CREDAS TECHNOLOGIES LTD TERMS AND CONDITIONS OF SERVICE

1. Interpretation

1.1 The definitions and rules of interpretation in this clause apply in these terms and conditions.

Business Day

a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Charges

the price(s) to be paid by the Customer for Credas Products under clause 6.1 as listed on the Credas System, which shall include any deposit, subscription fees or price per Credit, additional Credit fees and support fees (as applicable).

Credit

means the credits required to be purchased via the Credas System to access and use the Credas Products.

Code

the Reed Elsevier Code of Conduct for Suppliers, which is available at http://www.reedelsevier.com/corporateresponsibility/Documents/policies/reed-elsevier-supplier-code-of-conduct.pdf.

Credas

Credas Technologies Ltd incorporated and registered in England and Wales with company number 10429398 with its registered office at Tec Marina, Terra Nova Way, Penarth, Vale Of Glamorgan, Wales, CF64 1SA.

Credas Data

the Data comprised in the Credas Products.

Credas Products

all or any part(s) of the products of the type and specification identified on the Credas System, including the Credas Data comprised in the Credas Products, and the associated documents relating to the product together with any other products and related documents developed by Credas.

Credas System

any information technology system or systems owned or operated by Credas, from which Credas Products are purchased and Credas Data is to be uploaded to any information technology system or systems owned or operated by the Customer.

Confidential Information

all confidential information (however recorded or preserved) disclosed by a party or its employees, officers, representatives, advisers or subcontractors who need to know the confidential information in question for the Permitted Use (Representatives) to the other party and that party’s Representatives in connection with this Agreement, which is either labelled as such or else which should reasonably be considered as confidential because of its nature and the manner of its disclosure.

Customer

the company that purchases Credits and / or Credas Products from Credas in accordance with these terms and conditions.

Customer Data

the data inputted by the Customer (and authorised users of the Customer), or Credas on the Customer’s behalf for the purpose of using the Software and facilitating the Credas Products.

Data

any data or information, in whatever form including images, still and moving, and sound recordings.

Data Protection Legislation

the UK Data Protection Legislation and any other directly applicable European Union regulation relating to privacy and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data and the privacy of electronic communications.

Data Provider

a third party whose data, information, software or other material is supplied as part of the Credas Products.

Effective Date

the date when these terms and conditions are accepted by the Customer.  

Holding Company and Subsidiary

a “holding company” and “subsidiary” as defined in section 1159 of the Companies Act 2006. 

Initial Period

an initial period commencing on the Effective Date, as agreed between the parties. 

Intellectual Property Rights

all patents, rights to inventions, utility models, copyright and related rights, trade marks, service marks, trade, business and domain names, rights in trade dress or get-up, rights in goodwill or to sue for passing off, unfair competition rights, rights in designs, database rights, semi-conductor topography rights, moral rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications for and renewals or extensions of such rights, and all similar or equivalent rights or forms of protection in any part of the world.

Legislation

any statute, statutory provision or subordinate legislation or any mandatory rules or guidance issued by any regulatory body having or asserting jurisdiction over the applicable party, including all applicable laws, ordinances, codes, regulations, standard and judicial or administrative orders, including those of the United Kingdom, the EU and if applicable the United States.

Licence

the licence granted in clause 14.5.

Mandatory Policies

Credas’ business policies and codes as advised by Credas from time to time, as amended by notification to the Customer from time to time.

Materials

any hardware, Software or documents supplied by Credas under these terms and conditions.

Nominee

any nominee of Credas, including its designated accountants or auditors, for the purpose of clause 3.

Permitted Use

the purpose of exercising or performing the relevant party’s rights and obligations under these terms and conditions, specifically in relation to the Customer’s internal business processes which shall have been approved by Credas prior to the Effective Date.

Release

upgrades and enhancements to the Credas Products, the Credas Data or the Software (as the case may be).

Renewal Period

each successive period equal to the Initial Period which shall commence on the expiry of the Initial Period, unless otherwise terminated in accordance with these terms and conditions.

Reports

the reports to be submitted under clause 3.1.5.

Customer System

any information technology system or systems owned or operated by the Customer to which Credas Data is to be uploaded from the Credas System under clause 4.5.

Security Event

an event where the Credas Products or Credas Data is accessed (a) without authorisation using the Customer’s Security Features, user IDs and/or through the Credas or Customer’s Systems; (b) lost by the Customer; or (c) as a result of the Customer’s breach of these terms and conditions.

Security Feature

any security feature including any key, PIN, password, token or smartcard.

Software

any software provided by Credas to enable the Credas Products to be used or any software embedded in the Credas Products, including any Releases of the software.

Specification

the functionality and performance specifications for the Credas Products.

Third Party Additional Terms

the terms and conditions as set out in Schedule 1 which will apply dependent on the Credas Product(s) that the Customer is purchasing.

Trade Marks

the trade mark registrations and applications identified in Schedule 2 together with any further trade marks that Credas may permit or procure permission for the Customer by express notice in writing to use in respect of the Credas Products.

Term

the Initial Period and any Renewal Periods.

UK Data Protection Legislation 

all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

Verification Request

a request made by the Customer via the Credas System to purchase Credas Products from Credas.

1.2 Clause, Schedule and paragraph headings shall not affect the interpretation of these terms and conditions.

1.3 A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.4 The Schedules form part of these terms and conditions and shall have effect as if set out in full in the body of these terms and conditions. Any reference to these terms and conditions includes the Schedules.

1.5 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.6 Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.

1.7 Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.

1.8 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.

1.9 A reference to a statute or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.10 A reference to writing or written includes e-mail unless otherwise expressly stated herein. 

1.11 References to clauses and Schedules are to the clauses and Schedules of these terms and conditions and references to paragraphs are to paragraphs of the relevant Schedule.

1.12 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.

1.13 In the case of conflict or ambiguity between:

1.13.1 any provision contained in the body of these terms and conditions and any provision contained in the Schedules or appendices, the provision in the body of these terms and conditions shall take precedence;

1.13.2 the terms of any accompanying invoice or other documents annexed to these terms and conditions and any provision contained in the Schedules or appendices, the provision contained in the Schedules or appendices shall take precedence; and 

1.13.3 these terms and conditions once accepted by the Customer via the Credas System, and any previous terms and conditions accepted by the Customer, these terms and conditions shall prevail and shall replace and supersede any prior terms and conditions which govern the use of the Credas System and use of the Credas Products at any time, unless the Customer has entered into a separate bespoke contract which has been manually executed by authorised signatories of the parties. 

2. Licence

2.1 In consideration of the Charges paid by the Customer to Credas, Credas grants to the Customer a non-exclusive, non-transferable licence, without the right to sub-licence, for the Term to use the Software and Credas Products.

2.2 Prior to the grant of access to any of the Credas Products, the Customer shall be required to provide Credas with all necessary information relating to the proposed use of the Credas Products by the Customer, for written approval by Credas. The Customer shall remain under a continuing obligation to seek written approval from Credas for any proposed changes to the use of the Credas Products during the period that these terms and conditions are applicable. 

2.3 During the Term, the Customer undertakes not to:

2.3.1 distribute or create any products that compete with the Credas Products; or

2.3.2 distribute or resell the Credas Products, and shall only use the Credas Products directly as an end-user in its ordinary course of business.

2.4 The Customer shall only use the Credas Products solely for the Permitted Use within the following industries and markets: anti-money laundering, counter-terrorism financing, fraud risk management and anti-bribery or corruption, or to meet similar regulatory compliance requirements as agreed in writing between the Customer and Credas.

2.5 Credas reserves the right to sell the Credas Products directly to customers.

3. Customer’s undertakings

3.1 The Customer undertakes, warrants and agrees with Credas to:

3.1.1 use the Credas Products solely in accordance with the instructions supplied by Credas from time to time in writing and subject to any testing requirements that Credas may reasonably impose;

3.1.2 shall not use any Credas Data or information contained in the Credas Products in any way that is unlawful, illegal, fraudulent or harmful or in connection with any unlawful, illegal, fraudulent or harmful activity, or for any purpose outside of the Permitted Use or as otherwise authorised by these terms and conditions; 

3.1.3 not to either directly or indirectly itself or through any agents or third party (a) request, compile, store, maintain or use the Credas Products, (or the Credas Data contained therein) to build its own database (other than to provide an aggregated list of checks performed); (b) copy, incorporate, issue to the public, store, adapt, modify, transmit, decompile, reverse engineer or distribute or otherwise reproduce the Credas Products (or any of the Credas Data contained therein) otherwise in accordance with these terms and conditions, or permit anyone else to do the same;

3.1.4 employ a sufficient number of suitably qualified personnel to ensure the proper fulfilment of the Customer’s obligations under these terms and conditions;

3.1.5 no later than the fifth working day of each calendar month (the first such month being deemed to start on the Effective Date, the last such month being deemed to end on the date these terms and conditions terminate for any reason) the Customer shall submit to Credas by such means as Credas may notify to the Customer from time to time, reports in the format stipulated by Credas from time to time showing details of the type of checks that are being undertaken; 

3.1.6 within 14 days of a written request from Credas at any time, and from time to time, provide such information as is reasonably requested by Credas about the Customer’s processes and controls to support compliance with these terms and conditions;

