Last updated: June 2026
"Authorised Users" — employees, agents and independent contractors of the Client authorized to use the Software.
"Business Day" — a day other than Saturday, Sunday or public holiday in England when banks are open.
"Charges" — the Software Subscription Fee.
"Client" — the client to whom the Software Subscription Renewal Agreement is addressed.
"Client Data" — all data, content, and information submitted, stored, transmitted or processed through the Software.
"Confidential Information" — information designated as confidential or reasonably regarded as such, relating to business, financial affairs, products, developments, trade secrets, technology, personnel, customers and suppliers.
"Contract" — these Terms of Business, the Software Subscription Renewal Agreement, Privacy Policy, Data Processing Addendum (Schedule 1), and related documents.
"Data Protection Laws" — applicable legislation on personal data processing and privacy, including the Data Protection Act 2018, UK GDPR, and Privacy and Electronic Communications Regulations 2003.
"Data Subject" — has the meaning given in Data Protection Laws.
"DPA" — the Data Processing Addendum set out in Schedule 1.
"Effective Date" — the Software Start Date or last date of signature of the Software Subscription Renewal Agreement.
"Intellectual Property Rights" — patents, trade marks, registered designs, copyright, database rights, know-how, confidential information, and similar protections worldwide.
"Personal Data" — has the meaning given in Data Protection Laws.
"Plinth" — Time to Spare Ltd (trading as Plinth), registered in England and Wales under company number 11530023, located at Space4, 113–115 Fonthill Road, London, N4 3HH.
"Privacy Policy" — Plinth's privacy policy at https://www.plinth.org.uk/privacy, updated from time to time.
"Processing" — has the meaning given in Data Protection Laws.
"Security Incident" — unauthorized or unlawful breach of security leading to destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
"Software" — the OutNav software described in the Software Subscription Renewal Agreement.
"Software Start Date" — the day Plinth starts or continues providing Software access.
"Software Subscription Fee" — the subscription fee for Software use, as set out in the Software Subscription Renewal Agreement.
"Software Subscription Renewal Agreement" — any agreement signed by both parties extending Client entitlement to access and use the Software.
"Sub-processor" — any third party appointed by Plinth to Process Personal Data on behalf of the Client.
"Term" — has the meaning given in clause 2.
"Terms of Business" — Plinth terms of business.
In the Contract:
1.2.1. A reference to a statute or statutory provision includes amendments, extensions or re-enactments and subordinate legislation.
1.2.2. References to clauses and Schedules are to clauses and Schedules of these Terms of Business.
1.2.3. The Schedule forms part of these Terms of Business with the same force and effect.
1.2.4. Words following "including," "include," "in particular," "for example" or similar expressions are illustrative and do not limit preceding words.
1.2.5. Clause headings are for reference only and do not affect Contract construction or interpretation.
1.2.6. A reference to writing or written excludes email.
If there is conflict between clauses of these Terms of Business, the DPA, Privacy Policy, a Software Subscription Renewal Agreement and/or other incorporated documents, the conflict is resolved as follows:
1.3.1. the Data Processing Addendum (Schedule 1);
1.3.2. a Software Subscription Renewal Agreement;
1.3.3. the clauses of these Terms of Business;
1.3.4. the Privacy Policy; and
1.3.5. any other document referred to and expressly incorporated into the Contract.
The Contract commences on the Effective Date and continues, unless terminated earlier under clause 8, for the period set out in the Software Subscription Renewal Agreement (the "Term").
Where the Software Subscription Renewal Agreement specifies Plinth will provide Software access, Plinth grants the Client a non-exclusive, non-transferable, non-sub-licensable right to permit Authorised Users to use the Software from the Software Start Date during the remainder of the Term solely for the Client's internal business operations.
The Software is made available subject to unavailability caused by circumstances beyond Plinth's reasonable control, including Force Majeure Events and computer, communications, internet service or hosting facility failures or delays. The Software may be temporarily limited, interrupted or curtailed due to maintenance, repair, modifications, upgrades or relocation. Plinth shall attempt to notify the Client of scheduled and unscheduled interruptions expected to last more than one Business Day. Plinth may change the Software during the Term provided that Plinth will not materially reduce the functionality provided.
