Version 4.11 Last updated 19th May 2023.
Term | Definition |
--- | --- |
Customer Organisation Data or Data | All business content entered into ISMS.online by Registered Users, including Personal Data. |
Data Controller | Identified in clause 3.5 and has the meaning given in the UK GDPR. |
Data Processor | Identified in clause 3.5 and has the meaning given in the UK GDPR. |
Help Material | Registered User guides and online tours for ISMS.online in electronic or printable form, also made available in the ‘help’ section of ISMS.online and updated from time to time. |
ISMS.online or the Platform | The cloud software platform (together with any optional feature extras agreed between the parties), owned and operated by Alliantist for the purpose of implementing, improving and managing an Information Security Management System (“ISMS”) or similar management system. |
ISMS.online Policies | An optional package, including ‘head start’ policies and controls such as risk management, security incident and supplier management, along with other documentation e.g. risk bank content or related guidance for the Customer to use as part of its ISMS. These policies can either be adopted, adapted or added to depending on the Customer’s specific needs and circumstances. Where it is so indicated in the Proposal, the ISMS.online Policies shall form part of the Services. |
Lead User | The name nominated by the Customer for the person Alliantist should engage with over the Customer’s use of the Platform, using their email address. |
Minimum Fee | Unless specifically agreed otherwise in the Proposal, the first-year fee for access to the Services. |
Occasional User | A Registered User who is going to infrequently access the system to benefit from work done on the Platform by Regular Users and who is identified to Alliantist as such by the Customer. This is a supplementary lower cost model for those Occasional Users to receive e.g. a) notification emails from the Platform e.g. for information security updates and/or b) occasionally access the Platform for demonstrating compliance to policies and controls as part of the policy pack add-on and c) infrequently engage in other work e.g. a discussion about a Legitimate Interest Assessment or Data Protection Impact Assessment. |
Personal Data | Shall have the meaning as provided in the UK GDPR (as defined in the Data Protection Act 2018). |
Proposal | The order form, being the Alliantist quote once accepted by the Customer, that contains the agreed Services scope to be provided by Alliantist, the fees due from the Customer and any additional agreed terms. The terms entered on the Proposal will form part of the contract between the Customer and Alliantist, and in the event of any conflict will take precedence over the terms and conditions set out in this Agreement. |
Registered Users | Users who are permitted by the Customer (and notified to Alliantist by the Customer) to make use of the Platform; each Registered User will have their own unique login email address and password. |
Regular User | A Registered User who can create, administer and manage work on the Platform and who is identified to Alliantist as such by the Customer. |
Services | The products, licence and services that Alliantist has agreed to provide to Customer and Customer has agreed to pay for as set out in the Proposal, including the Virtual Coach. |
Sub-processors | Third party suppliers appointed by Alliantist to complement its own delivery of the Services and who in so doing shall process Personal Data. |
Virtual Coach | A coaching service delivered through the Platform that includes guides, checklists, videos and presentations to help organisations that are new to ISO 27001 understand more about the standard and how they can implement and maintain it for their organisation. |
2.1) Subject to the terms of this Agreement, and in consideration for payment of the Fees, Alliantist grants, and Customer accepts, a non-exclusive, non-transferable, revocable licence to use, and to permit the Registered Users to use, the Services, without the right to grant sublicences, during the Term.
2.2) Customer shall display and retain Alliantist’s and/or its suppliers’ copyright, trademarks, proprietary, or confidentiality statement or legends and other notices in ISMS.online or on any resources or materials printed or copied from the Platform.
2.3) Customer acknowledges that Alliantist retains all right, title and interest in and to the original, and any copies, of ISMS.online, ISMS.online Policies and the Help Documentation, Virtual Coach, Assured Results Method (and any other component of the Services), and that ownership of all patent, copyright, trade secret, trademark and other intellectual property rights (whether registered or not) pertaining thereto shall be and remain the sole property of Alliantist (subject to the rights of any third party copyright holder that may be identified).
