The following comprise the full terms and conditions of Bytemark’s services.
From the 25th May 2018 the Data Processing Amendment will apply to all customers regardless of whether the services taken by them are covered by the General terms and conditions.
DATA PROCESSING AMENDMENT
YOUR ATTENTION IS PARTICULARLY DRAWN TO THE PROVISIONS OF CLAUSE 7.5 (INDEMNITY) AND CLAUSE 8 (LIMITATION OF LIABILITY).
Where words are underlined please click through to this part of these Conditions for the details.
- Definitions and Interpretation
The following definitions and rules of interpretation apply in these Conditions.
Business Day: a day other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.
Charges: the charges payable by You for the supply of the Services in accordance with clause 5 and Charges.
Commencement Date: has the meaning given in clause 2.2.
Conditions: these general terms and conditions as amended from time to time.
Contract: the contract between Us and You for the supply of the Services in accordance with these Conditions.
Control: shall be as defined in section 1124 of the Corporation Tax Act 2010, and the expression change of control shall be construed accordingly.
Customer Default: has the meaning set out in clause 4.2.
Data Controller: has the meaning set out in section 1(1) of the Data Protection Act 1998.
Data Subject: an individual who is the subject of Personal Data.
Extra Services: the extra services.
Intellectual Property Rights: patents, rights to inventions, copyright and related rights, moral rights, trade marks, business names and domain names, rights in get-up, goodwill and the right to sue for passing off, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.
Interest Rate: 6% above the Bank of England base rate from time to time.
Order: Your order on those Conditions for any of Our Services is made when you make a request for them on our site; via email; or a signed order form.
Person: an individual or partnership or corporation.
Personal Data: has the meaning set out in section 1(1) of the Data Protection Act 1998 and relates only to personal data, or any part of such personal data, in respect of which You are the Data Controller and in relation to which we are providing the Services under the Contract.
Processing and process: have the meaning set out in section 1(1) of the Data Protection Act 1998.
Services: the Standard Services and the Extra Services, supplied by Us to You.
Service Level: the service level.
Standard Services: the Standard Services
We/Our/Us: Bytemark Limited.
You/Your: the Person who makes the Order.
(a) A reference to a statute or statutory provision is a reference to it as amended or re-enacted. A reference to a statute or statutory provision includes all subordinate legislation made under that statute or statutory provision.
(b) Any words following the terms including, include, in particular, for example or any similar expression, shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
(c) A reference to writing or written includes email but excludes faxes.
- Basis of contract
2.1 Your Order constitutes an offer by You to purchase the Services in accordance with these Conditions.
2.2 Your Order is accepted by Us on these Conditions when We either commence providing any of the Services to You or have acknowledged Your Order (Commencement Date).
2.3 These Conditions apply to the Contract to the exclusion of any other terms whatsoever or howsoever that You seek to impose or incorporate.
2.4 Subject to clause 3.3 We reserve the right to amend or change any or all of these Conditions on giving You not less than 28 days notice in writing by email of any such amendment or change and which You are hereby deemed to accept if You continue to use Our Services after this period expires.
- Supply of Services
3.1 We shall use reasonable endeavours to provide the Services in compliance with the Service Level.
3.2 We reserve the right to amend or change the Services and the Service Level on giving You not less than 28 days notice in writing by email of such amendment or change and which You are hereby deemed to accept if You continue to use Our Services after this period expires.
3.3 Notwithstanding clause 2.4 You hereby agree that the Data processing amendment applies with effect from 25 May 2018 and that no further notice will be given to You in this respect.
- Customer's obligations
4.1 You shall:
(a) co-operate with Us in all matters relating to the Services;
(b) provide Us with such information and materials as We may reasonably require in order to supply the Services, and ensure that such information is complete and accurate in all material respects; and
(c) comply with all applicable laws.
4.2 If Our performance of any of Our obligations under the Contract is prevented or delayed by any act or omission by You or failure by You to perform any relevant obligation (Customer Default):
(a) without limiting or affecting any other right or remedy available to it, We shall have the right to suspend performance of the Services until You remedy the Customer Default, and to rely on the Customer Default to relieve it from the performance of any of Our obligations in each case to the extent the Customer Default prevents or delays the Supplier's performance of any of Our obligations; and
(b) We shall not be liable for any costs or losses sustained or incurred by You arising directly or indirectly from Our failure or delay to perform any of Our obligations as set out under this Contract.
- Charges and Payment
5.1 Unless We otherwise agree with You in writing You shall pay the Charges to Us for the Standard Services either monthly, quarterly or annually (depending on the type of Standard Services You have purchased) and such payment shall be taken by Us from Your selected credit or debit card (details of which You have provided to Us).
