Master Services Agreement

Parties

We are:

Company name: CLOUD GATEWAY LIMITED

Company number: 10660712

A registered company in: England

Registered address: 7th & 8th Floors, 24 King William Street, London, EC4R 9AT

Referred to as “Cloud Gateway” / “we” / “us”

You are:

Referred to as the “Customer” / “you”

Schedules

This Master Services Agreement (“Agreement”) is made up of the following elements:

Schedule 1: Contains the main legal terms

Schedule 2: Contains a list of definitions

Schedule 3: Contains specific terms relating to HSCN Connectivity

Schedule 4: Contains specific terms relating to PSN Connectivity

Schedule 5: Sets out the Service Level Agreement (SLA)

About the agreement

This Agreement provides overarching legal terms, which could apply to multiple Proposals.

Once we both agree on a Proposal, the “Accepted Proposal” will set out any applicable commercial terms (including the Fees, Service bandwidth, any support package and the duration that each Service will be provided for).

Please note that the duration of an Accepted Proposal can be different to the duration of this Agreement.

Schedules 1-5 are published below to read online, or can be downloaded as a PDF here:

Download MSA & SLA

Schedule 1

Standard Terms & Conditions

1.1. This Agreement will become legally binding when you:

1.1.1. sign or approve a Proposal which states that the Cloud Gateway Master Services Agreement applies to the Proposal;

1.1.2. tick an opt-in acceptance box on a Cloud Gateway website or application; or

1.1.3. use any Cloud Gateway Services after your receipt of this Agreement,

on which date this Agreement will come into force (“Effective Date”) and will continue in force until terminated in accordance with its terms.

1.2 This Agreement sets out the full contractual basis of the parties’ relationship for all current and future dealings relating to the Cloud Gateway Services and Platform. It is the ‘entire agreement’ between the parties and therefore:

1.2.1 all communications before the Effective Date between the parties do not have legal effect;

1.2.2 the Agreement supersedes all previous contracts between the parties;

1.2.3 all Customer terms and conditions and policies do not have legal effect in relation to the Services; and

1.2.4 any terms implied by law, trade, custom or practice or from any previous dealings between the parties are excluded from this Agreement,

and by entering into this Agreement, the parties agree that only the terms set out in this document (or referred to within this document) have legal effect. Any pre-contractual discussions or communications will not have legal effect (even if a misstatement was made).

2.1. In the event that there are conflicting statements within this Agreement, the following order of priority will apply (documents listed higher in the list will take precedence over the documents listed underneath it):

2.1.1. a Contract Change Notice (CCN);

2.1.2. HSCN Connectivity Specific Terms (Schedule 3);

2.1.3. any Accepted Proposal (taking priority in reverse chronological order);

2.1.4. the Standard Terms & Conditions (Schedule 1);

2.1.5. any other Schedule, in descending order of appearance in this Agreement; and

2.1.6. the SLA.

2.2. In this Agreement, unless the context requires otherwise, the following rules of interpretation apply:

(i) clause headings (starting with the phrase ‘FOR CONTEXT’) are for reference purposes only. They do not have any legal effect and will not affect the interpretation of this Agreement;

(ii) any capitalised terms in this Agreement will have the meaning set out in Schedule 2 (Definitions), or alternatively, the meaning stated within the body of this Agreement (where a defined term has quotation marks);

(iii) any reference in a Schedule to a clause is to a clause within that Schedule, unless otherwise stated;

(iv) any reference to a statute or statutory provision includes reference to any subordinate legislation made under that statute or statutory provision, and includes any amendments, replacements or re-enactments made by law; and

(v) the terms ‘including’, ‘include’, ‘in particular’ or any similar expression shall be construed as illustrative and shall not limit the sense of the words preceding or following those terms.

3.1. You will pay us Fees for the Services that we provide to you in advance (unless otherwise mutually agreed in writing). We will raise invoices for the Services (as detailed in the Accepted Proposal) on a monthly or annual basis. Invoicing will commence 30 days from the date that the Accepted Proposal takes effect or from the date the Services become available to you (whichever is earlier). In the event that there is a delay in the provision of Services, the billing commencement date will be extended accordingly.

3.2. Where the Fees are calculated on a fixed price basis, the amount of the Fees will be set out in the Accepted Proposal.

3.3. Where the Fees are calculated on a time and materials basis:

3.3.1. our daily fee rates (as detailed in our rate card notified to you from time to time) (“Daily Fee Rate”) for each Representative are calculated on the basis of a seven and a half hour Business Day that is worked during Business Hours;

3.3.2. we shall be entitled to charge an overtime rate of 1.75 times the Daily Fee Rate on a pro-rata basis (subject to a minimum resource charge for non-Business Hours of half a day) for any time worked by Representatives that we engage on the Services outside normal Business Hours, and 2 times the Daily Fee Rate for Sundays, as you may request in writing. This is subject to our resource availability and you must provide your prior written instructions to proceed on the basis of the additional Fees, costs and/or expenses; and

3.3.3. we shall seek to ensure that every Representative who we engage for the Services on a time and materials basis (or as part of a Proposal) completes time sheets to record their time spent on the Services. We shall make available any time sheets or time summaries that are requested by you in writing within a reasonable timeframe.

3.4. In the event that you request any work that we reasonably consider to be outside the scope of an Accepted Proposal, we will notify you of this in writing in advance and you agree that we may invoice you for the additional work on a time and materials basis, in accordance with our then current rates in addition to the Fees set out in the Accepted Proposal.

3.5. All Fees must be paid in pounds sterling and are exclusive of all sales taxes (e.g. VAT), which are payable in addition to the Fees.

3.6. In addition to the Fees, you agree to reimburse us for any:

3.6.1. expenses that we reasonably incur in providing the Services (e.g. travel, accommodation and subsistence costs). We shall notify you of any such expenses in advance and we shall provide evidence of the expenditure upon request; and

3.6.2. third party costs / charges that we incur for third party materials and/or services, as set out in an Accepted Proposal.

3.7. The Fees are subject to change annually in accordance with clause 10.

3.8. If we have not received payment of an invoice (that you have not disputed in accordance with clause 3.9) within 30 days of the date of the invoice, we may use the following remedies (without restricting our other rights in the Agreement):

3.8.1. we may charge you interest and compensation for the outstanding amount in accordance with the Late Payment of Commercial Debts (Interest) Act 1998. Interest will accrue every day and will be compounded on a quarterly basis until payment is made (and this applies both before and after any judgement is made by a court). You agree to reimburse us for any debt recovery costs incurred in relation to each outstanding payment; and/or

3.8.2. we may lawfully suspend our Services. This may result in your Customer Materials not being distributed via the Platform and, consequently, you take sole risk and responsibility for the unavailability of any Customer Materials due to the suspension of the Services.

3.9 If you identify an issue with an invoice, you must notify us in writing as soon as possible (and no later than 14 days after the date of the invoice, otherwise you will be deemed to have accepted the invoice) with appropriate details of the issues identified. We will then assess your concerns and:

3.9.1 if we agree that there is a problem with the invoice, the invoice will be corrected and reissued; or

3.9.2 if we disagree that there is an issue with any part of the invoice, the dispute resolution procedure at clause 16 will apply, but for clarity, all undisputed sums must be paid by you by the due date of the original invoice.

3.10 All Fees due under this Agreement must be paid by you in full without any deductions (unless this is required by applicable tax laws). Where you allege that we have liability under this Agreement, you are not entitled to withhold the payment of Fees to ‘offset’ against our liability.