In relation to Authorised Users, the Client undertakes that:
3.3.1. each Authorised User shall keep secure any password or login details used to access the Software;
3.3.2. each Authorised User shall comply with Plinth's Information Governance Policy and Privacy Policy as updated;
3.3.3. authority given by the Client to an Authorised User shall cease and access permissions shall be removed when the Client ceases to employ or engage that person;
3.3.4. it shall permit Plinth or Plinth's designated auditor to audit the Software to determine compliance. Each audit may be conducted no more than once per quarter, at Plinth's expense, with reasonable prior notice, in a manner not substantially interfering with the Client's business;
3.3.5. if audits reveal the Client has underpaid the Software Subscription Fee, the Client shall pay a pro rata amount for such underpayment within 30 days of the audit date;
3.3.6. it shall comply with any restrictions regarding Software use specified in the Software Subscription Renewal Agreement.
The Client shall not access, store, distribute or transmit viruses or material that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence; is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability; or is otherwise illegal or causes damage or injury. Plinth reserves the right, without liability to the Client, to disable access to material breaching this provision.
The Client shall not:
3.5.1. except as allowed by applicable law incapable of exclusion and except to the extent expressly permitted:
(i) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Software; or
(ii) attempt to de-compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or
3.5.2. access the Software in order to build a product or service which competes with the Software; or
3.5.3. use the Software to provide services to third parties; or
3.5.4. license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Software available to any third party except Authorised Users, or
3.5.5. attempt to obtain, or assist third parties in obtaining, access to the Software, other than as provided.
The Client shall use all reasonable endeavours to prevent unauthorized access to, or use of, the Software and promptly notify Plinth of any such unauthorized access or use.
4.1.1. The Client retains all rights, title and interest in all Client Data. Plinth does not own or control Client Data and shall Process Client Data only in accordance with the Client's instructions as set out in the Contract and the DPA.
4.1.2. The Client is solely responsible for the accuracy, quality, integrity, legality, reliability and appropriateness of all Client Data.
4.1.3. The Client warrants that it has all necessary rights and consents to provide Client Data to Plinth for Processing and that such Processing will not violate any applicable laws or third party rights.
4.2.1. Both parties shall comply with their respective obligations under Data Protection Laws.
4.2.2. The parties acknowledge and agree that:
(i) the Client is the data controller in respect of Personal Data contained in Client Data;
(ii) Plinth is a data processor acting on behalf of the Client in respect of such Personal Data; and
(iii) the DPA (Schedule 1) sets out the scope, nature and purpose of Processing and the duration, types of Personal Data and categories of Data Subjects.
4.2.3. Plinth shall Process Personal Data only on documented instructions from the Client (specific or general instructions as set out in the Contract or as otherwise notified during the Term), unless required by applicable law, in which case Plinth shall (unless prohibited by law) inform the Client before Processing.
4.2.4. The Client's instructions for Processing Personal Data shall comply with Data Protection Laws. The Client will ensure that Processing in accordance with its instructions will not cause Plinth to breach Data Protection Laws.
4.2.5. If Plinth believes any Client instruction may violate Data Protection Laws, it shall promptly inform the Client and is entitled to cease performance until the parties agree amended instructions complying with Data Protection Laws.
4.3.1. Plinth's Privacy Policy at https://www.plinth.org.uk/privacy explains how Plinth collects, uses and protects personal information of Software users.
4.3.2. By using the Software, the Client and Authorised Users acknowledge they have read and understood the Privacy Policy.
4.3.3. Plinth may update the Privacy Policy from time to time. Plinth will notify the Client of material changes by email or through the Software interface. Continued use after notification constitutes acceptance of the updated Privacy Policy.
4.4.1. Plinth shall implement and maintain appropriate technical and organisational measures to protect Personal Data against Security Incidents as detailed in the DPA.
4.4.2. All Client Data transmitted to and from the Software is encrypted using SSL/TLS encryption.
4.4.3. All Client Data is encrypted at rest in Plinth's databases and backups.
4.4.4. Further details of Plinth's security measures are available in Plinth's Security Documentation.
4.5.1. The Client provides general authorisation for Plinth to engage Sub-processors to Process Personal Data, provided that:
(i) Plinth maintains an up-to-date Sub-processor list which the Client may access;
(ii) Plinth provides the Client with at least 14 days' prior written notice of the addition or replacement of any Sub-processor;
(iii) Plinth imposes data protection terms on any Sub-processor requiring protection to the standard required by Data Protection Laws; and
(iv) Plinth remains liable for the acts and omissions of its Sub-processors.
