Information Security Terms
Last updated 6 December 2023
1. Introduction
These Information Security Terms (“IST”) set forth Supplier’s commitments with respect to Supplier’s compliance with applicable Data Protection Laws and Supplier’s administrative, technical and physical safeguards designed to protect the Personal Information it Processes on Customer’s behalf.
The IST is incorporated into the Agreement pursuant to the General Terms and Conditions. Except where the context requires otherwise, capitalized words used in the IST shall have the meaning given to them in the General Terms and Conditions or elsewhere in the Agreement and the rules of interpretation in the General Terms and Conditions shall apply.
2. Scope
The security of data and information that is accessed, stored, shared, or otherwise Processed via the Services is a shared responsibility between Supplier and Customer. Supplier is responsible for the implementation and operation of an ISM Program and the protective measures that are described in the IST. Customer is responsible for properly implementing such access and use controls and configuring such features and functionalities of the Services as Customer may elect in order to use the Services in a manner that Customer deems adequate to maintain appropriate security, protection, deletion and backup of Customer Data. The provision of the Services is predicated on each party materially complying with applicable Data Protection Laws.
The IST applies specifically to Customer Data Processed via the Services and does not extend to data held on Customer’s systems or environments.
3. Customer data
Customer Data forms a part of the data that is maintained by or on behalf of Supplier in accordance with Supplier’s ISM Program.
Any transfer, extraction, or recovery of Customer Data pursuant to this Section 3 is conducted entirely at Customer’s own risk, and Supplier is not liable – whether in contract, in tort, for breach of statutory duties, for misrepresentation, for deliberate, willful or intentional conduct or breaches, or otherwise – if any extraction, provision, deletion, destruction or anonymization of Customer Data that is undertaken in accordance with Applicable Laws and the Agreement results in loss of, corruption of, or loss of availability to Customer Data.
Customer Data may be disclosed by Supplier and used by Supplier, its Affiliates and their authorized representatives in accordance with and as permitted under the IST and the Agreement. Customer undertakes to enable such disclosure and use to occur, including by providing all necessary notices and obtaining all necessary consents.
4. Personal Information
Each party may Process Personal Information of the other party’s personnel. Supplier shall Process Customer Personal Information in accordance with the IST and the Agreement and as necessary to deliver the Services and in accordance with written instructions from Customer, which may be specific instructions or instructions of a general nature as set out in this IST or the Agreement or as otherwise notified by Customer to Supplier from time to time, and such instructions shall be consistent with Supplier’s obligations under this IST. For the purposes of the foregoing, where the Supplier is Intelliflo Limited and the UK GDPR applies to the Processing of Customer Personal Information by the Supplier, the parties acknowledge and agree that Section 8 sets out the scope, nature and purpose of Processing by the Supplier, the duration of the Processing and the types of Personal Information and categories of Data Subject. If Supplier is required to Process Customer Personal Information for any other purpose by Applicable Laws, Supplier will use commercially reasonable efforts to inform Customer of this requirement first to the extent permitted by Applicable Laws. Supplier shall notify Customer if, in Supplier’s opinion, an instruction for the Processing of Customer Personal Information given by Customer infringes the Data Protection Laws, and Supplier shall not be required to comply with such instruction.
Information on the manner in which such Personal Information may be processed by Supplier can be found in Supplier’s privacy notice, which is publicly available on its Website.
Customer undertakes to ensure that Customer Personal Information it provides to Supplier – or that Supplier otherwise obtains in the course of providing Services – shall at all times be collected and otherwise Processed in accordance with Data Protection Laws, and may be Processed by Supplier in accordance with and as permitted under the IST and the Agreement.
Customer represents and warrants that it has satisfied itself that: (a) Supplier’s Processing operations are suitable for the purposes for which Customer proposes to use the Services; and (b) Supplier has sufficient expertise, reliability and resources to implement technical and organizational measures that meet the requirements of the Data Protection Laws and the terms of the IST and the Agreement.
Customer agrees that it is responsible for taking all necessary actions to order, enable and use the features of the Services which are designed to assist compliance with applicable Data Protection Laws, to the extent such features are available as part of the Services, and accepts responsibility for its failure to take such actions.
Customer shall not perform any of its obligations under this Section 4 in such a way as to cause Supplier to breach any of its applicable obligations under the Data Protection Laws.