4.1. You warrant that you have the legal right and authority to enter into this Agreement and to comply with its terms.

4.2. You will:

4.2.1. only use the Services for lawful purposes and comply with all applicable laws;

4.2.2. appoint and notify us of a primary contact in relation to the Services;

4.2.3. notify us of any Representatives who have authority to legally bind you, and you must keep this list up to date;

4.2.4. cooperate with us in all matters relating to the Services. In particular, but without limitation, you will:

4.2.4.1. promptly and fully respond to all communications from us relating to the provision of the Services and ensure that appropriate and suitably qualified members of your staff are available at all reasonable times to liaise with us on matters relevant to the provision of the Services;

4.2.4.2. supply us with all Customer Materials and necessary information promptly and within sufficient time to enable us to provide the Services;

4.2.4.3. supply us with any applicable purchase order numbers before the agreed invoice point;

4.2.4.4. ensure that all Customer Materials are in the format requested by us and that they are accurate, complete and legally compliant; and

4.2.4.5. promptly provide us access to your systems, networks, personnel, premises and facilities as reasonably required for the provision of the Services;

4.2.5. notify us of any applicable health and safety requirements at your premises in advance of us attending them;

4.2.6. ensure that all Customer Equipment is in good working order, legally compliant and suitable for the Services;

4.2.7. obtain and maintain all necessary licences and consents as are required for the Customer Materials and for the use of the Customer’s Equipment, in all cases before the date on which the Services are to be supplied (this excludes any licences and consents that are the responsibility of Cloud Gateway to obtain and maintain under clause 5.2);

4.2.8. comply with any restrictions and/or instructions on the safe keeping and use of the Cloud Gateway Equipment and any equipment belonging to a third party;

4.2.9. permit us to publish your name and standard logo as a user of our Services for the duration of this Agreement;

4.2.10. not use the Services to receive or transmit any material that is unlawful, obscene, threatening, menacing, offensive, discriminatory, defamatory, in breach of confidentiality or infringing upon a third party’s IPR;

4.2.11. not transmit any Virus, or cause any Virus to be transmitted, through the Services to any of our computers or systems, or those of any third party. You must ensure that an appropriate and up-to-date malware protection program and firewall (both compliant with good industry standards) are installed on any device that you use to access the Services; and

4.2.12. comply with any additional responsibilities required of you as set out in an Accepted Proposal and its Service Definitions.

4.3. If we are unable to perform our obligations to you under this Agreement because we have been prevented or delayed by you, such as by your failure to do something requested of you, we will not be liable for any delays which may occur in the provision of the Services as a result, and any time frames will be extended by a period equivalent to the delay. If the delay in providing the Services exceeds 14 days, you must pay us for any costs or expenses we have incurred as a result of the delay and for all work provided up to that point in time. We may withhold provision of the Services to you until we have received information requested by us in relation to this clause 4.

4.4. You are responsible for ensuring that each Accepted Proposal is correct and accurately reflects your requirements.

4.5. Where you receive Services from us which involve HSCN Connectivity, the terms of Schedule 3 (HSCN Connectivity Specific Terms) will be deemed to automatically apply to this Agreement and you agree to abide by these additional HSCN Connectivity terms.

4.6. You agree not to use the name, logo, likeness, trade marks, image or other IPR of Cloud Gateway for any advertising, marketing, press release, endorsement or any other purposes without the prior written consent of a Cloud Gateway Director for each proposed use.

5.1. We shall use commercially reasonable efforts to:

5.1.1. provide the Services to you in accordance with the milestones detailed in an Accepted Proposal. Nevertheless, it is acknowledged and agreed that time is not ‘of the essence’ and we will not be liable for any delays;

5.1.2. ensure that the Services materially conform with any applicable specifications in an Accepted Proposal;

5.1.3. provide the Services with reasonable care, skill and diligence; and

5.1.4. cooperate with you in all matters relating to the Services.

5.2. We shall comply with all relevant legislation in relation to the Services. Before the commencement of the Services, we shall obtain and maintain all necessary licences and consents from our suppliers in relation to the Services for the duration of the Accepted Proposal.

5.3. We, or our representatives, provide technical support for the Services pursuant to the terms of the SLA.

5.4. Regardless of all other terms in this Agreement, we may make technical changes to the Platform and the Services from time to time without providing you with prior notice, but please note that we shall use commercially reasonable efforts to ensure that such changes do not have a materially detrimental impact to you.

6.1. We shall make the Platform and the Portal available to you as part of the Services and the uptime requirements will be detailed in the SLA. Please note that if you decide to opt-out of a resilient Cloud Gateway Service (and create your own failover processes), the terms of the SLA will not apply.


FOR CONTEXT: The SLA applies to the availability of the Platform. The Portal is ancillary to the Platform and consequently we do not apply uptime or availability guarantees to the Portal.


6.2 The SLA will not apply, and we will not be liable, where:

6.2.1 you are unable to access the Platform due to an unforeseen Internet outage or connectivity failure outside of our control;

6.2.2 the Platform is unavailable due to a force majeure event; or

6.2.3 you make any changes to your resiliency processes without informing us, and your resiliency processes subsequently fail in the event that we need to failover the Services.

6.3 You are solely responsible for ensuring that you have back-ups of the Customer Materials. Consequently, you agree to indemnify (reimburse on a pound for pound basis), keep indemnified and hold harmless Cloud Gateway and its Group Companies against all losses, costs, liabilities and expenses, including reasonable legal and/or other professional expenses, arising out of, or in connection with, any claim in respect of any liability arising under clause 6.2.

6.4 Each Customer Representative (as requested by you) will be provided by us with their own unique Login Information to access the Platform and the Portal (to the extent that this is required for the Services). Each Customer Representative must keep the Login Information strictly confidential and not disclose it to anyone. Your administrators are responsible for ensuring that access controls are appropriate for each Customer Representative. We will have no liability to you or any third parties in relation to any unauthorised use of the Services via a Customer Representative’s Login Information.

6.5 Without prejudice to clause 6.4, you undertake to notify us immediately at service@cloudgateway.co.uk upon becoming aware or suspecting that any Login Information has been used, or may be known, by any third party.

6.6 In the event that a Customer Representative with access to Login Information ceases to be employed or engaged by you, you must ensure that they do not continue to use the Login Information. You will indemnify and keep indemnified, Cloud Gateway and its Group Companies against all losses, costs, liabilities and expenses, including reasonable legal or other professional expenses, suffered or incurred by us and/or our Group Companies arising out of or in connection with any claim relating to the unauthorised use of any Login Information.

6.7 We do not provide any guarantees in relation to the quality or suitability (including the presence of any Viruses or other malware) of any electronic material that may be transmitted via the Services. We disclaim all liability resulting from any interruptions, data and/or formatting distortions or unauthorised access to your account within the Platform.

7.1. Once a Proposal is approved by you, you will enter the ‘onboarding phase’ with our service team. You agree that the following will be conducted as part of the onboarding process:

7.1.1. Set-Up. We shall promptly take all steps necessary to make the Services ready and available for your use in accordance with the Accepted Proposal and this Agreement. If applicable, on or before the ‘go-live’ date, we shall:

(i) implement any interfaces in the Platform required for your access to the Services;

(ii) deliver to you any Cloud Gateway Materials necessary to access and use the Services;

(iii) issue all Login Information necessary for you to access and use the Services;

(iv) perform any applicable professional or other set-up Services; and

(v) provide you with access to the Services for you to perform the Acceptance Testing (in clause 7.1.2) for both the primary and secondary access connectivity mechanisms.

