DATA PROTECTION AND SECURITY REQUIREMENTS

These Data Protection and Security Requirements are incorporated into and should be read in conjunction with the terms and conditions agreed between the Parties (the “Agreement”).

In these Data Protection and Security Requirements: (i) “LT” means the LevelTech company, or any LevelTech Group Company that is a party to the Agreement; (ii) “Partner” means the NGB, or other company or organisation that is also a party to the Agreement; and (iii) “Party” or “Parties” means either one or both of them.

Other capitalised words or phrases used in these Data Protection and Security Requirements shall have the meanings set out in the Glossary of Terms Section below.

Roles

The Parties recognise they are processing personal data in connection with the performance of their obligations under the Agreement and that the factual arrangement between them dictates the role of each Party (as to controller or processor) in respect of the Data Protection Legislation.

Unless the factual arrangement between us is otherwise challenged or determined by a Regulator or other lawful court order with relevant jurisdiction, the Parties agree that LT and Partner shall be independent data controllers. Each Party may also utilise processors or sub-processors who may assist them in the processing of personal data, for which they are respective data controllers.

 

Statutory Compliance

Each Party must comply with its respective obligations under the Data Protection Legislation and shall not by any act or omission cause the other Party to be in breach of the Data Protection Legislation.

 

Lawful Processing

Each Party must process any personal data:

  • lawfully and fully in compliance with Data Protection Legislation;
  • only to the extent necessary to meet their obligations under the Agreement and for no other purpose; and
  • solely in accordance with the Agreement or other written agreed instructions from time to time.
 

Marketing

Unless a Party has otherwise given its consent in writing, a Party must not use the personal data of the other Party to undertake any unrelated sales or marketing activity not expressly agreed between the Parties. Sales and marketing activity means any direct and indirect marketing of any kind including promotional emails, outbound telephone calls, mail, SMS messages and any digital or social media to advertise to, or communicate directly with data subjects.

 

Data Enrichment

Each Party must not process or use any personal data to enhance or enrich any other data or database (including any customer or marketing databases) unless:

  • it is necessary for the performance of the Agreement;
  • the scope of the potential enhancement or enrichment has been clearly and fully disclosed to the other Party; and
  • the other Party has consented or agreed to such enhancement or enrichment.

Controller Requirements

The following requirements apply to the extent a Party is acting as a controller of personal data provided to it by the other Party:

 

Assistance

Each Party must provide to the other such assistance and information regarding its processing activities as the other may reasonably require in order to comply with any requests from a Regulator or for it to provide transparency to data subjects in respect of the transfer and use of the other Party’s personal data and otherwise comply with its obligations under the Data Protection Legislation.

 

Privacy/Processing Notice

Each Party is responsible for providing the necessary information required to be provided to data subjects in accordance with the Data Protection Legislation in respect of its processing of any personal data provided to it by the other Party.

Each Party agrees that nothing contained in its privacy/processing notice or other transparency information provided to data subjects shall permit the other Party to use the personal data other than in strict accordance with these Data Protection and Security Requirements.

 

Legal Basis of Processing

Each Party must have and be able to evidence a valid lawful basis for each processing activity in compliance with the Data Protection Legislation. If consent of the data subject is the lawful basis relied upon, each Party is responsible for obtaining adequate consent of the data subjects for its own processing activities and transferring that data to the other Party accordingly.

 

Subject Requests

Each Party must promptly and properly respond to and, as appropriate, comply with any requests it receives from data subjects regarding the exercise of any of their rights pursuant to Data Protection Legislation.

If the Party in receipt of a data subject request is not the appropriate Party to respond to the data subject, that Party shall without undue delay refer the data subject request to the other Party, setting out reasons why it is not able to adequately comply with the request. Where the assistance of the other Party is required to respond to any data subject request, that Party shall promptly and at its own cost provide such assistance as is reasonably requested.

 

International Data Transfers

The Parties shall ensure any transfers of personal data to territories outside of the EEA or which are not subject to an Adequacy Decision (“Permitted Territory”), shall be undertaken with the appropriate international data transfer mechanism in place (e.g. Standard Contractual Clauses, Safe Harbor, or any of their successors). The Parties shall also ensure any processors or sub-processors engaged by them relating to any transfers of personal data fulfil the requirements in the Processor/Sub-Processor section set out below.