5.2 Unless We otherwise agree with You in writing You shall pay the Charges to Us for the Extra Services by the credit or debit card (details of which You have provided to Us) and You hereby authorise Us to take such payments or, where relevant, within 7 days of the date of Our invoice to You for such Extra Services and invoices for Extra Services shall be sent to You by email at the end of each month.
5.3 We reserve the right to change the Charges on giving You 28 days notice.
5.4 All amounts payable by You under the Contract are exclusive of amounts in respect of value added tax chargeable from time to time (VAT).
5.5 If You fail to make a payment due to Us under the Contract by the due date, then, without limiting Our remedies under clause 9, We shall be either entitled to terminate this Contract with immediate effect or cease providing the Services with immediate effect and without liability for breach of contract until such payment is received.
5.6 All amounts due under the Contract shall be paid in full without any set-off, counterclaim, deduction or withholding (other than any deduction or withholding of tax as required by law).
- Intellectual property rights
6.1 All Intellectual Property Rights in or arising out of or in connection with the Services are owned by Us.
- Data Protection and Data Processing
7.1 Subject to New Data Protection Provisions, You and We acknowledge that for the purposes of the Data Protection Act 1998, You are the Data Controller and We are the data processor in respect of any Personal Data.
7.2 We shall process the Personal Data only in accordance with Your instructions from time to time and shall not process the Personal Data for any purposes other than those expressly authorised by You.
7.3 Each party warrants to the other that it will process the Personal Data in compliance with all applicable laws, enactments, regulations, orders, standards and other similar instruments.
7.4 We warrant that, having regard to the state of technological development and the costs of implementing any measures, We will:
(a) take appropriate technical and organisational measures against the unauthorised or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to:
(i) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
(ii) the nature of the data to be protected including the security measures set out in Schedule 5; and
(b) take reasonable steps to ensure compliance with those measures.
7.5 Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations under this clause 7.
7.6 You acknowledge that We are reliant on You for direction as to the extent to which We are entitled to use and process the Personal Data. Consequently, We shall not be liable for any claim brought by a Data Subject arising from any action or omission by Us, to the extent that such action or omission resulted directly from Your instructions.
7.7 We may authorise a third party (subcontractor) to process the Personal Data provided that the subcontractor's contract:
7.8 is on terms which are substantially the same as those set out in the Contract; and
7.9 terminates automatically on termination of the Contract for any reason.
- Limitation of liability: YOUR ATTENTION IS PARTICULARLY DRAWN TO THIS CLAUSE.
8.1 Nothing in the Contract shall limit or exclude Our liability for:
(a) death or personal injury caused by its negligence, or the negligence of its employees, agents or subcontractors;
(b) fraud or fraudulent misrepresentation; or
(c) breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession) or any other liability which cannot be limited or excluded by applicable law.
8.2 Subject to clause 8.1, We shall not be liable to You, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with the Contract for:
(a) loss of profits;
(b) loss of sales or business;
(c) loss of agreements or contracts;
(d) loss of anticipated savings;
(e) loss of use or corruption of software, data or information;
(f) loss of or damage to goodwill; or
(g) any indirect or consequential loss.
8.3 Subject to clause 8.1, the Supplier's total liability to the Customer, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with the Contract shall be limited to the total Charges paid under the Contract as at the date of the said breach.
8.4 The terms implied by sections 3 to 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from the Contract.
8.5 This clause 8 shall survive termination of the Contract.
9.1 Without affecting any other right or remedy available to Us, We may terminate the Contract by giving You 28 days notice at any time after the end of any minimum term of the Contract.
9.2 Without affecting any of the right or remedy available to You, You may terminate the Services on the basis set out in the Standard Services and Extra Services.
9.3 Without affecting any other right or remedy available to it under the Contract or otherwise, either party may terminate the Contract with immediate effect by giving written notice to the other party if:
(a) the other party commits a material breach of any term of the Contract and (if such a breach is remediable) fails to remedy that breach within seven days of that party being notified in writing to do so;
(b) the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business;
(c) the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or
(d) the other party's financial position deteriorates to such an extent that in the terminating party's opinion the other party's capability to adequately fulfil its obligations under the Contract has been placed in jeopardy.
- Consequences of Termination
10.1 On termination of the Contract You shall immediately pay to Us all of Our outstanding unpaid Charges and, in respect of Extra Services supplied but for which no invoice has been submitted, We shall submit an invoice, which shall be payable by the Customer immediately.
10.2 Termination of the Contract shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Contract which existed at or before the date of termination.
10.3 Any provision of the Contract that expressly or by implication is intended to come into or continue in force on or after termination of the Contract shall remain in full force and effect.
10.4 Interest shall be charged on any unpaid Charges at the Interest Rate from the date when the Charges were due and payable compounded monthly.