7.1.2. Acceptance Testing. Upon completion of all activities and tasks (whether performed by us pursuant to 7.1.1 or by you) that are a prerequisite to use the Services in a live production environment, you shall have a period of up to five Business Days (“Acceptance Test Period”) to test the Services to ensure that they conform in all material respects to the Cloud Gateway Materials and any other agreed-upon performance criteria or functional specifications (“Acceptance Testing”). Acceptance Testing is not required where you have already undertaken a proof of concept (“POC”) with us under an Accepted Proposal. Where a POC has not been undertaken, the Services shall be deemed to be accepted by you following the end of the Acceptance Test Period unless you submit a written notice of rejection to us before the end of the Acceptance Test Period. You may decide to submit a written notice of acceptance to us earlier than the end of the Acceptance Test Period. If you provide us with notice of rejection during the Acceptance Test Period, the parties will work to resolve the reasons for directions under a re-testing process.

7.1.3. Retesting. In the event that you notify us within the Acceptance Test Period that the Services have failed to conform to the agreed acceptance criteria, we will have five Business Days from receipt of such notice to cure such failures (at no additional cost to you) (“Correction Period”). Following the Correction Period, or upon us notifying you that all corrections have been made (whichever is earlier), you shall have up to five Business Days to retest the Services to ensure that they conform with the agreed acceptance criteria (“Retesting Period”). The Services shall be deemed to be accepted by you following the end of the Retesting Period unless you submit a written notice of rejection to us prior to the end of the Retesting Period detailing how the Services still do not conform with the agreed acceptance criteria. You may at your discretion submit a written notice of acceptance to us earlier than the end of the Retesting Period. If you provide us with notice of rejection during the Retesting Period, you shall have the option to:

(i) extend to us an additional Correction Period and Retesting Period as set forth above; or

(ii) terminate the failed Services under this Agreement, in which case we shall promptly refund to you all sums paid by you for the Services terminated under the affected Accepted Proposal. If you choose to proceed with clause 7.1.3(i), this will not stop you from using clause 7.1.3(ii) in the event that we fail to correct all non-conformances at the end of the second Retesting Period.

7.2. Following acceptance of the Services in accordance with clause 7.1, any Service outages attributed to your failure to deploy and test both connectivity routes to implement a ‘dynamic failover’ shall not be included in the calculation of service availability, incident priority allocation or resolution times under the SLA.

7.3. You are responsible for managing your account within the Portal. This includes changing your preference settings (including security settings). You can assess the performance of your Services and activity within the Portal.

8.1. Each party warrants that it has, and shall maintain, all licences, authorisations, consents and approvals necessary from third parties (including any licensors of software), or required by applicable laws, necessary to grant the licences and rights contained in this clause 8.

8.2. You will remain the owner (or authorised licensor) of all Customer Materials and nothing in this Agreement assigns the Customer Materials to us.

8.3. You hereby grant us a non-exclusive, royalty-free, revocable, limited licence to use the Customer Materials for the duration of the Accepted Proposal, solely for the purpose of providing the Services and the Deliverables pursuant to the Accepted Proposal and in accordance with the terms of this Agreement. You warrant that the Customer Materials will not infringe any third party IPR.

8.4. We are (and will remain) the owner (or authorised licensor) of all IPR in the Services (including the Platform and the Portal) and Cloud Gateway Materials. Any new IPR created as part of the Services will be automatically owned by Cloud Gateway.

8.5. We hereby grant you (and, where specified in an Accepted Proposal, your Group Companies) a non-exclusive, revocable (subject to suspension or termination of this Agreement in accordance with its terms), non-transferable and non-exclusive licence to access and use the Services for the duration of the Accepted Proposal, solely for the purposes specified in that Accepted Proposal. Your permitted use under this clause includes:

8.5.1. non-production uses and applications as may be necessary or useful for the effective use of the Service (if you purchase a non-production environment);

8.5.2. use in operation with other software, hardware, systems, networks and Services owned or licensed by Customer; and

8.5.3. use of all Cloud Gateway Materials and any other materials provided or made accessible by us to you in connection with the Services or which are necessary to access or use the Services.

8.6. With the exception of the Customer Materials (which are your responsibility), we warrant that the IPR in the Services and the Cloud Gateway Materials shall not infringe any third party copyright, trade marks, service marks, database rights, design rights and/or moral rights.

9.1. Regardless of any other provision in this Agreement, this clause 9 sets out the limitations on the entire financial liability of each party.

9.2. Nothing in this Agreement limits or excludes the liability of either party:

(i) for death or personal injury resulting from negligence;

(ii) for any damage or liability incurred by a party as a result of fraud or fraudulent misrepresentation by the other party;

(iii) under any indemnity in this Agreement;

(iv) holding the other party harmless under a ‘hold harmless’ clause in this Agreement; or

(v) for any other losses which cannot be excluded or limited by law.

9.3. Excluding all of the liabilities listed in clause 9.2:

9.3.1. all warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from this Agreement;

9.3.2. Cloud Gateway and each of its officers, employees or agents will not be liable for:

9.3.2.1. the incompatibility of any part of the Services with any Customer data or any third party software used by you (which interface with, connect to, or operate on the Services);

9.3.2.2. the transmission of malware to any computer or system used by you; and

9.3.2.3. the accuracy or completeness of any Customer Materials provided through the Services, nor for any loss you or any third party occasion from acting (or refraining from acting) in reliance on, or as a result of, any material included in or omitted from the Customer Materials provided through the Services.


FOR CONTEXT: We do not monitor the content that passes through the Services and consequently it is not appropriate for us to accept any liability in relation to the contents of Customer Materials.


9.3.3. We will not be liable to you for any loss of profits, loss of agreements / contracts / business / sales, depletion of goodwill and/or similar losses, loss of anticipated savings, loss of goods, loss of contract, loss of use, loss or corruption of data or information, or any special, indirect, consequential or pure economic losses, costs, damages, charges or expenses.


FOR CONTEXT: Loss or damage is indirect if it is not an ordinary consequence of a breach, and, as such, indirect losses are normally only recoverable if, at the time this Agreement was made, the paying party knew (or should have known in the circumstances) that such loss may arise. Despite this, we do not take responsibility for the Customer Materials processed via the Platform and we will not be liable for any indirect losses (even where they are foreseeable) such as, for example, where a breach results in a contract between the Customer and one of its customers being delayed (for any reason).


9.3.4. Cloud Gateway’s total aggregate liability to you in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution or otherwise arising under or in connection with this Agreement (including any Accepted Proposal) will be limited to an amount equal to the Fees paid by you for the affected Services under the Accepted Proposal to which the liability relates during the 12-month period prior to the event giving rise to such claim for damages (to be calculated on a pro rata basis to equate to 12 months of Fees in the event that a claim arises in the initial 12 months following the effective date of the Accepted Proposal).


FOR CONTEXT: We cap our liability at the value of the applicable Fees to ensure that our risk and liability is proportionate to the value of the Agreement. We set our Fees according to the scope of risk under the liability cap.


9.4. Without impacting clause 9.3, during the term of this Agreement we shall keep a Professional Indemnity Insurance policy in force at an amount not less than £1,000,000. Following a written request from you, we shall promptly provide the insurance certificate to you.