2.4) Without limiting the generality of the foregoing, Customer receives no rights to, and agrees that it will not itself, or through any parent, subsidiary, affiliate, agent or other third party (i) decompile, disassemble, reverse engineer or attempt to reconstruct, identify or discover any source code, underlying ideas, underlying user interface techniques, processes or algorithms of the Services or any portion thereof, or otherwise derive its source code; (ii) modify, port, translate, localise or create derivative works of the Services; (iii) sell, lease, license, sublicense, copy, market, transfer, assign, distribute or otherwise commercially exploit or make available to any third party any aspect or component of the Services; (iv) permit use of the Services by anyone who isn’t a Registered User; (v) encumber or suffer to exist any lien or security interest on the Services; or (vi) disclose the results of any performance tests or qualitative analysis on the Services to any third party without the prior written consent of Alliantist.
2.5) Customer shall notify Alliantist immediately if it becomes aware of any unauthorised disclosure or use of the Services by a third party.
2.6) Where ISMS.online Policies are included in the Services, on condition that Customer is not in breach of any terms of this Agreement (or the Proposal), the Customer can continue to use such ISMS.online Policies (not the technology tools inside the Platform) internally even if it chooses not to renew or continue with the Platform when the Services are due for renewal.
3.1) Customer retains all right, title and interest to all Customer Organisation Data.
3.2) Data uploaded to the Platform and any processing of it must be in compliance with this Agreement along with all applicable laws and regulations. By uploading Data to the Platform, Customer authorises Alliantist to process the Data pursuant to 3.5 and 3.6 below. Alliantist will notify the Customer if it believes the Customer’s processing instruction infringes applicable legislation and/or regulation. The Customer is responsible for ensuring that:
3.3) Alliantist may, without liability to Customer or prejudice to its other rights, disable the Customer’s access to any material that breaches the provisions of clause 3.2 (a).
3.4) Alliantist does not (in the normal course of operation) access, monitor or proactively interact with Data held on the Platform. Circumstances in which Alliantist may access such Data include when Alliantist is required to access the Platform for the provision of coaching to the Customer, or for the purpose of bug and issue support.
3.5) Personal Data Processing
For the purposes of Article 28 of GDPR (and any equivalent domestic law requirement) we set out below the terms of our data processing agreement.
Data Controller | Customer |
Data Processor | Alliantist |
Subject matter of processing | Alliantist provides ISMS.online to enable the Customer to implement and operate a management system, which involves the hosting of Data input by the Customer on Alliantist’s servers. |
Lawful bases for the Controller | The controller warrants that it has a lawful basis for processing the Data. |
Lawful basis of the Processor | Contractual obligation in line with this Agreement. |
Duration for the processing | Alliantist will process the Data on behalf of the Customer for the term of the Agreement and for such time as is required thereafter if the Customer continues with the Services. |
Nature and purpose of the processing | Customer will collect, collaborate, coordinate, organise, share, record, store, amend, edit and delete information including appropriate Personal Data for the purpose of implementing, improving and managing its Platform. Alliantist will also process Personal Data as required to support and maintain the Services for the Customer. |
Types of data held | Customer is only required to add Personal Data of Registered Users such as organisation email address and first name, surname for users to access the Platform. Registered Users can choose to add more details such as an avatar picture and telephone, mobile and work address if they want to in order to facilitate greater trust and collaboration between Registered Users. IP addresses are also held for the purpose of compliance with other legislation, protective monitoring, and delivery of support & maintenance.
Depending on the scope of the solution the Customer may also choose to hold relevant personal details of its staff e.g. during HR information security focused recruitment, induction, in-life management and exit. The Platform is not specifically designed nor encouraged to be used as an HR tool for the holding of significant sensitive or high volumes of Personal Data and the Customer does so at their own risk. Personal Data details of suppliers, partners and customers may also be held in areas such as the Accounts suite where it helps organisations manage business relationships better and demonstrate they are in control of their supply chain. This data includes email address, phone numbers, first name and surname. |
Information Security and Data Protection safeguards in place | Alliantist has a number of organisational and technical related measures for the protection of all valuable information, not just Personal Data.