3.1.7 during the Term and for a period of 5 years following termination of these terms and conditions allow, for the purpose of auditing compliance with these terms and conditions, Credas (or its Nominee), on reasonable notice, access to, and (physical and remote electronic) inspection of, all accounts and records relating to the Credas Products and all facilities of the Customer in which the Customer performs its obligations under these terms and conditions (including the Customer’s data processing facilities) and allow Credas (or its Nominee) to meet with the Customer’s personnel whom the Customer will procure to provide all explanations reasonably necessary to perform the audit effectively. Credas’s costs of such inspection will be borne by Credas unless it shows a shortfall exceeding 5% for any period to which the inspection relates between the amount actually paid by the Customer and the amount due to be paid by the Customer, in which event (without affecting or prejudicing any other rights that Credas may have) the Customer will pay in full Credas’s costs (which, for the avoidance of doubt, will include any reasonable costs of Credas’s Nominee in carrying out the inspection) and the amount of the shortfall, within 14 days of the date of Credas’s invoice for such costs and/or shortfall;

3.1.8 during the Term and for a period of 5 years following termination of these terms and conditions, facilitate the interview of staff employed by the Customer (or any agent of the Customer) and other individuals who may have been involved in the Customer’s activities on behalf of Credas, at any reasonable time specified by Credas, or its Nominee, related to compliance with Legislation;

3.1.9 keep all copies of the Credas Products in conditions appropriate for their storage and provide appropriate security for the Credas Products, all at its own cost;

3.1.10 inform Credas immediately of any changes in ownership or control of the Customer, of any transfer of all or substantially all of the Customer’s assets and of any change in its organisation or method of doing business that might affect the performance of the Customer’s duties under these terms and conditions;

3.1.11 be responsible for all use of the Software by the users of the Software (Customer employees, agents, representatives or clients as applicable); and

3.1.12 notify Credas in writing within seven days of any:

3.1.12.1 subject to clause 14.13 and clause 16.7, claimed or suspected defects in the Credas Products; or

3.1.12.2 claim or proceeding involving the Credas Products.

3.2 Use of the Credas Products is subject to the Third Party Additional Terms (as applicable to the Credas Product) of its Data Providers. To the extent that the Additional Terms refer to Customers, the Customer agrees to use the Credas Products and access the Credas Data contained therein as if it were a Customer of the Data Provider. Any reference to a services agreement in the Additional Terms shall also include these terms and conditions.  

3.3 Credas may from time to time notify the Customer of additional, updated or new requirements for compliance, which will be a condition of Credas’ continued provision of the Credas Product to the Customer. The Customer agrees to comply with such requirements as to which it has received notice from Credas and such shall be incorporated into these terms and conditions by this reference.

4. Supply of Credas Products

4.1 The parties shall use reasonable efforts to establish connectivity between the Customer System and the Credas System on or shortly after the Effective Date.

4.2 The Customer shall ensure that it promptly complies with any minimum technical API configuration requirements reasonably specified by Credas or its Data Providers, for the purpose of establishing that connectivity.

4.3 Each party shall bear its own costs of establishing that connectivity.

4.4 The Customer may purchase Credas Products by submitting to Credas a Verification Request through the Credas System. Credas may reject any such Verification Request.

4.5 Credas shall, within a reasonable period after any such Verification Request has been submitted and accepted, upload the latest version of the relevant Credas Product from the Credas System to the Customer System.

4.6 Once the relevant Credas Product has been uploaded, the Customer may not cancel or amend the relevant Verification Request.

4.7 Risk in the relevant Credas Product shall pass to the Customer once it has been uploaded from the Credas System to the Customer System.

4.8 Credas shall supply Releases to the relevant Credas Products as such Releases become generally commercially available.

4.9 Once a Release has been supplied or made available under clause 4.8, each such Release shall (as appropriate) become part of, or replace, the applicable Credas Products for the purposes of these terms and conditions.

4.10 The Customer may request that Credas is to supply replacement or additional copies of Credas Products. Credas reserves the right to make additional charges for supplying replacement or additional copies of the Credas Products.

4.11 Credas may on giving 1 month’s written notice to the Customer exclude from these terms and conditions one or more of the Credas Products as it thinks fit, if for any reason the production of such Credas Products has been permanently discontinued.

4.12 Credas may make changes to the Specification that do not adversely affect the Credas Products and shall give written notice of such changes to the Customer as soon as reasonably practicable.

4.13 Credas may suspend access to the Credas Products for operational reasons such as repair, maintenance or improvement or because of an emergency, in which case Credas will give the Customer as much on-line, written or oral notice as possible and shall ensure that the Credas Product is restored as soon as possible following suspension. Credas agrees that it shall, where possible, only suspend access and conduct such repairs, maintenance or improvements outside of normal business hours but the Customer agrees and acknowledges that emergency repairs, improvements or maintenance may need to be conducted during normal business hours.

4.14 Credas shall not be responsible for the decisions that the Customer makes as a result of the Credas Product, or any information contained therein, that Credas provides to the Customer under these terms and conditions.

5. Credas’s undertakings

5.1 Credas shall, during the Term, provide the Credas Products and the Software to the Customer on and subject to these terms and conditions.

5.2 Credas shall use commercially reasonable endeavours to make the Software available 24 hours a day, seven days a week, except for:

5.2.1 planned maintenance carried out during the maintenance window of 10.00 pm to 2.00 am UK time; and

5.2.2 unscheduled maintenance performed outside of normal business hours, provided that Credas has used reasonable endeavours to give the Customer at least 4 business hours’ notice in advance.

5.3 Credas shall, as part of the Credas Products in consideration of the support fees set out on the Credas System, provide the Customer with Credas’ standard customer support services during normal business hours in accordance with Credas’ standard support services in effect at the time that the Customer has access to the Software. Credas may amend the Support Services in its sole and absolute discretion from time to time. The Customer may purchase Increased Support Services by notification to Credas.

5.4 Credas undertakes to provide such information and support as may be reasonably requested by the Customer to enable it properly and efficiently to discharge its duties under these terms and conditions.

5.5 Credas:

5.5.1 does not warrant that:

(i) the Customer’s use of the Software will be uninterrupted or error-free; 

(ii) the Software, Credas Products and/or the Credas Data will meet the Customer’s requirements; and

5.5.2 is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Software and the Credas Product may be subject to limitations, delays and other problems inherent in the use of such communications facilities.

5.6 These terms and conditions shall not prevent Credas from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under these terms and conditions.

5.7 Credas warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under these terms and conditions.

6. Prices and payment

6.1 The Charges to be paid by the Customer to Credas for the Credits required to use the Credas Products shall be identified on the Credas System, as amended by Credas from time to time.

6.2 Credits shall be considered used upon each verification request made, at the point that the request is sent. 

6.3 Any Credits purchased shall be (i) valid for a period of 12 months from the date of purchase, unless otherwise expressly agreed in writing by Credas; and (ii) non-refundable (except as provided for in clause 14.14.6). 

6.4 Credas shall give the Customer 14 days’ notice of any increase in the Charges.

6.5 The Charges in respect of any Credits or any particular Credas Product may not be reviewed more than once in each 12-month period commencing on the expiry of the Initial Period or any anniversary of that date.

6.6 Any expenses, costs and charges incurred by the Customer in the performance of its obligations under these terms and conditions shall be paid by the Customer unless Credas has expressly agreed beforehand in writing to pay such expenses, costs and charges.

6.7 Credas will invoice the Customer monthly in the amount to be due for the month concerned.

6.8 The Customer shall pay the full amount invoiced to it by Credas in pounds sterling within 7 days of the date of invoice.

6.9 Any Deposit paid shall be non-refundable in its entirety. 

6.10 All amounts due under this Agreement shall be paid by the Customer to Credas in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).

6.11 The Customer shall be responsible for the collection, remittance and payment of any or all taxes, charges, levies, assessments and other fees of any kind imposed by governmental or other authority in respect of the purchase, import, of the Credas Products.

6.12 Without limiting the effect of clause 6.8, sums payable under these terms and conditions are exclusive of VAT or any relevant local sales taxes, which shall be charged in accordance with the relevant local regulations in force at the time of making the relevant taxable supply and shall only be payable by the Customer after receipt of a valid VAT or local sales tax invoice. If the VAT invoice is delivered after the relevant payment has been made, the Customer shall pay the VAT due within five Business Days of Credas delivering a valid VAT invoice. If the Customer fails to comply with its obligations under this clause 6.9, it shall additionally pay all interest and penalties that thereby arise to Credas.

6.13 If the Customer fails to make any payment due to Credas under these terms and conditions by the due date for payment, then, without limiting Credas’ remedies under clause 17, the Customer shall pay interest on the overdue amount at the rate of 8% per annum above the Bank of England base rate from time to time. Such interest shall accrue on a daily basis from the due date until actual payment of the overdue amount, whether before or after judgment. The Customer shall pay the interest together with the overdue amount.

6.14 Except as otherwise provided in these terms and conditions, the Customer shall bear the entire cost and expense of the performance of its obligations under these terms and conditions, including taxes. 

6.15 In the event that the Customer contracts with Credas on a subscription basis, the Customer shall set up a standing order prior to receipt of the Credas Products. 

7. Advertising and promotion

7.1 No party shall make, or permit any person to make, any public announcement concerning the agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), except as required by law, any governmental or regulatory authority (including any relevant securities exchange), any court or other authority of competent jurisdiction.

7.2 At Credas’s request, within 14 days of the Effective Date, the parties shall issue a joint and mutually agreed upon press release relating to the agreement. The Customer shall co-operate with and support Credas in its press release and publicity materials.

7.3 Credas may refer to the Customer with other customers or prospective customers of Credas and Credas may provide to third parties the Customer’s name and the names of its customers.

