisite knowledge and experience decides who may access and how to implement that access.

Open : Other information is open.

The company shall carry out risk analyses in order to classify information based on how critical it is for operations (criticality).

Routines for classification of information and risk analysis must be developed.

Users administrating information on behalf of the company should treat said information according to classification.

Sensitive documents should be clearly marked.

A plan for electronic storage of essential documentation should be developed.

Information that is vital for operations should be accessible independent of which systems the informati on was created or processed in.

3 Information security in connection with employees and contractors

3.1 Prior to employment

Security responsibility and roles for employees and contractors should be described.

A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information.

IT regulations should be accepted for all employment contracts and for s ystem access for third parties.

3.2 During employment

The IT regulations refer to the organisation’s information security requirements and the users' responsibility for complying with these regulations.

The IT regulations should be reviewed regularly with all users and with all new staff.

All employees and third-party users should receive adequate training and updating regarding the Information security policy and procedures. The training requirements may vary.

Breaches of the Information security policy and accompanying guidelines will normally result in sanctions (documented in the organisation’s handbook)

Information systems and other assets should only be utilised for their intended purpose. Necessary private usage is permitted.

Private IT equipment may only be connected where explicitly permitted. All other use must be approved in advance by the IT department.

Use of IT infrastructure for personal commercial activities is under no circumstances permitted.

All employees and third-party users are responsible for the security of their information systems and assets (PCs, laptops, mobile devices, documentation etc.). Electronic devices containing sensitive information must not be left unattended for long periods while signed-on. Employees must keep passwords secure and must not share accounts. Authorised users are responsible for the security of their passwords and system accounts.

3.3 Termination or change of employment

The responsibility for termination or change of employment should be clearly defined in a separate routine with relevant circulation forms.

Assets should be handed in at the conclusion of the need for the use of these assets.

Access rights should be changed or terminated at termination or change of employment. A routine should be present for handling alumni relationships.

Notification on employment termination or change should be carried out through the procedures defined in the personnel system.

4 Information security relating to physical conditions

IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorised personnel have access.

Data centres should be properly secured against damage caused by fire, water, explosions, vibrations, etc.

A nominated manager (e.g. the IT Manager) is responsible for approving physical access to technical computer rooms.

A designated manager will be responsible for the approval of physical access to secure areas other than technical computer rooms.

All of the company's offices and data centres should be secured according the appropriate classification, using adequate security systems, including suitable tracking/logging.

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities should be adopted.

The clear desk and clear screen policy should take into account the information classifications, legal and contractual requirements and Code of Conduct.

Management should ensure that work performed by third parties in secure zones is suitably monitored and documented.

All personnel or third parties accessing data centres should be able to be identified and wear personal access cards. The ID cards are personal, and must not be transferred to a third party or to colleagues.

Access cards may be supplied to workmen, technicians and others after proper identification [and a signed confidentiality agreement].

Visitors to the data centres must be escorted and / or monitored, e.g. with cameras.

Visitors to the data centres must be signed in and out

Any member of staff receiving visitors at the Company offices are responsible for their supervision

All external doors and windows must be closed and locked at the end of the work day

5 Securing equipment

Secure IT equipment must be protected against environmental threats (fires, flooding, temperature variations, etc.). Classification of equipment should be based on risk assessments.

Information classified as "sensitive" must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks, etc.). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department.

During travel, portable computer equipment should be treated as carry-on luggage.

Areas classified as "red" must be secured with suitable fire extinguishing equipment with appropriate alarms.

Fire drills shall be carried out on a regular basis.

6 IT communications and operations management

6.1 Operational procedures and areas of responsibility

Purchase and installation of IT equipment must be approved by the IT department. 


Purchase and installation of software for IT equipment must be approved by the IT department.

The IT department should ensure documentation of the IT systems according to required standards.

Changes in IT systems should only be implemented if well-founded from a business and security standpoint.