Customer will inform Supplier of any Data Subject Rights request made that Supplier must assist with under the applicable Data Protection Laws (including the CCPA) and will provide the information necessary for Supplier to assist with the request.
Supplier shall reasonably assist Customer, at Customer’s request and cost: (a) in so far as it is reasonably possible, to fulfil Customer’s obligations under the Data Protection Laws, including to respond to Data Subject Rights requests (to the extent that the relevant Customer Personal Information is not accessible to Customer or the Data Subjects through the Services); (b) in so far as is necessary to respond to the requirements of relevant regulatory organizations; and (c) where Supplier receives any communication addressed to Customer from a third party in respect of Customer Personal Information, it will take reasonable efforts to inform Customer of such communication.
Supplier shall use commercially reasonable efforts to assist Customer with respect to Customer’s obligations under the Data Protection Laws as they apply to Customer Personal Information in relation to (a) security of Processing; (b) data protection impact assessments to the extent required by the Data Protection Laws; (c) prior consultation with a Data Protection Regulator regarding high risk Processing; and (d) notifications to a Data Protection Regulator or communications to Data Subjects by Customer in response to a Security Breach.
Customer agrees that for the purpose of providing the Services, Supplier may provide access to, transfer and disclose Customer Personal Information to a third party including Supplier’s Affiliates or Sub-contractors within or outside of the country in which Customer is located for the purpose of providing Services or as otherwise contemplated by the Agreement. Supplier shall maintain on the Website a list of Sub-contractors that it has engaged in connection with the provision of the Services or Processing of Customer Personal Information. Supplier may update the list of Sub-contractors by posting an updated list to the Website or by otherwise providing notice to Customer. Supplier will use commercially reasonable efforts to ensure such updates are made available to Customer at least ten (10) days before the Sub-contractor commences any Processing of Customer Personal Information. Customer may object to the addition of a new Sub-contractor by providing written notice to Supplier describing reasonable and documented grounds relating to the Sub-contractor’s non-compliance with the Data Protection Laws within ten (10) days of the updated list of Sub-contractors being made available to Customer.
Supplier will maintain a written agreement with any such Sub-contractor that Processes Customer Personal Information which imposes data protection obligations no less onerous than those required by applicable Data Protection Laws, including, as applicable, Article 28 of the UK GDPR, and Supplier will remain liable to Customer for any such Sub-contractor’s compliance with those data protection obligations. Supplier shall be permitted to Process Customer Personal Information in order to improve the Services.
Supplier shall, at Customer’s cost, use commercially reasonable efforts to make available to Customer all information necessary to demonstrate compliance with Supplier’s obligations set out in this Section 4.
Where the Processing of Customer Personal Information is subject to the CCPA, solely with respect to such Customer Personal Information that is subject to the CCPA (and constitutes “personal information” under the CCPA):
- Customer (or a Customer Affiliate) (as Business) has appointed Supplier (as Service Provider) and disclosed such Customer Personal Information to Supplier for a Business Purpose pursuant to the IST or the Agreement and for Supplier to Process on Customer or Customer Affiliate’s behalf in compliance with the CCPA.
- The Parties acknowledge and agree that disclosure of such Customer Personal Information to Supplier (or a Supplier Affiliate) shall not constitute a Sale of such Customer Personal Information to Supplier (or to a Supplier Affiliate).
- Supplier shall Process (and shall ensure that any Sub-contractor Processes) Personal Information only for the following Business Purposes: providing access to, monitoring, and supporting the Services identified in the relevant Order Form under the Agreement.
- Supplier shall not: (a) Sell or Share such Customer Personal Information; or (b) retain, use, or disclose such Customer Personal Information outside of the direct business relationship between Supplier and Customer, such as by combining or updating such Customer Personal Information with Personal Information that it receives from or on behalf of another person or persons, or collects from its own interaction with a Data Subject. Consistent with the above, Supplier may use Personal Information as reasonably necessary to detect a Security Breach and to protect against fraudulent or illegal activity.
- Supplier shall notify Customer promptly after Supplier determines that Supplier can no longer meet its obligations under the CCPA or the IST. Pursuant to such notice to Customer under this paragraph, Customer shall be permitted to take appropriate steps with Supplier to (a) ensure that Supplier uses such Customer Personal Information in a manner that is consistent with Customer’s obligations under the CCPA, and (b) to remediate unauthorized use of such Customer Personal Information.