8. Confidentiality

8.1 The term Confidential Information does not include any information that:

8.1.1 is or becomes generally available to the public (other than as a result of its disclosure by the receiving party or its Representatives in breach of this clause 8);

8.1.2 was available to the receiving party on a non-confidential basis before disclosure by the disclosing party;

8.1.3 was, is, or becomes, available to the receiving party on a non-confidential basis from a person who, to the receiving party’s knowledge, is not bound by a confidentiality agreement with the disclosing party or otherwise prohibited from disclosing the information to the receiving party;

8.1.4 was known to the receiving party before the information was disclosed to it by the disclosing party; or

8.1.5 the parties agree in writing is not confidential or may be disclosed.

8.2 Each party shall keep the other party’s Confidential Information confidential and shall not:

8.2.1 use any Confidential Information except for the Permitted Use; or

8.2.2 disclose any Confidential Information in whole or in part to any third party, except as expressly permitted by this clause 8.

8.3 A party may disclose the other party’s Confidential Information to those of its Representatives who need to know that Confidential Information for the Permitted Use, provided that:

8.3.1 it informs those Representatives of the confidential nature of the Confidential Information before disclosure; and

8.3.2 at all times, it is responsible for the Representatives’ compliance with the confidentiality obligations set out in this clause 8.

8.4 The Customer acknowledges that Credas’s Confidential Information includes the Credas Data and the Materials.

8.5 A party may disclose Confidential Information to the extent required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of the disclosure as possible so as to allow Credas to have an opportunity to obtain a protective order to prohibit or restrict such disclosure at its sole cost and expense.  Confidential Information disclosed pursuant to law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction shall otherwise remain subject to the terms applicable to Confidential Information. 

8.6 Each party reserves all rights in its Confidential Information. No rights or obligations in respect of a party’s Confidential Information, other than those expressly stated in these terms and conditions, are granted to the other party, or are to be implied from these terms and conditions.

8.7 The provisions of this clause 8 shall continue to apply after termination of the agreement.

8.8 Upon termination of the agreement or at the request of Credas, the Customer will, without undue delay, return to Credas all Credas Confidential Information and any copies thereof provided to it.

9. Security and passwords

9.1 The Customer shall ensure that the Credas Product and Materials are kept secure by using the Security Features and in an encrypted form, and shall use the best available security practices and systems applicable to the use of the Credas Product and Materials to:

9.1.1 enforce the use restrictions of these terms and conditions; and

9.1.2 prevent, and take prompt and proper remedial action against, unauthorised access, copying, modification, storage, reproduction, display or distribution of the Credas Product and the Materials.

9.2 The Security Features must, unless Credas notifies the Customer otherwise, be kept confidential and not lent, shared, transferred or otherwise misused.

9.3 The Customer shall during the Term:

9.3.1 effect and maintain adequate security measures to safeguard the Credas Products from access or use by any unauthorised person; and

9.3.2 immediately inform Credas if there is any reason to believe that a Security Feature has or is likely to become known to someone not authorised to use it or is being or is likely to be used in an unauthorised way.

9.4 The Customer shall use the highest industry standard security measures to safeguard against unauthorized access to and use of the Credas Product by any individual, computer program, or other unauthorized user.  Further, the Customer shall implement professional monitoring plans under which the Customer shall guard against but otherwise immediately detect any unauthorized access and/or use of the Credas Product. The Customer shall immediately notify Credas of any unauthorized access and/or use of the Credas Product. In addition, the Customer shall notify any other person(s) required to be notified by the Customer under any relevant statute, regulation or order. 

9.5 If the Customer becomes aware, or suspects, or has reason to believe or confirms that there has been any misuse of any Credas Product or the Materials, or any Security Breach in connection with these terms and conditions that could compromise the security or integrity of the Credas Product or the Materials or otherwise adversely affect Credas or its licensors, or if the Customer learns or suspects that any Security Feature has been revealed to or obtained by any unauthorised person:

9.5.1 the Customer shall immediately notify Credas; 

9.5.2 promptly investigate the situation; 

9.5.3 if required by applicable laws, or in Credas’ reasonable discretion, be responsible for all legal and regulatory obligations including any associated costs which may arise in connection with the Security Event that have arisen from the fault of the Customer;

9.5.4 provide all proposed third party notification materials to Credas for review and approval, which shall not be unreasonably withheld, prior to distribution; 

9.5.5 fully co-operate with Credas to remedy the issue as soon as reasonably practicable; 

9.5.6 Credas may suspend the Customer’s rights under these terms and conditions until the misuse or security breach or unauthorised disclosure of the Security Feature is remedied, or if Credas in its sole discretion, determines that immediate action is required to be taken, Credas may terminate the agreement; and

9.5.7 the Customer agrees to co-operate with Credas’s security investigations.

9.6 Credas may change Security Features on notice to the Customer or the Customer users for security reasons.

10. Data protection

10.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 10 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation.

10.2 Each party represents and warrants to the other that it has the right to collect, process and use the personal data for the purpose(s) for which it is accessing the Credas Products, submitting the Customer Data or providing the Credas Data (as applicable) and that it has complied with all other obligations under applicable Data Protection Legislation that relate to its access to and use of the Credas Products / provision of the Customer Data or Credas Data (as applicable), including, without limitation, that before it provides any personal data to the other party, it shall:

10.2.1 make due notification to any relevant regulator including its use and processing of personal data and comply at all times with the Data Protection Legislation; 

10.2.2 ensure it is not subject to any prohibition or restriction which would: (i) prevent or restrict it from disclosing or transferring the personal data to the other party, as required under these terms and conditions; or (ii) prevent or restrict either Party from processing the personal data as envisaged under these terms and conditions; and

10.2.3 ensure that all required notices have been given and, as applicable, all required authorisations or consents have been obtained, and are sufficient in scope to enable each party to process the personal data as required in order to obtain the benefit of its rights, and to fulfil its obligations, under these terms and conditions in accordance with the Data Protection Legislation, including the transfer of such personal data to the other party and the other party’s third party service providers in any jurisdiction.

10.3 To the extent that Credas acts as a processor of personal data of Customer Data on behalf of the Customer under these terms and conditions, Credas shall process such personal data in accordance with the following:

10.3.1 Credas shall implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Data Protection Legislation and ensure the protection of the rights of the data subject;

10.3.2 Credas shall not engage another processor without prior specific or general written authorisation of the Customer. In the case of general written authorisation, Credas shall inform the Customer of any intended changes concerning the addition or replacement of other processors, thereby giving the Customer the opportunity to object to such changes in the manner more specifically set forth herein;

10.3.3 Credas shall process the personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by the Data Protection Legislation governing such personal data; in such a case, Credas shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

10.3.4 ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

10.3.5 take all measures required pursuant to Article 32 of the GDPR;

10.3.6 taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;

10.3.7 assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Credas;

10.3.8 at the choice of the Customer, delete or return all the personal data to the Customer after the end of the provision of services relating to processing and delete existing copies unless Data Protection Legislation requires storage of the personal data;

10.3.9 make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. The rights set out in this clause 10.3.9 are subject to (i) the execution of appropriate confidentiality undertakings or relying on similar obligations in these terms and conditions; (ii) conducted no more than once per year unless a demonstrated reasonable belief of non-compliance with these terms and conditions has been made, upon thirty (30) days written notice and having provided a plan for such review; and (iii) conducted at a mutually agreed upon time and in an agreed upon manner;

10.3.10 immediately inform the Customer if, in its opinion, an instruction from the Customer to Credas infringes the Data Protection Legislation;

10.3.11 to the extent legally permitted, promptly notify the Customer of any data subject requests received by Credas and reasonably cooperate with the Customer to fulfil its obligations under the Data Protection Legislation in relation to such requests. The Customer shall be responsible for any reasonable costs arising from Credas assisting the Customer to fulfil such obligations;

10.3.12 Credas will notify the Customer without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Customer’s request for further information so that Customer may fulfil its obligations under Articles 33 and 34 of the GDPR; and

10.3.13 Credas will ensure that, to the extent that any personal data originating from the UK or European Economic Area (EEA) is transferred to a country or territory outside the UK or EEA that has not received a binding adequacy decision by the European Commission or a competent national data protection authority, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the Data Protection Legislation. 

10.4 Where Credas engages another processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in these terms and conditions shall be imposed on that other processor by way of a contract or other legal act under Data Protection Legislation, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Data Protection Legislation. 

10.5 Credas acts as a data controller in relation to the Credas Data that it controls, including the data that constitutes personal data. The Customer shall comply with the obligations set out in clause 10.3.1 – 10.3.13 inclusive, in relation to such Credas Data, and the clauses shall be interpreted as applying to each party accordingly. 

10.6 The Customer agrees that it shall not permit any of its group companies, operations, businesses, employees, agents or representatives located outside the European Economic Area to access the Credas Products and/or to use the Credas Data unless it has entered into European Commission-approved Standard Contractual Clauses or other appropriate safeguards as described in the Data Protection Legislation. The Customer also agrees that it shall not permit any of its group companies, operations, businesses, employees, agents or representatives located in the US access to the Credas Products and/or to use the Credas Data unless it has entered into a US specific agreement with Credas or a member of Credas’ group.   

10.7 The subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the rights and obligations of the Customer are set forth as follows:

10.7.1 The subject matter of the processing under these terms and conditions is the personal data contained in the Customer Data provided by the Customer to Credas in respect of the Credas Product.

10.7.2 The duration of the processing is the duration of the provision of the Credas Product under these terms and conditions, and for 6 years thereafter for storage and re-access purposes as set out in Credas’ privacy policy. 