10.1. Duration and Termination for Convenience – This Agreement. The parties acknowledge and agree that:

10.1.1. this Agreement will commence on the Effective Date and will continue indefinitely until it is terminated;

10.1.2. termination of an Accepted Proposal pursuant to clause 10.2 will not terminate this Agreement;

10.1.3. either party may terminate this Agreement upon providing the other party with written notice, which will only take effect upon the termination of all Accepted Proposals then in effect; and

10.1.4. entering into this Agreement does not commit you to purchase any Services unless and until a Proposal is accepted.

10.2. Duration and Termination for Convenience – Accepted Proposals. The parties acknowledge and agree that:

10.2.1. each Accepted Proposal will continue for the time period stated in the Accepted Proposal terms;

10.2.2. Accepted Proposals cannot be cancelled or terminated early for convenience;

10.2.3. unless stated otherwise in an Accepted Proposal, each Accepted Proposal will continue for a minimum period of 12 months (“Initial Term”) and will automatically renew for further 12 month periods (each a “Renewal Period”) unless and until a party provides the other party with at least 90 days prior written notice of termination, which shall take effect no earlier than the end of the Initial Term or the then-current Renewal Period, whichever is applicable at the time notice is given;


FOR CONTEXT: We automatically renew Services to ensure that there is no break in continuity. You can only cancel a Service for convenience by providing 90 days prior written notice of termination prior to the renewal date. If no cancellation is received, we will continue to invoice you in accordance with the Accepted Proposal, with any 5% or pre-advised Fee increase.


10.2.4. unless stated otherwise in an Accepted Proposal, at the end of each 12 month period from the commencement of an Accepted Proposal, the Fees may be increased by 5% or in accordance with our then-current fee rate card (as notified to you from time to time). We will use commercially reasonable efforts to notify you of a fee increase where it is above 5%, at least 90 days prior to the fee changes taking effect; and

10.2.5. we shall apply a 5% reduction in Fees (excluding any one-off or third party costs) to the next Renewal Period where you notify us of your recommendation to a third party (who is not an existing or previous customer of Cloud Gateway) to use our Services and they subsequently enter into a binding contract for the provision of our Services within a period of six months following your introduction.

10.3. Termination for Cause. This Agreement and/or any Accepted Proposals can be terminated by either party immediately upon providing written notice to the other party if:

10.3.1. the Agreement or any Accepted Proposal, as applicable, is breached by the other party and, if the breach can be remedied, the defaulting party does not resolve the breach within 30 days of receiving a termination notice; or

10.3.2. the other party:

(i) becomes bankrupt / insolvent;

(ii) appoints an administrative receiver or liquidator;

(iii) is unable to pay its debts as they fall due;

(iv) does (or threatens to) suspend or cease trading; or

(v) any event similar in nature to clauses 10.3.2. (i-iv) (inclusive).

10.4. Consequences of Termination – This Agreement. Upon the termination of this Agreement (other than pursuant to clause 10.1, for example if there is a breach), all Accepted Proposals will automatically terminate.

10.5. Consequences of Termination – Accepted Proposals. Upon the termination of an Accepted Proposal (for example if there is a breach):

10.5.1. all Services under that Accepted Proposal will immediately end;

10.5.2. you will be liable for paying the full Fees under that Accepted Proposal and we will invoice you with any outstanding charges;

10.5.3. we will have no obligation to pay you a refund under any circumstances;

10.5.4. you must promptly return all Cloud Gateway Equipment to us (no later than three Business Days). If you fail to do so, we may enter your premises and take possession of all Cloud Gateway Equipment and you agree to provide us with access and reasonable assistance in recovering the Cloud Gateway Equipment. Until the Cloud Gateway Equipment has been returned to us, you are solely responsible for its safe keeping (at your sole cost);

10.5.5. we will return all Customer Equipment and Customer Materials to you (that have not been consumed in the Services);

10.5.6. you must complete the offboarding activities that we notify you of in writing; and

10.5.7. regardless of any other terms in this Agreement, upon your request, and subject to you paying us a charge additional to the Fees in accordance with our then-current rates (“Transitional Services Fee”), we shall provide you with transitional services assistance for up to a one month period to enable you to transition any terminated Services from us to you or any replacement vendor (“Disentanglement”). In providing Disentanglement, we shall:

(i) co-operate with you and/or any replacement vendor, including by taking all reasonable steps requested by you to assist in effecting a complete Disentanglement, including providing documentation, interface specifications, and where applicable, any related professional service at comparable rates to those we have previously offered to you;

(ii) conclude all Services;

(iii) perform all other activities necessary or consistent with fully transferring the Services from us without impairing your receipt or use of the Service, including, without limitation, providing the Services during Disentanglement; and

(iv) use commercially reasonable efforts not to cause interruption of, or any adverse impact on, you or any replacement vendor. We will not be held responsible for any delays in the transfer of the Services if such delays are caused by you or any replacement vendor.

10.6. In the event that you fail to comply with clauses 10.5.4. or 10.5.6. (and/or clause 10.5.7 where Disentanglement is requested by you), we reserve the right to charge you a Transitional Services Fee, or a continuation of the previously agreed Fees, to maintain your access to the Portal and Services whilst the actions are completed.

10.7. Termination of this Agreement will not affect any party’s rights, obligations, remedies or liabilities that have accrued prior to termination.

11.1. Neither party shall, in any circumstances, have any liability to the other party under this Agreement if it is prevented from or delayed in performing its obligations under this Agreement, or from carrying on its business, by any acts, events, omissions or accidents beyond its reasonable control, including, without limitation: acts of God; fire; flood; storm; epidemic; pandemic; war; riot; civil commotion; malicious damage; compliance with any law or governmental order, rule, regulation or direction; accident; breakdown of plant or machinery; default of suppliers or subcontractors; strikes, lock-outs or other industrial disputes or illness involving the workforce of Cloud Gateway; delays, interruptions or failures of telecommunication networks or services, or of internet service providers; or failure of a utility service or transport network (“Force Majeure Event”).

The affected party must take reasonable steps to limit the impact of the Force Majeure Event upon its business and the performance of its obligations under this Agreement. In the event of a partial, delayed or defective execution of an obligation due to a Force Majeure Event, the parties will continue executing the obligations under this Agreement that are not affected in any way by such cause. The party affected by the foregoing causes will recommence compliance with all of its obligations and conditions under this Agreement within a reasonable period of time, once such cause(s) has/have disappeared. For clarity, a Force Majeure Event will not waive your payment obligations under this Agreement. If the Force Majeure Event continues for a period of 60 days or more, the unaffected party may terminate this Agreement with immediate effect by providing the other party with written notice.

12.1. “Confidential Information” means any information that is of a reasonably confidential nature (including the terms of this Agreement, and any commercial, technical, proprietary and/or financial: information, data, know-how or processes) that has been disclosed orally, in writing or by demonstration by one party or its Group Companies (the “Disclosing Party”) to the other party or its Group Companies (the “Receiving Party”).

12.2. The Receiving Party agrees to:

12.2.1. protect the Confidential Information from unauthorised access or disclosure;

12.2.2. use the Confidential Information solely in connection with the Services and its obligations under this Agreement; and

12.2.3. only make the Confidential Information available to its Representatives that reasonably require it to enable the Receiving Party to perform its obligations under this Agreement (subject to such Representatives being bound by confidentiality obligations that are materially equivalent to this clause 12).

