End User Licence Agreement

 

Please read carefully before registering to use the Mailock service:

This licence agreement (Licence) is a legal agreement between you (Licensee or you) and Beyond Encryption Limited, (company number 08814096) of 1 Gloster Court, Whittle Avenue, Fareham, Hampshire, PO15 5SH (Licensor, us or we) for:

  • Mailock secure email system which enables users, in accordance with compatible software, to apply encryption to their existing email (Services); and
  • online electronic documents telling you about the Services (Documents).

We license use of the Services and Documents to you on the basis of this Licence. We do not sell the Services or Documents to you. We remain the owners of the Services and Documents at all times.

 

Important notice to all users:

By registering for your Mailock account you agree to the Terms of this Licence and the Terms of our Acceptable Use Policy, which can be found at www.beyondencryption.com and which will bind you and your employees. The terms of this Licence include, in particular, limitations on liability in Condition 5.1 and Condition 5.3.

  • If you do not agree to the Terms of this Licence, you must not register for your Mailock account and you may not access the Services or Documents.
  • At all times you remain responsible for determining whether the level of security you apply to your email when using the Services is sufficient for the communication and for determining whether any other security requirements should be applied or incorporated into your existing infrastructure.

To send secure communications using the Services you need any of the following:

  • the Outlook Add-in (an Adapter) if Outlook is your email app.
  • a supported internet browser.
  • a Gateway solution which may be adopted for companies with multiple users and/or bulk volume sends.

The Services will be subject to minimum compatible mobile or computer device specifications and browser or operating system requirements. These requirements, together with information on increased accessibility for the Services through email Add-in and Applications can be found at www.beyondencryption.com. This also includes details of using the Services via a web browser.

You may want to print a copy of this Licence for future reference.

 

1.

Grant and scope of licence

1.1

In consideration of you agreeing to abide by the terms of this Licence and, where appropriate, paying the licence fee, we grant to you a non-exclusive, non-transferable licence to use the Services and the Documents on the terms of this Licence. Within the Services offered, there are two different licence types, suitable for business (Mailock Pro) or end client use (Mailock Free), with variances in message functionality, ability to send secure email messages, methods of verification, message availability, company branding and message storage. Further details on our licence types and their comparative functionality can be found at our website www.beyondencryption.com or by contacting our Sales team at sales@beyondencryption.com.

1.2

You:

  1. may download, install and use the Services for your personal use or for your internal business purposes only;
  2. may download, install and use ‘Adapters’ on multiple email devices provided that all the email addresses used have been registered on your account and are used by the nominated user alone;
  3. will receive and use any free supplementary updates of the Services incorporating “patches” and corrections of errors as may be provided by us at our discretion from time to time; and
  4. use any Documents in support of the use permitted under Condition 1.2.

1.3

You shall:

  1. as the registered account holder, take all reasonable steps to ensure that nobody other than yourself, as the registered user, accesses the Services using your user accounts, created with your username, password or Unipass ID.
  2. only use the Services in a manner that complies with applicable laws and regulations in your jurisdiction. Our Acceptable Use Policy sets out in detail the prohibited uses of our Services. You shall ensure that you and, where appropriate, your authorised users shall adhere to the terms of our Acceptable Use Policy. We reserve the right to disable your or your users’ access to the Services without further liability if you or any of your users breach any clauses within the Acceptable Use Policy or this EULA.
  3. use the Services in accordance with all restrictions concerning privacy, data protection and intellectual property rights.
  4. be responsible for the information technology and computer programs through which you, or any of your users access the Services.
  5. limit use of the Services by you and your users to fair usage, which is a maximum of 100 sent messages per user per month, which for Mailock Pro could be averaged across all users within a given business / company as long as all users hold an individual licence. We reserve the right to charge for additional message bundles if these monthly limits are regularly exceeded.
  6. limit the use of SMS two factor authentication available to the sender of a secure message with Mailock Pro to 25 SMS messages per month which could be averaged across all users within a given business/company as long as all users hold an individual licence. We reserve the right to make additional charges if these limits are exceeded or when non-UK registered mobile numbers are used.

Where you have a Mailock Pro account you shall also:

  1. nominate at least one administrative user to utilise the administration console, as defined in the published guide available at www.beyondencryption.com, who will be granted system administration rights for the Services.
  2. accept that nomination of an administration user and any actions, instructions and configuration changes made by such user, are deemed to be on your behalf.
  3. understand and agree that administration users may invite additional users to the user subscription by way of a simple registration process.
  4. notify us as soon as possible when it comes to your attention that somebody has accessed either your or any of your users’ accounts. 
1.4  Please note that we reserve the right to deactivate accounts that remain inactive for an extended period, at our discretion and without prior notice. If you find that your account has been deactivated and you wish to continue to use the Services, please subscribe again in the usual way. 
   

2.

Restrictions

2.1

Except as expressly set out in this Licence or as permitted by any local law, you undertake:

  1. not to copy the Services, the underlying software or Documents except where such copying is incidental to normal use of the Services, or where it is necessary for the purpose of back-up or operational security;

  2. not to rent, lease, sub-license, loan, translate, merge, adapt, vary or modify the Services or Documents;

  3. not to make alterations to, or modifications of, the whole or any part of the Services, nor permit the Services or any part of it to be combined with, or become incorporated in, any other programs;

  4. not to disassemble, decompile, reverse-engineer or create derivative works based on the whole or any part of the Services nor attempt to do any such thing except to the extent that (by virtue of section 296A of the Copyright, Designs and Patents Act 1988) such actions cannot be prohibited because they are essential for the purpose of achieving inter-operability of the Services with another program, and provided that the information obtained by you during such activities:

    1. is not unnecessarily disclosed or communicated without our prior written consent to any third party; and

    2. is not used to create any service which is substantially similar to the Services;

  5. where applicable, to supervise and control use of the Services and ensure that the Services are used by your employees in accordance with the terms of this Licence. Please note that each employee will require their own licence to access the Services.