10.7.3 The nature and purpose of the processing is in connection with the provision of the Credas Product.

10.7.4 The types of personal data processed under these terms and conditions may include full name, email addresses, home postal addresses, office/institution postal address, social media handles, telephone, mobile phone numbers, business cards and job titles, work section, username and passwords for accessing and using the products and services, education, certifications, professional background and training; gender, photographs, audio and videos; credit card data (for processing purchases); bank account data (for direct deposit payments); government-issued identification, including passport numbers (for identification); date of birth (for identification and marketing); place of birth (for identification); sanction and watch list data; purchase/license/inquiry history; goods, services or content provided; usage data and statistics; connection data; locale data; other unique identifiers such as IP addresses or device IDs; GPS data; and other types of personal data identified in the GDPR, and/or documents, images or other content containing Personal Data submitted by or at the direction of the Customer as part of the products and services.

10.7.5 The categories of data subjects may include representatives, including employees, contractors, agency and temporary personnel, of the Customer, and the Customer’s clients, prospective clients, insurance policyholders and other insured persons, suppliers and other individuals about whom personal data is submitted to Credas by or at the direction of Customer’s clients as part of the products or services.  

10.8 On expiration or termination of the agreement, both parties shall delete or return personal data in accordance with the terms and timelines for the products and services set forth in these terms and conditions, unless Data Protection Legislation, or other applicable law, requires storage of the personal data. 

10.9 Credas may engage other processors for the processing of Customer’s clients’ personal data in accordance with these terms and conditions. Credas shall maintain a list of such processors in its privacy policy, which is available via the Software or upon request, which Credas may update from time to time. At least 7 days before authorising any new such processor to process personal data, Credas shall update the list in its policy. The Customer may object to the change by initiating the Agreement’s dispute resolution process, or in the absence of a dispute resolution procedure, Credas shall use reasonable endeavours to change, modify or remove the affected products or services, in order to avoid processing of the Customer’s clients’ personal data by such new processor to which Customer reasonably objects, or otherwise terminate the Agreement in the event that the Credas Product is unable to be provided without such processor.  

10.10 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Customer and Credas shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: 

10.10.1 the pseudonymisation and encryption of personal data;

10.10.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

10.10.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

10.10.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

10.11 In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

10.12 The Customer and Credas shall take steps to ensure that any natural person acting under the authority of the Customer or Credas who has access to personal data does not process them except on instructions from the Customer, unless he or she is required to do so by Data Protection Legislation or applicable laws.

10.13 The Customer shall indemnify and hold harmless Credas on demand against loss, damage and liability suffered and expenses (including but not limited to legal expenses) incurred by Credas resulting from any claims made by third parties as a result of breach by the Customer of its obligations under Data Protection Legislation or this clause 10.

11. Compliance with laws and regulations

11.1 The Customer shall, subject to clause 12, be responsible for obtaining any import licences or permits necessary for the entry of Credas Products, or their delivery to the Customer, and the Customer shall be responsible for any and all customs duties, clearance charges, taxes, brokers’ fees and other amounts payable in connection with the import and delivery of the Credas Products.

11.2 Credas warrants to the Customer that the Credas Products comply with the Legislation in force at the Effective Date.

11.3 In performing its obligations under these terms and conditions, the Customer shall comply with all Legislation and the Mandatory Policies.

11.4 Both parties shall immediately report any apparent breach of this clause 11 to the other party.  

12. Export

12.1 Neither party shall export, directly or indirectly, any technical data acquired from the other party under these terms and conditions (or any products, including Software, incorporating any such data) in breach of any applicable laws or regulations (Export Control Laws), including United States export laws and regulations, to any country for which the United States or any other government or any agency thereof at the time of export requires an export licence or other governmental approval without first obtaining such licence or approval.

12.2 Each party undertakes:

12.2.1 contractually to oblige any third party to whom it discloses or transfers any such data or products to make an undertaking to it that substantially replicates the one set out in clause 12.1; and

12.2.2 if requested, to provide the other party with any reasonable assistance, at the reasonable cost of the other party, to enable it to perform any activity required by any competent government or agency in any relevant jurisdiction for the purpose of compliance with any Export Control Laws.

13. Anti-bribery

13.1 The Customer shall:

13.1.1 comply with all applicable laws, regulations, and codes relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010 (Relevant Requirements);

13.1.2 not engage in any activity, practice or conduct which would constitute an offence under sections 1, 2 or 6 of the Bribery Act 2010 if such activity, practice or conduct had been carried out in the UK;

13.1.3 comply with Credas’ Ethics, Anti-bribery and Anti-corruption Policies as Credas or the relevant industry body may update them from time to time (Relevant Policies);

13.1.4 have and shall maintain in place throughout the Term its own policies and procedures, including adequate procedures under the Bribery Act 2010, to ensure compliance with the Relevant Requirements, the Relevant Policies and clause 13.1.2 and will enforce them where appropriate;

13.1.5 promptly report to Credas any request or demand for any undue financial or other advantage of any kind received by the Customer in connection with the performance under these terms and conditions;

13.1.6 immediately notify Credas (in writing) if a foreign public official becomes an officer or employee of the Customer or acquires a direct or indirect interest in the Customer (and the Customer warrants that it has no foreign public officials as officers or employees or direct or indirect owners at the Effective Date);

13.1.7 within 1 month of the date of the Effective Date, and annually thereafter, certify to Credas in writing signed by an officer of the Customer, compliance with this clause 13 by the Customer and all persons associated with it under clause 13.2. The Customer shall provide such supporting evidence of compliance as Credas may reasonably request.

13.2 Without prejudice to clause 20.1, the Customer shall ensure that any person associated with the Customer who is performing services in connection with these terms and conditions does so only on the basis of a written contract which imposes on and secures from such person terms equivalent to those imposed on the Customer in this clause 13 (Relevant Terms). The Customer shall in all circumstances be responsible for the observance and performance by such persons of the Relevant Terms, and shall in all circumstances be directly liable to Credas for any breach by such persons of any of the Relevant Terms howsoever arising.

13.3 Breach of this clause 13 shall be deemed a material breach, which is irredeemable, under clause 17.2.2.

13.4 For the purpose of this clause 13, the meaning of adequate procedures and foreign public official and whether a person is associated with another person shall be determined in accordance with section 7(2) of the Bribery Act 2010 (and any guidance issued under section 9 of that Act), sections 6(5) and 6(6) of that Act and section 8 of that Act respectively.

14. Intellectual property rights ownership

14.1 The Customer acknowledges that:

14.1.1 unless otherwise agreed between the parties, all Intellectual Property Rights in and to the Credas Product, including the Credas Data belong, and shall belong, to Credas and/or its Data Providers;

14.1.2 it shall have no rights in or to the Credas Products or the Materials other than the right to use them in accordance with the express terms of these terms and conditions; and

14.1.3 Credas or its Data Providers has or have made and will continue to make substantial investment, time and funds in the obtaining, verification, selection, co-ordination, development, presentation and supply of the Credas Data. The Credas Data and information contained therein, are, and will continue to be, the exclusive property of Credas and/or its Data Providers. Nothing contained in these terms and conditions shall be deemed to convey to the Customer, or to any other party, any right, title or interest, including any patent, copyright or other Intellectual Property Rights, in or to the Credas Data (except to the extent of the limited licence granted by virtue of these terms and conditions). 

14.2 The Customer shall, at the expense of Credas, take all such steps as Credas may reasonably require to assist Credas in maintaining the validity and enforceability of the Intellectual Property Rights of Credas during the Term.

14.3 Without prejudice to the right of the Customer or any third party to challenge the validity of any Intellectual Property Rights of Credas, the Customer shall not do or authorise any third party to do any act that would or might invalidate or be inconsistent with any Intellectual Property Rights of Credas and shall not omit or authorise any third party to omit to do any act that, by its omission, would have that effect or character.

14.4 Credas makes no representation or warranty as to the validity or enforceability of the Intellectual Property Rights in the Credas Products and the Trade Marks nor as to whether the same infringe any Intellectual Property Rights of third parties.

14.5 The Customer shall not:

14.5.1 copy the Credas Products or any part of any of them except to the extent and for the purposes expressly permitted by these terms and conditions; or 

14.5.2 modify, adapt, develop, create any derivative work, reverse engineer, decompile, disassemble or carry out any act otherwise restricted by copyright or other Intellectual Property Rights in the Software except and only to the extent that it is expressly permitted by applicable laws.

14.6 The Customer acknowledges and agrees that for any breach of clause 14.5, Credas will not have an adequate remedy at law and consequently (without limiting the right of Credas to any other remedy), shall be entitled to specific performance, and the Customer further consents (without limiting the right of Credas to any other remedy) to the entry of an immediate injunction without the need for posting a bond against any threatened or continuing breach.

14.7 The Customer acknowledges that it has received, whether as application programming interfaces or otherwise, sufficient information to enable it to use the Credas Product in the manner envisaged by these terms and conditions.

14.8 Except as expressly provided in these terms and conditions, the Customer shall not:

14.8.1 use the Credas Products (wholly or in part) in its products or services; or

14.8.2 distribute the Credas Products (wholly or in part).

14.9 The Customer shall ensure that each reference to, and use of, any of the Trade Marks by the Customer is in a manner approved from time to time by Credas and accompanied by an acknowledgement in a form approved by Credas that the same is a trade mark (or registered trade mark) of Credas. 

14.10 The Customer shall not use:

14.10.1 any of the Trade Marks in any way that might prejudice their distinctiveness or validity or the goodwill of Credas in the Trade Marks;

14.10.2 in relation to the Credas Products, any trade marks other than the Trade Marks without obtaining the prior written consent of Credas; or

14.10.3 any trade marks or trade names so resembling any trade mark or trade names of Credas as to be likely to cause confusion or deception.