11.1 Force majeure. Neither party shall be in breach of the Contract nor liable for delay in performing, or failure to perform, any of its obligations under the Contract if such delay or failure result from events, circumstances or causes beyond its reasonable control.
11.2 Assignment and other dealings.
(a) We may at any time assign, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under the Contract.
(b) You shall not assign, transfer, mortgage, charge, subcontract, declare a trust over or deal in any other manner with any of its rights and obligations under the Contract.
(a) Each party undertakes that it shall not at any time during the Contract, and for a period of five years after termination of the Contract, disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by clause 11.3(b).
(b) Each party may disclose the other party's confidential information:
(i) to its employees, officers, representatives, subcontractors or advisers who need to know such information for the purposes of carrying out the party's obligations under the Contract. Each party shall ensure that its employees, officers, representatives, subcontractors or advisers to whom it discloses the other party's confidential information comply with this clause 11.3; and
(ii) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
(c) Neither party shall use the other party's confidential information for any purpose other than to perform its obligations under the Contract.
11.4 Entire Agreement.
(a) The Contract constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
(b) Each party acknowledges that in entering into the Contract it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Contract. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the Contract.
(c) Nothing in this clause shall limit or exclude any liability for fraud.
11.5 Waiver. A waiver of any right or remedy under the Contract or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent breach or default. A failure or delay by a party to exercise any right or remedy provided under the Contract or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Contract or by law shall prevent or restrict the further exercise of that or any other right or remedy.
11.6 Severance. If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of the Contract.
(a) Any notice or other communication given to a party under or in connection with the Contract shall be in writing and shall be delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or sent by email to the email address that You have given Us.
(b) Any notice or other communication shall be deemed to have been received: if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address; if sent by pre-paid first class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service; or, if sent by email, at 9.00 am on the next Business Day after transmission.
(c) This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any other method of dispute resolution.
11.8 Third Party Rights.
(a) Unless it expressly states otherwise, the Contract does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Contract.
(b) The rights of the parties to rescind or vary the Contract are not subject to the consent of any other person.
11.9 Governing Law. The Contract, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with the law of England and Wales.
11.10 Jurisdiction. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Contract or its subject matter or formation.
- The Standard Services are:
1.1 Bytemark Cloud servers and other services that can be provisioned via our web control panel or API endpoint.
(a) Notice period: charges rounded to the nearest day with service credit issued pro-rata
1.2 All dedicated servers, including but not limited to ones listed on our website and referred to as Value, Fixed, Premium, Storage Monster, Dual, Essential, Pro, Custom.
(a) Notice period: 28 days, following the end of the minimum period of the Contract of the then current billing period.
1.3 Virtual machines on our legacy virtual machine platform:
(a) Notice period: Any time in the then current billing cycle, service will cease at end of the then current billing cycle.
1.4 Server management services provisioned since 1st September 2017
(a) Notice period: 28 days, following the end of the minimum period of the Contract or the then current billing period.
- The Extra Services are:
2.1 On demand system administration billed per 15 minutes or part thereof.
The Charges are provided to You at the time of placing Your Order, and are subject to clause 5.3.
This acceptable use policy applies to your usage of any services within, or connectivity to, Our network.
- If You breach the following clauses We may temporarily or permanently disconnect Your services. We will always endeavour to warn You where a breach is inadvertent. Only where We suspect deliberate contravention, or where severe network abuse is involved, You may be cut off without notice.
1.1 The customer may not:
(a) Use, or permit use of any service for any purpose which contravenes the laws of the United Kingdom.
(b) Use, or permit use of any service for network abuse: the bulk sending of any kind of unsolicited network traffic, including but not limited to email, ICQ/AIM/MSN messages or newsgroup postings.
(c) Use any service for the hosting or promotion of any software or services designed for network abuse.
1.2 The customer is entirely responsible for any activity conducted on any service, and must take steps to ensure that anyone to whom access is granted will not breach this AUP in turn.
1.3 The customer agrees by subscribing to a service, that the customer will fully indemnify us against any claims for loss or damage by any third party in respect of activities conducted on any service under the customer’s control.
1.4 For Virtual Machines and Cloud servers: the customer acknowledges that their use of their service affects some other users, and must agree to terminate, at Bytemark’s request, any activities which we deem to be degrading to the service that Bytemark provides its other customers.
This section describes the standard level of service that We aspire to provide You with during the Contract.
- Core network
1.1 You can expect our core network to be available 100% of the time – that is to say that Our infrastructure will provide two-way traffic from any other properly-routed internet protocol (IP) address, to the IP addresses allocated to your hosting product(s).
1.2 We acknowledge that anything less than 100% is a lapse in the service level that you expect. On request we will credit 10% of the maximum monthly refund for every full 30-minute period that the network connectivity falls below this figure, accumulated during any consecutive 30-day period.
