Hosting Services – Terms of Service and Processing Agreement
ESP Projects Limited Terms of Service and Processing Agreement
These terms of service (“Terms”) are a legal agreement between you, either an individual or a single legal entity, and the entity identified in Section 1 that operates as ESP Projects Limited (“ESP”). These Terms govern your use of any ESP online services (“Services”), the ESP website (“Site”), the client software distributed with this Agreement and any other software provided by ESP, including any updates and any accompanying documentation (“Software”). Collectively, the Software, the Site and the Services may be referred to as the “Products.”
By clicking the “I AGREE” button, or using any Products, you agree to these Terms and the ESP Privacy Policy. If you do not agree to these Terms or the Privacy Policy, then do not click the button indicating your acceptance and do not use the Products. If you agree to these Terms on behalf of a legal entity, you represent that you have the authority to bind that legal entity to these Terms.
1. Contracting entity
The data processing performed by the Data Processor on behalf of the Data Controller relates to the Service – a managed, encrypted backup/copy of data selected by the Data Controller.
We need certain personal data to enable us to provide our products and services to our clients. In collecting this information, we are acting as a data controller.
Between: ESP Projects Limited, with registered offices at Unit 7 Edmund Road, 135 Edmund Road, Sheffield, S2 4ED. Company Registration Number: 4472697
Hereafter ‘Data Processor’
And: You, the client
Hereafter ‘Data Controller’
The Data Controller and the Data Processor may be referred to individually as a ‘Party’ and collectively as the ‘Parties’
“data controller”, means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
“processing”, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data. The subject matter, duration, nature and purpose of the Processing, and the types of Personal Data and categories of data subjects shall be as defined in Schedule 1 of this agreement.
Whereas:
- The Data Controller wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
- The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. Accounts and Fees
2.1 You must register with ESP to use the Services, and you agree to keep your registration information accurate, complete and up-to-date as long as you continue to use the Services.
2.2 If you sign up for a Trial Account, you agree to pay the fixed subscription and variable usage-based fees if you agree to continue with the service after the 30-day trial expires. The service is an automatic renewal unless cancellation has been received (please refer to point 10 Terms and Termination).
2.3 If you exceed any quota allocated to your account, you agree that ESP may restrict your ability to backup further data until you reduce your storage usage or agree to increase your account with a higher quota or no quota at all.
2.4 Partners understand that they have control over their own clients’ quotas. If a client exceeds its quota limit the partner is responsible for increasing the client’s quota. ESP will monitor this and will contact the partner directly to inform them if an account is exceeding its quota.
2.5 If you use a credit card for payment, you authorise ESP to automatically renew your subscription and charge the then-current renewal fees to the credit card associated with your account unless you notify ESP 30 days before expiration of your current subscription that you do not want to renew.
2.6 Partners understand that if using a Business Client/Multi User that a minimum charge of £4.00 + VAT per client per month will occur if a client account is less than 50GB of storage. As an alternative the Single User client can be used where no additional costs for licenses occur, only data charges.
2.7 If paying by direct debit, please note that ESP Projects Limited Ltd has appointed the BACS Approved Direct Debit Bureau, Eazy Collect Services Limited (www.eazycollect.co.uk), to collect your payments. ESP Projects Limited will be shown on your bank statement for these direct debit payments.
2.8 ESP reserves the right to and may vary the quoted price of Services, by giving 30 Days notice to Customer to reflect any relevant fluctuation in foreign exchange currency rates which varies the cost price to ESP by more than two percent (2%).
2.9 ESP reserves the right to and may vary the quoted price of Services, by giving 30 Days notice to Customer to reflect any relevant supplier cost fluctuations which varies the cost price to ESP by more than two percent (2%).
2.10 ESP shall provide all such evidence as the Customer may reasonably request in order to verify increases in any of the costs described in Clause 2.8 and 2.9
3. Passwords and security
3.1 You are responsible for keeping your passwords secure, and you agree not to disclose your passwords to any third party.
3.2 You are solely responsible for any activity that occurs under your user names and accounts, including any sub-accounts. If you lose your passwords or the encryption keys for your accounts, you may not be able to access your backup data. [Note: Without this Encryption Key, ESP are unable to restore client’s data. ESP are unable to change or reset the Encryption Key. ESP do not know or store any passwords].