12.3. Nothing in this Agreement will restrict the Receiving Party’s use of any Confidential Information which:

12.3.1. is disclosed to enable us to state that you are a Cloud Gateway customer in relation to the Services, or to enable you to state that you have engaged Cloud Gateway for the Services, and is a mere commercial reference in each party’s respective internal and external marketing related materials and statements;

12.3.2. is made available in the public domain by any person without breach of this Agreement;

12.3.3. is already in the Receiving Party’s lawful possession, as reasonably evidenced by the Receiving Party;

12.3.4. has already been independently developed by the Receiving Party without reference to the Confidential Information;

12.3.5. is disclosed by the Receiving Party with the prior written approval of the Disclosing Party; or

12.3.6. is required by law to be released (e.g. by a court order), provided that the Disclosing Party is given at least seven days’ prior written notice of such request (where such notice is not prohibited by law) and the Receiving Party co-operates to obtain a protective order / disclosure limitation, as requested by the Disclosing Party.

12.4. This clause 12 will survive the termination of this Agreement.

13.1. General Obligations. Each party will ensure that, in the performance of its obligations under this Agreement, it will at all times comply with all applicable Data Protection Laws and any other applicable privacy laws and regulations.

13.2. Data Specification. No Personal Data is processed through the Services. Personal data is only collected from you and processed by us for the purpose of enabling your access to the Services. The Data Subjects will be your employees that interact with the Services, and the personal data collected will be their usernames and contact details, such as email addresses. Further details regarding how we handle Personal Data can be found in our Privacy Policy here. You are responsible for ensuring that we have appropriate processing specifications for the Personal Data provided to us under this Agreement.

13.3. Data Controller. You acknowledge and agree that you will be the Data Controller under this Agreement and that you will be responsible for adequately addressing the use of cookies and data protection obligations in your end-customer / client terms and conditions and policies. As we do not have any control over your data protection notices, policies and terms and conditions, you will indemnify (reimburse on a pound for pound basis), and keep indemnified, Cloud Gateway and our officers, employees, consultants, agents and subcontractors against all losses, costs, liabilities and expenses, including reasonable legal or other professional expenses, suffered or incurred by us arising out of or in connection with any claim in respect of:

(i) a breach of clause 13.1, 13.2 or 13.3;

(ii) any liability arising whatsoever in respect of the cookies on, or the capture of Personal Data through, your website(s) and applications; and

(iii) the consent of Data Subjects for the exportation of any Personal Data outside of the UK and/or European Economic Area by us under clause 13.6.

13.4. Data Processor. We acknowledge and agree that we will be the Data Processor under this Agreement and that we shall:

(i) keep all Personal Data strictly confidential (pursuant to clause 12 (Confidentiality)) and not disclose any Personal Data to third parties;

(ii) not use the Personal Data for any purpose other than to perform our obligations under this Agreement;

(iii) ensure that all Personal Data is processed in accordance with this Agreement, or as otherwise instructed by you from time to time in writing, and we shall not process the Personal Data for any other purpose – unless required by law to which we are subject – in which case we shall, to the extent permitted by law, inform you of that legal requirement prior to responding to the request;

(iv) promptly carry out any written request made by you during this Agreement requiring us to amend, transfer or delete all, or any part of, the Personal Data; and

(v) notify you without undue delay, or in any case within 48 hours, upon us or any sub-processor becoming aware of a Personal Data Breach and at this time provide you with all sufficient information required to meet any obligation to notify the relevant data protection authority or inform affected individuals under applicable Data Protection Laws.

13.5. Assistance. We agree to assist you with all subject access requests which may be received from an end-customer in a prompt timeframe (at your cost) and to ensure that appropriate technical and organisational measures are in place to enable you to meet your obligations to those requesting access to Personal Data held by us. Upon request, we shall provide you with reasonably requested information within a reasonable timeframe to demonstrate our compliance with this clause 13. We shall assist you in relation to any data impact / risk assessments and/or any prior consultation with the relevant data protection authority, provided that we shall be entitled to charge a reasonable fee for such assistance.

13.6. Data Transfers. We agree not to transmit any Personal Data to a country or territory outside of the UK and/or the European Economic Area without your prior written consent, provided that such consent is hereby deemed provided where the Personal Data is subject to an adequate level of protection and appropriate legal safeguards in accordance with Data Protection Laws (which may include entering into an International Data Transfer Agreement), subject to you informing us of your explicit withdrawal of such consent.

13.7. Return of Data. Upon the termination or expiry of this Agreement for any reason, we shall return all Personal Data to you, or destroy it, as requested by you in writing, provided that this shall not prevent us from retaining a copy to meet our legal or regulatory obligations.

13.8. Safeguards. Taking into account the state-of-the-art, the costs of implementation, and the nature, scope, context and purpose of processing, as well as the varying risks to rights and freedoms of natural persons, the parties warrant that for the duration of this Agreement they will implement administrative, technical and physical safeguards sufficient to: ensure the security and confidentiality of Personal Data; protect against the unauthorised or accidental destruction, loss, alteration, use, or disclosure, of Personal Data and other records and information of the end-customers or employees; and to protect against anticipated threats or hazards to the integrity of Personal Data and other such information and records.

14.1. During the term of this Agreement and for a period of one year following its termination, each party agrees not to directly or indirectly solicit or entice away any person who is, or has been, engaged as an employee, worker, agent, consultant or subcontractor of the other party (“Restricted Person”), unless it has obtained the prior written consent of the other party. Each party agrees that this clause is reasonable.

14.2. A party will not breach clause 14.1 where it employs / engages a Restricted Person as a result of running a national advertising campaign open to all applicants and not specifically targeted at any Restricted Person, or after having been approached directly by a Restricted Person without the party taking any active steps to solicit this.

14.3. If you commit a breach of this clause 14, you will, without prejudice to any of our other rights or remedies, pay us on demand a sum equal to one year’s basic salary of (or the annual fee that was payable by us to) the applicable Restricted Person, plus the recruitment costs we incur in replacing such person. For avoidance of doubt, any salary or annual fee payable shall be exclusive of any commission or bonuses that the Restricted Person may have been entitled to.

15.1. The parties shall:

15.1.1. comply with all applicable anti-slavery and human trafficking laws, statutes and regulations from time to time in force including but not limited to the Modern Slavery Act 2015;

15.1.2. comply with all applicable laws, regulations, codes and sanctions relating to anti-bribery and anti-corruption including, but not limited to, the Bribery Act 2010 and the Foreign Corrupt Practices Act 1977 (“Relevant Requirements”); and

15.1.3. provide the party with such evidence as is reasonably required from time to time to demonstrate compliance with this clause 15.1.

15.2. The parties shall:

15.2.1. maintain in place throughout the term of the Agreement its own policies and procedures, including adequate procedures under the Bribery Act 2010, to ensure compliance with the Relevant Requirements and will enforce them where appropriate; and

15.2.2. promptly report to the other party any request or demand for any undue financial or other advantage of any kind received by them in connection with the performance of the Agreement.

15.3. The parties recognise that the law and regulations may change or may be clarified, and that terms of this Agreement may need to be revised (on advice of legal counsel), in order to remain in compliance with such changes or clarifications, and the parties agree to negotiate in good faith revisions to the term or terms that cause the potential or actual breach or non-compliance. In the event the parties are unable to agree to new or modified terms as required to bring the entire Agreement into compliance, either party may terminate this Agreement by providing at least 30 days written notice to the other party, or earlier if necessary to prevent noncompliance with a governmental deadline or effective date.