Organisational and technical measures include:
1. UKAS certified ISO 27001:2013 and ISO 27701:2019 at the organisation level; the software application ISMS.online and the staff involved in the Services meet appropriate privacy, confidentiality, integrity and availability thresholds following a risk analysis.
2. The supply chain is certified to at least the same standard or an acceptable equivalent for infrastructure critical services (data centre hosting, code management etc).
3. Any smaller suppliers that work on the Platform who don’t hold ISO certifications themselves follow the Alliantist IMS and are contracted on that basis.
4. All Alliantist staff (and relevant suppliers) involved are regularly trained on information security and privacy. They agree to comply with the policies and controls, including confidentiality, as part of their recruitment, induction and in-life monitoring, at least annually and, if appropriate, when undertaking a change of role.
5. Where appropriate, data protection impact assessments, policy reviews and internal audits are undertaken regularly alongside management reviews in line with ISO 27001/27701.
6. The Platform is penetration tested annually or on significant change events.
7. Data in transit between the end user and the service uses TLS. The SSL certificate in use by the service uses a 2048 bit RSA key with the SHA256 algorithm. The TLS terminator is configured to prefer more recent versions of protocols and more secure options first, and is configured not to revert to an older standard after initial negotiation. The minimum version of the TLS protocol supported is TLS 1.2. ISMS.online has been rated A+ by independent checks using the Qualys review process for SSL inspection.
8. For data at rest, the shared filesystem and database filesystem are encrypted to AES-256 using HSM technology via the Amazon KMS service. Passwords are salted and hashed when stored. The database is not shared with other services nor is it publicly accessible; it is firewalled off in our private cloud and is only accessible by our application servers.
9. All backups are encrypted/decrypted at source with AES-256 level encryption and are encrypted in transit between the application and the backup data storage.
10. All staff that are involved in the service delivery have been vetted, follow strict protocols, and all the services they use are configured to use Single Sign On (SSO) and/or 2 factor authentication (depending on availability of either). All passwords are managed by a service, ensuring very strong and secure passwords.
11. Alliantist follows Cyber Essentials to the IASME standard.
12. Alliantist has strong permissions and controls management to ensure that only authorised Users following strong security protocols can access the relevant parts of the backend of the Platform in the event of a support issue. All access is logged and, if appropriate, can be forensically analysed in the unlikely event it needs to be.
13. Alliantist holds appropriate insurance cover for Professional Indemnity, Cyber Breach, Public Liability and Employment.
Other technical and Platform measures made available for Registered Users include:
14. 2 factor authentication is included for all Registered Users, at no additional cost to the core service, and implemented from within the User preferences area. Customer administrators can see who has and hasn’t implemented it.
15. Strong passwords, SSO and other forced security measures that can be set at an organisation level, e.g. timeouts, forced password change etc.
16. Role based permissions and access control measures for different jobs / different Registered User requirements.
17. Privacy controls and permissions management in workspaces, controlled by the Customer administrators to prevent unauthorised access to Data.
18. Administrator reports and measures to help monitor activity without breaching user privacy (and ensure Customer investments in Registered Users are optimised).
19. Alliantist personnel or subcontractors acting in a coaching or support capacity inside the ISMS.online instance of the Customer are only added by the Customer for the time required and then removed by the Customer.
Customer is expected to take advantage of the Platform measures added for its benefit. Alliantist will not be responsible for any security incident or event that may occur because the Customer has failed to implement any or all of the Platform measures listed above. This includes Registered Users being responsible for maintaining the confidentiality and security of their password and login details and using the provided two factor authentication service. |
Sub-processors | Sub-processors are used for a range of jobs and managed according to their role and risk around the Personal Data.
Sub-processors for our role as Data Processor
For customers using our UK/EU data centre: The UK is the primary processing location for Alliantist in its role as the Data Processor, with the hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated at an AWS data centre in Ireland, and a further encrypted backup is held with Linode UK to the same technical and organisational standards.
For customers using our APAC data centre: Australia is the primary processing location for Alliantist in its role as the Data Processor, with the hosting via AWS. For backup and redundancy purposes, a copy of that data is stored as an encrypted backup with Linode Australia to the same technical and organisational standards.