Processor/Sub-Processor Requirements

The following requirements apply to the extent a Party engages a processor or sub-processor to process personal data provided to it by the other Party:

 

Unlawful Instructions

Such processor or sub-processor must promptly notify the Party in writing if in its reasonable opinion an instruction issued by such Party in respect of the transferred personal data is not compliant with Data Protection Legislation.

 

Processors/Sub-processors

Other than processors or sub-processors notified to the other Party as specified in the Agreement and/or otherwise agreed in writing, a Party must not allow personal data transferred to it by the other Party to be processed by a third party for any purpose without the written approval of such Party.

Where such approval is provided, such Party must ensure that each processor or sub-processor processes such personal data in accordance with a written agreement that requires the processor or sub-processor to comply with terms which are no less onerous than those applicable to such Party under these Data Protection and Security Requirements (including audit rights to audit the relevant processor or sub-processor).

Such Party shall remain wholly responsible for any failure by any processor or sub-processor to process any personal data transferred to a Party in accordance with these Data Protection and Security Requirements and/or the Data Protection Legislation.

Each Party must ensure appropriate technical and organisational measures are in place to ensure compliance when responding to requests from data subjects under the Data Protection Legislation (in particular the right of access, rectification, erasure, objection, data portability and restriction of processing), when utilising a processor or sub-processor.

 

Data Subject Requests

Upon receipt of a request from a data subject that relates to personal data that has been transferred between the Parties, a Party shall ensure that any processor or sub-processor it utilises:

  • promptly (and in any event within five working days) notifies such Party of the request including full details of the request, and which shall be referred to other Party where required;
  • does not respond to the request without such Party’s prior written consent (not to be unreasonably withheld or delayed); and
  • fully co-operates and promptly (and in any event within five days) and properly responds to all enquiries from such Party so that they can comply in good time with the request in accordance with their own obligations under the Data Protection Legislation.
 

High Risk Processing

Any processor or sub-processor utilised by a Party must not process personal data transferred to it by the other Party (in particular by using any new technologies) in a manner which could, when taking into account the nature, scope, context and purpose of the processing to be carried out, result in a high risk for the rights and freedoms of individuals, unless such Party has:

  • been notified precisely of the nature of such high risk;
  • been able to assess the impact of the proposed processing operations on the protection of such personal data (including reviewing the appropriate impact assessment); and
  • provided their approval to implement the processing operations.
 

Assistance

Any processors or sub-processors utilised must assist the Party in ensuring its compliance with its obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to it, including completion of any impact assessment considered necessary by such Party in respect of the processing of such personal data.

 

Records

Processors or sub-processors must maintain a record of processing activities undertaken on a Party’s behalf, which shall contain details of the categories of processing, the technical and organisational security measures in place for that processing and any transfers of personal data to a third country or international organisation (and the suitable safeguards in place). Such records shall be subject to the audit provisions at Section 6 (Audit & Access to Data) of these Data Protection and Security Requirements.

 

Regulator

In the event a processor or sub-processor is contacted by any Regulator in respect of or due to any aspect of its performance of any of its obligations that relate to the processing of personal data transferred to it from the other Party, such processor or sub-processor shall undertake to promptly (and in any event within 48 hours) notify such Party of all details regarding the enquiry or investigation, unless prohibited from doing so by a Regulator or Statutory Requirement.

Except where a processor or sub-processor is explicitly mandated to do so by the Data Protection Legislation or a Regulator, it shall not make any disclosures, comments, statements or take any action other than as set out above in response to contact it has received from a Regulator without such Party’s prior written consent (such consent not to be unreasonably withheld or delayed).

 

Transfers Outside EEA

Processors or sub-processors utilised by a Party shall only transfer personal data provided to it by the other Party to territories within the EEA or which are subject to an Adequacy Decision (“Permitted Territory”), with the written prior approval of such Party, and who shall provide the other Party with reasonable advance notice when undertaking such international transfers.

Where a Party consents to an international transfer outside of the Permitted Territories, the processor or sub-processor must ensure appropriate safeguards are in place in accordance with the Data Protection Legislation (which may include entering into Standard Contractual Clauses with such Party). If the Standard Contractual Clauses are no longer deemed adequate by a competent authority or the Data Protection Legislation the processor or sub-processor must as a matter of priority enter into an agreement approved pursuant to the Data Protection Legislation or take other measures as may reasonably be required.