  6. not to provide or otherwise make available the Services in whole or in part, in any form to any person without prior written consent from us; and

  7. to comply with all applicable technology control or export laws and regulations.

   

3.

Intellectual property rights  

3.1

You acknowledge that all intellectual property rights in the Services and the Documents anywhere in the world belong to us, that rights in the Services are licensed (not sold) to you, and that you have no rights in, or to, the Services or the Documents other than the right to use them in accordance with the terms of this Licence. 

3.2

You acknowledge that you have no right to have access to the Services in source code form.

 

 

4.

Unipass identification

4.1

Users of the Services will be given the option to sign in with their Unipass Identity.

4.2

If the Trust Unipass option is enabled, an automatic check to see if the recipient holds a Unipass Identity that has been linked to a Mailock account occurs during the sending of all secure email messages.

4.3

This information will be revealed to the sender of the message so that the appropriate level of challenge can be applied to the email. This ensures the correct and secure handling of the message.

 

 

5.

Limitation of liability  

5.1

You acknowledge that the Services have not been developed to meet your individual requirements, including any particular cybersecurity requirements you might be subject to under law or otherwise, and that it is therefore your responsibility to ensure that the facilities and functions of the Services as described in the Documents meet your requirements.

5.2

We only supply the Services and Documents for personal or internal business use by you and your authorised users, and you agree not to use the Services or Documents for any re-sale purposes.

5.3

We shall not in any circumstances whatever be liable to you, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with the Licence for:

  1. loss of profits, sales, business, or revenue;

  2. business interruption;

  3. loss of anticipated savings;

  4. wasted expenditure;

  5. loss or corruption of data or information;

  6. loss of business opportunity, goodwill or reputation;

where any of the losses set out in Condition 5.3(a) to Condition 5.3(f) are direct or indirect; or

  7. any special, indirect or consequential loss, damage, charges or expenses.

5.4

Other than the losses set out in Condition 5.3 (for which we are not liable), our maximum aggregate liability under or in connection with this Licence whether in contract, tort (including negligence) or otherwise, shall in all circumstances be limited to a sum equal to 10% of the licence fees paid by you in respect of the current 12 month term of the Services. This maximum cap does not apply to Condition 5.5. 

5.5

Nothing in this Licence shall limit or exclude our liability for:

  1. death or personal injury resulting from our negligence;

  2. fraud or fraudulent misrepresentation;

  3. any other liability that cannot be excluded or limited by English law.

5.6

This Licence sets out the full extent of our obligations and liabilities in respect of the supply of the Services and Documents. Except as expressly stated in this Licence, there are no conditions, warranties, representations or other terms, express or implied, that are binding on us. Any condition, warranty, representation or other term concerning the supply of the Services and Documents which might otherwise be implied into, or incorporated in, this Licence whether by statute, common law or otherwise, is excluded to the fullest extent permitted by law.

 

 

6.

Limited warranty

6.1

We take all reasonable efforts to ensure that our Services, our infrastructure and our technology are completely secure. We do not guarantee, represent or warrant that they are and you, as the user, must take responsibility for how you use the technology and Services.

6.2

 We do not warrant or give any assurance that the Services or our means of delivery are compatible with your computer configuration or email provider. It is your responsibility to evaluate and ensure that the Services are the correct solution for your individual circumstances and requirements. Our support team will endeavour to provide assistance to you according to our SLAs and where reasonable, work with any third-party IT supplier you may use to ensure the delivery of the Services to you but we will not be responsible for any costs which you may incur from any source without prior agreement. 

6.3

You acknowledge and agree that:
  1. the Services use ‘Encryption Keys’, a mathematical method used to safeguard data, to encrypt/decrypt messages including all attachments but excluding email addresses and message subject description in the subject line.
  2. when sending and receiving secure messages transported using the Services, not all encryption keys pass through our infrastructure thereby deriving greater privacy and as such this is the recommended method of usage.
  3. where a “web browser” is utilised to read or reply to a secure message, all message encryption keys pass through, but not all are stored within, our infrastructure. The transient nature of the unstored keys, during a secure read session, may lead you to determine that a lower level of security is derived.
  4. any messages you may receive via the Services are provided and controlled by the sending party and subject to the provisions described in section 8.3 (Storage and Message Availability).
  5. we will not accept responsibility for maintaining message access beyond the terms noted in this Licence.

 

 

7.

Term and termination

 

If you have a Mailock Pro account:

7.1

If you purchased a monthly subscription directly from us, after completion of the initial free trial period, a 1-month notice period is required to cancel your subscription for the Services and all licence fees are due and payable during this time.

7.2

If you have purchased a yearly subscription, you may cancel the subscription on 1 month’s notice but please note that there will be no refund of licence fees for a cancellation mid-year.

7.3

Upon cancelling your subscription for the Services, your account will be closed and message availability, thereafter, is set out in section 8.3 below.

7.4

For our corporate clients, a cancellation request can only be made by the account administrator through the company administrator console.

7.5

You may terminate this Licence with immediate effect, by written notice to us, if:

  • we breach this Licence in any material way, and we do not correct or fix the situation within 14 days of you asking us.
  • we go into liquidation or a receiver or an administrator is appointed over our assets or we become insolvent and cease trading.
  • we are affected by a matter beyond our control, but which affects your use of the Services for longer than 14 days.
  • we change the terms of this Licence to your material disadvantage.

7.6

In these circumstances we will refund to you the proportion of any licence fees that you have paid in advance of your agreed termination date which relate to the period following termination.

 

 

 

If you have a Mailock Free account:

7.7

You may cancel your subscription for the Services (i) during your trial period at any time and it will terminate at the end of that month or (ii) once your trial period has ended and your subscription becomes live, with one month notice.

 

 

 

 If you have a Mailock guest account:

7.8

You won’t be registered with us anyway, so you can cancel at any time!

 

 

 

Our Termination rights:

7.9

We may terminate this Licence with immediate effect by written notice to you if:

  • you do not pay us amounts which you owe to us within 10 days after the due date.