4.5.2. The Client may object to Plinth's appointment or replacement of a Sub-processor on reasonable grounds relating to data protection by notifying Plinth in writing within 10 days of notice. If the Client objects, the parties shall discuss the objection in good faith. If no resolution is reached, the Client may terminate the affected Services by written notice.
4.6.1. Taking into account the nature of Processing, Plinth shall assist the Client by implementing appropriate technical and organisational measures to enable the Client to respond to Data Subject requests exercising rights under Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing).
4.6.2. If Plinth receives any request from a Data Subject in respect of Personal Data, Plinth shall promptly notify the Client and shall not respond except on the Client's documented instructions or as required by applicable law.
4.6.3. The Client may access, amend, or delete Client Data (including Personal Data) at any time through the Software interface. Plinth shall provide reasonable assistance to the Client in accessing, amending or deleting Client Data where the Client is unable to do so independently.
4.7.1. Plinth shall notify the Client without undue delay (and in any event within 48 hours) after becoming aware of any Security Incident affecting Personal Data.
4.7.2. Such notification shall contain, to the extent possible:
(i) a description of the Security Incident's nature including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned;
(ii) the likely consequences of the Security Incident;
(iii) a description of the measures taken or proposed by Plinth to address the Security Incident; and
(iv) details of a contact point where more information can be obtained.
4.7.3. Plinth shall co-operate with the Client and take reasonable commercial steps as directed by the Client to assist in investigation, mitigation and remediation of each Security Incident.
4.8.1. Plinth shall retain Client Data for the duration of the Term and for such period thereafter as is necessary to provide the Services or as required by law.
4.8.2. During the Term, the Client may delete Client Data at any time through the Software interface. Deleted Client Data shall be:
(i) stored in Plinth's recovery log for 90 days to allow for recovery of accidentally deleted data;
(ii) held in backups for 1 year; and
(iii) permanently and irretrievably deleted after 1 year.
4.8.3. Upon termination or expiry of the Contract, Plinth shall:
(i) provide the Client with access to export all Client Data in a commonly used electronic format for 30 days following termination or expiry;
(ii) delete or return all Client Data (at the Client's election) within 30 days of termination or expiry, save to the extent Plinth is required by applicable law to retain some or all of the Client Data; and
(iii) certify to the Client in writing that it has complied with this clause.
4.8.4. Notwithstanding clause 4.8.3, Plinth may retain Client Data in its backup systems for up to 1 year after termination, after which time such data shall be permanently deleted.
4.9.1. If Plinth believes or becomes aware that its Processing of Personal Data under the Contract is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform the Client.
4.9.2. Plinth shall provide reasonable assistance to the Client (at the Client's cost) with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which the Client reasonably considers to be required by Data Protection Laws, in each case solely in relation to Processing of Personal Data by Plinth.
4.10.1. Plinth shall make available to the Client such information as is reasonably necessary to demonstrate compliance with Plinth's obligations under clause 4 and the DPA.
4.10.2. Plinth shall allow for and contribute to audits, including inspections by the Client (or another auditor mandated by the Client) to verify compliance with clause 4 and the DPA, provided that:
(i) the Client provides at least 30 days' prior written notice of any audit;
(ii) audits are conducted no more than once per year unless required by a supervisory authority or in response to a Security Incident;
(iii) audits are conducted during business hours in a manner not unreasonably interfering with Plinth's business operations;
(iv) the Client and any auditors agree to Plinth's reasonable confidentiality requirements; and
(v) the Client is responsible for the costs of such audits.
4.11.1. Plinth processes and stores all Personal Data within the United Kingdom and the European Union.
4.11.2. Plinth shall not transfer Personal Data outside the United Kingdom or the European Union without the Client's prior written consent.
4.11.3. If such a transfer is agreed, Plinth shall ensure that appropriate safeguards are in place as required by Data Protection Laws (such as Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office).
Upon termination or expiry of the Contract, each party shall (if requested by the other party) return to the other party or destroy (at the other party's option) that other party's Confidential Information which is in its possession, subject to clause 4.8 in respect of Client Data.
5.1. Plinth and its licensors shall retain ownership of all Intellectual Property Rights in the Software.
5.2. The Client and its licensors shall retain ownership of all Intellectual Property Rights in the Client Data.
5.3. Plinth shall indemnify the Client in full against any losses, damages, costs or expenses and other liabilities (including all legal fees) incurred by or awarded against the Client arising out of or in connection with any claim brought against the Client for infringement of a third party's rights (including any Intellectual Property Rights) arising out of or in connection with the receipt or use of the Software by the Client.