If a processor has subcontracted any part of the processing of personal data transferred between the Parties, and such Party has consented to an international transfer to the sub-processor outside the Permitted Territories, the processor must ensure that each sub-processor enters into Standard Contractual Clauses with such Party prior to that data transfer to the sub-processor processing personal data transferred to it by the other Party.

Information Security Management System

Policy Requirements

Each Party must maintain effective information security policies which comply with: (i) applicable Statutory Requirements; (ii) Good Industry Practice; and (iii) any professional or industry information security certifications that a Party may state they hold (e.g. ISO27001).

 

 

Roles and Responsibilities

Each Party must ensure it has a named individual(s) who is assigned responsibility and accountability for information security as a minimum for:

  • data and information security and governance;
  • ensuring that all Personnel and Subcontractors receive training on data handling and information security awareness and how to report Security Incidents;
  • assigning and revoking access to Systems for Personnel and Subcontractors who no longer have a legitimate need for it; and
  • responding to and reporting Security Incidents in accordance with these Data Protection and Security Requirements.
 

Personnel and Subcontractors

Each Party must ensure Personnel and Subcontractors:

  • are vetted in accordance with Good Industry Practice;
  • have contractually committed themselves to complying with appropriate information security management practices;
  • undertake regular and appropriate training on handling data and preventing, mitigating and reporting Security Incidents;
  • do not have access to or process any personal data unless they are strictly required to do so for the purpose of the Agreement; and
  • are informed and understand that a Party’s Data is confidential information and are under a contractual obligation of confidentiality.

 

Each Party is responsible for procuring that all Personnel and Subcontractors comply with these Data Security Requirements.

 

Assets and Media Handling

Each Party must ensure all assets (both physical and logical) are managed effectively to prevent Security Incidents. As a minimum this includes:

  • maintaining an accurate and up-to-date inventory of assets;
  • ensuring all Personnel and Subcontractors return assets in their possession upon termination of their employment;
  • removing access rights of Personnel and Subcontractors to all assets immediately upon termination of their employment;
  • having in place appropriate access controls and access management systems and procedures (including password management); and
  • securely and properly disposing of all assets in accordance with appropriate documented procedures.

 

A Party must not hold any data transferred to it on any removable media (e.g. CD, USB memory stick) without ensuring all data held on the removable media is encrypted and handled in accordance with these Data Protection and Security Requirements.

 

Data Handling and Encryption

Each Party must maintain data classification and handling policies in accordance with Good Industry Practice that ensure the adequate protection of any data transferred to it by the other Party.

Each Party must ensure that all transferred data is encrypted in transit (including on removable media) using algorithms, strong key lengths (at least 256-bit) and proper key-management practices that meet Good Industry Practice and as a minimum the National Institute for Standards and Technology cryptographic standards set out here:

https://csrc.nist.gov/Projects/Cryptographic-Standards-and-Guidelines.

Encryption keys must never be stored in clear text.

 

Physical and Operational Security

Each Party must ensure appropriate technical and organisational measures are in place and take such precautions as are necessary to:

  • protect any data transferred to the other Party against unauthorised or unlawful access, processing, accidental loss, disclosure, improper use, damage or destruction;
  • ensure its business practices, premises, Personnel, Subcontractors and System remain free from Vulnerabilities; and
  • ensure that neither it nor any Personnel or Subcontractors introduce any Threats or Vulnerabilities into the other Party’s System and/or premises.

 

The technical and organisational measures a Party must have in place include as a minimum:

  • using internationally recognised anti-malware software to detect and remove all known malware;
  • ensuring any anti-malware solution: (i) is centrally managed; (ii) automatically updates anti-malware definitions as they are made available by vendors; and (iii) runs scheduled anti-malware scans at the frequency recommended by the vendor on all endpoints connected to a System that stores, processes or transmits any data transferred to the other Party;
  • taking appropriate steps to ensure that availability and access to transferred data held on its System can be restored in a timely manner following an outage or Security Incident;
  • ensuring the application of all security updates and patches to its System in accordance with the vendor’s instructions and at the recommended frequency for automatic updates;
  • securing all networks and network services, including appropriate segregation; and
  • performing robust and detailed due diligence on all Subcontractors, including review of their security measures and procedures.
 