1.3 We exclude from this guarantee lapses in service where We cannot communicate with IP addresses from other organisations that are not properly routed at the time of the lapse; the following causes are some examples of where some global IP addresses will end up as “improperly-routed” and excluded from our guarantee:
(a) Another organisation misconfiguring its peering arrangements with Us, causing its IP addresses to become unrouteable as a result
(b) Failure or major changes in routing by a global “tier 1” transit provider, even where We are not direct customers of said provider
(c) Misconfiguration of a hosting product by the customer (as detailed below)
- Hosting products (general)
2.1 All our guarantees on hosting are conditional on the customer’s hosting product being properly configured and maintained. Specifically, this means that:
(a) We shall have a Technical Contact available, either the customer or another party nominated by the customer to make minor configuration changes at our request which may be necessary to facilitate smooth running of our network
(b) Your hosting product should not be “thrashing” (i.e. the system constantly using swap during normal operation)
(c) Your hosting product should be completely under your control, and not have been compromised by a third party
(d) Your hosting product should not be blocked from responding to ICMP pings over its network interface
2.2 If any problems arise with your hosting as a result of your hosting products not being maintained properly, We cannot guarantee any particular availability or performance.
2.3 We may also need to perform maintenance on your hosting which we consider essential to the ongoing reliability of our network or hosting platforms, which we will attempt to warn you about at least 7 days in advance. Such maintenance is excluded from any guarantees of uptime where the customer has been warned 7 days in advance.
- Hosting products (cloud servers)
These conditions are specific to hosting on our Cloud Server platform.
3.1 You can expect Your Cloud Servers to be available for 100% of the time – that is to say that once you start a virtual machine running, it won’t stop running due to hardware faults.
3.2 If there is a failure of a Cloud Server, providing the customer’s machine was “properly configured” at the time of a failure, We will refund 10% of hosting fees for every full hour that it is down or unreachable. We define “down or unreachable” as either the system not running at all or running slowly enough that a static web fetch of 5KB or less, or a one-line SSH banner return takes more than 20 seconds to return.
3.3 You can also expect that the Cloud Servers API will be available 100% of the time, that is to say you should be able to issue requests to create, delete or alter the specification of virtual machines at any time.
3.4 If there is a failure of the Cloud Servers API, we will credit 10% of your Cloud Server fees for every full hour that the service remains unavailable or returning server errors.
- Hosting products (virtual machine)
These conditions are specific to hosting on our Virtual Machine platform.
4.1 You can expect our virtual machine platform to be available for 100% of the time – that is to say that once running, it won’t stop running due to hardware faults.
4.2 However, we may occasionally need to perform maintenance that will involve stopping or moving customer’s data, which can incur 30-90 minutes of down time for each virtual machine. We will endeavour to warn customers of such outages up to 3 days in advance, but the customer must acknowledge that this is not always possible in the event of sudden hardware problems.
4.3 If there is a failure of the service, providing the customer’s VM was “properly configured” at the time of a failure, We will refund 10% of hosting fees for every full hour that it is down or unreachable. We define “down or unreachable” as either the system not running at all, or running slowly enough that a static web fetch of 5KB or less, or one-line SSH banner return takes more than 20 seconds to return.
- Hosting products (dedicated server)
These conditions apply to customers who rent a dedicated server from Us.
5.1 You can expect your dedicated host to be available for 100% of the time unless it has suffered a hardware failure. If your host suffers a hardware failure which brings down your hosting completely, you can expect Us to repair or replace the faulty part within 4 hours of your reporting it to us. If the hardware failure is not remedied within the stated times, we will credit on request 10% of your maximum monthly refund for every hour or part-hour that the host is not in a bootable state, up to a maximum of 100%.
Data Processing Amendment
1.1 This Data Processing Amendment reflects the parties’ agreement with respect to the terms governing the processing and security of Customer Data under General Terms and Conditions of Our Services (Applicable Agreement).
2.1 Capitalized terms used but not defined in this Data Processing Amendment have the meanings given elsewhere in the Applicable Agreement. In this Data Processing Amendment, unless stated otherwise:
Additional Products: products, services and applications that are not part of the Services.
Additional Security Controls: security resources, features, functionality and/or controls that Customer may use at its option and/or as it determines.
Affiliate: any entity controlling, controlled by, or under common control with a party, where “control” is defined as:
the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity;
the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or
the power to exercise a controlling influence over the management or policies of the entity.
Agreed Liability Cap: the maximum monetary or payment-based amount at which a party’s liability is capped under the Applicable Agreement.