3.3 You must notify ESP immediately of any unauthorised use of your accounts or any other security breach related to the Service. If ESP determines that a security breach has occurred or is likely to occur, ESP may suspend your accounts and require you to change your user names and passwords.
3.4 ESP shall notify you, the Data Controller, without undue delay after becoming aware of a Personal Data Breach, and shall notify the relevant supervisory authority (ICO) as applicable.
4. Use of services and software
4.1 Subject to these Terms, ESP grants you a limited, non-exclusive, nontransferable and revocable licence to access the Site and use the Services and Software.
4.2 You may install and use the Software in executable form on a one client licence per machine basis; additional machines added will be charged and invoiced per machine. By installing the Software and associated licence, you are agreeing to accept additional costs. Any historical accounts will be reviewed individually and contacted 30 Days prior to any changes being implemented.
4.3 You acknowledge that certain third party code may be provided with the Software and that the licence terms accompanying that code will govern its use.
4.4 You specifically agree that you will not, nor will you permit another person to:
- sub-licence, lease, rent, loan, transfer, or distribute any portion of the Products;
- modify, adapt, translate, or create derivative works from the Products;
- decompile, reverse engineer, disassemble, or otherwise attempt to derive source code from the Products; or
- remove, obscure or alter any trademark, copyright or other proprietary rights notices displayed in the Software or on the Site.
Any Software you have installed will periodically check with ESP Servers for updates, and you agree that ESP may automatically download and install such updates on your devices.
Use of these ‘Services’ will require us to send you, via the email provided, backup reports and server status notices. Agreeing to these ‘Terms’ means specifically agreeing to receiving these emails.
5. Shared content and seed services
5.1 If you have a large amount of data to backup when you first sign-up for the Services, you may choose to seed your initial backup using the ESP Seeding Service.
5.2 If you use this service, you agree that you bear all risk of loss and damage to your backup data while it is in transit, and you may not be able to access and retrieve your backup data until you have performed a successful online backup after completion of the Data Seed transfer. All data is fully encrypted at all times.
5.3 As a client or partner you agree to return the seed provided within 30 days of receiving the seed. If the seed isn’t returned then charges will occur for the replacement of the seed. All clients will sign a Hard Drive Agreement before a seed is sent.
6. Compliance with laws and acceptable use
6.1 You, as Data Controller, are solely responsible for your conduct related to the Service and any data you store or share on the Service. You specifically agree that you will not use the Products to:
- violate any laws or regulations;
- infringe the intellectual property or other rights of third parties;
- transmit any material that is obscene or objectionable or that contains viruses or other harmful computer code or files such as Trojan horses, worms, or time bombs.
- in connection with any nuclear, aviation, mass transit, or medical application or any other inherently dangerous application that could result in death, personal injury, catastrophic damage, or mass destruction; or
- in any other way which results in (or is likely to result in) ESP having to defend its own interests before a court, government agency, industry regulator, self-regulatory body or similar membership organisation, or dispute resolution body and/or which incurs (or is likely to incur) any losses, costs, expenses, damages or other liability in connection with any threatened or actual civil, criminal or administrative proceedings,
7. Data Protection
7.1 As the performance of the Agreement and the delivery of Services implies the processing of personal data, the Data Controller and the Data Processor shall comply with the applicable data protection legislation and regulations.