Monitoring, Review and Improvement

Each Party must:

  • continually monitor the effectiveness of its information security management practices and ensure its compliance with these Data Protection and Security Requirements;
  • proactively make improvements to its information security management practices on a continuing basis; and
  • conduct regular audits, tests and risk assessments (at least annually) of its information security management practices and promptly remediate any issues identified.
 

Hosting and Development

If a Party, or any Personnel or Subcontractor on its behalf, performs any coding, development, programming and/or hosting of any code, software, applications, APIs and/or websites transmitting or processing the transferred data, such Party must:

  • Carry out such work in accordance with Good Industry Practice and secure coding principles, including those specified by the Open Web Application Security Project (OWASP);
  • Ensure it adopts a secure development lifecycle the same as or equivalent to the OWASP Secure Software Development Lifecycle guidelines;
  • Not use or host any code, software, applications, APIs and/or websites in a live or production environment until its use has been approved by the other Party;
  • Ensure all relevant keys, passwords and tokens are encrypted using strong key lengths (at least 256-bit) and adopt proper key-management practices that meet Good Industry Practice and as a minimum the National Institute for Standards and Technology cryptographic standards set out here: https://csrc.nist.gov/Projects/Cryptographic-Standards-and-Guidelines;
  • Perform rigorous security and penetration tests on all code, software, applications, APIs and/or websites prior to using it, and properly remediate all Vulnerabilities; and
  • Submit (or provide access to) all code, software, applications, APIs and/or websites to the other Party along with the details and results of all security and penetration testing that have been carried out or evidence of any Vulnerability testing performed, upon reasonable request.
 

PCI-DSS

If a Party, or any of its Subcontractors, processes, transmits or stores customers’ payment card data for the purposes of the Agreement, such Party must comply with the relevant Payment Card Industry Security Standards Council’s then current standards, including (as appropriate) PCI DSS, PA DSS, PCI PTS Security Requirements, PCI Card Security Requirements (together the “PCI Standards”). Such Party must also comply with any specific requirements of any card issuer regarding payment card data. Each Party must without undue delay notify the other Party when it becomes aware of any non-minor breach by it or any Subcontractor of the PCI Standards which are relevant to the provision of such Party’s obligations under the Agreement. On request, a Party will (if relevant) promptly evidence its compliance with the PCI Standards by submitting to the other Party a copy of its Attestation of Compliance (AoC) which is applicable to its obligations under the Agreement. This must meet the requirements and governance set by the PCI Security Standards Council.

 

Security Incident Management

Incident Management

Each Party must maintain robust controls to ensure the proper notification and handling of Security Incidents to ensure they are notified to the other Party without undue delay and timely corrective action can be undertaken to mitigate the impact and resolve the Security Incident.

 

Notification

On occurrence of a Security Incident, a Party must without any undue delay, and in any event within 24 hours:

  • notify the other Party that a Security Incident has occurred as follows: LT by telephone (07910 518195 in business hours or 07910 518195 out of hours) and by e-mail (info@leveltech.io); Partner through the contact details provided to LT for such purposes;

  • to the extent it is aware at the time, provide the other Party with details regarding the nature and potential severity of the Security Incident. It is acknowledged that details may not be known about the Security Incident without further investigation and the initial notification may be limited to the Security Incident having occurred.

 

Each Party must also comply with the Investigation and Mitigation requirements in the sub-section below and regularly (and upon the other Party’s reasonable request) update the other Party by telephone or e-mail regarding the Security Incident, providing details of:

  • the extent that the data transferred to it by the other Party has been lost, corrupted or disclosed;
  • where the Security Incident relates to any personal data transferred to it, the categories and approximate number of data subjects and data records that may be affected by the personal data breach;
  • the likely consequences of the Security Incident and its anticipated duration; and
  • the measures taken or to be taken to address the Security Incident and mitigate its effects.

 

A Party must not issue any communication to any Regulator or data subject regarding the Security Incident without the other Party’s prior approval (not to be unreasonably withheld or delayed), unless explicitly mandated to do so by a Regulator or Statutory Requirement.

Each Party must provide reasonable cooperation and assistance and such information as the other Party may require regarding the Security Incident which may include assisting such Party to notify the Regulator or affected data subjects in accordance with Data Protection Legislation.