14.11 Other than the licences expressly granted under these terms and conditions, neither party grants any licence of, right in or makes any assignment of any of its Intellectual Property Rights. In particular, except as expressly provided in these terms and conditions, the Customer shall have no rights in respect of any trade names or trade marks used by Credas in relation to the Credas Products or their associated goodwill, and the Customer acknowledges that all such rights and goodwill shall inure for the benefit of and are (and shall remain) vested in Credas. Without limitation, the Customer acknowledges that reference in any element of the Materials to trade names or proprietary products where no specific acknowledgement of such names or products is made does not imply that such names or products may be regarded by the Customer as free for general use, outside the scope of the use of the Materials authorised by these terms and conditions.

14.12 At the request of Credas, the Customer shall do or procure to be done all such further acts and things (including the execution of documents) as Credas shall require to give Credas the full benefit of these terms and conditions.

14.13 The Customer shall promptly give notice in writing to Credas in the event that it becomes aware of:

14.13.1 any infringement or suspected infringement of the Trade Marks or any other Intellectual Property Rights in or relating to the Credas Products; and

14.13.2 any claim that any Credas Product or the manufacture, use, sale or other disposal of any Credas Product, whether or not under the Trade Marks, infringes the rights of any third party.

14.14 In the case of any matter falling within clause 14.4:

14.14.1 Credas shall, in its absolute discretion determine what action if any shall be taken in respect of the matter;

14.14.2 Credas shall have sole control over and shall conduct any consequent action as it shall deem necessary;

14.14.3 Credas shall pay all costs in connection with that action and shall be entitled to all damages and other sums that may be paid or awarded as a result of any such action;

14.14.4 Credas shall have the right to suspend any part of the Credas Product that is subject to the infringement claim made by the third party;

14.14.5 modify the Credas Product, so as to avoid any alleged infringement, provided that the modification does not materially affect the performance of the Credas Product;

14.14.6 terminate the agreement upon written notice to the Customer and provide a refund to the Customer of any prepayment of Credits which remain unused at the date of termination.

14.15 Credas shall defend the Customer, its officers, directors and employees against any claims that the marketing, advertising or distribution of the Credas Products in accordance with these terms and conditions infringes any UK Intellectual Property Right and shall be responsible for any amounts awarded against the Customer in judgment or settlement as a result of such claim, provided that:

14.15.1 Credas is given prompt notice of such claim, specifying the nature of the claim in reasonable detail;

14.15.2 the Customer provides reasonable co-operation to Credas in the defence and settlement of such claim, at Credas’s expense;

14.15.3 Credas is given sole authority to defend or settle the claim; and

14.15.4 the Customer does not make any admission of liability, agreement or compromise in relation to the claim without the prior written consent of Credas (such consent not to be unreasonably conditioned, withheld or delayed).

14.16 In the defence or settlement of a claim, Credas may obtain for the Customer the right to continue using the Credas Products in the manner contemplated by these terms and conditions, replace or modify the Credas Product so that it becomes non-infringing or, if such remedies are not reasonably available, terminate the agreement immediately by notice in writing and without liability to the Customer.

14.17 Credas shall have no liability under clause 14.15 if the alleged infringement is based on:

14.17.1 a modification of the Credas Products by any person other than Credas;

14.17.2 the Customer’s use of the Credas Products in a manner contrary to the instructions given to the Customer by Credas;

14.17.3 the Customer’s use of the Credas Products after notice of the alleged or actual infringement from Credas or any appropriate authority;

14.17.4 use of the Credas Products in combination with any hardware or Software not supplied or approved by Credas;

14.17.5 use of the Credas Products for any purpose other than that for which they are designed;

14.17.6 use of a superseded Release of the Credas Products; or

14.17.7 the Customer’s failure to provide a suitable environment for connecting the Customer System to the Credas System in breach of clause 4.2.

14.18 Notwithstanding any other provision in these terms and conditions, the foregoing states the Customer’s sole and exclusive rights and remedies, and Credas’ entire obligations and liability, in the case of any matter falling under clause 14.13.2.

14.19 Each party shall, at the request and expense of the other, provide all reasonable assistance to the other (including the use of its name in, or being joined as a party to, proceedings) in connection with any action to be taken by the other party, provided that that party is given such indemnity as it may reasonably require against any damage to its name or reputation.

14.20 The provision of all reasonable assistance by the Customer under clause 14.19 shall include the provision to Credas and its professional advisors of access at reasonable times, on reasonable prior notice, to its premises and its officers, directors, employees, agents, representatives or advisers, and to any relevant assets, accounts, documents and records within the power or control of the Customer, so as to enable Credas and its professional advisors to examine them and to take copies (at Credas’ expense) for the purpose of assessing the relevant claim.

14.21 The Customer acknowledges that the obligation contained in clause 14.15 is solely for the benefit of the Customer who has no authority to extend this indemnity to any third-party or any other person.

15. Warranties

15.1 Each party represents, warrants and undertakes that:

15.1.1 it has full capacity and authority and all necessary consents to enter into and to perform the agreement and to grant the rights and licences referred to in these terms and conditions and that these terms and conditions are executed by its duly authorised representative and represents a binding commitment on it; and

15.1.2 it shall comply with all applicable Legislation in the performance of its obligations under these terms and conditions.

15.2 Credas warrants to the Customer that the Credas Products supplied or licensed by it under these terms and conditions will operate substantially in accordance with, and perform, the material functions and features as set out in the applicable part(s) of the Specification. 

15.3 Credas’s warranties in clause 15.2 are solely for the benefit of the Customer, who has no authority to extend this warranty to any third party or any other person.

15.4 If Credas breaches the warranty in clause 15.2, and the Customer so notifies Credas within five (5) days after receipt of the Credas Data, the Customer’s sole remedy and Credas’s only obligation and liability to the Customer shall be for Credas:

15.4.1 to replace the Credas Product / Credas Data in question; or

15.4.2 at Credas’s option, to repay any price paid for the defective Credas Product.

15.5 Credas shall have no liability under the warranty in clause 15.2 if the non-performance is attributable to any of the causes set out below:

15.5.1 a modification of the Credas Products by any person other than Credas;

15.5.2 use of the Credas Products in combination with any hardware or Software not supplied or approved by Credas;

15.5.3 use of the Credas Products for any purpose other than that for which they are designed;

15.5.4 use of a superseded Release; or

15.5.5 failure to provide a suitable installation environment under clause 4.2.

15.6 Except as expressly and specifically provided in these terms and conditions, all warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from these terms and conditions.

15.7 Without limiting the effect of clause 15.6, Credas does not warrant that:

15.7.1 the supply of the Credas Product will operate without interruption or be error-free;

15.7.2 the Software will run on the Customer System;

15.7.3 the Credas Products or the functions contained in the Credas Products will meet the Customer’s requirements; or

15.7.4 the Credas Product has been tested for use by the Customer or any third party or that the Credas Product will be suitable for or be capable of being used by any third party.

16. Limitation of liability

16.1 Neither party excludes or limits liability to the other party for:

16.1.1 fraud or fraudulent misrepresentation;

16.1.2 death or personal injury caused by negligence;

16.1.3 a breach of any terms implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or

16.1.4 any matter for which it would be unlawful for the parties to exclude liability.

16.2 Subject to clause 16.1, Credas shall not in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, to the Customer or third party for:

16.2.1 any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;

16.2.2 any loss or corruption (whether direct or indirect) of data or information;

16.2.3 loss (whether direct or indirect) of anticipated savings or wasted expenditure (including management time); or

16.2.4 any loss or liability (whether direct or indirect) under or in relation to any other contract; 

even if Credas is advised of the possibility of such damages. 

16.3 Subject to clause 16.1, Credas’ total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of the agreement under these terms and conditions or any collateral contract shall in all circumstances be limited to the lesser of:

16.3.1 £1,000,000; or

16.3.2 100% of the total Charges paid by the Customer to Credas during the 12 month period immediately before the date on which the cause of action first arose or, if the cause of action arose during the Initial Period, in respect of the Initial Period.

16.4 Credas shall not be liable for any delay in delivery of the Credas Products that is caused by an event within the scope of clause 19 or the Customer’s failure to provide Credas with adequate instructions that are relevant to the supply of the Credas Products or the Customer’s failure to comply with clause 4.2.

16.5 Without limiting the effect of the other provisions of this clause 16, if the agreement is terminated for any reason other than termination by the Customer on the ground of Credas’ material breach under clause 17.2.2,  Credas shall not be liable:

16.5.1 to provide the Customer with any Credas Product or any product, service or solution relating to any Credas Data; or

16.5.2 for the consequences of the inability of the Customer to comply with the terms of any other arrangements that the Customer may have entered into with any third party.

16.6 The Customer shall indemnify and hold harmless Credas, and its affiliates, against any and all liabilities, claims, losses, damages, costs (including all legal fees) and expenses incurred by or awarded against Credas or any Data Provider arising out of or in connection with:

16.6.1 the use, disclosure, sale or transfer of the Credas Data by the Customer, or for the Customer’s breach of these terms and conditions; 

16.6.2 access to or use or distribution of Credas Products or Materials by the Customer otherwise than in accordance with these terms and conditions (including any inaccurate or incomplete Report);

16.6.3 the development, marketing, licensing or use of any Customer Product; or

16.6.4 the provision of any Data or material by the Customer to Credas.

(Claims). For clarity, Claims shall include any claim or action claiming that the provision, receipt or use of any Customer Product or any such Data or material (wholly or in part) infringes any UK Intellectual Property Right of a third party.

16.7 Subject to the Customer not having breached clause 3.1.2, the indemnity set out in clause 16.6 shall not apply to any Claim to the extent that it has arisen out of or in connection with any negligence or wilful default of Credas.