7.2 The obligations of the Processor are as follows:
The Data Processor shall ensure that in relation to personal data disclosed to it by, or otherwise obtained from the Data Controller, it shall act as the Data Controller’s data processor in relation to such personal data and shall therefore:
7.2.1 create and maintain a record of its processing activities in relation to this Agreement; The Data Processor shall make a record available to the Data Controller, any auditor appointed by it and/or the supervisory authority on first request;
7.2.2 implement appropriate technical and organisational measures for the fulfilment of Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights of access, rectification or erasure, to restrict or object to processing of Personal Data, or to data portability;
7.2.3 not process the personal data for any purpose other than to deliver the Services and to perform its obligations under the Agreement in accordance with the documented instructions of the Data Controller; if it cannot provide such compliance, for whatever reasons, it agrees to promptly inform the Data Controller of its inability to comply;
7.2.4 inform the Data Controller immediately if it believes that any instruction from the Data Controller infringes applicable data protection legislation and regulations;
7.2.5 not disclose the personal data to any person other than to its personnel as necessary to perform its obligations under the Agreement and ensure that such personnel is subject to statutory or contractual confidentiality obligations;
7.2.6 take appropriate technical and organisational measures against any unauthorised or unlawful processing, and to evaluate at regular intervals the adequacy of such security measures are described in Schedule 1;
7.2.7 ensure that access, inspection, processing and provision of the personal data shall take place only in accordance with the need-to-know principle, i.e. information shall be provided only to those persons who require the personal data for their work in relation to the performance of the Services;
7.2.8 promptly notify the Data Controller about (i) any legally binding request for disclosure of the personal data by a data subject, a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Data Controller with (ii) any accidental or unauthorised access, and more in the general, any unlawful processing to assist the Data Controller with;
7.2.9 deal promptly and properly with all reasonable enquiries from the Data Controller relating to its processing of the personal data or in connection with the Agreement;
7.2.10 make available to the Data Controller all information necessary to demonstrate compliance with the applicable data protection legislation and regulations;
7.2.11 at the request and costs of the Data Controller, submit its data processing facilities for audit or control of the processing activities;
7.2.12 refrain from engaging another data processor without the prior written consent of the Data Controller;
7.2.13 assist the Data Controller, subject to reasonable additional compensation, with the Data Controller’s obligation under applicable data protection laws and regulations.
7.2.14 respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another Processor, namely that the Processor may not engage another Processor (Sub-Processor) without the prior authorisation of the Controller. Those Sub-Processors that are authorised by the Controller at the date of this agreement are listed in Schedule 2. In cases where another Processor is engaged, the Sub-Processor must be subject to the same contractual terms as described on this Agreement;
7.3 The obligations and rights of the controller are as follows:
The Controller shall:
7.3.1 take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR. Those measures shall be reviewed and updated where necessary;
7.3.2 where appropriate in relation to Processing activities, the measures referred to in paragraph 7.3.1 shall include the implementation of appropriate data protection policies by the Controller;
7.3.3 implement appropriate technical and organisational measures for ensuring that, by default, only Personal Data which are necessary for each specific purpose of the Processing are processed. That obligation applies to the amount of Personal Data collected, the extent of their Processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default Personal Data are not made accessible without the individual’s intervention to an indefinite number of natural persons;
7.4 By default, all data will be backed up to our two UK Datacentre locations. Where specifically requested or configured by you, the Data Controller, ESP will ensure that all data that we process within the European Economic Area remains on servers or storage residing in the European Economic Area.
7.5 By default, all data will be backed up to our two UK Datacentre locations. Where specifically requested or configured by you, the Data Controller, ESP will ensure that all data that we process within the United States of America remains on servers or storage residing in the United States of America.
7.6 Personal data processed in the context of this Agreement may not be transferred to a country outside of the European Economic Area without the prior written consent of the Data Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, both Data Controller and Data processor shall ensure that the personal data is adequately protected.
8. Confidentiality
8.1 Each Party acknowledges that during this Agreement, a Party (the ‘receiving Party’) may become privy to Confidential Information which is disclosed by the other Party (the ‘disclosing Party’).
8.2 The receiving Party shall keep all Confidential Information confidential. The receiving Party shall not disclose Confidential Information to any third party, and shall not use Confidential Information for any purposes other than for the purposes of this Agreement. The receiving Party shall safeguard the Confidential Information to the same extent that it safeguards its own confidential and proprietary information and in any event with no less than a reasonable degree of protection.
8.3 Each Party agrees that before any of its subcontractors and/or agents may be given access to Confidential Information, each such subcontractor and/or agent shall agree to be bound by confidentiality undertaking comparable to the terms of this Agreement. Notwithstanding the return of any Confidential Information, each Party and its subcontractors and/or agents will continue to hold in confidence all Confidential Information, which obligation shall survive any termination of this Agreement.
8.4 In the event the receiving Party is requested or required to disclose, by court order or regulatory decision, any of the disclosing Party’s Confidential Information, the receiving Party shall provide, to the extent permitted, the disclosing Party with prompt written notice so that the disclosing Party may seek a protective order or other appropriate remedy and/or waive compliance with the provisions of this Agreement. The receiving Party shall furnish only that portion of the Confidential Information which is legally required.