 

Investigation and Mitigation

Each Party, in addition to notifying a Security Incident to the other Party, shall proactively and without delay:

  • investigate the Security Incident;
  • minimise the extent of any actual or potential harm caused by the Security Incident;
  • take all reasonable steps to protect data and/or its System;
  • comply with any of the other Party’s reasonable requests or instructions in relation to the Security Incident, including taking any remedial actions they reasonably require;
  • carry out a root cause analysis of the Security Incident and undertake any necessary
    remediation to prevent an equivalent Security Incident in the future; and
  • promptly report the conclusions of the root cause analysis including details of any issues, recommendations or risks identified to the other Party and confirm what remediation work has been undertaken.
 

System

In the event a Party’s System is in any way threatened or compromised by a Security Incident or any data transferred to the other Party is corrupted, lost or degraded on their System as a result of a Security Incident caused by such Party, that Party must:

  • undertake such steps as it considers necessary to mitigate the Security Incident;
  • attempt to restore the data from the last available back-up and/or attempt to contain the Security Incident;
  • assist without charge to restore the data transferred to it and/or mitigate the Security
    Incident; and
  • reimburse the other Party for the reasonable costs it incurs to reconstitute the transferred data from the last available backup and to complete the effective recovery of its System.

 

Publicity

If a Security Incident impacts customers or adversely affects the reputation of a Party, that Party may without the approval of the other Party issue a factual statement to address the issues raised by the Security Incident and that names the other Party and its relevant Subcontractors and take such other steps as may be required to protect its name and reputation.

 

BCDR

In the event a Security Incident is or reasonably should be considered to be a BCDR Event, a Party must comply with the Business Continuity Section below.

Business Continuity

BCDR Plan

Throughout the term of the Agreement each Party must maintain a BCDR Plan in accordance with Good Industry Practice which ensures in the event of a BCDR Event the effective recovery and continuity of its obligations under the Agreement (including meeting any agreed recovery time objective (RTO) or recovery point objective (RPO) targets or service levels).

 

Testing

A Party must test its BCDR Plan on a regular basis (and in any event no less than once every twelve months). Testing may be performed separately on the constituent parts of the BCDR Plan rather than in full, provided all constituent parts are separately tested during a 12-month period.

A Party must promptly notify the other Party following the completion of any test of the BCDR Plan where such test reveals any weakness, flaw or fault, including full details of the root cause of the same and any remedial measures to be undertaken by such Party.

 

Invocation

A Party must notify the other Party by telephone and email immediately upon becoming aware of the occurrence of a BCDR Event. If the BCDR Event poses a real and major risk to the other Party’s business, it will invoke the BCDR Plan provided the other Party is notified of the invocation with full details of the steps taken as soon as possible.

Despite invocation of the BCDR Plan, a Party must use all reasonable endeavours to continue to perform its obligations under the Agreement and keep the other Party regularly updated of the progress of the resolution of the BCDR Event.

Remote and System Access

Access

Neither a Party nor any of its Personnel or Subcontractors may access or attempt to gain access to the other Party’s System without such Party’s prior authorisation (whether remotely or otherwise).

 

Access Requirements

If a Party grants the other Party or any Personnel or Subcontractor any access to their System, such Party must (and must ensure that all Personnel and Subcontractors must):

  • not access, nor attempt to gain access to any part of the Party’s System for which access has not been authorised;
  • comply with all security directions and procedures as the Party may specify in the Agreement or as otherwise agreed;
  • ensure that controls are in place to automatically terminate any remote access sessions which have been initiated to access the Party’s System;
  • ensure only authorised Personnel and Subcontractors who hold a unique user identification and password access a Party’s System;
  • where a Party requires the other Party to do so, ensure that multi-factor authentication is used when commencing all access sessions to the Party’s System;
  • ensure that access is revoked immediately for Personnel and Subcontractors who no longer have a legitimate reason for maintaining it; and
  • use the access only for the purpose and to the extent necessary to perform its obligations under the Agreement (including only accessing a Party’s System at any agreed service times).

 

Withdrawal of Access

A Party may remove or prohibit remote or system access or may impose additional requirements they deem reasonably necessary to ensure appropriate security regarding the other Party’s system access at any time without notice.