5. Information security management
Supplier maintains a written information security management program that includes appropriate administrative, physical and technical measures to protect the confidentiality, integrity, and availability of the Processing of Customer Personal Information through the Services, including protection of Customer Personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure (“ISM Program”). Supplier may update or modify the ISM Program from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
Supplier conducts reasonable and appropriate background investigations on personnel in accordance with Applicable Laws prior to them Processing Customer Personal Information on behalf of Customer. Supplier conducts periodic training to inform personnel on procedures and policies relevant to the ISM Program. Supplier has adopted and implemented written policies reasonably designed to have personnel Process Customer Personal Information only in a manner permitted or required by the IST or the Agreement and for no other purpose. Supplier provides access to Customer Personal Information to personnel who are reasonably required to know that information in order to perform their job duties or to enable Supplier to comply with Applicable Laws. Supplier ensures that personnel who are required to access Customer Personal Information are subject to confidentiality obligations in respect thereof. Supplier requires Sub-contractors to maintain adequate administrative, physical, and technical safeguards based on risk tiers appropriate to subcontracted services that support Supplier’s compliance with the requirements of the IST and the Agreement, and to maintain disaster recovery and business continuity plans. Supplier ensures that Sub-contractors accessing Customer Personal Information are subject to confidentiality obligations with respect to such Customer Personal Information.
Supplier ensures the security of its facilities, networks and devices that store or enable access to Customer Personal Information in order to seek to prevent unauthorized access or use by implementing such safeguards as: (a) having access controls at facilities that process Customer Personal Information; (b) securely transporting and disposing of physical media that contain Customer Personal Information; and (c) having controls that are designed to protect against environmental hazards (e.g., water or fire damage).
Supplier has implemented technical safeguards that include encrypting Customer Personal Information while in transit and at rest, using industry standard encryption controls; logically separating Customer Personal Information from other customers’ records, including when stored on backup media; monitoring systems for attacks, intrusions, exfiltration, unauthorized access, or transmissions; prohibiting any connection to Customer’s network that allows cross-network access between Customer’s network and other networks; and limiting access to any Customer Personal Information by verifying the identity of those with access, providing unique user IDs, making available the use of strong passwords and multifactor authentication for users who have access to Customer Personal Information (“Authentication Credentials”). Supplier does not allow more than one user to have the same Authentication Credentials and encrypts passwords stored by it in line with industry standards.
6. Business continuity and disaster recovery
Supplier maintains a Business Continuity and Disaster Recovery Policy (“Continuity Policy”) that it periodically reviews for suitability, adequacy and efficacy.
7. Security incident response and reporting
Supplier maintains an Incident Management and Response Policy that it periodically reviews for suitability, adequacy and efficacy, which is managed by trained security professionals.
Supplier notifies Customer in the event Supplier becomes aware of any Security Breach and takes reasonable steps to address the Security Breach. A Security Breach does not include unsuccessful attempts, everyday security alerts, or other events that do not materially compromise the security or availability of Customer Personal Information, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. Supplier’s notification of a Security Breach under this section is not an acknowledgement by Supplier of any fault or liability for such Security Breach.
Supplier has implemented reasonable measures to mitigate the cause of any Security Breach and undertakes reasonable corrective measures to prevent the same Security Breach from occurring in the future. As information is collected or otherwise becomes available to Supplier and unless prohibited by Applicable Laws, Supplier undertakes to provide information regarding the nature and consequences of the Security Breach that is reasonably requested to allow Customer to notify affected individuals, government agencies and/or credit bureaus. Where Supplier may not have access to or know the nature of the information that is contained within Customer Personal Information, it may not be possible for Supplier to provide Customer with a description of the type of information or the identity of individuals who may be affected by a Security Breach. Customer is solely responsible for determining whether to notify impacted individuals, providing such notice, and determining if regulatory organizations or enforcement commissions applicable to Customer or Customer’s use of the Services need to be notified of a Security Breach.
In the event there is a security breach of Customer Systems or another security risk to Supplier, Supplier’s Affiliates or Supplier Resources that could reasonably impose liability on Supplier or its Affiliates resulting from any Customer System or the actions of Customer or Authorized User (“Customer Security Incident”), Supplier may immediately suspend access to and use of the Services without liability to Customer until such Customer Security Incident has been reasonably mitigated, provided that Supplier will use reasonable efforts to promptly notify Customer of and mitigate such Customer Security Incident. Customer will promptly notify Supplier if it becomes aware of any Customer Security Incident and reasonably cooperate with Supplier in mitigating and responding to such Customer Security Incident.