16.8 The Customer acknowledges that each Data Provider and any other provider of services to Credas has the benefit of and may directly enforce the exclusions and limitations set out in this clause 16, as if the provisions of this clause 16 were set out in full in these terms and conditions and each reference to Credas were replaced by that Data Provider or other provider (as the case may be).

16.9 Credas shall have no liability or obligation under clause 15.4 if it is exempted from liability under clause 15.5.

16.10 The Customer has or will obtain, and the Customer shall maintain during the Term, a business general liability insurance policy from a grade A or higher insurance company authorized to conduct business in the UK, and such insurance policy shall have coverage in amounts not less than One Million Pounds Sterling (£1,000,000.00) per claim, Two Million Pounds Sterling (£2,000,000.00) aggregate. The Customer will notify Credas in writing before any changes, modifications, or cancellations are made to such policy, and the Customer shall provide copies of such policies to Credas.

17. Term and termination

17.1 These terms and conditions shall take effect on the Effective Date and shall, unless terminated earlier in accordance with clause 17.2, continue for the Initial Period, and will automatically renew on the expiry of the Initial Period for subsequent terms of 12 months (“Renewal Period”) unless either party provides notice to terminate the agreement upon the expiry of the Initial Period, or the Renewal Period as applicable, on no less than 30 days written notice.

17.2 Without prejudice to any rights that have accrued under these terms and conditions or any of its rights or remedies, either party may terminate the agreement with immediate effect by giving written notice to the other party if:

17.2.1 the other party fails to pay any amount due under these terms and conditions on the due date for payment and remains in default not less than 14 days after being notified to make that payment;

17.2.2 the other party commits a material breach of any term of these terms and conditions (other than failure to pay any amounts due under these terms and conditions) and (if that breach is remediable) fails to remedy that breach within a period of 30 days after being notified to do so;

17.2.3 the other party:

17.2.3.1 suspends, or threatens to suspend, payment of its debts;

17.2.3.2 is unable to pay its debts as they fall due or admits inability to pay its debts;

17.2.3.3 is deemed unable to pay its debts within the meaning of section 123 of the Insolvency Act 1986;

17.2.4 the other party commences negotiations with all or any class of its creditors with a view to rescheduling any of its debts, or makes a proposal for or enters into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;

17.2.5 a petition is filed, a notice is given, a resolution is passed, or an order is made, for or in connection with the winding up of that other party other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party;

17.2.6 an application is made to court, or an order is made, for the appointment of an administrator, or if a notice of intention to appoint an administrator is given or if an administrator is appointed, over the other party;

17.2.7 the holder of a qualifying floating charge over the assets of that other party has become entitled to appoint or has appointed an administrative receiver;

17.2.8 a person becomes entitled to appoint a receiver over the assets of the other party or a receiver is appointed over the assets of the other party;

17.2.9 a creditor or encumbrancer of the other party attaches or takes possession of, or a distress, execution, sequestration or other similar process is levied or enforced on or sued against, the whole or any part of the other party’s assets and that attachment or process is not discharged within 14 days;

17.2.10 any event occurs or proceeding is taken with respect to the other party in any jurisdiction to which it is subject that has an effect equivalent or similar to any of the events mentioned in clause 17.2.3 to clause 17.2.9 (inclusive); or

17.2.11 the other party suspends or ceases, or threatens to suspend or cease, carrying on all or a substantial part of its business; 

17.3 Without prejudice to any other rights or remedies to which Credas may be entitled, Credas may terminate the Agreement without liability to the Customer if:

17.3.1 the Customer commits a breach of its obligation in clause 11.3;

17.3.2 the Customer challenges or disputes the validity of any of Credas’s Intellectual Property Rights;

17.3.3 the Customer purports to assign any of its rights or obligations under these terms and conditions;

17.3.4 Credas determines or reasonably suspects that the Customer is violating any provision of these terms and conditions, or any Legislation, regulation or rules described in these terms and conditions;

17.3.5 there is a change of control of the Customer (within the meaning of section 1124 of the Corporation Tax Act 2010); or

17.3.6 Credas’ licence with its Data Provider terminates for any reason.

18. Effects of termination

18.1 On termination or expiry of the agreement for any reason:

18.1.1 the Customer shall (at its sole cost) return (or at Credas’ option, destroy) all media (subject to clause 18.1.2) on which the Credas Products are held and the Customer shall stop combining or using the Credas Products with the Customer Products;

18.1.2 after termination or expiry of this agreement, the Customer shall:

18.1.2.1 promptly return to Credas, or otherwise dispose of as Credas may instruct, all Credas Data, samples, technical pamphlets, catalogues, advertising materials, specifications and other materials, documents or papers whatsoever sent to the Customer and relating to Credas’ business (other than correspondence that has passed between the parties) that the Customer may have in its possession or under its control; and

18.1.2.2 the Customer shall discontinue all use of the Trade Marks and shall not advertise, promote, resell, distribute or otherwise deal in any products bearing the Trade Marks;

18.1.3 the accrued rights, remedies, obligations or liabilities of the parties at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced including  clause 8 to clause 18 inclusive; and

18.1.4 subject to the foregoing provisions of this clause 18.1, all rights and licences of the Customer under these terms and conditions shall terminate.

18.2 The termination of the agreement shall not of itself give rise to any liability on the part of Credas to pay any compensation to the Customer for loss of profits or goodwill, to reimburse the Customer for any costs relating to or resulting from such termination, or for any other loss or damage.

18.3 The Customer shall provide written confirmation (in the form of a letter signed by a director) of compliance with clause 18.1.2 no later than 14 days after termination of the agreement.

18.4 If a party is required by any Legislation to retain any documents or materials that it would otherwise be required to return or destroy under clause 18.1, it shall notify the other party in writing of that retention, giving details of the documents or materials that it must retain. That party shall not be in breach of clause 18.1 with respect to the retained documents or materials, but clause 8 shall continue to apply to them.

19. Force majeure

Neither party shall be in breach of these terms and conditions nor liable for delay in performing, or failure to perform, any of its obligations under these terms and conditions if that delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 4 weeks, the party not affected may terminate the agreement by giving 14 days’ written notice to the other party.

20. Assignment

20.1 These terms and conditions are personal to the Customer and it shall not assign, transfer, mortgage, charge, declare a trust of or deal in any other manner with any of its rights and obligations under these terms and conditions without the prior written consent of Credas.

20.2 The Customer shall not be entitled to subcontract any of its obligations under these terms and conditions. If any third party requests to use the Credas Products as a reseller from the Customer, the Customer shall direct them to Credas. 

20.3 The Customer confirms it is acting on its own behalf and not for the benefit of any other person.

20.4 Credas may at any time assign, transfer, mortgage, charge, subcontract, declare a trust of or deal in any other manner with any of its rights and obligations under these terms and conditions without the consent of the Customer.

21. Waiver

No failure or delay by a party to exercise any right or remedy provided under these terms and conditions or by law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.

22. Remedies

Except as expressly provided in these terms and conditions, the rights and remedies provided under these terms and conditions are in addition to, and not exclusive of, any rights or remedies provided by law.

23. Notice

23.1 Any notice or other communication required to be given to a party under or in connection with these terms and conditions shall be in writing and shall be delivered by hand or sent by pre-paid first class post or other next working day delivery service providing proof of postage, at its registered office, or sent by fax to the other party’s main email address.

23.2 Any notice or communication shall be deemed to have been received:

23.2.1 if delivered by hand, on signature of a delivery receipt at the time the notice is left at the proper address;

23.2.2 if sent by email, at 9.00 am on the next Business Day after transmission; or

23.2.3 if neither (a) nor (b) apply, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service.

23.3 This clause 23 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution. For the purposes of this clause 23, writing shall not include e-mail.

24. Entire agreement

24.1 The agreement constitutes the entire agreement between the parties and supersedes all previous discussions, correspondence, negotiations, arrangements, understandings and agreements between them relating to its subject matter.

24.2 Each party acknowledges that in entering into the Agreement it does not rely on, and shall have no remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in these terms and conditions.

24.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the agreement.

25. Variation

Except as expressly provided in these terms and conditions, no variation of these terms and conditions shall be effective unless it is in writing and signed by the parties (or their authorised representatives). Email shall not suffice as writing for the purposes of this clause. 

26. Severance

26.1 If any provision or part-provision of these terms and conditions is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of these terms and conditions.

26.2 If any provision or part-provision of these terms and conditions is deemed deleted under clause 26.1 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

27. No partnership or agency

27.1 Nothing in these terms and conditions is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.

27.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.

28. Third-party rights

28.1 Except as expressly provided elsewhere in these terms and conditions, a person who is not a party to the agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the agreement, but this does not affect any right or remedy of a third party that exists, or is available, other than in that Act.

28.2 The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under these terms and conditions are not subject to the consent of any person that is not a party to the agreement.

29. Governing law and jurisdiction

29.1 These terms and conditions and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

29.2 Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with the agreement, these terms and conditions or its subject matter or formation (including non-contractual disputes or claims).

Schedule 1
Third Party Additional Terms

The following additional terms will apply depending on the Credas Product that the Customer is purchasing:

Facial Recognition and/or document verification:

1. The Customer must not use the Service for the purposes of verifying the identity of data subjects where the Customer does not have the relevant permission or consent from the data subject in accordance with the Data Protection Legislation.

 

2. The Customer shall be responsible for the creation, maintenance and design of all data provided by the Customer to Credas.

