Our policies on slavery and human trafficking

We are committed to ensuring that there is no modern slavery or human trafficking in our supply chains or in any part of our business.  In addition, our Whistleblowing Policy provides a reporting method for our staff and others to alert us to any concerns they may have. This provides a second line of defence in assuring our compliance with modern slavery, and is managed by our Compliance team.

Training

We provide training to key staff on modern slavery risks and constantly review and ensure that all our employees and partners are aware of our policies and commitment to abolish slavery and human trafficking.

Further steps

Following a review of the effectiveness of the steps we have taken to ensure that there is no modern slavery or human trafficking in our supply chains, we intend to take the following further steps to combat modern slavery and human trafficking: -

• We will roll-out further modern slavery awareness training to all our staff and current and future partners and suppliers.

• We will publicise and sustain our focus on our Policy 

• We continue to review our relevant policies

• We will monitor all relevant outcomes and amend policies as needed in order to fulfil the letter and spirit of the law.

Generic Service Usage

1.1 Service Boundary

The Supplier is only responsible for the service up to the point of ingress and egress from AWS.  The network connection and routing from AWS to the Client, and the related systems and services hosted by the Client, or their Representatives, are the responsibility of the Client.  The Client-side browsers, and related desktop infrastructure, are the responsibility of the Client.

1.2 Commodity Cloud Provider

The standard offering of the Service is for it to be hosted on AWS, however it could be hosted on other commodity cloud providers, such as Azure, by agreement.

1.3 Supplier’s Intellectual Property Rights (IPR)

The IPR of the Service is solely the Suppliers and remains so before, during and after the provision of the Service to the Client.

1.4 Client’s Right to Use

The Client has a non-exclusive, non-transferable, non-sublicensable right to use the Service for the duration of the Agreement, and to permit Authorised Users to access and use the Service solely for the Client’s internal business operations.

1.5 Service Termination

If no prior arrangements have been agreed between the Client and the Supplier, the Supplier will terminate provision of the Service on the Termination Date.  The Client Data will be extracted into CSV files and sent to the Client Support Contact.  All Client Data on the Supplier’s systems and on the Commodity Cloud Provider’s systems will be deleted.  Once this is completed no further rights or obligations exist between the Supplier and the Client.

1.6 Service Extension

The Client can extend the Agreement beyond the initial Termination date, subject to compliance with the terms of the Digital Marketplace, and in agreement with the Supplier. 

Service Level Agreement (SLA)

2.1Availability

The availability target is 99% uptime during the normal working day, i.e. 9-5 Monday to Friday.  Availability is measured at the ingress and egress point of the service on AWS.  The effects of the Customer’s network are outside the scope of any SLA on availability.

The timing of any incident effecting the service availability is from the point the Supplier is successfully contacted by either email and/or phone.

2.2 Maintenance

There is a four-hour maintenance window from Saturday midnight until 04:00 Sunday morning.  The Supplier will inform the Client of all material changes to the Service prior to its implementation during the Maintenance period.  If the Client has concerns about the proposed maintenance activity this must be issued via email to the Supplier in a timely fashion prior to the maintenance activity.

The implementation of the Service on Commodity Cloud lends itself to Continuous Integration and Continuous Delivery (CI/CD) via a Blue/Green deployment.  This will be used as the Client and Supplier mature their engagement by mutual agreement.

2.3 Severity Codes

• Severity One – Is only used for the entire Service being down. The Customer must raise a severity one incident as soon as they are aware of any outage of the Service via email and/or phone.  The supplier will confirm receipt and begin initial diagnostics within four hours.
• Severity Two – A feature of the Service is not working properly affecting business processes significantly. The Customer must raise a severity two incident as soon as they are aware of the incident via email and/or phone.  The supplier will confirm receipt and begin initial diagnostics within one working day.
• Severity Three – There is an anomaly in the Service which can be worked around but is causing some minor business disruption. The Customer must raise a severity three incident via email and/or phone.  The supplier will confirm receipt and begin initial diagnostics within two working days.

2.4 Resumption of Service

The Supplier reserves the right to make immediate changes to the Service to restore service after a Severity One incident, without consultation with the Client. 

The Supplier is entitled to carry out unscheduled maintenance at any time in the case of an emergency or any unforeseen circumstances that affects the Service. In these circumstances the Supplier will use reasonable endeavours to inform the Client. 

Client Obligations

3.1 Problem Resolution

The Client must provide reasonable assistance in helping to find the root cause of the problem by providing appropriate technical resources and the sharing of appropriate information and artefacts, e.g. screen shots, audit logs and config files, in a timely manner.

3.2 General Engagement

The Client shall use all reasonable endeavours to provide all pertinent information to the Supplier that is necessary for the Supplier’s provision of the Services.

In the event that the Supplier requires the decision, approval, consent or any other communication from the Client in order to continue with the provision of the Services or any part thereof at any time, the Client shall provide the same in a reasonable and timely manner.  

3.3 Framework Licences

The Client is responsible for obtaining all framework licences for any job roles or job skills frameworks used on the Service, e.g. SFIA.

3.4 Notification of Material Changes to the use of the Service

The Client must keep the Supplier informed of any material changes to the potential usage of the Service.  So, if there is a roll-out schedule for the Service this must be communicated to the Supplier in a timely fashion so that the Supplier can monitor the Service appropriately.   Likewise, if there is an anticipated material decrease in the use of the Service the Supplier must be informed.  Failure to appropriately inform the Supplier negates the applicability of the Service Credit regime.

3.5 Acceptable Use 

The Client shall endeavour to ensure that the Authorised Users do not access, store, distribute or use the Service in such a manner as to bring either the Client or the Supplier into disrepute.

3.6 Non-Compete

The Client shall not attempt to reverse engineer the Service in order to build a product or service which competes with the Service.

3.7 Payment of Fees

All fees must be paid within 30 days of receipt or the Supplier may stop provision of the Service.

What Personal Identifiable Information (PII) we collect

The PII data we collect from you includes:

• Email and name

Why we need your data

The PII data we collect is used to identify you on our system.

Our legal basis for processing your data

The legal basis for processing personal data in relation to site security is our legitimate interests, and the legitimate interests of our users, in ensuring the security and integrity of the data collected.

What we do with your data

The PII data we collect is used to identify you on our system. It may also be shared with our technology suppliers, for example our hosting provider.

We will share your data if we are required to do so by law - for example, by court order, or to prevent fraud or other crime.

How long we keep your data

We will only retain your PII data for as long as it is needed for the purposes set out in this document or for as long as the law requires us to.

We will:

• keep your email data until you unsubscribe
• Or until the service is discontinued at our sole discretion

Children’s privacy protection

Our services are not designed for, or intentionally targeted at, children 13 years of age or younger. We do not intentionally collect or maintain data about anyone under the age of 13.

Where your data is processed and stored

We design, build and run our systems to make sure that your data is as safe as possible at all stages, both while it’s processed and when it’s stored.

All personal data is stored in the European Economic Area (EEA). 

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. We have set up systems and processes to prevent unauthorised access or disclosure of your data - for example, we protect your data using varying levels of encryption.

We also make sure that any third parties that we deal with keep all personal data they process on our behalf secure.

Your rights

You have the right to request:

• information about how your personal data is processed
• a copy of that personal data
• that anything inaccurate in your personal data is corrected immediately

You can also:

• raise an objection about how your personal data is processed
• request that your personal data is erased if there is no longer a justification for it
• ask that the processing of your personal data is restricted in certain circumstances

If you have any of these requests, get in contact with our Support Team via email to support@microbond.co.uk.