15.4. We maintain and adhere to a Conflict of Interest Policy. You represent and undertake that no employee, officer or director of Cloud Gateway is an employee, officer or director of the Customer, or serves on any boards or committees of or in any advisory capacity with Customer, except as disclosed by you to us in writing prior to entering into this Agreement. To the extent that any employee, officer or director of Cloud Gateway may now or in the future serve on any board or committee of or in any advisory capacity to the Customer, any payments made to such parties shall be at fair market value for the Services rendered.

16.1. If a dispute arises out of or in connection with this Agreement or the performance, validity or enforceability of it, then either party may give written notice of the dispute to the other party (with supporting documents) and the parties agree to seek to resolve the dispute in good faith within 30 days. If a resolution to the dispute cannot be reached within 30 days, then the parties may agree to refer the matter to mediation in accordance with the CEDR Model Mediation Procedure. Unless otherwise agreed between the parties, the mediator shall be nominated by CEDR.

16.2. Regardless of any other provisions in this Agreement, a dispute can be referred to the courts by either party at any time pursuant to clause 17.11.

17.1. Variation. We reserve the right to modify this Agreement or the Services and to impose new or additional terms or conditions at any time. We shall provide you with at least 30 days prior written notice of any material changes. If you continue to use the Services after such a notice period has expired, you will be deemed to have accepted any notified changes, and they will be incorporated into this Agreement.

Subject to the preceding, no variation of this Agreement will be effective unless it is in writing and signed by the authorised representatives of both parties. Either party may propose changes to Accepted Proposals and, subject to agreement on the specifications, Fees, and timeframes, such changes will be binding on the parties upon them signing a Contract Change Notice (CCN).


FOR CONTEXT: We need the right to update the terms of this Agreement to reflect changes to the law and to our processes. Such changes will apply to all our customers. We will provide you with reasonable notice (30 days minimum) in advance of any material changes and will seek to address any queries that you may have at this time.


17.2. Severance. If any provision of this Agreement is held to be invalid, illegal or unenforceable for any reason by a court of competent jurisdiction, such provision will be severed and the remainder of this Agreement will continue in full force and effect as if this Agreement had been executed with the illegal or unenforceable provision eliminated.

17.3. Survival. All obligations in this Agreement which expressly, or by their nature, are intended to continue beyond the termination of this Agreement (including provisions relating to confidentiality, liability, indemnification, data protection and governing law) will survive the termination of this Agreement.

17.4. Assignment. This Agreement is for the benefit of, and binding on, the parties and their respective successors and assignees. It may not be assigned by either party without the prior written consent of the other party, except that we may, upon notice, transfer our rights and obligations under this Agreement to a Cloud Gateway Group Company.

17.5. Subcontracting. We may subcontract any of our rights or obligations under this Agreement without your consent. You may subcontract any of your rights or obligations under this Agreement if you have obtained our prior written consent and ensure that any of your sub-contractors are made aware of, and are legally bound to comply with, the terms of this Agreement. Each party will remain fully responsible for the acts and/or omissions of any of its subcontractors.

17.6. No Partnership / Agency. Nothing in this Agreement is intended to, or will be deemed to establish, any partnership or joint venture between the parties, make a party the agent of the other party, or authorise a party to make or enter into any commitments for or on behalf of the other party.

17.7. Third Party Rights. No one other than a party to this Agreement, its successors or its permitted assignees, will have any right to enforce any of its terms.

17.8. Waiver. No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law will constitute a waiver of that or any other right or remedy, nor will it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any such right or remedy will prevent or restrict the further exercise of that or any other right or remedy. The rights and remedies provided under this Agreement are in addition to, and are not exclusive of, any rights or remedies provided by law.

17.9. Notices. All notices must be in writing and are deemed to be given when mailed by registered or certified mail, return receipt requested, to the other party’s registered address, or email address, specified on the Proposal, or any such other address or email address as is notified to the other party in writing. Any notice or communication shall be deemed to have been received:

(i) if delivered by hand, upon signature of a delivery receipt, or at the time the notice is left at the proper address; or

(ii) if sent by email, at 09:00 on the next Business Day after transmission. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

17.10. Counterparts. This Agreement, any Accepted Proposals and any ancillary agreements may be signed in counterparts. Each signed copy of a document will be deemed to be an original, but all signed copies, when taken together, will constitute one and the same agreement.

17.11. Governing Law. This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by English law and the parties irrevocably submit to the exclusive jurisdiction of the English courts.

Schedule 2

Standard Definitions

In this Agreement, the following definitions apply

a Proposal that has been signed and accepted by the Customer.

Monday to Friday, excluding any bank holidays in England.

09:00 to 17:30 in England on a Business Day.

any equipment, including tools, systems, cabling, boxes or facilities, provided to the Customer by Cloud Gateway, its agents, subcontractors or consultants, and used directly or indirectly in the supply of the Services, including any such items specified in an Accepted Proposal and any such items belonging to a third party, but excluding any such items which are the subject of a separate agreement between the parties under which title passes to the Customer.

any information, data, text, content or materials made available by Cloud Gateway to the Customer as part of the Services.

any equipment, including tools, systems, cabling or facilities, provided to Cloud Gateway by the Customer, its agents, subcontractors or consultants, which is used directly or indirectly in the supply of the Services, including any such items specified in an Accepted Proposal.

all documents, data, information, items and materials in any form, whether owned by the Customer or a third party, which the Customer processes through the Services, or that is provided by the Customer to Cloud Gateway in order to set up the Services.

all applicable data protection and privacy legislation in force from time to time in the United Kingdom, which may include the UK General Data Protection Regulation (Retained Regulation (EU) 2016/679), the Data Protection Act 2018, and the Privacy and Electronic Communication (EC Directive) Regulations 2003 (PECR), as well as any other applicable legislation relating to personal data in any relevant jurisdiction, and the guidance and codes of practice issued by the Information Commissioner’s Office or another relevant data protection or supervisory authority, all as amended or replaced from time to time. “Controller”, “Processor”, “Personal Data”, “Data Subject”, “Personal Data Breach” and processing (and process, processes, and processed shall be construed accordingly) shall have the meanings given to them in the Data Protection Laws.

any charges paid or payable by the Customer to Cloud Gateway under this Agreement, as set out in an Accepted Proposal.

any company which is under common management control of, and of which more than 50% of the shares (or equivalent) are owned by: a party; a subsidiary of that party; its ultimate holding company; or any direct or indirectly owned subsidiary of such ultimate holding company (where “holding company” and “subsidiary” shall be as defined in section 1159 of the Companies Act 2006).

a connection of the Cloud Gateway Platform into the ‘Health and Social Care Network’ (HSCN).

any patents, trade marks, service marks, copyrights, database rights, moral rights, design rights, unregistered design rights, know-how, confidential information and/or any other intellectual or industrial property rights, whether or not registered or capable of registration, and whether subsisting in England or any other part of the world, together with any goodwill relating or attached thereto.

any digital certificate or security token given to the Customer by Cloud Gateway, or agreed with the Customer by Cloud Gateway, for the purpose of gaining access to the Services.

a connection of the Cloud Gateway Platform into the ‘Public Services Network’ (PSN).

the Cloud Gateway technology that allows the transmission of Customer Materials as directed by the Customer.

the application provided to manage Customer support tickets and to view Customer usage and statistics.

a document that Cloud Gateway sends to the Customer detailing the specifications for the proposed Services, incorporating the terms of this Agreement.

a party’s officers, staff members, contractors, agents and/or professional advisors.

the provision of the Platform, Cloud Gateway Equipment, Cloud Gateway Materials and any services to be provided by Cloud Gateway to the Customer as set out in an Accepted Proposal.

the Cloud Gateway Service Level Agreement, as updated by us and notified to you from time to time.

any thing or device (including any software, code, worm, trojan horse, virus, file, programme or any other similar thing or device) which may (as applicable) prevent, impair or otherwise adversely affect: the operation of any computer software, hardware or network; any telecommunications service, equipment, network or other service or device; access to or the operation of any programme or data, including the reliability of any programme or data (whether by rearranging, altering or erasing the programme or data in whole or part or otherwise); or the user experience.