  • you breach this Licence in any other material way, and you do not correct or fix the situation within 30 days of us asking you in writing.

  • you go into liquidation or a receiver or an administrator is appointed over your assets or you become insolvent or cease trading or you become bankrupt; or

  • you suspend or cease or threaten to suspend or cease, carrying on all or a substantial part of your business.

 

 

8.

Storage and message availability

8.1

Messages and associated attachments that are managed and processed by the Services are encrypted and stored as a binary large object (BLOB) in a storage location as selected by the sender, hereafter referred to as “The Store”.

8.2

The default storage location will be provisioned by us, within a Microsoft Azure environment, which will apply for all Mailock Free and Mailock Pro accounts.

8.3

The length of time messages and attachments remain accessible to the Recipient is outlined in the following table:

| Account Type | Suitability | Maximum Message Longevity (days from date of send) * |
| --- | --- | --- |
| Guest | For a recipient to read and reply without creating an account. | 21 |
| Free | For end user or client. | 21 |
| Pro | For business users. | 365* |

* Business users with Mailock Pro accounts are able to select in their Administration Console the length of time, from sending, their messages will be available to the recipient, ranging from 7 days to 365 days.

8.4

Regardless of the maximum message longevity dates specified above, all emails will be retained indefinitely at our discretion for security and liability reasons.

 By accepting the terms of this Licence, you acknowledge that you are responsible for selecting the appropriate licence type for your requirements. 

8.5

The use of the Services will be subject to Microsoft Azure Terms and Conditions which may be found at https://azure.microsoft.com and may be subject to change.

 

 

9.

Communications between us 

9.1

We reserve the right to amend this Licence from time to time to reflect changes in law or changes in the way we run our business. The current version of the Licence is available on our website and we advise you regularly to check the terms. If the changes to this Licence notified to you are unacceptable to you, you can choose to terminate this Licence in accordance with the provisions of this Licence.

Your continued use of the Services shall constitute your acceptance of the terms of this Licence, as varied. If you do not wish to accept the terms of the Licence (as varied) you must immediately stop using and accessing the Services and Documents. Please be aware that we do not track or report user consumption.

9.2

If we have to contact you, we will do so by email or by pre-paid post to the address you provided in accordance with your registration of the Services.

9.3

Note that any notice:

  1. given by us to you will be deemed received and properly served 24 hours after an email is sent, or three days after the date of posting of any letter; and

  2. given by you to us will be deemed received and properly served 24 hours after an email is sent, or three days after the date of posting of any letter.

9.4

In proving the service of any notice, it will be sufficient to prove, in the case of a letter, that such letter was properly addressed, stamped and placed in the post to the address of the recipient given for these purposes; and, in the case of an email, that such email was sent to the email address of the recipient given for these purposes.

 

 

10.

Events outside our control  

10.1

We will not be liable or responsible for any failure to perform, or delay in performance of, any of our obligations under this Licence that is caused by an Event Outside Our Control. An Event Outside Our Control is defined below in Condition 10.2.

10.2

An Event Outside Our Control means any act or event beyond our reasonable control, including without limitation failure of public or private telecommunications networks.

10.3

If an Event Outside Our Control takes place that affects the performance of our obligations under this Licence:

  1. our obligations under this Licence will be suspended and the time for performance of our obligations will be extended for the duration of the Event Outside Our Control; and

  2. we will use our reasonable endeavours to find a solution by which our obligations under this Licence may be performed despite the Event Outside Our Control.

 

 

11.

Personal data

 

If you are using the Services in your personal capacity and not for business or commercial purposes, we will process your personal data and any other personal data which we process as a result of your use of the Services in accordance with our Privacy Notice which is available on our website www.beyondencryption.com. It is important that you read our Privacy Notice.

If you are using the Services for business or commercial purposes and you are entering into this Licence on behalf of your organisation (as opposed to as an authorised user of your organisation) then the terms of Annex 1 to this Licence apply.

If you are using the Services for business or commercial purposes but your organisation has already entered into a Licence with us (“Master Licence”) and you are an invited user of your organisation then we may process your personal data in accordance with our Privacy Notice which is available on our website www.beyondencryption.com (and so it is important that you read our Privacy Notice) but otherwise all processing relating to your use of the Services shall be governed by the terms of the Master Licence.

 

 

12.

Other important terms  

12.1

This Licence, together with our Acceptable Use Policy and any other contractual arrangements connected with the provision of the Services, constitute an agreement between you and us. Such agreement supersedes and replaces all previous arrangements, promises, assurances, warranties, representations and understandings between us whether written or oral in relation to the subject matter of this Licence.

12.2

You acknowledge that in agreeing to the terms of this EULA you do not rely on any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in either this Licence, Acceptable Use Policy or the documents referred to in this Licence.

12.3

We may transfer our rights and obligations under this Licence to another organisation, but this will not affect your rights or our obligations under this Licence. We will always notify you in writing or by posting on our website if this happens. You may only transfer your rights and your obligations under this Licence to another person if we agree in writing.

12.4

This Licence is between you and us. No other person shall have any rights to enforce any of its terms. Each of the paragraphs of this Licence operates separately. If any court or relevant authority decides that any of them are unlawful or unenforceable, the remaining paragraphs will remain in full force and effect. 

12.5

If we fail to insist that you perform any of your obligations under this Licence or if we do not enforce our rights against you or if we delay in doing so that will not mean that we have waived our rights against you.

12.6

You should check this Licence before signing up for and/or purchasing our Services as they may have changed since your last visit.

12.7

This agreement and any dispute or claim arising out of or in connection with it will be governed by English Law. The courts of England and Wales will have non-exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Licence agreement. 

 

Feb 2026

 

 

Annex 1 – Data Protection Addendum

 

1.

This addendum

1.1

This Data Protection Addendum (DPA) forms part of the Licence and reflects the Parties’ agreement relating to the processing of Protected Data. By signing (or otherwise agreeing to the terms of) the Licence, the Licensee enters into this DPA.