Amendment Effective Date: as applicable:
25 May 2018, if Customer clicked to accept or the parties otherwise agreed to this Data Processing Amendment in respect of the Applicable Agreement prior to or on such date; or
the date on which Customer clicked to accept or the parties otherwise agreed to this Data Processing Amendment in respect of the Applicable Agreement, if such date is after 25 May 2018.
Audited Services: the Services.
Customer Data: data submitted, stored, sent or received via the Services by Customer, its Affiliates or end users.
Customer Personal Data: data contained within the Customer Data.
Data Incident: a breach of Bytemark Limited’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Bytemark Limited. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
Domain means the primary domain and any secondary domains managed together by Customer within a single instance of Admin System.
EEA: the European Economic Area.
European Data Protection Legislation: as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
Full Activation Date: (a) if this Data Processing Amendment is incorporated into the applicable Agreement by reference, the Amendment Effective Date; or (b) if the parties otherwise agreed to this Data Processing Amendment, the eighth day after the Amendment Effective Date.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Bytemark Limited’s Third Party Auditor: a Bytemark Limited-appointed, qualified and independent third party auditor, whose then-current identity Bytemark Limited will disclose to Customer.
ISO 27001 Certification means ISO/IEC 27001:2013 certification or a comparable certification, as related to the Audited Services.
Notification Email Address: the email address(es) designated by Customer in our Admin System or the Order Form to receive certain notifications from Bytemark Limited.
Security Documentation: all documents and information made available by Bytemark Limited under Section 7.4(a) (Reviews of Security Documentation).
Security Measures: the meaning given in Section 7.1(a) (Bytemark Limited’s Security Measures).
Services: the Services referred to in the Applicable Agreement.
Term: the period from the date of the Applicable Agreement until the end of Bytemark Limited’s provision of the Services under the Applicable Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Bytemark Limited may continue providing the Services for transitional purposes.
2.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this Data Processing Amendment have the meanings given in the GDPR.
- Duration of data processing amendment
3.1 This Data Processing Amendment will take effect on the Amendment Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Data by Bytemark Limited as described in this Data Processing Amendment.
3.2 Bytemark reserves the right to amend or change this Data Processing Amendment on giving You not less than 28 days’ notice in writing by email of such amendment or change and which You are hereby deemed to accept if You continue to use any Bytemark services after this period expires.
- Scope of data protection legislation
4.1 Application of European Legislation. The parties acknowledge and agree that the European Data Protection Legislation will apply to the processing of Customer Personal Data if, for example:
(a) the processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA; and/or
(b) the Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behaviour in the EEA.
4.2 Application of Non-European Legislation. The parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.
4.3 Application of Data Processing Amendment. Except to the extent this Data Processing Amendment states otherwise, the terms of this Data Processing Amendment will apply irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies to the processing of Customer Personal Data.
- Processing of data
5.1 Roles and Regulatory Compliance; Authorisation
5.2 Processor and Controller Responsibilities. If the European Data Protection Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:
5.3 the subject matter and details of the processing are described in Appendix 1;
5.4 Bytemark Limited is a processor, as applicable, of that Customer Personal Data under the European Data Protection Legislation; and
5.5 Customer is a controller or processor, as applicable, of that Customer Personal Data under the European Data Protection Legislation; and
(a) each party will comply with the obligations applicable to it under the European Data Protection Legislation with respect to the processing of that Customer Personal Data.
5.6 Authorisation by Third Party Controller. If the European Data Protection Legislation applies to the processing of Customer Personal Data and Customer is a processor, Customer warrants to Bytemark Limited that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Bytemark Limited as another processor, have been authorised by the relevant controller.
5.7 Scope of Processing
(a) Customer’s Instructions. By entering into this Data Processing Amendment, Customer instructs Bytemark Limited to process Customer Personal Data only in accordance with applicable law:
(i) to provide the Services and related technical support;
(ii) as further specified via Customer’s use of the Services (including the Admin System and other functionality of the Services) and related technical support;
(iii) as documented in the form of the Applicable Agreement, including this Data Processing Amendment; and
(iv) as further documented in any other written instructions given by Customer and acknowledged by Bytemark Limited as constituting instructions for purposes of this Data Processing Amendment.
(b) Bytemark Limited’s Compliance with Instructions. As from the Full Activation Date, Bytemark Limited will comply with the instructions described in Section 5.7(a) (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Bytemark Limited is subject requires other processing of Customer Personal Data by Bytemark Limited, in which case Bytemark Limited will inform Customer (unless that law prohibits Bytemark Limited from doing so on important grounds of public interest) via the Notification Email Address.
- Data deletion
6.1 Deletion During Term. Bytemark Limited will enable Customer to delete Customer Data during the applicable Term in a manner consistent with the functionality of the Services. If Customer or an End User uses the Services to delete any Customer Data during the applicable Term and the Customer Data cannot be recovered by Customer or an End User (such as from “trash”), this use will constitute an instruction to Bytemark Limited to delete the relevant Customer Data from Bytemark Limited’s systems in accordance with applicable law. Bytemark Limited will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage.