For customers using our US data centre: The US is the primary processing location for Alliantist in its role as the Data Processor, with the hosting via AWS. For backup and redundancy purposes, a copy of that data is replicated to a second AWS data centre within the US. A further encrypted backup is stored within Linode US to the same technical and organisational standards.
Sub-processors for our role as Data Controller
In our role as Data Controller the sub-processors used include: Atlassian, AWS (UK/EU Customers: UK and Ireland. APAC Customers: Australia. US customers: US), Creditsafe, Cybercontrols, Fresh Financials, FreshWorks, GoCardless, Google, HubSpot, Impartner, Insycle, Linode, Microsoft, Quotient, Qwilr, RingCentral, Stripe, Typeform, Wisepops, WordPress, Xero, ZoomInfo.
Where Personal Data is transferred outside the UK, it will only be transferred to countries that have been identified as providing adequate protection for UK data, or to a third party where we have approved transfer mechanisms in place to protect Personal Data, such as the European Commission’s Standard Contractual Clauses with the UK’s International Data Transfer Addendum.
By agreeing to this Agreement, Customer grants Alliantist a general authorisation in the meaning of Article 28(2) of GDPR to engage sub-processors for the purposes of providing the Services. Alliantist will inform the Customer of material changes in such sub-processors in accordance with the Agreement and in line with clause 7.1. |
Plan for the safe return of data or its destruction at the end of the Agreement | At any point Customer can remove its Data through a range of reports, exports and mechanisms on the Platform. Subject to the scope, style and nature of what it wants and in what format, Alliantist will also assist the Customer with its end of life exit activity including the relevant aspects of Personal Data portability and transfer if required.
On conclusion of the Agreement and payment for the Services, Alliantist operates a Customer exit process in line with our IMS controls, where it ensures the Customer has, as Data Controller, removed what it wants from the Platform and then goes through the safe erasure and deletion of the Customer’s Data. This takes place 30 days after contract termination and then takes 30 days to conclude, as the back-up information is erased and replaced during that cycle. |
3.6) Alliantist as the Data Processor will assist the Customer as the Data Controller in meeting the Customer’s obligations under Regulation (EU) 2016/679 and allowing data subjects to exercise their rights under Regulation (EU) 2016/679. To that end Alliantist has a range of policies, procedures and approaches such as:
4.1) Fees payable by the Customer for the Services are set out in the Proposal. Fees include access to the Services as described and include Platform maintenance with technical support for the Customer Lead User and authorised administrators as may be further detailed in the Proposal. The fees also include automatic access to relevant Platform releases and enhancements for the functionality in scope on the Proposal. Registered User support is covered in the fees through the Help Documentation and includes tours, videos and other support materials on the Platform.
4.2) Unless otherwise stated in the Proposal, this Agreement shall last for the initial term of one year (Initial Term). Unless stated otherwise in the Proposal, the fees are invoiced annually in advance. All payments from the Customer are due within 7 days of the date of invoice.
4.3) After the end of the Initial Term (or any Renewal Term), unless terminated in accordance with the terms of this Agreement, this Agreement will automatically continue for a further period of one year (Renewal Term). Unless agreed otherwise, fees for the Renewal Term shall be payable in the same manner (monthly, quarterly, annually) as for the Initial Term. Alliantist will be entitled to revise the fees in line with RPI upon renewal. Any further increase to the fees will only take effect if Alliantist gives the Customer 30 days’ written notice, and during such notice period the Customer will be entitled to immediately terminate without liability.
4.4) Either party may terminate this Agreement on a minimum of 30 days’ notice, such notice to expire at the end of the Initial Term or any Renewal Term.
4.5) Additional Registered Users or increases to the Services scope e.g. adding an optional extra such as policy packs or supply chain accounts may be agreed between the parties at any time subject to the relevant fee payment as set out in the Proposal or the price as quoted at the time of request. Registered User numbers are reviewed quarterly or at other intervals as needed and paid pro rata for any period added then aligned with the usual payment period thereafter. Subject to the fees in the Initial Term not falling below the Minimum Fee any of the Services can be adjusted accordingly and fee changes reflect the ongoing change in use.