The IT department should have emergency procedures in order to minimize the effect of unsuccessful changes to the IT systems.

Operational procedures should be documented. Documentation must be updated following all substantial changes.

Before a new IT system or service is put in production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place.

Duties and responsibilities should be separated in a manner reducing the possibility of unauthorised or unforeseen abuse of assets.

Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorised access or changes, and in order to reduce the risk of error conditions.

6.2 Third party services


All contracts regarding outsourced IT systems should include:

6.3 System planning and acceptance

Requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance.

IT systems must be dimensioned according to capacity requirements. The load should be monitored in order to apply upgrades and adjustments in a timely manner. This is especially important for business-critical systems.

6.4 Protection against malicious code

Computer equipment must be safeguarded against virus and other malicious code. This is the responsibility of a senior manager.

6.5 Backup

The IT department is responsible for carrying out regular backups and restore of these backups, as well as data storage on IT systems according to their classification.

Users must always save data and files on the network as opposed to the local hard disk. This ensures that regular backups must be taken and must be available for recovery purposes.

Users must be made aware that data saved on the local hard disk is not backed up by the IT Department/relevant IT resource.

Backups should be stored externally or in a separate, suitably protected area.

6.6 Network administration

The IT department has the overall responsibility for protecting the internal network.

There should be an asset inventory containing all equipment connected to wired networks.

All access to networks should be logged.

6.7 Management of storage media

There should be procedures in place for the management of removable storage media.

Implementation is the responsibility of each employee.

Storage media should be disposed of securely and safely when no longer required, using formal procedures.

6.8 Exchange of information

Procedures and controls should be established for protecting exchange of information with third parties and information transfer. Third party suppliers must comply with these procedures.

The right to access personal e-mail and other personal data stored on company computer networks according to the Data Protection Act 1998 is available.

6.9 Use of encryption

Storage and transfer of sensitive information should be encrypted or otherwise protected.

6.10 Electronic exchange of information

Information exchanged across public networks in connection with e-commerce, should be protected against fraud, contractual discrepancies, unauthorised access and changes.

The IT department should ensure that publicly accessible information, e.g. on web services, is adequately protected against unauthorised access.

6.11 Monitoring of system access and usage

Access and use of IT systems should be logged and monitored in order to detect unauthorised information processing activities.

Usage and decisions should be traceable to a specific entity, e.g. a person or a specific system.

The IT department should register substantial disruptions and irregularities of system operations, along with potential causes of the errors.

Capacity, uptime and quality of the IT systems and networks should be sufficiently monitored in order to ensure reliable operation and availability.

The IT department should log security incidents for all essential systems.

The IT department should ensure that system clocks are synchronized to the correct time.

6.12 Off-Boarding customers

The process for off-boarding customers should be clearly defined and approved.

All customer data should be removed from company systems in accordance with the requirements of the customer and disposed of securely.

Requests for retrieval of customer data should be carried in a timely manner that is proportionate to the request made.

6.13 Disposal of data

Any decision whether to retain or dispose of a Customer data should be taken in accordance with the retention/disposal protocol. This protocol consists of:

6.13.1 The key disposal/retention considerations criteria checklist, set out in Section 1 of Appendix 1 to this policy. Essentially no document should be disposed of unless all these have been considered in relation to the document.

6.13.2 The Retention Schedules (taken from the Records Management Society) contained in Section 2 of Appendix 1 to this policy. These provide guidance on recommended and mandatory minimum retention periods for specific classes of documents/records.

7 Access control

7.1 Business requirements

Written guidelines for access control and passwords based on business and security requirements should be in place. Guidelines should be re-evaluated on a regular basis.

Guidelines should contain password requirements (frequency of change, minimum length, character types which may/must be utilised, etc.) and regulate password storage.

7.2 User administration and responsibility

Users accessing systems must be authenticated according to guidelines. 


Users should have unique combinations of usernames and passwords. 