6.2 Deletion on Term Expiry. Subject to Section 6.3 (Deferred Deletion Instruction), on expiry of the applicable Term Customer instructs Bytemark Limited to delete all Customer Data (including existing copies) from Bytemark Limited’s systems in accordance with applicable law. Bytemark Limited will comply with this instruction as soon as reasonably practicable and within a maximum period of 180 days, unless EU or EU Member State law requires storage. Without prejudice to Section 9.1 (Access; Rectification; Restricted Processing; Portability), Customer acknowledges and agrees that Customer will be responsible for exporting, before the applicable Term expires, any Customer Data it wishes to retain afterwards.
6.3 Deferred Deletion Instruction. To the extent any Customer Data covered by the deletion instruction described in Section 6.2 (Deletion on Term Expiry) is also processed, when the applicable Term under Section 6.2 expires, in relation to an Agreement with a continuing Term, such deletion instruction will only take effect with respect to such Customer Data when the continuing Term expires. For clarity, this Data Processing Amendment will continue to apply to such Customer Data until its deletion by Bytemark Limited.
- Data security
7.1 Bytemark Limited’s Security Measures, Controls and Assistance
(a) Bytemark Limited’s Security Measures. Bytemark Limited will implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (Security Measures). The Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Bytemark Limited’s systems and services; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. Bytemark Limited may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
(b) Security Compliance by Bytemark Limited Staff. Bytemark Limited will take appropriate steps to ensure compliance with the Security Measures by its employees, and contractors to the extent applicable to their scope of performance, including ensuring that all persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Additional Security Controls. In addition to the Security Measures, Bytemark Limited will make additional Security Controls available to:
(i) allow Customer to take steps to secure Customer Data; and
(ii) provide Customer with information about securing, accessing and using Customer Data.
(d) Bytemark Limited’s Security Assistance. Customer agrees that Bytemark Limited will (taking into account the nature of the processing of Customer Personal Data and the information available to Bytemark Limited) assist Customer in ensuring compliance with any of Customer’s obligations in respect of security of personal data and personal data breaches, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by:
(i) implementing and maintaining the Security Measures in accordance with Section 7.1(a) (Bytemark Limited’s Security Measures);
(ii) making the Additional Security Controls available to Customer in accordance with Section 7.1(c) (Additional Security Controls);
(iii) complying with the terms of Section 7.2 (Data Incidents); and
(iv) providing Customer with the Security Documentation in accordance with Section 7.4(a) (Reviews of Security Documentation) and the information contained in the applicable Agreement including this Data Processing Amendment.
7.2 Data Incidents
(a) Incident Notification. If Bytemark Limited becomes aware of a Data Incident, Bytemark Limited will:
(i) notify Customer of the Data Incident promptly and without undue delay; and
(ii) promptly take reasonable steps to minimise harm and secure Customer Data.
(b) Details of Data Incident. Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Bytemark Limited recommends Customer take to address the Data Incident.
(c) Delivery of Notification. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Bytemark Limited’s discretion, by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid.
(d) No Assessment of Customer Data by Bytemark Limited. Bytemark Limited will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
(e) No Acknowledgement of Fault by Bytemark Limited. Bytemark Limited’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Bytemark Limited of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities and Assessment
(a) Customer’s Security Responsibilities. Customer agrees that, without prejudice to Bytemark Limited’s obligations under Section 7.1 (Bytemark Limited’s Security Measures, Controls and Assistance) and Section 7.2 (Data Incidents):
(i) Customer is solely responsible for its use of the Services, including:
(ii) making appropriate use of the Services and the Additional Security Controls to ensure a level of security appropriate to the risk in respect of the Customer Data;
(iii) securing the account authentication credentials, systems and devices Customer uses to access the Services, and
(iv) backing up its Customer Data; and
(v) Bytemark Limited has no obligation to protect Customer Data that Customer elects to store or transfer outside of Bytemark Limited’s system (for example, offline or on-premise storage), or to protect Customer Data by implementing or maintaining Additional Security Controls except to the extent Customer has opted to use them.
(b) Customer’s Security Assessment
(i) Customer is solely responsible for reviewing the Security Documentation and evaluating for itself whether the Services, the Security Measures, the Additional Security Controls and Bytemark Limited’s commitments under this Section 7 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the European Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable.
(ii) Customer acknowledges and agrees that (taking into account the state of the art, costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Bytemark Limited as set out in Section 7.1(a) (Bytemark Limited’s Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.
(c) Security Certifications and Reports.