1.2 Notwithstanding anything to the contrary in the Licence, the Parties agree that this DPA:
  1. shall survive termination (for any reason) or expiry of the Licence;

  2. prevails over the other terms of the Licence to the extent of any inconsistency; and

  3. supersedes all prior and contemporaneous data processing agreements or data processing terms in any agreements, proposals or representations, written or oral, concerning the processing of Protected Data for the purposes of the Licence.

1.3

Capitalised terms used in this DPA which are not defined in this DPA shall have the meaning given to them in the Licence and, except where the context makes it clear that a rule is not intended to apply, the rules of interpretation in the Licence apply to this DPA.

1.4 Where the Licence or the Services involve the processing of Protected Data relating to individuals that are subject to data protection legislation other than the Data Protection Laws (Additional Legal Requirements), the Licensee is responsible for making Licensor aware of such Additional Legal Requirements before entering into the Licence and agrees that Licensor shall not be obliged to comply with, or be liable to the Licensee for failure to comply with, any Additional Legal Requirements (including those relating to international transfers of Personal Data) unless those requirements are expressly set out in writing and agreed by an authorised representative of Licensor prior to entry into or agreement of the Licence. If any Additional Legal Requirements require the execution of additional documentation by one or both of the Parties (for example because the Licensee is located in a territory other than the UK (being the country of incorporation of Licensor)), the Parties will discuss and agree in advance of entry into the Licence what documentation is reasonably required to ensure legal compliance. If, after entry into the Licence, the Licensee requests documentation is entered into by Licensor to legitimise any international transfer of Protected Data then Licensor will consider such request but the Licensee shall be responsible for all costs incurred by Licensor in relation to such request.
   

2.

Definitions and interpretation

2.1

For the purposes of this DPA:

Applicable Law means (a) any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a Party is subject and/or which is applicable in any jurisdiction that the Services are provided to or in respect of; (b) the common law and laws of equity as applicable to the Parties (or either of them) from time to time; (c) any binding court order, judgment or decree as applicable to the Parties (or either of them) from time to time; or (d) any applicable direction, policy, rule or order that is binding on a Party and that is made or given by any regulatory body having jurisdiction over that Party or any of that Party’s assets, resources or business.

Controller, Personal Data, International Organisation, processing, Processor and Data Subject have the meanings as defined in Data Protection Laws.

BE Data means any Personal Data which Licensor (or its Sub-Processors) process in connection with or as a result of the Services, the Licensee’s use of the Services or Licensor’s performance of the Licence where such processing is carried out by Licensor in the capacity of a Controller which may include:

  1. Personal Data relating to the Licensee’s, and its users’, accounts including contact and billing information and contract details;
  2. Personal Data relating to how the Licensee and its users and recipients of messages interact with and use the Services which may include:
    1. information about senders of messages and messages sent using the Services (e.g. email address sent from and to (from which names and the sender’s organisation may be ascertainable), file type and size, date / time message sent, and whether the recipient interacted with the message e.g. date and time of access and multifactor authentication information and actions); and
    2. information about recipients of messages and messages received via the Services (e.g. email address from and to (from which names and the sender and recipient organisation may be ascertainable), file type and size, date/time of receipt, how the recipient interacts with the message e.g. whether the message was opened and for how long and multifactor authentication information (including telephone number if SMS verification is used) and actions); and
  3. Personal Data in technical information about use of our Services, including login data, URL, IP address, browser type and version, requesting domain and country of origin of requesting domain, time zone setting and location, browser plug-in types and versions, operating system and platform, device data, and other technology on the devices used to access the Services and Personal Data collected through cookies and similar technologies used by the Services.

Data Protection Laws means:

  1. the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); and
  2. if the EU GDPR applies to the processing of any Protected Data by any Party pursuant to the Licence, the EU GDPR and the e-Privacy Directive (2002/58/EC),

and any associated national implementing laws, regulations and secondary legislation.

Data Protection Losses means all liabilities, including all: (a) costs (including legal costs), claims, demands, actions, settlements, interest, charges, procedures, expenses, losses and damages (including relating to material or non-material damage) and (b) to the extent permitted by Data Protection Laws and/or any Applicable Law: (i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; (ii) compensation which is paid to a Data Subject and (iii) the costs of compliance with investigations by a Supervisory Authority.

EU GDPR means the General Data Protection Regulation ((EU) 2016/679).

EEA means the European Economic Area.

Licensor Affiliate means any company which is a subsidiary of Licensor or which is a holding company of Licensor or a subsidiary of such holding company (as those expressions are defined in section 1159 of the Companies Act 2006), in each case from time to time.

Party and Parties means the Licensor and Licensee or, as the context requires, either of them.

Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data.

Protected Data means any Personal Data which Licensor (or any Sub-Processor) receives, accesses, collects or otherwise processes pursuant to, as a result of or in connection with the performance, or use by the Licensee, of the Services or the performance of the Licence when the Licensor processes that Personal Data in the capacity as a Processor on behalf of the Licensee as Controller.

Sub-Processor means any Processor engaged by Licensor (or by any other Sub-Processor) for carrying out any processing activities in respect of Protected Data on behalf of Licensor.

Supervisory Authority means any regulator, authority or body responsible for administering Data Protection Laws.

Transfer shall have the same meaning as the word ‘transfer’ in Article 44 of UK GDPR or, where applicable, Article 44 of the EU GDPR and related terms such as Transferred and Transferring shall be construed accordingly.

UK means the United Kingdom of Great Britain and Northern Ireland.

UK GDPR means the United Kingdom General Data Protection Regulation, as it forms part of the law of the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018.

2.2

References in this DPA to the terms “for example”, “include” and “including” (or similar term) shall be construed as illustrative and shall not limit the sense of the words preceding those terms. 

2.3

A reference to legislation or a legislative provision in this DPA is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that legislation or legislative provision.

 

 

3.