Schedule 3

HSCN Connectivity Specific Terms
1. Application of this Schedule

The provisions that follow only apply to HSCN Connectivity Services and they do not apply to any other Service type provided by us.

2. Schedule specific definitions

In this Schedule 3, the terms listed here shall have the following meanings

the deed required by the HSCN Authority to be signed by any CN-SP in order for it or its subcontractor to deliver HSCN Connectivity Services.

the agreement setting out the obligations and requirements for organisations wanting to connect to the HSCN, together with all documents annexed to it and referenced within it.

an organisation that is supplying or is approved to supply HSCN Connectivity Services having achieved the appropriate HSCN Compliance.

the standards, practices, methods and procedures conforming to the law and the exercise of the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or body engaged within the relevant industry or business sector.

the government’s network for health and social care, which helps all organisations involved in health and social care delivery to work together and interoperate.

NHS Digital (the Health and Social Care Information Centre).

a status as detailed in the document "HSCN Compliance Operating Model" as set out here, and as updated by the HSCN Authority from time to time.

any service which is offered by a CN-SP to provide access to and routing over the HSCN.

a recipient of HSCN Connectivity Services.

any agreement pursuant to which a CN-SP (or Sub-contractor of a CN-SP) agrees to supply HSCN Connectivity Services to a HSCN Consumer.

the obligations as available here which may be updated from time-to-time by the HSCN Authority.

the document containing the architecture and technical solution for HSCN (the latest version can be accessed here).

a sub-contractor (including any affiliate or group company) of a CN-SP in relation to HSCN Connectivity Services which, in the reasonable opinion of the HSCN Authority, performs (or would perform if appointed) a substantive role in the provision of all or any part of the HSCN Connectivity Services.

the NHS Digital Care Computing Emergency Response Team, that provide cyber security intelligence and advice to the health and care system using links across the public sector and with partners in industry.

Schedule 3 Continued

HSCN Terms

3.1. All organisations wishing to obtain access to the HSCN network are required to sign a Connection Agreement before HSCN Connectivity Services can be provisioned by Cloud Gateway.

3.2. You acknowledge that we are not permitted to allow access to any HSCN Service to any person with whom we do not have a direct contract covering the HSCN Connectivity Service. Regardless of all other terms in this Agreement, you must not permit any access to any HSCN Connectivity Service by any third party, including any beneficiary.

3.3. If we serve a notice terminating the provision of HSCN Connectivity Services in accordance with the provisions of this Agreement, you will be liable to pay the Fees for those Services up until the point in time that you could otherwise first have terminated those Services, irrespective of the fact that those Services are no longer being provided.

3.4. You acknowledge and agree that we will not be liable to you or any third party for any claims, proceedings, actions, damages, costs, expenses and any other liabilities of any kind which may arise out of, or in consequence of, any notification by the HSCN Authority requiring disconnection of HSCN Connectivity Services or a consumer environment under the terms of paragraph 4.4 below.

3.5. You will cooperate fully and promptly in relation to any audit that we are required to conduct from time to time in relation to its customers for HSCN Connectivity Services, including by answering questionnaires and providing documentary evidence. If we have any concern that requires a physical audit of you and your premises, records and/or systems, you will again cooperate fully with us. We may charge for any audit that we perform beyond the initial paper-based questionnaire and review (at our then current professional services fee rates), which you must pay. You irrevocably consent to us revealing the findings from any such audit process to the HSCN Authority.

3.6. The HSCN Authority requires certain mandatory terms and conditions to be included in any agreement for the supply of HSCN Connectivity Services. Those mandatory terms are set out in paragraph 4 below (“Mandatory HSCN Terms”), and the Customer and Cloud Gateway will comply with them. In the event of any conflict between any of the terms of this paragraph 3 and paragraph 4, clause 4 will prevail to the extent necessary to resolve the conflict.

4.1. We shall ensure that any HSCN Connectivity Services that we supply pursuant to this Agreement shall have been awarded HSCN Compliance and shall retain at all times HSCN Compliance.

4.2. We shall ensure that any HSCN Connectivity Services that we supply pursuant to this Agreement are delivered in accordance with the HSCN Obligations Framework.

4.3. You must ensure that any HSCN service consumer environment used to consume HSCN Connectivity Services supplied pursuant to this Agreement shall be provided and maintained in accordance with the Connection Agreement.

4.4. Each of the parties warrants and undertakes that during the term of this Agreement they will immediately disconnect their HSCN Connectivity Services, or consumer environment (as the case may be), from all other HSCN Connectivity Services and consumer environments where specifically requested in writing by the NHS Digital CareCERT (or the HSCN Authority acting on behalf of NHS Digital CareCERT) where there is an event affecting national security or the security of the HSCN.

4.5. The parties acknowledge and agree that the HSCN Authority shall not be liable to them or any other party for any claims, proceedings, actions, damages, costs, expenses and any other liabilities of any kind which may arise out of, or in consequence of any notification pursuant to paragraph 4.4 above.

4.6. Each of the parties acknowledges and agrees that paragraphs 4.4 and 4.5 are for the benefit of and may be enforced by the HSCN Authority, regardless of the fact that the HSCN Authority is not a party to this Agreement, pursuant to the Contracts (Rights of Third Parties) Act 1999. For the avoidance of doubt, such appointment shall not increase any of our liability beyond the scope of its existing liabilities under this Agreement, the CN-SP Deed or the HSCN Obligations Framework.

4.7. We shall procure that any Material Sub-contractor shall comply with terms materially equivalent to the terms of this Agreement in relation to their provision of HSCN Connectivity Services.

4.8. Where any level of standard, practice or requirement associated with any Cloud Gateway obligation referenced in this Agreement, the HSCN Obligations Framework, the HSCN CN-SP Service Management Requirement Addendum or the HSCN Consumer Contract conflicts with another level of standard, practice or requirement associated with any of our obligations or with Good Industry Practice, then the higher standard or requirement or best practice shall be adopted by us. In the event that we cannot determine which represents the higher standard or requirement or best practice, we shall seek guidance from the HSCN Authority which shall reasonably determine which is the level of standard, practice or requirement that is the most favourable from a HSCN Consumer perspective, and thus with which standard or best practice to comply.

4.9. If we fail to provide any part of the HSCN Connectivity Services as required under this HSCN Consumer Contract, we shall, in accordance with the guidance documentation published here, be directly liable to the HSCN Consumer in respect of such HSCN Connectivity Services.

4.10. You must share all records and information with the HSCN Authority as are reasonably requested by the HSCN Authority in connection with the monitoring and operation of the HSCN network described in the HSCN Solution Overview Document.

5.1. Security and Compliance is a shared responsibility between the parties. The purpose of this document is to outline these responsibilities including the appropriate connectivity, security and accreditation if and where required.

6.1. We are responsible for protecting the infrastructure that runs all of the Services offered on the Platform. This infrastructure is composed of the hardware, software, networking, and facilities that run the Cloud Gateway Services. This includes (but is not limited to) controls such as vulnerability and patch management, certificate and cryptography, access control, monitoring / alerting, incident / change management and business continuity.