(i) Bytemark Limited will, in order to evaluate and help ensure the continued effectiveness of the Security Measures, maintain the ISO 27001 Certification.
7.4 Reviews and Audits of Compliance
(a) Reviews of Security Documentation. In addition to the information contained in the applicable agreement including this Data Processing Amendment, Bytemark Limited will make available for review by Customer the certificates issued in relation to the ISO 27001 Certification to demonstrate compliance by Bytemark Limited with its obligations under this Data Processing Amendment.
(b) Customer’s Audit Rights
(i) If the European Data Protection Legislation applies to the processing of Customer Personal Data, Bytemark Limited will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Bytemark Limited’s compliance with its obligations under this Data Processing Amendment in accordance with Section 7.4(c) (Additional Business Terms for Reviews and Audits). Bytemark Limited will contribute to such audits as described in Section 7.3(c) (Security Certifications and Reports) and this Section 7.4 (Reviews and Audits of Compliance).
(ii) Customer may also conduct an audit to verify Bytemark Limited’s compliance with its obligations under this Data Processing Amendment by reviewing the Security Documentation (which reflects the outcome of audits conducted by Bytemark Limited’s Third Party Auditor).
(c) Additional Business Terms for Reviews and Audits
(i) Customer must send any requests for audits under Section 7.4(b)(i) to Bytemark Limited’s Data Protection Team as described in Section 12 (Data Protection Team).
(ii) Following receipt by Bytemark Limited of a request under Section 7.4(b)(i), Bytemark Limited and Customer will discuss and agree in advance on:
(A) the reasonable date(s) of and security and confidentiality controls applicable to any review of the documentation under Section 7.4(a); and
(B) the reasonable start date, scope and duration of and security and confidentiality controls applicable to any audit under Section 7.4(b)(i).
(iii) Bytemark Limited may charge a fee (based on Bytemark Limited’s reasonable costs) for any audit under Section 7.4(b)(i). Bytemark Limited will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such review or audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.
(iv) Bytemark Limited may object in writing to an auditor appointed by Customer to conduct any audit under Section 7.4(b)(i) if the auditor is, in Bytemark Limited’s reasonable opinion, not suitably qualified or independent, a competitor of Bytemark Limited, or otherwise manifestly unsuitable. Any such objection by Bytemark Limited will require Customer to appoint another auditor or conduct the audit itself.
- Impact assessments and consultations
8.1 Customer agrees that Bytemark Limited will (taking into account the nature of the processing and the information available to Bytemark Limited) assist Customer in ensuring compliance with any obligations of Customer in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of GDPR, by:
(a) Providing the Additional Security Controls in accordance with Section 7.1(c) (Additional Security Controls) and the Security Documentation in accordance with Section 7.4(a) (Reviews of Security Documentation), and
(b) Providing the information contained in the Applicable Agreement including this Data Processing Amendment.
- Data subject rights; data export
9.1 Access; Rectification; Restricted Processing; Portability. During the applicable Term, Bytemark Limited will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by Bytemark Limited as described in Section 6.1 (Deletion During Term), and to export Customer Data.
9.2 Data Subject Requests
(a) Customer’s Responsibility for Request. During the applicable Term, if Bytemark Limited receives any request from a data subject in relation to Customer Personal Data, Bytemark Limited will advise the data subject to submit his/her request to Customer, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
(b) Bytemark Limited’s Subject Request Assistance. Customer agrees that (taking into account the nature of the processing of Customer Personal Data) Bytemark Limited will assist Customer in fulfilling any obligation to respond to requests by data subjects, including if applicable Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, by:
(i) providing the Additional Security Controls in accordance with Section 7.1(c) (Additional Security Controls); and
(ii) complying with the commitments set out in Section 9.1 (Access; Rectification; Restricted Processing; Portability) and Section 9.2(a) (Customer’s Responsibility for Requests).
- Data transfers
10.1 Data Storage and Processing Facilities Centre Information. Information about the locations of Bytemark Limited’s data centres is available at: www.bytemark.co.uk (as may be updated by Bytemark Limited from time to time). Bytemark will not transfer customer data out of the EEA.
11.1 Consent to Sub-processor Engagement. Customer specifically authorises the engagement of Bytemark Limited’s Affiliates as Sub-processors. In addition, Customer generally authorises the engagement of any other third parties as Sub-processors (“Third Party Sub-processors”).
11.2 Information about Sub-processors. Information about Sub-processors, including their functions and locations, is available at www.bytemark.co.uk (as may be updated by Bytemark Limited from time to time in accordance with this Data Processing Amendment).