8. Personal Information Processing Details – United Kingdom
Purposes of Processing
Customer Personal Information will be Processed by Supplier as Processor for the purposes of providing the Services, managing advice outcomes on behalf of Customer, and as otherwise permitted in the Agreement.
Customer agrees that Supplier may aggregate and anonymize Customer Personal Information and use such data for the purposes permitted under the Agreement, in accordance with the General Terms and Conditions.
Duration of Processing
Unless otherwise stated in the Agreement, Supplier will Process Customer Personal Information for the duration of the Agreement.
Nature of Processing
The Processing will include Supplier storing and otherwise Processing Customer Personal Information within the Subscribed Service, using and sharing Customer Personal Information with Supplier Affiliates and suppliers of Third Party Services, allowing clients of Customer to create client reports with Customer Personal Information and allowing clients of Customer to view their Customer Personal Information via a personal finance portal, in accordance with and as permitted under the Agreement.
Description of Customer Personal Information
Customer Personal Information which Supplier may Process as Processor under the Agreement includes the Data Subject’s:
- Name, age, gender
- Place and date of birth
- Contact details
- Passport number
- Driving license number
- Any other ID card numbers
- Financial dependent details
- Investment and retirement plan information
- Protection and mortgage details
- Income and expenditure details
- Tax details
- Vehicle registration number
- Sort code and account numbers
- Bank account or policy numbers
Special Categories of Personal Data (as it amounts to Customer Personal Information)
- General details relating to the Data Subject’s health that could affect the financial advice given may be passed to Supplier (for example: if the Data Subject has been diagnosed with a long-term illness or the Data Subject’s smoking status).
- Personal Data revealing religious or philosophical beliefs
Personal Data relating to Criminal Convictions and Offences (as it amounts to Customer Personal Information)
Criminal or civil convictions data that is revealed as part of a fact find may also be Processed (for example: driving license points).
Categories of Data Subjects
- Clients of Customer
- Authorized Users (to the extent that Personal Information relating to them is Processed by Supplier as Processor)
9. Definitions
In the IST the following expressions have these meanings:
CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq., as amended including by the California Privacy Rights Act of 2020, and their implementing regulations.
Business, Business Purpose, Commercial Purpose, Sell, Selling, Sale, Sold, Sensitive Personal Information, Service Provider, and Share, Shared, or Sharing have the meaning given to them in the CCPA or applicable Data Protection Laws.
Customer Data means all data that: (a) is provided by Customer or an Authorized User to Supplier; (b) is otherwise uploaded by Customer or an Authorized User or hosted on any part of the Services; and (c) is information about or results from Customer or an Authorized User’s use of the Services, excluding Supplier Resources.
Customer Personal Information means the Personal Information made available to Supplier by Customer or any Customer Affiliate, or otherwise obtained by Supplier pursuant to the Agreement which Supplier Processes in the course of providing the Services or for other legitimate business purposes.
Data Protection Laws means the data protection and privacy legislation in force from time to time which are applicable to Supplier, Customer or the provision of the Services, including, as applicable, the CCPA, the UK General Data Protection Regulation as created and modified by the Data Protection Act 2018, and as further consolidated by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/419 (“UK GDPR”) and the General Data Protection Regulation ((EU) 2016/679).
Data Protection Regulator means an independent public authority which is responsible for monitoring and enforcing the Data Protection Laws.
Data Subject means an identified or identifiable natural person.
Data Subject Rights means all rights granted to Data Subjects by Data Protection Laws, including the right to know, access, correct, delete, opt-out and limit the use and disclosure of Sensitive Personal Information.
ISM Program has the meaning set forth in Section 5.
Personal Information means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular Data Subject or household and includes “Personal Information” or “Personal Data” as defined in the Data Protection Laws.
Processing means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether or not by automated means, and “Processed”, “Processes” and “Process” shall each be construed accordingly.
Security Breach means a breach of security leading to the unauthorized disclosure of or access to Customer Personal Information that Supplier Processes on Customer’s behalf in the course of providing the Services.
Sub-contractor means an entity to which Supplier subcontracts any of its obligations (including the Processing of Personal Information) as permitted in accordance with the IST and the Agreement, and “Sub-contract” and “Sub-contracting” shall each be construed accordingly. For clarity, the Third Party Services are not Sub-contractors.