4.6) All fees assume a fair and acceptable use of the Services by the Customer and the Registered Users. In the event that the use of the Platform or the Services by the Customer exceeds fair and acceptable use Alliantist will alert Customer to the issues in writing and give the Customer the opportunity of easing use or paying for the extra service requirements.
4.7) All fees exclude VAT and other government taxes.
4.8) Either party may terminate this Agreement and any Proposal immediately upon written notice if the other commits a material breach of the Agreement and which (in the case of a breach capable of remedy) shall not have been remedied within 30 days. A material breach includes (i) a failure by Customer to make payment in accordance with this Agreement; or (ii) the other party has a liquidator, receiver, administrator or administrative receiver appointed in respect of the whole or any part of its undertaking or assets; or (iii) the other party ceases or threatens to cease to carry on business; or (iv) the commencement of negotiations with all or any class of that party’s creditors with a view to rescheduling any of its debts, or making a proposal for or entering into any compromise or arrangement with its creditors other than for the sole purpose of a scheme for a solvent amalgamation of that other party with one or more other companies or the solvent reconstruction of that other party; or (v) a data breach that increases risks to the rights and freedoms of data subjects’ information held on the Platform.
4.9) On termination for any reason:
4.9.2) The Customer shall immediately pay to Alliantist any sums due to Alliantist under this Agreement, except that where any sum of money is recoverable from or payable by Alliantist, the Customer may deduct the same from any sum then due to Alliantist under this Agreement;
4.9.3) Customers can remove Customer Organisation Data from the Platform at any time.
5.1) Alliantist warrants that the Platform shall perform substantially in accordance with the specifications set out in the Proposal, the Additional Services Information: https://www.isms.online/about/additional-services-information/, Help Documentation and will reflect the features and services expressed from the ISMS.online website.
5.2) Customer hereby acknowledges and agrees that access to the Services may be affected by local network telecommunications activity; government networks, electronic mail failure, capacity and compatibility with third party communication equipment, communication software, web browsers and internet (or intranet) enabled software. Alliantist hereby disclaims and Customer hereby waives any and all Alliantist responsibility for any failures in connection with local market network telecommunication activity, government networks, electronic mail failure, capacity and compatibility with third party communication equipment, communication software, web browsers and internet (or intranet) enabled software.
5.3) Alliantist shall not be liable for any failure to perform its obligations under this Agreement because of circumstances beyond its control which such circumstances shall include (without limitation) natural disaster (including widespread infectious disease, including epidemics and pandemics), terrorism, labour disputes, war, declarations of governments, transportation delays, telecommunications failure and misuse of the Services by Customer.
5.4) Alliantist agrees, subject to the limit of its insurance cover to indemnify Customer against all claims, demands, suits, liabilities, costs, expenses (including reasonably incurred legal fees), damages and losses suffered or incurred by Customer arising out of a third-party claim against Customer in respect of infringement of a third party’s intellectual property rights arising out of Customer’s use of ISMS.online. This indemnity shall not apply to the extent that a claim under it results from Customer’s negligence, wilful misconduct, or modification from the specification. It is subject to Customer immediately notifying Alliantist of any claim and in any event within 3 months; Customer not admitting any fault or making any offer to settle and Alliantist having sole control of the claim with reasonable assistance as required from the Customer.
If Customer is prevented from using the Platform thereafter Alliantist will at its sole discretion and cost either: source the rights to continue use; replace the disputed intellectual property and modify ISMS.online such that the purpose is still served; or terminate the Agreement and refund Customer any unused but prepaid fees.
5.5) Other than to the extent prohibited by law, or liability in relation to clause 5.4, in no event shall the total aggregate liability of Alliantist exceed the annual fees paid in the previous year by the Customer.