In return for use of the Software, the Client shall pay Plinth the Charges.
All amounts payable by the Client exclude amounts in respect of value added tax ("VAT"), which the Client shall additionally be liable to pay to Plinth at the prevailing rate (if applicable), subject to receipt of a valid VAT invoice.
Unless specified otherwise in the Software Subscription Renewal Agreement, Plinth shall be entitled to submit invoices for the Charges plus VAT (if applicable) to the Client as follows:
6.3.1. the Software Subscription Fee shall be invoiced on agreement of the Software Subscription Renewal Agreement and annually thereafter on each anniversary of that date.
The Client shall pay each invoice due and submitted by Plinth within 30 days of receipt, to a bank account nominated in writing by Plinth.
If the Client fails to make any payment due to Plinth under the Contract by the due date for payment, then, without limiting Plinth's remedies under clause 8 (Termination):
6.5.1. the Client shall pay interest on the overdue sum from the due date until payment, whether before or after judgment. Interest under this clause will accrue each day at 2% a year above the Bank of England's base rate from time to time. The parties acknowledge and agree that the amounts set out in this clause represent a substantial remedy in terms of the Late Payment of Commercial Debts (Interest) Act 1998.
6.5.2. Plinth may suspend access to the Software until payment has been made in full.
All amounts due under the Contract from the Client to Plinth shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
Nothing in the Contract shall limit either party's liability:
7.1.1. for the indemnity given under clause 5.3 of the Contract;
7.1.2. for death or personal injury caused by breach of duty;
7.1.3. for fraud or fraudulent misrepresentation;
7.1.4. for any breach of the obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982;
7.1.5. for breach of the Data Protection Laws or obligations under clause 4 and the DPA; or
7.1.6. to the extent such limitation or exclusion is not permitted by law.
Plinth's liability to the Client for any breach of the Contract provisions, or otherwise in relation to the Contract subject matter (including that arising from negligence, tort, delict or otherwise) shall not exceed the Contract Value at the time of the event giving rise to such liability, where the Contract Value means the total value of the Charges paid by the Client plus any Charges payable under the Contract, whether or not invoiced to the Client.
The Client's liability to Plinth for any breach of the Contract provisions, or otherwise in relation to the Contract subject matter (including that arising from negligence, tort, delict or otherwise) shall not exceed £1,000,000.
Neither party shall be liable in contract, tort, delict (including negligence) or otherwise arising out of or in connection with the Contract for any special, indirect or consequential losses or damages, or for loss of profit, business, contracts, data, anticipated savings, management time, increased cost of working, whether or not such losses were within the contemplation of the parties at the date of the Contract, suffered or incurred by that party arising out of or in connection with provisions of any matter under the Contract.
Plinth shall not be liable to the Client for any losses or damages sustained by the Client or any Authorised User as a result of:
7.5.1. the negligence or default of the Client or any Authorised User;
7.5.2. faults of any electronic communication network provider software, line or equipment;
7.5.3. electrical interference generated in or radiated by electric, electronic or other similar equipment or materials not supplied by Plinth;
7.5.4. the lack of availability or poor quality of any internet services; or
7.5.5. the failure of any equipment which has not been provided by Plinth or the failure of any equipment which is outside the control of Plinth.
Without affecting any other right or remedy available to it, either party to the Contract may terminate it with immediate effect by giving written notice to the other party if:
8.1.1. the other party commits a material breach of any Contract provision which is irremediable or (if remediable) fails to remedy that breach within 30 days after being notified in writing to do so;
8.1.2. the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction;
8.1.3. the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business.
Without affecting any other right or remedy available to it, Plinth may terminate the Contract with immediate effect by giving written notice to the Client if the Client fails to pay any amount due under the Contract on the due date for payment and such amount remains unpaid 10 days after being notified of such non-payment by Plinth.