Role of the parties  

3.1

By entering into the Licence, the Licensee consents (and shall procure all required consents from relevant Data Subjects) to:

  1. all actions taken by the Licensor in connection with the processing of Protected Data for the purposes of and in accordance with the terms of the Licence; and

  2. the processing of BE Data by Licensor (including all such processing envisaged by Licensor’s then current Privacy Notice available at https://www.beyondencryption.com/privacy-policy (Licensor PN)) and agrees to provide a link to the Licensor PN to all relevant Data Subjects whose Personal Data forms part of (or may form part of) the BE Data. In the event of any inconsistency or conflict between the terms of the Licensor PN and the Licence, the Licensor PN will take precedence.

3.2

The Licensee agrees to limit the extent to which Licensor (and its Sub-Processors) is provided with access to or the ability to view, or otherwise required to process, Personal Data as a consequence of the Licence to only what is reasonably necessary in order for Licensor to properly perform its obligations pursuant to the Licence.  

3.3

The Licensee acknowledges and agrees that Licensor (and/or its Sub-Processors) may process Protected Data (in an anonymised and aggregated form) (Aggregated Data) and BE Data for Licensor's (and/or its Sub-Processors’) legitimate business purposes, including for testing, development, control and operation of the Services (or any part of them) and for product development, data analytics and statistical reporting and Licensor (and/or its Sub-Processors) may share and retain any such data in their discretion. Aggregated Data shall, if it constitutes Personal Data and when processed for the purposes set out in this paragraph, be treated as BE Data.  

3.4

If the Licence provides for the use by the Licensee of third party products or services (Third Party Services) then the Licensee acknowledges and agrees that separate data processing terms may apply between Licensee and the relevant vendor of the Third Party Services (each a Third Party Vendor) in relation to the processing of Personal Data in and by those Third Party Services and that the Third Party Vendor, and not Licensor, shall be responsible for any processing of Personal Data relating to those Third Party Services. As a result, Licensor shall have no liability to the Licensee in respect of the Third Party Services or any processing of Personal Data via Third Party Services or by a Third Party Vendor. 

 

 

4.

Compliance with data protection laws  

4.1

The Licensee agrees it will comply with all Applicable Law in respect of Personal Data, its receipt and use of the Services and its performance of the Licence. This DPA is in addition to, and does not relieve, remove or replace, the Licensee’s obligations under Data Protection Laws.

4.2

Without prejudice to paragraph 4.1, the Licensee shall:

  1. ensure that all necessary rights and all necessary and appropriate consents and notices are in place to enable the lawful transfer to, and the lawful collection, creation and processing by, Licensor (and its Sub-Processors) of the Protected Data and BE Data;

  2. have sole responsibility for the accuracy, quality and legality of the Protected Data and the means by which the Licensee acquires (or has acquired) and processes the Protected Data;

  3. ensure that all instructions given by it to Licensor (or any Sub-Processor) in respect of the Protected Data (including the terms of the Licence and the Licensee’s configuration of the Services) are at all times in accordance with all Applicable Law; and

  4. promptly notify Licensor if it receives any enquiry, complaint, claim, notice, request or other communication (each a Communication) which is related directly or indirectly to the processing of BE Data and shall provide Licensor with full information and co-operation in relation to any such Communication.

4.3

The Licensee shall not unreasonably withhold, delay or condition its agreement to any change to the Services and/or the Licence requested by Licensor in order to ensure the Services and Licensor (and its Sub-Processors) comply/can comply with the Data Protection Laws.  

4.4

The Licensee shall indemnify and keep indemnified Licensor in respect of all Data Protection Losses suffered or incurred by, or awarded against, Licensor and/or any Licensor Affiliates arising from or in connection with any:

  1. non-compliance by the Licensee with Applicable Law (including Data Protection Laws);

  2. breach by the Licensee of any of its obligations in this DPA or any of its data protection law obligations in the Licence; or

  3. processing carried out by Licensor or any Sub-Processor pursuant to a documented instruction given by or on behalf of the Licensee in respect of the processing of Protected Data.

 

 

5.

Processing of protected data by licensor

5.1

Licensor shall, in relation to any Protected Data processed by it in connection with the performance by Licensor of its obligations under the Licence:

  1. ensure that any personnel engaged and authorised by Licensor to process Protected Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  2. to the extent legally required and permitted and to the extent Licensor has been able to identify that the request comes from a Data Subject whose Personal Data forms part of the Protected Data, promptly notify the Licensee if Licensor receives a request from a Data Subject in relation to the exercise of any Data Subject right relating to the Protected Data (Data Subject Request). Licensor is authorised to confirm (if it wishes to do so) to the Data Subject that it has passed the Data Subject Request to the Licensee, but Licensor will not be responsible for handling or executing the Data Subject Request (but the Licensee acknowledges and agrees that Licensor shall be entitled to deal with Data Subject requests which relate to BE Data in its absolute discretion);

  3. upon the Licensee’s reasonable written request, subject to the Licensee providing a reasonable timescale for Licensor to comply and at the Licensee’s cost, assist the Licensee insofar as this is possible (taking into account the nature of the processing and the information available to Licensor), in fulfilling its obligations:

    1. to respond to a Data Subject Request; and

    2. under Data Protection Laws with respect to security, breach notifications, data protection impact assessments and consultations with Supervisory Authorities,

    but only to the extent the Licensee does not otherwise have or have access to the relevant information, and to the extent such information is available to Licensor;

  4. provide reasonable assistance to the Licensee insofar as this is reasonably possible (taking into account the nature of the processing and the information available to Licensor), at the Licensee's cost and only on the Licensee’s reasonable written request, in responding to any request from a Data Subject in respect of Protected Data and in ensuring the Licensee's compliance with its obligations in respect of the Protected Data under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with Supervisory Authorities; and

  5. at the written direction of the Licensee (and at the cost of the Licensee), delete / dispose of or return Protected Data once Licensor ceases to provide the Services or require the Protected Data in order to fulfil its obligations pursuant to the Licence (whichever is later) (Processing End Date) unless Licensor is required by Applicable Law to continue to process that Protected Data. For the purposes of this paragraph 5.1.5 Protected Data shall be considered deleted where it (and all copies of it) is put beyond further use by Licensor. To the extent the Licensee has not notified Licensor within 7 days of the Processing End Date that it requires the return of any Protected Data, Licensor may at any time securely delete / dispose of the Protected Data at the Licensee’s cost.