6.2. The Platform benefits from extensive independent validation via certifications ranging from international standards (for example ISO27001 and Cyber Essentials Plus) to UK Public Sector specific standards (for example, PSN certification). The Platform is subject to regular, extensive IT Security Health Check (ITSHC) CHECK Tests by independent, CESG-approved assessors to ensure that our customers have confidence in the physical and technical security controls which have been implemented to protect their valuable data assets.

7.1. There are no specific assurance or compliance schemes to which you must adhere in order to obtain a connection to the Platform, except for when connecting to the public services referenced within this document. However, there are a number of obligations on all organisations that use our Services. These are set out below and designed to help maintain the availability of the Platform whilst improving the overall cyber security position of Cloud Gateway clients.

7.2. Incident Reporting. You have a responsibility to report any identified incidents that are affecting or have the potential to affect the Cloud Gateway Services. Incidents should be reported to the Cloud Gateway Service Team at the earliest opportunity.

7.3. You must have an individual who is responsible for information security with respect to the Services provided by us. These contact details should be shared with us so that we can contact them directly regarding security incidents and concerns.

7.4. Information Security. We recommend that you implement good practice cyber security measures to limit exposure to malware and lateral movement of network distributed attacks that could reach the Cloud Gateway Services. This should include:

7.4.1. properly configured systems for detecting when accounts or systems have been breached;

7.4.2. managing and handling all matters relating to logins, authentication, and access permissions; and

7.4.3. encrypting data within Client applications to protect information, systems and Services from unauthorised disclosure, destruction, theft, unavailability or loss of integrity through cyber and / or other forms of attack.

7.5. Network Monitoring. You are required to inform us of any security testing or traffic pattern changes that could be interpreted as early indicators of compromise.

You must provide at least 2 weeks' notice of any activities, such as penetration tests, and you must provide details we request about the proposed test. The Services are monitored by us for the purposes of maintaining the availability and security of the systems and/or Services. Examples include looking for abnormal amounts of traffic or port scanning that could indicate a malware or other cyber security attack. We do not store or have access to the content of the network traffic, only the metadata. If you do not provide sufficient notice or information prior to the tests, we reserve the right to take any action to cover any costs we incur and to maintain the Services.

7.6. Access Controls. Our Services do not impose any restrictions on categories of sites or services that you can access except for a standard set of controls that are in place to prevent data from being shared with known malware resources (for example, places on the Internet with which malware may try to communicate).

7.7. You are required to request and authorise the required application / network traffic that is permitted through the Platform. A security assessment will be performed to ensure the integrity of the platform is maintained.

8.1. Where you connect to the HSCN network through the Platform, you are responsible for the control and management of access and responsibilities for end users including appropriate connectivity, security and accreditation if required. Where access is required over HSCN, you are responsible for adhering to the Code of Connection by signing a Connection Agreement which is a mandatory requirement before connecting to the network. This link has more information.

8.2. To check that you have a signed Connection Agreement, go here and search either using your organisation name or ODS code.

8.3. We will check this Connection Agreement is in place before we enable your connection to the Platform.

Schedule 4

PSN connectivity specific terms

1. Application of this Schedule

The provisions that follow only apply to PSN Connectivity Services and they do not apply to any other Service type provided by us.

Where you connect to a Public Services Network (“PSN”) through the Platform, you are responsible for the control and management of access and responsibilities for end users including appropriate connectivity, security and accreditation if required.

Where access is required over PSN, you are responsible for obtaining a PSN Compliance connection certificate. This link has more information.

2. Schedule specific definitions

In this Schedule 4, the terms listed here shall have the following meanings

the UK government’s National Technical Authority for Information Assurance. See www.cesg.gov.uk

the agreement, as set out in the code template, setting out the obligations and requirements for organisations wanting to connect to the PSN, together with all documents annexed to it and referenced within it.

the agreement, as set out in the code template, setting out the obligations and requirements for an organisation to provide PSN connectivity services, together with all documents annexed to it and referenced within it.

the agreement, as set out in the code template, setting out the obligations and requirements for an organisation wanting to provide PSN services, together with all documents annexed to it and referenced within it.

a component, product or service that enables PSN-connected organisations to enjoy intra and inter-organisation IP data transmission and for which a PSN compliance certificate has been awarded by the PSN team.

the total network of all GCN services provided by all GCN Service Providers.

a component, product or service that enables PSN-connected organisations to enjoy intra and inter-organisation IP data transmission and for which a PSN compliance certificate has been awarded by the PSN team.

an organisation that is supplying or is approved to supply a PSN connectivity service in accordance with a CoICo.

the certificate awarded to the individual infrastructures, GCN Services, PSN services and PSN connectivity services that make up the PSN.

the PSN service consumer that has achieved PSN compliance certification for their PSN customer environments and holds PSN supply agreement(s) with PSN service providers and PSN connectivity service providers for the services concerned.

either a contract or – if it is between public sector bodies – a Memorandum of Understanding (MoU) to deliver PSN services or PSN connectivity services.

an organisation which uses PSN services or PSN connectivity services.

an organisation that is supplying or is approved to supply PSN services in accordance with a CoP.

a functional service available to PSN-connected organisations from a PSN-connected infrastructure in order to enable the fulfilment of a specific business activity, which is offered by a PSN Service Provider in accordance with a CoP and for which a PSN Compliance Certification has been awarded by the Public Services Network Team.

the government’s high-performance network, which helps public sector organisations work together, reduce duplication and share resources.

Schedule 4 Continued

PSN Terms

3.1  We shall ensure that any PSN and GCN services that we supply, or are supplied by others, pursuant to this agreement shall have been awarded and retain at all times a PSN compliance certificate.

3.2  We shall ensure that any PSN and GCN services that we supply, or are supplied by others, pursuant to this agreement are delivered in accordance with the applicable code, codes or Documents of Understanding (DoU).

3.3  You shall ensure that any PSN customer environment used to consume PSN and GCN services supplied pursuant to this agreement shall have been awarded and retain at all times a PSN compliance certificate.

3.4  You shall ensure that any PSN customer environment used to consume PSN and GCN services supplied pursuant to this agreement shall be provided and maintained in accordance with the applicable code or codes.

3.5  Each of the parties warrants and undertakes that they shall throughout the term, where specifically requested in writing by the PSN team acting on advice from the Infrastructure SIRO, immediately disconnect its GCN services, PSN services or customer environment (as the case may be) from such PSN services (including any Direct Network Services (DNS)), GCN services and customer environments as the PSN team instructs where there is an event affecting national security, or the security of the GCN or PSN.

3.6  The parties acknowledge and agree that the PSN team shall not be liable to them or any other party for any claims, proceedings, actions, damages, costs, expenses and any other liabilities of any kind which may arise out of, or in consequence of any notification pursuant to clause 3.5.

3.7  Each of the parties acknowledges and agrees that these clauses 3.4 and 3.5 are for the benefit of and may be enforced by the PSN team, notwithstanding the fact that the PSN team is not a party to this agreement, pursuant to the Contracts (Rights of Third Parties) Act 1999.

3.8  We shall cooperate with suppliers of other PSN services and GCN service providers to enable the efficient operation of PSN.

3.9  The PSN services shall be delivered in a way that enables the sharing of services across customers of PSN services and maximises the savings to be achieved by such sharing of services.

Schedule 5

Service Level Agreement (SLA)

Cloud Gateway's Service Level Agreement is available to download here:

Download SLA