8.5 Within 30 business days following (i) the termination or expiry of this Agreement or (ii) the disclosing Party’s reasonable earlier request at any time, the receiving Party shall destroy or return to the disclosing Party (at its option) any and all of the disclosing Party’s Confidential Information, and shall purge all copies and traces of the same from any storage location and/or media.
8.6 The confidentiality undertaking under Section 8 shall not be applicable if the Confidential Information:
8.6.1 has become publicly known prior to being divulged or thereafter, but without any breach of confidentiality undertaking; or
8.6.2 has been legitimately obtained from a third party neither tied by an obligation of confidentiality nor professional secrecy; or
8.6.3 was independently created by the receiving Party without use of any Confidential Information of the disclosing Party; or
8.6.4 was already known or developed by Receiving Party, as can be demonstrated by documentary evidence.
9. Intellectual property protection
9.1 ESP is and shall remain the owner of any materials used or made available in the context of the delivery of the Services.
9.2 ESP respects the intellectual property of others and requires that users of the Service do the same.
9.3 ESP licenses all such rights to you free of charge on a non-transferable, non-sub licensable, irrevocable (except for breach), nonexclusive, worldwide basis to such extent as is necessary to enable you to make use of the Services during the term of the Contract. If the Contract is terminated, this license will automatically terminate.
10. User indemnity
10.1 You agree to defend, indemnify and hold ESP, its supplier, partners, and their respective affiliates harmless from and against any claims, liabilities, damages, losses and expenses, including reasonable legal fees and costs, in connection with:
- your use of the Products;
- your breach of these Terms;
- your infringement of any third-party right, including any intellectual property right; or
- any claim that use of your data caused damage to a third party;
- any breach by you of Data Protection clause 7;
- any breach by you of Intellectual Property clause 9
10.2 This indemnity obligation will survive the termination or expiration of your account and these Terms.
11. Changes to the service and terms
11.1 ESP reserves the right at any time to modify, suspend, or discontinue providing the Service, in whole or in part.
11.2 In the event ESP anticipates that any such action will significantly affect your use of the Service in a negative way, ESP will endeavour to provide you with advance notice by e-mail, an in-client message or by posting relevant information on the Site within 30 days in the event of the following:
- misuse by the user;
- critical maintenance work;
- technological developments making it difficult, infeasible or unprofitable to continue the Services without making changes;
- ESP can no longer procure equipment, software, services or facilities from suppliers under reasonable terms;
- general market or economic conditions make it difficult or impossible for ESP to operate its business at a reasonable cost;
- attacks against ESP by third parties create a serious risk to the integrity, security or availability of customer data;
- laws, regulations or lawsuits require changes to the Services or make it difficult to operate the Services at reasonable costs;
- legal developments like laws, regulations and lawsuits require changes or make them advisable;
- features are added or eliminated from the Services.
11.3 You acknowledge that providing notice of any modification, suspension or discontinuation of the Services or of any modification of the Terms in accordance with clause 10 will not be reasonably practicable for ESP in the following circumstances:
- misuse by the user;
- unforeseen critical maintenance work;
- breach of data- or cyber-security (or material concerns in relation to the same);
- suspected or alleged infringement of intellectual property rights in respect of the Services;
- unforeseen changes in laws or regulations; or
- widespread network or power failures affecting ESP facilities.
Any modification to the Terms will be posted to the Site. Notice of change of such Terms shall be sent to you upon posting. The new Terms shall be effective 30 days after such notice. All material modifications to the Terms will apply prospectively only. Your continued use of any Services following notification by ESP of any modification to the Terms constitutes your agreement to be bound by the modified Terms. To stay informed of any changes, please review the most current version of these Terms posted on the Site.
If you do not agree to be bound by the Terms (or any modified version thereof), you must stop using the Services immediately, and request termination of the Agreement (and your account) pursuant to clause 12 term and termination.
ESP reserves the right to amend these Conditions from time to time and shall notify you of any changes within 30 days, and each such modification will be effective upon posting on the site. All material modifications will apply prospectively only.
Your continued use of any Products following any such modification constitutes your agreement to be bound by the modified Terms. To stay informed of any changes, please review the most current version of these Terms posted on the Site. If you do not agree to be bound by these Terms, you must contact your Account Manager within 10 working days to permit 10 working days of negotiation.