5.2

Neither Licensor nor any Sub-Processor is obliged to undertake any unlawful Transfer or processing of Protected Data and shall not be liable to the extent that it (or any Sub-Processor) is delayed in or fails to perform any obligation under the Licence due to it (or any Sub-Processor) being unable (or reasonably believing it is unable) to undertake any Transfer or processing in a lawful manner. The licence fees payable to Licensor pursuant to the Licence shall not be discounted or set-off as a result of any delay or non-performance of any obligation in accordance with this paragraph 5.2.

 

 

6.

Processing instructions

6.1

Licensor shall process Protected Data only on, and in accordance with, the documented instructions of the Licensee unless Licensor is required by Applicable Law to process Protected Data otherwise than in accordance with the Licensee’s documented instructions. Where Licensor is relying on Applicable Law as the basis for processing Protected Data, Licensor shall use reasonable endeavours to notify the Licensee of this before performing the processing required by the Applicable Law unless the Applicable Law prohibits Licensor from notifying the Licensee on important grounds of public interest. 

6.2

Paragraph 14 of this DPA sets out the Licensee’s documented instructions in respect of Licensor’s processing of Protected Data and includes the scope and subject matter and nature and purpose of processing of Protected Data by Licensor for the purposes of the Licence, the duration of the processing and the types of Personal Data and categories of Data Subject. These processing instructions are the Licensee’s complete documented instructions to Licensor for the processing of Protected Data as at the date of the Licence, however:

  1. the Licensee’s configuration of the Services from time to time shall constitute an additional instruction to Licensor documented through applicable logs; and

  2. those instructions may be amended by the agreement in writing of the Parties from time to time.

6.3

Licensor shall inform the Licensee, without undue delay, if Licensor becomes aware of a documented instruction given by the Licensee under this paragraph 6 that, in Licensor’s opinion, infringes (or is likely to infringe) Data Protection Laws and Licensor shall be entitled to cease to carry out its impacted obligations under the Licence until the Parties have agreed appropriate amended instructions which are not infringing. The licence fees payable to Licensor pursuant to the Licence shall not be discounted or set-off as a result of any delay or non-performance of any obligation as a result of a suspension pursuant to this paragraph.

 

 

7.

Technical and organisational measures  

7.1

Licensor shall ensure that it has in place appropriate technical and organisational measures to seek to protect against unauthorised or unlawful processing of Protected Data and against accidental loss or destruction of, or damage to, Protected Data. 

7.2

During the period in which Licensor processes any Protected Data, the Licensee shall undertake a documented assessment at least every 12 months of whether the security measures implemented in accordance with this paragraph 7 are sufficient (taking into account the state of technical development and the nature of processing) to protect the Protected Data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access. The Licensee shall notify Licensor within 14 days of full details of the assessment and its outcome and of any additional measures the Licensee reasonably believes are required as a result of the assessment. Licensor shall not be obliged to implement any further or alternative measures except as agreed via a binding variation of the Licence and Licensor may only agree to implement such further or alternative measures at the Licensee’s cost (which may result in a change to the licence fees).

 

 

8.

Personal data breach 

8.1

Licensor shall notify the Licensee by any method it deems appropriate (which may be via email or phone call to any representative of the Licensee) and without undue delay on becoming aware of a Personal Data Breach. 

8.2

Licensor shall make commercially reasonable efforts to identify the cause of a Personal Data Breach and take such steps as Licensor deems necessary and reasonable in order to remediate the cause of such Personal Data Breach, to the extent the remediation is within Licensor’s reasonable control. The obligation on Licensor to remediate the cause of a Personal Data Breach shall not apply to Personal Data Breaches that are caused (in whole or in part and whether directly or indirectly) by the Licensee or its personnel, agents, contractors, affiliates or users (Licensee Breach) and the Licensee shall be responsible for immediately reimbursing Licensor for any costs and expenses it incurs as a result of a Licensee Breach.  

8.3

Licensor shall not have any liability for a Personal Data Breach if the Personal Data Breach is caused by: (i) acts or omissions of the Licensee, or any person acting on behalf of or jointly with Licensee (including its users) (collectively, Licensee Representatives); (ii) any Licensee Representatives' instructions to Licensor; (iii) wilful, deliberate or malicious conduct by a third party; or (iv) a matter beyond the Licensor’s control.

 

 

9.

Audit 

9.1

Licensor shall make available to the Licensee, on request and on reasonable notice, such information as is in its possession and as is (in its opinion) reasonably necessary to demonstrate Licensor’s compliance with the obligations of Processors under Data Protection Laws. 

9.2

Licensor shall allow for audits by the Licensee or the Licensee’s designated auditor (who must not be a competitor of Licensor and who must be approved in advance by Licensor as being appropriate to carry out the audit) for the purpose of verifying its compliance with the obligations of Processors under Data Protection Laws as follows:

  1. by Licensor providing, upon the Licensee’s written request, at reasonable intervals and subject to the confidentiality obligations set forth in the Licence, information regarding Licensor’s processing activities relating to Protected Data in the form of a copy of Licensor’s then most recent third-party audit or certification, as applicable, that Licensor makes available to its customers generally;

  2. to the extent required by Data Protection Laws, by Licensor allowing (at its option) the Licensee to perform a remote/virtual or on-site audit which shall be performed as follows:

    1. an audit of systems and facilities operated by Licensor, carried out during normal business hours with, so far as reasonably practicable, minimal disruption to Licensor’s business and the business of other customers of Licensor;