On termination or expiry of the Contract for whatever reason:
8.3.1. the Client shall immediately pay to Plinth all of Plinth's outstanding unpaid invoices and interest;
8.3.2. Plinth shall comply with its obligations under clause 4.8 (Data Retention and Deletion);
8.3.3. each party shall comply with clause 4.12 in respect of the return or destruction of Confidential Information;
8.3.4. the licences granted by Plinth to the Client under the Contract shall terminate with immediate effect and the Client shall immediately cease using the Software;
8.3.5. the rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any Contract breach which existed at or before the date of termination or expiry, shall not be affected; and
8.3.6. any Contract provision that expressly or by implication is intended to come into or continue in force on or after termination or expiry shall remain in full force and effect, including clauses 4 (Client Data and Data Protection), 5 (Intellectual Property), 7 (Limitation of Liability), 8 (Termination), 11 (Confidentiality), 13 (Entire Agreement), 15 (Waiver), 16 (Severance), 18 (Rights of Third Parties) and 19 (Governing Law) shall survive the termination or expiry of the Contract.
Neither party shall be in breach of the Contract, nor liable for any failure or delay in performance of any of its obligations caused by acts, events, omissions or accidents beyond its reasonable control ("a Force Majeure Event"), including: acts of God, including fire, flood, earthquake, windstorm or other natural disaster; terrorist attack, civil war, civil commotion or riots; nuclear, chemical or biological contamination or sonic boom; compliance with any law (including a failure to grant any licence or consent needed or any change in the law or interpretation of the law); fire, explosion or accidental damage; loss at sea; extreme weather; collapse of building structures, failure of plant machinery, machinery, computers or vehicles; any labour dispute, including strikes, industrial action or lockouts; non-performance by suppliers or subcontractors; interruption or failure of any utility service.
The corresponding obligations of the other party shall be suspended to the same extent as those of the party first affected by the Force Majeure Event.
If the Force Majeure Event continues for a period of 60 days or more, the party not affected by the Force Majeure Event may terminate the Contract by giving 14 days' notice in writing to all the other parties. On the expiry of this notice period, the Contract shall terminate provided such Force Majeure Event is continuing at the date of termination. Such termination shall be without prejudice to the rights of the parties in respect of any Contract breach occurring prior to such termination.
10.1. Neither party may assign the benefit of, or any of their rights under, the Contract nor sub-contract any of its obligations under the Contract without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), except that Plinth may sub-contract Processing of Personal Data to Sub-processors in accordance with clause 4.5.
Each party undertakes that it shall not at any time during the Contract, and for a period of five years after termination of the Contract, disclose to any person any Confidential Information of the other party, except as permitted by clause 11.2.
Each party may disclose the other party's Confidential Information:
11.2.1. to its employees, officers, representatives, subcontractors or advisers who need to know such information for the purposes of carrying out the party's obligations under the Contract. Each party shall ensure that its employees, officers, representatives, subcontractors or advisers to whom it discloses the other party's confidential information comply with this clause 11; and
11.2.2. as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
Neither party shall use any other party's Confidential Information for any purpose other than to perform its obligations under the Contract.
The existence of the relationship between parties is not considered Confidential Information:
11.4.1. Both parties are permitted to disclose the existence of and a brief description of the relationship using each other's names (including trading names, if different), logos and other trademarks in publicity-related situations, including advertising, press releases and on either party's website(s) and social media.
Each party shall ensure that neither it nor any of its directors, officers, employees, agents or subcontractors has in relation to the entering into of the Contract directly or indirectly done or omitted to do any act which would be or could be construed as an unlawful act under statutory or common law relating to bribery, corruption, fraud, slavery or human trafficking in any jurisdiction including, without limitation, the Bribery Act 2010 and the Modern Slavery Act 2015.
Each party shall ensure that neither it nor any of its directors, officers, employees, agents or subcontractors will in relation to the performance of the Contract directly or indirectly do or omit to do any act which would be or could be construed as an unlawful act under statutory or common law relating to bribery, corruption, fraud, slavery or human trafficking in any jurisdiction including, without limitation, the Bribery Act 2010 and the Modern Slavery Act 2015.
Any breach of clauses 12.1 or 12.2 will entitle the other party to terminate the Contract immediately by giving notice to the party in breach pursuant to clause 8 (Termination) as being a material breach of a Contract provision which is irremediable.
This Contract and the documents referred to in it (including the Privacy Policy and the DPA) constitute the entire agreement between the parties and supersedes and replaces any previous agreement, understanding, undertaking or arrangement of any nature between the parties relating to the subject matter of the Contract.
No variation of the Contract shall be effective unless it is in writing and signed by the parties (or their authorised representatives), except that Plinth may update the Privacy Policy in accordance with clause 4.3.
A waiver of any right or remedy under the Contract or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy.