Users are responsible for any usage of their usernames and passwords. Users should keep their passwords confidential and not disclose them unless explicitly authorized to do so.

7.3 Access control and authorisation

Access to information systems should be authorised by line management. This includes access rights, including accompanying privileges. Authorisations should only be granted on a "need to know" basis, and regulated according to role.

The line manager should alert the system administrator about granting access and changes in accordance with the directives from the IT Department.

7.4 Network access control

The IT department is responsible for ensuring that network access is granted in accordance with access policy.

Users should only have access to the services they are authorised for. 


The access to privileged accounts and sensitive areas should be restricted. 


Users should be prevented from accessing unauthorised information.

7.5 Mobile equipment and remote workplaces

Remote access to computer equipment and services is only permitted if the security policy has been read and understood.

Remote access to the company network may only take place through security solutions approved by the IT department.

Mobile units should be protected using adequate security measures.

Information classified as sensitive must be encrypted if stored on portable media, such as memory sticks, PDAs, DVDs and cell phones.

8 Information systems acquisition, development and maintenance

8.1 Security requirements for information systems

Definitions of operational requirements for new systems or enhancements to existing systems must contain security requirements.

8.2 Cryptographic controls

Guidelines for administration and use of encryption for protecting information should be in place.

9 Security in development and maintenance

Systems developed for or by the company must satisfy definite security requirements, including data verification, securing the code before being put in production, and use of encryption.

All software should be thoroughly tested and formally accepted by the Operations Director and the IT department before being transferred to the production environment.

10 Information security incident management

10.1 Responsibility for reporting

All breaches of security, along with the use of information systems contrary to routines, should be treated as incidents.

All employees are responsible for reporting breaches and possible breaches of security. Incidents should be reported to management.

10.2 Measurements

Routines are to be developed for incident management and reporting. The routines should contain measures for preventing repetition as well as measures for minimizing the damage.

There should be routines in place for defining the cost of security incidents.

10.3 Collection of evidence

A process defining simple routines for collecting evidence should be in place.

APPENDIX 1

1 Data Disposal / retention considerations

1.1 Has the document / data been appraised?

1.2 Is retention required to fulfil statutory or other regulatory requirements?

1.3 Is retention required to evidence events in the case of a dispute?

1.4 In retention required to meet the operational needs of Boomerang

2 Suggested retention period for different types of data

2.1 The table below provides recommendations regarding the retention period for documentation and customer data:

Type of record

Suggested retention period

Accident records

3 years after end of investigation

Any information private to any individual

Destroy when no longer required

Bank records

7 years

Company records

Permanent

CVs and job applications not hired

6 months after notification

Disciplinary records

5 years following end of employment

Employer's liability insurance certificate

40 years

General email correspondence

6 months unless likely that it will be need to retained for longer

Historical records relating to Boomerang

Permanent

Medical and safety records

7 years

Personnel files

5 years following end of employment

Property records, trust deeds

Permanent

Redundancy records

6 years after redundancy

Sickness/sick pay records

3 years

Software and hardware inventory details

7 years

Tax records - self-employed or partnership

5 years from last tax date

Tax records – companies

6 years from last accounting period

Transactional message data

2 years*

*Default is 2 years although transactional message data can be overwritten according to a customer’s specific requirements



[1] See clause 9 regarding payment of Fees

[2] See clause 3 regarding additional services

[3] See definition of Subscription Term and clause 2.1, 3.1, 4.1 and also cross references in various clauses in this Agreement to Subscription Term

[4] See definition of Authorised Users, clause 2 and clause 2.2.1

[5] See clauses 2.3.1, 12 and 14.3.2

[6] See clause 14.2.1

[7] See definition of “Plug-In”, “Services” and “Software” and also clause 2.4.6

[8] See definition of “Use Cases” and clause 2.1

[9] See clause 8.1.3

[10] See clause 27