 

3. The Customer acknowledges and accepts that occasionally Credas (or its Data Provider) may be required to:

(a) change the Specification for operational reasons, however, Credas will ensure that any change to the Specification does not materially reduce or detrimentally impact the performance of Credas Product;

(b) give the Customer instructions which it reasonably believes are necessary to enhance or maintain the quality of the Credas Product provided by Credas and Credas shall not be responsible for any errors resulting from the Customer’s non-compliance with such instructions.

 

4. The Customer shall be responsible for:

(a) ensuring that it has a minimum of one system administrator;

(b) informing Credas of any changes to the Customer’s system administrator’s contact details without undue delay;

(c) providing the telecommunications and network services and correctly configured hardware and other equipment needed to connect to the Software;

(d) the configuration and management of access to the Software including configuration of the Customer’s network, firewall, DNS, routers, personal computers and user profile; 

(e) obtaining Credas’ prior written consent to any integration of Credas Product into a website or call centre application which the Customer may wish to undertake; and

(f) any work required for any integration approved by Credas.

 

5. The Customer shall ensure that:

(a) any use of the Credas Product for the purpose of testing, development, or any activity that affects the production environment’s usage, license model or configuration (“Testing Activity”) must be reported to Credas prior to the Testing Activity taking place; and

(b) any Credas Product used in a test/staging environment must at all times be licensed appropriately and adhere to all relevant usage restrictions as advised by Credas.

 

6. The Customer acknowledges that it is solely responsible for supplying Credas with written notification of any intention to conduct Testing Activity. If any Testing Activity takes place prior to Credas being notified, then any such usage shall be charged. 

 

7. The Customer acknowledges and accepts that Credas cannot process payment cards as it does not follow the Payment Card Industry Data Security Standard. Consequently, the Customer must not send Credas images of payment cards.

 

8. The Customer must retain back-up copies of all information provided to Credas.

 

9. The Customer shall only access the Credas Product as permitted by Credas and shall not attempt at any time to circumvent system security or access the source software or compiled code. 

 

10. Upon no less than seven (7) days’ prior written notice, Credas may vary the Third Party Additional Terms and such varied terms shall become effective upon the expiry of the seven (7) day notice period or such later date as the notice may specify. 

 

11. The Customer procures the grant of a non-transferable, non-exclusive, royalty free licence to use, disclose and copy the information provided to Credas to enable Credas to carry out its obligations under these terms and conditions.

 

12. The Customer warrants that:

(a) it will not use or exploit the Intellectual Property Rights in the Credas Product or permit others to use or exploit the Intellectual Property Rights in the Credas Product outside of the terms of the licence granted to the Customer under these terms and conditions. 

(b) all computers and/or IT systems which Credas are required to use, are legally licensed to the Customer or are the Customer’s property and that such activities by Credas will not infringe the rights of any third party;

(c) the use of the Credas Product by the Customer through any software, equipment, materials or services not provided by Credas will not infringe the rights of any third party;

(d) Credas’ compliance with any designs or specifications provided by the Customer, or on the Customer’s behalf will not infringe the rights of any third party; and 

(e) the use by Credas of the data provided by the Customer through the provision of the service in accordance with the terms of the Agreement, will not infringe any third party’s Intellectual Property Rights.

 

13. Due to Credas’ reliance on its Data Providers, and telecommunication services, over which Credas has no direct control, Credas cannot warrant:

(a) suitability for purpose/requirements and/or uninterrupted availability of the Credas Product; or

(b) that the use of the Credas Product will meet the Customer’s business requirements and the Customer accepts that the Credas Product was not designed or produced to the Customer’s individual requirements and that they are responsible for their selection.

 

14. The Parties acknowledge that damages alone may not be an adequate remedy for a breach by the other Party. Accordingly, without prejudice to any other rights and remedies it may have, the injured Party shall be entitled to seek specific performance and/or injunctive or other equitable relief.

 

15. Credas makes no warranty (i) that the Software is or will be compatible with any rules, requirements or guidelines of the owners or operators of other platforms which may be used by the Customer, (ii) regarding the accuracy or suitability of the templates contained within the Credas Product; or (iii) that the use of the Software, or the Credas Product will meet the Customer’s business requirements.

 

Data Services

1. The Customer shall not use the Credas Products for the following purposes: (a) marketing; (b) employment screening; (c) credit assessment purposes. 

2. The Credas Data is supplied subject to additional terms of its Data Providers, which are available upon request and are hereby incorporated into the Agreement as if written in full herein.

3. The Customer shall adhere to and implement all of the security and audit requirements set out in Schedule 3.

4. In performing its obligations under these terms and conditions, the Customer shall comply with the Code.

5. The Customer acknowledges that Data Providers are subject to economic sanctions laws, including but not limited to those enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”), the European Union, and the United Kingdom.  Accordingly, the Customer shall comply with all economic sanctions laws of the United States, the European Union, the United Kingdom and the GCC as appropriate.  The Customer shall not provide access to Credas Products to any individuals identified on OFAC’s list of Specially Designated Nationals (“SDN List”), the UK’s HM Treasury’s Consolidated List of Sanctions Targets, or the EU’s Consolidated List of Persons, Groups, and Entities Subject to EU Financial Sanctions.  Customer shall not take any action, which would place Credas or its licensors in a position of non-compliance with any such economic sanctions laws. 

6. The Customer acknowledges that Credas, or its Data Provider, maintains a database, updated on a periodic basis, from which the Customer obtains and sells Credas Data, and that Credas does not undertake a separate investigation for each inquiry or request for Credas Data made by the Customer.  The Customer also acknowledges that the prices Credas charges the Customer for the Credas Products, are based upon Credas’ expectation that the risk of any loss or injury that may be incurred by use of the Credas Products will be borne by the Customer and not Credas.  The Customer therefore agrees that it is responsible for determining that the Credas Products and the Credas Data are in accordance with Credas’ obligations under these terms and conditions.  If the Customer reasonably determines that the Credas Data does not meet Credas’ obligations under these terms and conditions, Customer shall so notify Credas in writing within five (5) days after receipt of the Credas Data in question. The Customer’s failure to notify Credas within the specified period, shall mean that the Customer accepts the Credas Data as is, and Credas will be discharged of any liability for non-performance. 

7. Without limiting the effect of clause 15.6 of the agreement, Credas does not warrant that the Credas Data is accurate, complete, reliable, secure, useful, fit for purpose, timely or of a particular quality. 

8. Disclaimer of Warranty: Credas will use reasonable efforts to deliver the Credas Products requested by the Customer; provided, however, that the Customer accepts all information contained in the Credas Data “AS IS.” Because the Credas Products involve conveying information and data provided to Credas by other sources, Credas cannot and will not, be an insurer or guarantor of the accuracy or reliability of the Credas Product, Credas Data contained in its database, or in the Credas Product. CREDAS DOES NOT GUARANTEE OR WARRANT THE ACCURACY, TIMELINESS, COMPLETENESS, CURRENTNESS, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OF THE CREDAS PRODUCT OR CREDAS DATA, INFORMATION IN THE CREDAS PRODUCT OR CREDAS DATA OR THE MEDIA ON OR THROUGH WHICH THE CREDAS PRODUCTS ARE PROVIDED AND SHALL NOT BE LIABLE TO CUSTOMER, TO ANY END USERS OR OTHER THIRD PARTIES FOR ANY LOSS OR INJURY ARISING OUT OF OR CAUSED IN WHOLE OR IN PART BY CREDAS’ ACTS OR OMISSIONS, IN PROCURING, COMPILING, COLLECTING, INTERPRETING, REPORTING, COMMUNICATING OR DELIVERING THE CREDAS PRODUCT OR CREDAS DATA OR INFORMATION THEREIN UNLESS CAUSED BY CREDAS’ NEGLIGENCE OR WILFUL MISCONDUCT.

9. The Customer warrants not to sue or maintain any cause of action, claim, demand, cross claim, third party action or other form of litigation or arbitration against Credas, its Data Providers, officers, directors, employees, contractors, agents, affiliated bureaus or subscribers arising out of or relating in any way to the Credas Products (or information therein) being blocked by Credas or not being accurate, timely, complete or current. The Customer agrees that Credas and its Data Providers are entitled to enforce the data security, use, legal compliance and indemnification provisions of these terms and conditions directly against the Customer.

 

 

Schedule 2

Trade marks

Trade mark number: UK00003206140 

 

Schedule 3

Customer Security and Audit Requirements

THESE TERMS SHALL ONLY APPLY TO CUSTOMERS WHO ARE RECEIVING DATA SERVICES 

INTRODUCTION

The Customer must appropriately protect data.  

The Customer must keep all information confidential and secure and must take appropriate measures to protect against misuse and/or unauthorized access.  

The Customer must implement an audit program. 

The Customer must develop and implement a defined audit program designed to detect unauthorized use of the Credas Products, Software or information. 

Upon request, the Customer agrees to provide Credas with any documentation related to the above.