A failure or delay by a party to exercise any right or remedy provided under the Contract or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Contract or by law shall prevent or restrict the further exercise of that or any other right or remedy.
If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of the Contract.
Any notice, demand or communication in connection with the Contract shall be in writing and delivered personally or sent by pre-paid first class post to the recipient's address as set out in the Software Subscription Renewal Agreement, or to any other address which the recipient has notified in writing to the sender not less than 7 Business Days before the notice is despatched.
The notice, demand or communication is deemed given:
17.2.1. if delivered personally, at the time of delivery to the address provided for in the Contract;
17.2.2. if sent by pre-paid first class post, on the second Business Day after posting it,
provided that, if it is delivered personally on a day which is not a Business Day or after 4pm on any Business Day, it shall instead be deemed to have been given or made on the next Business Day.
The Contract does not create any rights in favour of third parties under the Contracts (Rights of Third Parties) Act 1999 to enforce or otherwise invoke any provision of the Contract.
The Contract and any dispute or claim arising out of or in connection with it or its subject matter (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales and the Parties irrevocably submit to the exclusive jurisdiction of the Courts of England and Wales.
This Data Processing Addendum ("DPA") forms part of the Contract between Plinth and the Client.
In this DPA:
1.1. "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing" and "Supervisory Authority" shall have the meanings given in the Data Protection Laws.
1.2. "Client Personal Data" means any Personal Data Processed by Plinth on behalf of the Client pursuant to or in connection with the Contract.
1.3. "Sub-processor" means any Processor engaged by Plinth to Process Client Personal Data.
The parties acknowledge and agree that:
(a) the Client is the Controller of Client Personal Data;
(b) Plinth is a Processor of Client Personal Data; and
(c) Plinth shall Process Client Personal Data only on behalf of and in accordance with the Client's documented instructions.
The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are described in Annex 1 to this DPA.
2.3.1. Plinth shall Process Client Personal Data only on documented instructions from the Client, which shall be:
(a) to Process Client Personal Data in accordance with the Contract;
(b) to Process Client Personal Data in accordance with applicable law; and
(c) any additional instructions given by the Client from time to time.
2.3.2. Plinth shall immediately inform the Client if, in Plinth's opinion, an instruction infringes Data Protection Laws.
2.4.1. The Client warrants and represents that:
(a) it has complied and will comply with all applicable requirements of the Data Protection Laws in respect of the Processing of Client Personal Data;
(b) its instructions to Plinth for the Processing of Client Personal Data shall comply with Data Protection Laws; and
(c) it has provided all notices and obtained all consents and rights necessary under Data Protection Laws for Plinth to Process Client Personal Data as contemplated by the Contract.
2.4.2. Plinth warrants and represents that it shall Process Client Personal Data in compliance with its obligations under Data Protection Laws applicable to Processors.
3.1. Plinth shall ensure that all personnel engaged in the Processing of Client Personal Data:
(a) are informed of the confidential nature of Client Personal Data;
(b) have received appropriate training on their responsibilities under Data Protection Laws;
(c) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
(d) Process Client Personal Data only as necessary for the purpose of performing Plinth's obligations under the Contract or as required by law.
4.1.1. Plinth shall implement and maintain appropriate technical and organisational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data.
4.1.2. The security measures implemented by Plinth include:
(a) encryption of Client Personal Data in transit and at rest using SSL/TLS and AES-256 encryption;
(b) measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
(c) measures to ensure the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident;
(d) regular testing, assessment and evaluation of the effectiveness of technical and organisational measures;
(e) measures for the pseudonymisation and encryption of Client Personal Data where appropriate;
(f) access controls to ensure that only authorised personnel have access to Client Personal Data;
(g) procedures for regularly testing, assessing and evaluating the effectiveness of security measures; and
(h) incident response and security breach notification procedures.
4.1.3. Further details of Plinth's security measures are set out in Plinth's Security Documentation.
4.2.1. Plinth shall notify the Client without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Client Personal Data.
4.2.2. Such notification shall contain, to the extent possible:
(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) the name and contact details of Plinth's data protection officer or other contact point where more information can be obtained;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to be taken by Plinth to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.2.3. Plinth shall:
(a) provide the Client with reasonable co-operation and assistance in relation to any Personal Data Breach;
(b) take such measures and give such information as the Client reasonably requests to remediate or mitigate the effects of the Personal Data Breach; and
(c) not inform any third party of any Personal Data Breach without the Client's prior written consent, except as required by law or to such Sub-processors as necessary to remedy the Personal Data Breach.