    2. the audit shall not exceed one (1) day;
    3. the Licensee will provide Licensor with at least three weeks’ written notice prior to such audit;
    4. before the commencement of any audit, the Licensee and Licensor shall mutually agree upon the scope, cost and timing of the audit which must be limited to an audit of Licensor (and shall not extend to Sub-Processors, Third Party Vendors or other third parties) and its compliance with its data protection obligations under this DPA (and shall not extend to auditing compliance by Sub-Processors or Third Party Vendors or compliance of Third Party Services);
    5. the Licensee must ensure that all information obtained or generated by the Licensee or its auditor is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by Data Protection Laws);
    6. the Licensee shall promptly notify Licensor of the audit results including any non-compliance with the terms of the Licence or Applicable Law, discovered during the course of the audit;
    7. the Licensee may only carry out an audit once per year and may not carry out an audit once notice to terminate the Licence has been served by either Party or during the last 3 months of the Licence term;
    8. Licensor shall be permitted to withhold information from the Licensee and the scope of an audit (and to limit access to systems, information, documentation and facilities in order to do so) where it is commercially sensitive or confidential or outside of the scope of the audit; and
    9. Licensor’s contribution to the audit shall consist of Licensor’s reasonable cooperation and making relevant current employees of Licensor available to the Licensee where reasonably possible. 

9.3

Except as provided in paragraph 9.4, each of Licensor and the Licensee shall bear its own costs in connection with an audit unless agreed otherwise.

9.4

If the Licensee’s audit requirements exceed what is required by Data Protection Laws and if Licensor complies with or supports the Licensee in complying with such additional requirements (which it may choose to do or not do, in its absolute discretion) then the Licensee shall be responsible for all costs and expenses incurred by Licensor (and its Sub-Processors) in doing so and Licensor shall be entitled to invoice the Licensee in respect of such amounts (either in advance or in arrears).  

 

 

10.

Subcontractors

10.1

The Licensee acknowledges and agrees that Licensor will engage Sub-Processors in order to perform its obligations under the Licence.  

10.2

The Licensee hereby provides its prior, general authorisation for Licensor to appoint Sub-Processors to process the Protected Data, provided that Licensor:

  1. shall ensure that the terms on which it appoints such Sub-Processors comply with Data Protection Laws and are consistent with the obligations imposed on Licensor in this DPA. Upon the Licensee’s written request, Licensor may make a summary of Sub-Processor data protection terms available to Licensee (redacted, if necessary, to protect any commercially sensitive or confidential information);

  2. shall remain responsible for the acts and omissions of any such Sub-Processor as if they were the acts and omissions of Licensor; and

  3. shall inform the Licensee of any intended changes concerning the addition or replacement of Sub-Processors (SP Change), thereby giving the Licensee the opportunity to object to such SP Change, provided that:

    1. the Licensee must raise an objection to an SP Change promptly following Licensor’s notification of the intended SP Change (and in any event within 14 days of such notification) and in writing in accordance with the ‘Communications between us’ clause in the Licence (SP Change Notice). The Licensee acknowledges that Licensor may provide notification of an SP Change by updating its list of Sub-Processors on its website, by sending a service announcement email (which will be sent to the email address provided by the Licensee for contact purposes when the Licensee entered into the Licence (and the Licensee shall be responsible for providing updated contact details to Licensor as necessary)) or by including a banner announcement in the Services;

    2. Licensee may only object to an SP Change on the basis of the Licensee’s genuine and reasonable concern that the new or replacement Sub-Processor is not capable of providing the level of protection of Personal Data required by this DPA and in its SP Change Notice the Licensee must set out:

      1. the details of the objected to SP Change;

      2. the reason for the objection to the SP Change; and

      3. the reasonable, lawful and proportionate corrective steps which it proposes Licensor could take to remedy the objection.

    3.  If the Licensee does not validly object to an SP Change, Licensor may engage the new or replacement Sub-Processor to process Protected Data;  

    4.  If the Licensee does validly object to the SP Change, then Licensor may choose to:

      1. use reasonable efforts to make available to the Licensee a change in the Services or recommend a commercially reasonable change to the Licensee’s configuration or use of the Services to avoid processing of Protected Data in the manner envisaged by the SP Change without unreasonably burdening the Licensee, in which case Licensor shall be entitled to adjust the licence fees payable by the Licensee to reflect any increased costs or operational impact resulting from the change. If Licensor will be or is unable to make available such change within a reasonable period of time, Licensor may terminate the Licence with respect only to those Services which cannot be provided by Licensor without the use of the objected-to new Sub-Processor or the Licence as a whole, by providing written notice to the Licensee and without any further liability to the Licensee;

      2. take the corrective steps set out in the SP Change Notice and use the Sub-Processor as intended; or

      3. make available to the Licensee information evidencing the relevant proposed Sub-Processor’s ability to provide the level of protection of Personal Data required by this DPA which the Licensee shall promptly and in good faith consider and the Licensee shall notify Licensor in writing (in accordance with the ‘Communication between us’ clause in the Licence) within 7 days of receipt of that information if it still objects to the SP Change (in which case Licensor can then exercise its rights in paragraphs (A) or (B) above if it wishes) and the reasons why and if it doesn’t do so the SP Change Notice shall be deemed withdrawn by the Licensee and Licensor may continue to make the SP Change.

A current list of Licensor’s Sub-Processors can be found in paragraph 14 of this DPA but this list will be updated from time to time by Licensor in its absolute discretion. Updates will usually be notified via Licensor’s website and it is the Licensee’s sole responsibility to check Licensor’s website periodically for updates. Alternatively, updates may be provided by sending a service announcement email (which will be sent to the email address provided by the Licensee for contact purposes when the Licensee entered into the Licence (and the Licensee shall be responsible for providing updated contact details to Licensor as necessary)) or by including a banner announcement in the Services.

10.3

If the Licensee objects to an SP Change but such objection does not comply with the terms of this paragraph 10 (an Invalid Objection), the Licensee shall indemnify Licensor for any losses, damages, costs (including legal fees) and expenses Licensor or any Licensor Affiliates may suffer in dealing with and/or accommodating the Invalid Objection and Licensor shall be entitled to adjust the licence fees payable by the Licensee pursuant to the Licence to reflect any increased costs or operational impact resulting from Licensor carrying out any actions pursuant to this paragraph 10 as a result of the Invalid Objection.  