12. Term and termination
12.1 These Terms, and any posted revisions, remain in effect as long as you continue to maintain an account or use the Services. You may terminate your account at any time, for any reason, by following the instructions on the Site and discontinuing use of the Products.
12.2 ESP may suspend your account and these Terms immediately on written notice with 24 hours notice if you fail to pay any fees or invoices when due or otherwise fail to comply with these Terms.
12.3 ESP may terminate this Agreement (and your account, regardless of whether it is a Paid or Trial Account) immediately on written notice in any of the following circumstances:
- you fail to comply with these Terms and such failure persists for more than 30 days from receipt of a request from ESP to rectify such noncompliance;
- you commit a Misuse of the Services (as defined in clause 6)
- upon discontinuation of the Services by ESP in accordance with clause 11.
On suspension or expiration of your account or these Terms, you will no longer have the right to continue to use the Software and the Services, and you will no longer be able to access and restore your backup data. Also, you specifically agree that ESP has no obligation to provide you or anyone else with a copy of your backup data and may automatically purge your backup data from ESP systems.
The Customer is invoiced on the agreed term of monthly, quarterly or annually in advance for the service. The customer may terminate this contract or the service provided at any time by giving 30 days notice to ESP in writing to cancellation@safedatastorage.co.uk. If notice is given by the customer during the minimum period the customer must pay the charges due for the remainder of the minimum period unless the customer has given notice because ESP has materially changed the Conditions of this contract to the customer’s detriment.
The customer will be entitled to a refund of any advance monies paid on a pro rata basis. All data held on our servers is deleted immediately after the 30 days notice providing the account is paid to date. ESP may terminate this contract or the service provided under it at any time on 30 days notice.
13. Entire agreement
13.1 These Terms constitute the entire agreement between you and ESP and completely replace any prior agreements between you and ESP in relation to the Products. If any part of these Terms is held invalid or unenforceable, that portion will be construed in a manner consistent with applicable law to reflect, as nearly as possible, the original intentions of the parties, and the remaining portions will remain in full force and effect.
13.2 The Contract shall be governed by and construed in accordance with English law and the Parties agree to submit to the exclusive jurisdiction of the English courts.
14. Limitation of liability
14.1 In no event shall ESP or its advertisers or suppliers have any obligation or liability to you for the cost of procurement of substitute services or data or for any direct, indirect, incidental, special, exemplary or consequential damages (including, without limitation, any loss of data, revenue or profits or business interruption) or other pecuniary loss arising out of your use or inability to use your account or the service or your loss of data or files stored therein.
Schedule 1: Data Processing and Security
1. Description of the data processing carried out on behalf of the Data Controller
In addition to the information provided elsewhere in the Agreement, ESP wish to document the following information in relation to the data processing activities:
The data processing performed by the Data Processor on behalf of the Data Controller relates to the Service – a managed, encrypted backup/copy of data selected by the Data Controller. The data processing activity consists of all selected data being compressed and encrypted prior to it leaving the client system. All data is then stored fully encrypted in secure UK Data Centres. ESP is unable to read any of the data that is backed up to our servers.
We need certain personal data to enable us to provide our products and services to our clients. In collecting this information, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data and about the rights you have over your data. Refer to Privacy Policy.
The categories of personal data that ESP hold are:
- Name, address, telephone number and email address of clients
- Login name (not password or encryption key)
- Financial data (credit card details (WorldPay) / direct debit) for payment of Services
- Backup set details
- IP addresses
The duration of the data processing activities is in line with the Term and Conditions and as such will stop upon termination of Services.
2. Description of security measures
The Data Processor has implemented the following security measures:
- Encryption in transit
- Encryption at rest
- Role-based access control
- Multi-factor authentication
- Regular backups
- Vulnerability scanning
- Intrusion detection system
- Intrusion prevention system
- Firewall
- Anti-virus
- Business continuity plan
Schedule 2: Sub-Processors
As of this agreement, the following Sub-Processors have been notified by the Processor to the Controller with respect to the Processing:
- Ahsay Corporation
- Amazon Web Services
- Beechlands Accountancy
- Eazy Collect Services Ltd
- Filecloud
- FreeAgent
- Jira
- LADesk
- Microsoft
- StorageCraft
- Worldpay
- Safe Data Storage