I. CUSTOMER SECURITY REQUIREMENTS 

A USE RESTRICTIONS

The Customer acknowledges that the Credas Products and information available therein may include personally identifiable information and Customer is required to keep all such information confidential and secure. Accordingly, the Customer shall take appropriate measures to protect against the misuse and/or unauthorized access through or to User IDs and passwords. The Customer shall:

(a) restrict access to the Credas Products to those employees who have a need to know as part of their official duties;

(b) ensure that none of its employees (i) obtain and/or use any information from the Credas Products for personal reasons, or (ii) transfer any information received through the Credas Products to any party except as permitted hereunder;

(c) keep all User IDs and related passwords, or other security measures used to access the Credas Products confidential and prohibit the sharing of User IDs;

(d) immediately deactivate the User ID of any employee who no longer has a need to know, or for terminated employees on or prior to the date of termination;

(e) take all commercially reasonable measures to prevent unauthorized access to, or use of, the Credas Products or Credas data received there from, whether the same is in electronic form or hard copy, by any person or entity;

(f) maintain and enforce data destruction procedures to protect the security and confidentiality of all information obtained through Credas Products as it is being disposed;

(g) unless otherwise required by law, purge all information received through the Credas Products and stored electronically or on hard copy by the Customer which is not required for the purposes of providing access to the results data obtained to provide to the Customer’s customers within ninety (90) days of initial receipt;

(h) be capable of receiving the Credas Products where the same are provided utilizing “secure socket layer,” or such other means of secure transmission as is deemed reasonable by Credas;

(i) not access and/or use the Credas Products via mechanical, programmatic, robotic, scripted or other automated search means, other than through batch or machine-to-machine applications approved by Credas; and

(k) take all steps to protect its networks and computer environments, or those used to access the Credas Products, from compromise.

The Customer agrees that on at least a quarterly basis, it will review searches performed by its User IDs to ensure that such searches were performed for a legitimate business purpose and in compliance with all terms and conditions herein, and shall use commercially reasonable efforts to follow additional policies and procedures for account maintenance as may be communicated to Customer by Credas from time to time.

Further, the Customer shall ensure that personal data shall be processed in a manner that ensures appropriate security, integrity and confidentiality of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

B SECURITY POLICIES AND PROCEDURES AND INCIDENT NOTIFICATION

The Customer will implement policies and procedures to prevent unauthorized use of User IDs and the Credas Products and information related thereto and will immediately notify Credas if the Customer suspects, has reason to believe or confirms that a User ID or the Credas Products (or data derived directly or indirectly there from) is or has been lost, stolen, compromised, misused or used, disclosed, accessed or acquired in an unauthorized manner or by any unauthorized person, or for any purpose other than legitimate business reasons.  The Customer shall, without undue delay, investigate all such instances.  The Customer is solely liable for all costs associated therewith and shall further reimburse Credas for any expenses Credas or its Data Providers incur due to the Customer’s failure to prevent such impermissible use or access of User IDs and/or the Credas Products, or any actions required as a result thereof.  

Furthermore, in the event that the Credas Products provided to the Customer include personally identifiable information (including, but not limited to, social security numbers, driver’s license numbers or dates of birth), the following shall apply: the Customer acknowledges that, upon unauthorized acquisition or access of or to such personally identifiable information, including but not limited to that which is due to use by an unauthorized person or due to unauthorized use (a “Security Event”), the Customer shall, in compliance with law or as may be required at Credas’ discretion, notify the individuals whose information was potentially accessed or acquired that a Security Event has occurred, and also notify any other parties (including but not limited to regulatory entities and credit reporting agencies).

The Customer agrees that such notification shall not reference Credas or its Data Providers or the Credas Products through which the data was provided, nor shall Credas or the Credas Products be otherwise identified or referenced in connection with the Security Event, without Credas’ express written consent.  

The Customer shall be solely responsible for any other legal or regulatory obligations that may arise under Legislation in connection with a Security Event and shall bear all costs associated with complying with legal and regulatory obligations in connection therewith.

The Customer shall remain solely liable for all costs and claims that arise from a Security Event, including, but not limited to, costs for litigation (including attorneys’ fees), and reimbursement sought by individuals, including but not limited to, costs for credit monitoring or allegations of loss in connection with the Security Event, and to the extent that any claims are brought against Credas, shall indemnify Credas from such claims. The Customer shall provide samples of all proposed materials to notify consumers and any third-parties, including regulatory entities, to Credas for review and approval prior to distribution.  In the event of a Security Event, Credas may, in its sole discretion, take immediate action, including suspension or termination of the Customer’s account, without further obligation or liability of any kind. If the Customer is contacted by a government or law enforcement agency regarding suspected or actual misuse of Credas Products, the Customer will immediately notify Credas unless expressly prohibited from doing so by the government or law enforcement agency. 

C SECURITY OF CREDAS DATA

The Customer certifies that it has not been the subject of any proceeding regarding any trust related matter including, but not limited to, fraud, counterfeiting, identity theft and the like, and that the Customer has not been the subject of any civil, criminal or regulatory matter that would create an enhanced security risk to Credas or its data. If any such matter has occurred or occurs during the course of the Customer’s relationship with Credas, the Customer shall provide to Credas a signed statement, along with all relevant supporting documentation, providing all details of such matter.  

D CUSTOMER’S COMPREHENSIVE INFORMATION SECURITY PROGRAM

The Customer shall establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of the data received from Credas. This program shall include, but is not limited to, the implementation of industry best practice controls such as current and updated anti-virus software on systems, appropriate use of firewalls and intrusion detection systems, and periodic monitoring of user activity. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to the Customer’s size and complexity, the nature and scope of Customer’s activities, and the sensitivity of the information received from Credas, including:

The designation of an employee or employees to coordinate and be accountable for the information security program.

The identification of material internal and external risks (both known and reasonably anticipated) to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (a) employee training and management; (b) information systems, including network and software design, information processing, storage, transmission, and disposal; and (c) prevention, detection, and response to attacks, intrusions, or other systems failures.

The design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.

The evaluation and adjustment of the Customer’s information security program in light of the results of the testing and monitoring required by subparagraph 3, any material changes to the Customer’s operations or business arrangements, or any other circumstances that the Customer knows or has reason to know may have a material impact on the effectiveness of its information security program.

The Customer shall promptly remediate any deficiencies identified above.

Specifically, the information security program shall implement the following requirements:

 

  • User access management. Each Customer must name a System Administrator who will be responsible for maintaining the following records:
      • A complete list of each user name associated with each User ID, ensuring that each User ID and password is assigned to only one individual. User IDs and passwords may not be shared, and “generic” User IDs and passwords are not permitted.
      • Documentation of monthly verification to ensure that each active User ID corresponds to a Customer’s current employee, and confirming that employee is an authorized user.
  • User names and passwords. User passwords must be at least 6 characters long, must be changed at least every 90 days, must contain at least 3 of the 4 character sets (uppercase, lowercase, number, special characters), and User IDs must be suspended after at most five continuous and unsuccessful login attempts.
  • Connectivity. IP address restrictions are required for Customers who have access to full Social Security Numbers (“SSNs”) and/or Driver’s License Numbers (“DLNs”). IP address restrictions are also strongly recommended for non-qualified access users. The types of IP address restrictions include:
      • Full restrictions – the Customer can only gain access when using the product within the IP address range designated.
      • Roaming restrictions – subject to approval by Credas, the Customer can gain access to the products both inside and outside of the IP address restriction range. Within the IP address range, the product will display full SSNs and DLNs. Outside of the IP address range, the product will display truncated SSNs and will not display DLNs.

Customers must ensure that all transactions, XML and Web Based Applications, are sent over an encrypted medium. Valid encryption strategies are either HTTPS (TLS) 1.2 or better and at least 128 bit or HTTP over an IP Secure VPN.

All Batching must be tracked by the Customer using a specific Customer user ID.

Credas may require the Customer to enhance their authentication procedures using multi-factor authentication for access to certain types of data.

All Customers are required to have FTP servers in place for receiving batch requests.  Security measures should include Standard PGP encryption (Public Keys Exchange) or a secure SFTP using SSH as a method of encryption.

Customers are required to take reasonable and appropriate steps to ensure that information that is mailed to their clients and consumers is appropriately secured. These steps include using confidential envelopes for mailing, not marking the outside of the envelope with any information regarding its contents, and masking or truncating sensitive information in printed and mailed documents wherever possible.

II. CUSTOMER AUDIT AND TRAINING REQUIREMENTS

A AUDIT PROGRAM 

In addition to Credas’ own stringent security and audit programs, Credas contractually requires its Customers to have a defined audit program in place that will be designed to reasonably prevent unauthorized usage, and will detect unauthorized or inappropriate use of Credas data. Customers must appropriately monitor use of the Credas Data and ensure compliance with Credas’ standards, legal and regulatory obligations and contractual obligations made by the Customer to Credas.

Upon request by Credas, the Customer shall provide copies of such audit files to confirm compliance with these terms and conditions set forth herein.  Credas reserves the right to monitor and audit the Customer’s Audit Program as it deems appropriate, in its sole discretion, and Credas requires all Customers to co-operate fully and provide, without undue delay, responses to such monitoring and auditing.   Violations, as determined by Credas in its sole discretion, may be grounds for immediate changes without notice to account status, including but not limited to, suspension, change in service level provided, and/or termination of account.   The Customer shall randomly audit a representative number of its existing and new Customers per year (for example, by applying the “95/5” statistical methodology to their account selection for such random audit program).    The Customer shall maintain, during the Term and for five years following termination of the agreement, accurate and complete books and records related to its audits and investigations.  

B MONITORING AND LOGGING REQUIREMENTS

The Customer Audit Program must include sufficient monitoring and logging capability to track individual transactions. Specifically, Credas must be able to identify the following information for each search performed by its Customers:

  • Customer company/entity that performed the search;
  • User ID used to access the system;
  • Name of the individual that is registered to each User ID; 
  • Date and time the search was performed;
  • IP address from which the search originated; and
  • Business reason and corresponding legal permissible purpose under the applicable statute (for example, the GLBA) permitting the Customers to conduct each search.

Credas must monitor its Customers to ensure that it is in compliance with its contract for Credas Products, and that its Customers are in compliance with all laws and regulations. Customers are required to take reasonable and appropriate steps to ensure that their use abides by all terms and conditions of their relationship with Credas. 