Audit and Access to Data

Audit

A Party must allow for and contribute to audits and inspections conducted by the other Party, a Regulator or otherwise by any third party acting on a Party’s behalf. Any audits carried out in accordance with this Section (Audit and Access to Data) will be subject to the audit provisions as may be set out in the Agreement.

 

Access to Data

A Party must ensure that all data provided to it under the terms of the Agreement is made available to the other Party on demand. Such Party acknowledges that no restrictions apply to the number of demands a Party or any Auditor(s) may make to access or receive data.

 

Notification of Compliance

Promptly following receipt of written notice, a Party shall provide the other Party with information necessary to demonstrate its compliance with its obligations set out in these Data Protection and Security Requirements.

 

Expiry or Termination

Except as otherwise agreed between the Parties, within 30 days of expiry or termination of the Agreement (or such other time agreed by the Parties) and at any other time when reasonably requested to do so by a Party, the other Party must, at such Party’s option:

  • deliver up or make available to the other Party their data in its then current format; and/or
  • securely delete all the other Party’s data, including without limitation, any data stored on any magnetic or optical disk, memory or server (including those of any Subcontractor) and confirm such deletion to said Party.

 

A Party shall be entitled to retain the other Party’s data where it is explicitly mandated by Statutory Requirement, provided such Party has anonymised or deleted any of the transferred data to the maximum extent possible. Where a Party has retained transferred data as described above, the other Party shall continue to be a controller of that retained personal data but its obligations in accordance with these Data Protection and Security Requirements shall continue to apply for as long as it continues to process that personal data.

Glossary

Adequacy Decision

a decision of the European Commission, the UK Government or supervisory authority, or of any other relevant country, that the laws of a country ensure an adequate level of protection or any other decision or position adopted to govern the international transfer of personal data;

BCDR Event

an event which causes or is reasonably likely to cause a disruption to performance of a Party’s obligations under the Agreement to such an extent that it would be reasonably prudent to invoke the BCDR Plan;

BCDR Plan

the business continuity and disaster recovery plan that is prepared, tested and invoked in accordance with these Data Protection and Security Requirements;

controller, personal data breach, processor, processing, personal data and data subject

have the meanings in the Data Protection Legislation;

Data Protection Legislation

together: (a) Regulation (EU) 2016/679 (“GDPR”) as amended to be adapted into UK law (where applicable); (b) the Data Protection Act 2018 (“DPA 2018”); (c) any regulations made under the DPA 2018; (d) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended); (e) any regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 (Law Enforcement Directive); (f) any mandatory guidance and codes of practice issued by the Information Commissioner or any other supervisory authority; and any applicable data protection legislation that may apply from a relevant legal jurisdiction, as applies to the Parties under the Agreement;

Good Industry Practice

the exercise of skill, care, prudence, efficiency, foresight and timeliness which would reasonably be expected from a leading and expert supplier in their industry;

Group Company

means any subsidiaries, holding companies and subsidiaries of such holding companies from time to time (as such terms are defined in s1159 of the Companies Act 2006);

Personnel

all employees, staff, workers, agents and consultants employed by a Party or its Subcontractors;

Regulator

the Information Commissioner’s Office (or any successor) and any other governmental or supervisory authority of a Party’s business, whether in the UK or any other relevant jurisdiction;

Security Incident

any unlawful, unauthorised access to or misuse of a Party’s System which: (a) has or may reasonably be expected to have an adverse impact on the other Party’s System; (b) causes the loss, degradation or unauthorised disclosure of any personal data transferred to the other Party; and/or (c) results in a personal data breach in respect of transferred personal data;

Standard Contractual Clauses

the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC as may be amended or superseded;

Statutory Requirements

any law, legislation, bye law, regulation, order, regulatory policy (including any requirement, guidance, order, demand or notice of any Regulator or recognised stock exchange) or mandatory industry code of practice, rule of court or directives, delegated or subordinate legislation in force;

Subcontractors

any subcontractor or third-party supplier engaged by a Party in connection with the Agreement;

System

the computing environment and infrastructure consisting of hardware, software, devices, end points, network components (including servers) and protocols (including any third-party data centres and cloud infrastructure);

Threat

any real or perceived security threat, danger or circumstance (whether intentional or accidental) that could or does result in risk or harm to data on a Party’s System (including any virus, malicious software, program or code); and

Vulnerability

a physical, system or software security weakness or gap that could be exploited by a Threat.