6.1) ISMS.online, ISMS.online Policies, Virtual Coach, Assured Results Method and the Help Documentation are proprietary to Alliantist and contain valuable trade secrets. The Customer shall at all times keep the software, policies, documentation, technical or commercial information, inventions or processes and any and all information concerning Alliantist’s business or products and which have been disclosed to the Customer by Alliantist and which are of a confidential nature in strict confidence and shall not permit the same to be used, copied, disclosed or disposed of except in accordance with this Agreement.
6.2) The Proposal of this Agreement is confidential and may not be disclosed by either party without the prior written consent of the other party.
6.3) Where Customer discloses confidential information to Alliantist, Alliantist agrees to protect the Customer’s confidential information with the same standards and integrity as it uses in respect of its own confidential information.
6.4) The receiving party (whether Customer or Alliantist) may disclose information of a confidential nature to such of its employees or professional advisors as need to know the same for the purpose of discharging the receiving party’s obligations or rights under this Agreement and shall ensure that such employees are subject to obligations of confidentiality corresponding to those set out in this Agreement.
6.5) The provisions of this section 6 shall: (i) not apply to information which is already public knowledge or becomes so at a future date (other than by breach of this Agreement); (ii) not apply to information which is known without restriction to the receiving party at the time of disclosure without breach of any obligation of confidentiality; (iii) not apply to information which is shown to the reasonable satisfaction of the originating party to have been generated independently by the receiving party; (iv) remain in full force and effect notwithstanding termination of this Agreement for any reason.
7.1) The Customer shall provide a nominated name and email address being the Lead User to deal with Alliantist over the Customer’s use of the Platform. The Lead User will be granted system administration rights and will participate in reviews with Alliantist from time to time. Alliantist will notify the Lead User in the event of a data breach. The Customer can nominate a replacement Lead User on written notice to Alliantist. The role of Lead User may be shared between multiple people, provided that Alliantist is entitled to treat each person as being fully authorised to represent the Customer independently.
8.1) As is common for all SaaS (‘software as a service’) vendors, Alliantist may from time to time need to alter the terms. Therefore, we reserve the right to alter this Agreement at any time by posting such changes to the Customer at its nominated Lead User email address and through the Alliantist website. If these changes may have an adverse effect on Customer’s business such that it may want to object to such change, the Customer should raise such concerns with the relevant Alliantist customer success manager in the first instance.
8.2) The Customer’s continued use of the Services after changes to these terms, as detailed in clause 8.1 above, constitutes the Customer’s binding acceptance of such changes. Such amended Agreement will become effective upon the earlier of the Customer’s continued use of the Services, or 30 days from notification of the changes. Customer warrants that it shall be deemed to have reviewed the most up to date version of these terms at the start of each Renewal Term, or upon any variation to the Services.
8.3) The Platform may contain links to other third-party web sites. Alliantist is not responsible for the privacy practices or the content of these other web sites. Registered Users will need to check the policy statement of these other web sites to understand their policies. Registered Users who access a linked site may be disclosing their private information. It is the responsibility of the Registered User to keep such information private and confidential.
8.4) Unless otherwise specified in the Proposal, service and support shall be provided subject to the terms set out in the support policy available in the footer of the Platform and on the website.
8.5) Unless specifically agreed otherwise, by entering into this Agreement Customer grants Alliantist permission to use the Customer’s name and logo in its marketing and promotional materials including without limitation its website and social media channels.
8.6) This Agreement will be governed by and construed in accordance with English Law, without giving effect to its conflict of law provisions or Customer’s actual state or country of residence. Any claims, legal proceeding or litigation arising in connection with ISMS.online will be brought solely in England, and Customer consents to the exclusive jurisdiction of such courts provided that each party shall have the right to enforce a judgment of the English Courts in a jurisdiction in which the other party is incorporated or in which any assets of the other party may be situated.
8.7) A person who is not a party to this Agreement may not rely upon or enforce any rights pursuant to the Contracts (Rights of Third Parties) Act 1999.
8.8) This Agreement including the Proposal, privacy policy and support policy constitutes the entire agreement between Customer and Alliantist.
Any questions or issues should in the first instance be dealt with using the normal ISMS.online support channels support@isms.online or with your customer success manager then escalated if required thereafter.