 

 

11.

International transfers 

 

The Licensee acknowledges that Licensor (and its Sub-Processors) may Transfer and process Protected Data outside of the UK (and to the extent the EU GDPR applies, outside the EEA) which may include the United States of America but Licensor shall ensure that any such Transfers are effected in accordance with Data Protection Laws. For these purposes, the Licensee shall promptly comply with any request from Licensor, including a request to enter into appropriate standard contractual clauses adopted by the EU Commission from time to time (where the EU GDPR applies) or adopted by the UK from time to time (where the UK GDPR applies).

 

 

12.

Affiliates

12.1

For the purposes of this DPA:

Affiliate means any company which is a subsidiary of the Licensee or which is a holding company of the Licensee or a subsidiary of such holding company (as those expressions are defined in section 1159 of the Companies Act 2006), in each case from time to time.

Authorised Affiliate means any Affiliate which (i) is subject to Data Protection Laws, and (ii) is permitted by the Licence to request Licensor supply Services to it or to use the Services but has not signed its own licence agreement with Licensor or entered into a contract with Licensor for Services and is therefore not a “Licensee” as defined under the Licence.

12.2

By entering into the Licence, the Licensee enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name of, and on behalf of, its Authorised Affiliates, if and to the extent Licensor processes Protected Data for which such Authorised Affiliates qualify as the Controller. In this regard:

  1. the Parties agree that for the purposes of this DPA only, and except where indicated otherwise, the term Licensee shall include the Licensee and Authorised Affiliates;

  2. each Authorised Affiliate agrees to be bound by the obligations in this DPA and, to the extent applicable, the Licence;

  3. an Authorised Affiliate is not and does not become a Party to the Licence and is only a Party to this DPA. All access to and use of the Services by Authorised Affiliates must comply with the terms and conditions of the Licence and any breach of the terms and conditions of the Licence or this DPA by an Authorised Affiliate shall be deemed a breach by the Licensee that is the contracting Party to the Licence;

  4. the Licensee that is the contracting Party to the Licence shall remain responsible for co-ordinating all communication with Licensor under this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of itself and its Authorised Affiliates;

  5. except where Data Protection Laws require an Authorised Affiliate to exercise a right or seek any remedy under this DPA against Licensor directly itself, the Parties agree that:

    1. only the Licensee that is the contracting Party to the Licence shall exercise any such right (including any audit right) or seek any remedy on behalf of such Authorised Affiliate;

    2. only the Licensee that is the contracting Party to the Licence shall be entitled to exercise the rights of the Licensee and Authorised Affiliates under this DPA, Authorised Affiliates are not permitted to do so directly;

    3. when carrying out an audit, the Licensee shall carry out all reasonable actions and adopt all reasonable measures to limit the impact on Licensor (and its related third parties) of the audit by combining all audit requests carried out on behalf of different Authorised Affiliates in one single audit by the Licensee; and

  6. Licensor’s liability, taken together in the aggregate, arising out of or related to this DPA and all DPAs between Authorised Affiliates and Licensor, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ clause of the Licence, and any reference in such clause of the Licence to the liability of Licensor (whether by naming Licensor or where Licensor is ‘a Party’) means the aggregate liability of Licensor (and all Licensor Affiliates) under the Licence and all DPAs together and to the Licensee and all of its Authorised Affiliates.

 

 

13.

General 

13.1

Notwithstanding any other provision in the Licence:

  1. Licensor may at any time, in its absolute discretion, revise this DPA and if it does so the revised DPA shall form part of and apply to the Licence. Updates to this DPA shall be notified to the Licensee via Licensor’s website. It is the Licensee’s sole responsibility to check Licensor’s website periodically for updates. Alternatively, updates may be provided via email to the email address provided for contact purposes when the Licensee entered into the Licence (but without any obligation on Licensor to provide notices in this way) and the Licensee shall be responsible for providing updated contact details to Licensor as and when necessary; and

  2. Licensor is authorised to disclose this DPA to third parties to the extent necessary in order for it to comply with its obligations in the Licence and/or Applicable Law.

13.2

This DPA forms part of the Licence and therefore Licensor’s liability under this DPA is subject to exclusions and limitations of liability in the Licence including in the ‘Limitation of liability’ clause of the Licence and any reference in such clause to the liability of Licensor or of Licensor as a ‘Party’ means the aggregate liability of Licensor under the whole Licence which includes this DPA to the Licensee and all Authorised Affiliates.

13.3

This DPA shall be governed by the laws of the country stipulated for this purpose in the Licence.  

 

 

14.

Processing instructions for protected data only 

14.1

Subject matter processing

Licensor will process the Protected Data as necessary to perform the Licence in accordance with its terms and to provide the Services.

14.2

Nature and purpose of processing

Processing of Protected Data as required to perform the Licence and provide the Services.

14.3

Duration of the processing

For so long as necessary for / as agreed by the Parties for the purposes of the Licence.

14.4

Types of Protected Data

  • Email address of sender and recipient (and potentially also their names and employers)

  • Whether the message has an attachment and if so the title of the attachment

  • Message subject heading

  • Authentication method and whether authentication successful

  • Date and time message sent, authentication carried out and message opened (if it is opened)

14.5

Categories of Data Subject

  • Licensee

  • Licensee’s personnel and users

  • Recipients of messages via the Services

14.6

Retention

The Licensee is responsible for (and the Licensor shall have no responsibility or liability for):

  1. Deleting messages held in the Licensee’s (and the Licensee’s users’) services accounts when they are no longer required and should no longer be retained. If the Licensee does not do so, the Licensee acknowledges that the messages will continue to be stored by the Licensor for future access by the Licensee if required in accordance with the Licensor’s retention periods (being such periods as the Licensor shall decide from time to time in its absolute discretion); and

  2. For specifying the length of time after a message is sent to a recipient that it will be available to them.

14.7

Sub-Processors

Microsoft Azure