5.1.1. The Client provides general written authorisation to Plinth to engage Sub-processors to Process Client Personal Data, subject to the requirements of this section 5.
5.1.2. Plinth shall maintain an up-to-date list of Sub-processors.
5.1.3. The Sub-processors currently engaged by Plinth are listed in Annex 2 to this DPA.
5.2.1. Plinth shall:
(a) enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those set out in this DPA;
(b) ensure that each Sub-processor complies with the obligations under this DPA;
(c) remain fully liable to the Client for the performance of any Sub-processor's obligations; and
(d) supervise each Sub-processor's compliance with its data protection obligations.
6.1.1. Taking into account the nature of the Processing, Plinth shall provide reasonable assistance to the Client (at the Client's cost) to enable the Client to respond to:
(a) requests from Data Subjects seeking to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, data portability, and objection); and
(b) any complaint, communication or request relating to Plinth's obligations under Data Protection Laws.
6.1.2. If Plinth receives any request from a Data Subject in respect of Client Personal Data, Plinth shall:
(a) not respond to that request except on the documented instructions of the Client or as required by applicable law; and
(b) promptly forward the request to the Client.
The Client may at any time through the Software interface:
(a) access and export Client Personal Data;
(b) rectify inaccurate Client Personal Data;
(c) restrict the Processing of Client Personal Data; and
(d) delete Client Personal Data.
7.1. Taking into account the nature of the Processing and the information available to Plinth, Plinth shall provide reasonable assistance to the Client (at the Client's cost) with:
(a) any data protection impact assessments required under Data Protection Laws; and
(b) any prior consultations with Supervisory Authorities or other competent data privacy authorities,
in each case solely in relation to Processing of Client Personal Data by Plinth and taking into account the nature of the Processing and information available to Plinth.
Upon termination or expiry of the Contract, Plinth shall (at the Client's election):
(a) delete all Client Personal Data from its systems (save to the extent required by applicable law to retain the same); or
(b) return a complete copy of all Client Personal Data to the Client by secure file transfer in such format as is reasonably notified by the Client to Plinth.
Plinth shall comply with clause 8.1 within 30 days of termination or expiry, except that Plinth may retain Client Personal Data:
(a) to the extent required by applicable law; or
(b) in its backup systems for up to 1 year, after which time such data shall be permanently deleted.
Plinth shall certify to the Client in writing that it has complied with this section 8.
9.1. The Client may conduct audits (including inspections) to verify Plinth's compliance with this DPA, provided that:
(a) the Client provides at least 30 days' prior written notice of any audit;
(b) audits are conducted no more than once per year unless:
(i) required by a Supervisory Authority; or
(ii) in response to a Personal Data Breach;
(c) audits are conducted during normal business hours and in a manner that does not unreasonably interfere with Plinth's business operations;
(d) the Client and any auditors agree to Plinth's reasonable confidentiality requirements; and
(e) the Client is responsible for the costs of such audits.
9.2. Plinth shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to such audits.
10.1. Plinth shall Process and store all Client Personal Data within the United Kingdom and the European Economic Area.
10.2. Plinth shall not transfer Client Personal Data outside the United Kingdom or the European Economic Area without:
(a) the Client's prior written consent; and
(b) ensuring that appropriate safeguards are in place as required by Data Protection Laws, such as:
(i) Standard Contractual Clauses approved by the European Commission or the UK Information Commissioner's Office;
(ii) Binding Corporate Rules approved by a competent Supervisory Authority; or
(iii) an adequacy decision adopted by the European Commission or the UK Secretary of State.
11.1. This DPA shall be governed by and construed in accordance with the governing law provisions of the Contract.
11.2. This DPA shall remain in effect for so long as Plinth Processes Client Personal Data on behalf of the Client.
11.3. In the event of any conflict or inconsistency between the provisions of this DPA and the provisions of the Contract, the provisions of this DPA shall prevail to the extent of such conflict or inconsistency.
The provision of the OutNav software as a service to enable the Client to manage and track outcomes-based activities and impact measurement.
The duration of the Contract unless terminated earlier in accordance with the Contract.
Plinth will Process Client Personal Data for the purpose of:
Plinth maintains an up-to-date list of Sub-processors. As of the date of this DPA, the Sub-processors typically include:
Contact: For questions about these terms, please contact support@plinth.org.uk.