11.3 Requirements for Sub-processor Engagement. When engaging any Sub-processor, Bytemark Limited will:
(a) ensure via a written contract that:
(i) the Sub-processor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Applicable Agreement (including this Data Processing Amendment); and
(ii) if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this Data Processing Amendment, are imposed on the Sub-processor; and
(iii) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
11.4 Opportunity to Object to Sub-processor Changes
(a) When any new Third Party Sub-processor is engaged during the applicable Term, Bytemark Limited will, at least 30 days before the new Third Party Sub-processor processes any Customer Data, inform Customer of the engagement (including the name and location of the relevant Sub-processor and the activities it will perform) either by sending an email to the Notification Email Address or via the Admin Console.
(b) Customer may object to any new Third Party Sub-processor by terminating the Applicable Agreement immediately upon written notice to Bytemark Limited, on condition that Customer provides such notice within 20 days of being informed of the engagement of the Sub-processor as described in Section 11.3(a)(i). This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third Party Sub-processor.
- Data protection team
12.1 Bytemark Limited’s Data Protection Team. Bytemark Limited’s Data Protection Team can be contacted by Customer at www.bytemark.co.uk (while Administrators are signed in to their Admin Account) and/or by Customer by providing a notice to Bytemark Limited as described in the Applicable Agreement.
12.2 Bytemark Limited’s Processing Records. Customer acknowledges that Bytemark Limited is required under the GDPR to:
(a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Bytemark Limited is acting and, where applicable, of such processor’s or controller’s local representative and data protection officer; and
(b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to Bytemark Limited via the Admin System or other means provided by Bytemark Limited, and will use the Admin System or such means to ensure that all information provided is kept accurate and up-to-date.
- Third party beneficiary
13.1 Notwithstanding anything to the contrary in the Applicable Agreement, where Bytemark Limited is not a party to such agreement, Bytemark Limited will be a third party beneficiary of Section 7.4 (Reviews and Audits of Compliance) and Section 11.1 (Consent to Sub-processor Engagement) of this Data Processing Amendment.
- Effect of amendment
14.1 To the extent of any conflict or inconsistency between the terms of this Data Processing Amendment and the remainder of the Applicable Agreement, the terms of this Data Processing Amendment will govern. Subject to the amendments in this Data Processing Amendment, such Agreement remains in full force and effect. For clarity, if Customer has entered more than one Agreement, this Data Processing Amendment will amend each of the Agreements separately.
- Subject Matter
1.1 Bytemark Limited’s provision of the Services to Customer.
- Duration of the Processing
2.1 The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by Bytemark Limited in accordance with the Data Processing Amendment.
- Nature and Purpose of the Processing
3.1 Bytemark Limited will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Amendment.
- Categories of Data
4.1 Personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may include the following categories of data: user IDs, email, documents, presentation, images, calendar entries, tasks and other data.
- Data Subjects
5.1 Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users.
- Data Centre and Network Security
1.1 Data Centres
(a) Infrastructure. We maintain and operate services from both Our own data centre and geographically distributed third party data centres.
(b) Redundancy. Infrastructure systems have been designed to remove single points of failure. This redundancy is provided by using dual or additional network, power, cooling or other systems. The systems are designed to be maintainable while providing service without interruption. All critical infrastructure systems have documented preventative maintenance schedules, according to manufacturer’s specifications and our own requirements.
(c) Power. The electrical power to the data centre is designed to be redundant and maintainable while providing power to the data centre IT load 24 hours a day 365 days a year. Depending on the level of criticality of the particular IT load, the power may be provided with either routing resiliency, or a completely separate feed. In all cases the power will be provided by an uninterruptible power supply system with a minimum resilience of N+1. The UPS systems provide clean, in-profile power guaranteed against total loss of power, or power out of voltage or frequency profile. In the event of power loss, the UPS system will power the full load of the data centre for a minimum of 10 minutes while the diesel generator system takes over. The generator system is capable of providing power to the data centre at full capacity for periods of days.
(d) Fire suppression. We maintain automatic fire suppression and detection systems including very early smoke detection in Our data centres.
1.2 Network and Transmission
(a) Connections between data centres are typically made using high speed private interconnects. We ensure that a Customer Data Centre will have a minimum of two geographically diverse interconnections to other data centres that We operate from.
1.3 Site Controls
(a) Data centre security. Our data centre is secured by an access control system on all doors into and out of the building. It is monitored or manned twenty-four hours a day, with internal and external CCTV systems. Inside the data centre all cabinets and aisles are locked with a distinguished key system to further discriminate access.
(b) Physical access procedures. We maintain formal access control procedures for granting physical access to the data centre. Any visitors, contractors or customers will have photo identification checked as part of the sign-in process. Only authorised employees, contractors, customers or visitors are allowed entry, with no visitors being unaccompanied by staff. All non-staff access rights are granted on a per-visit basis.
1.4 Third Party Data Centres
(a) Where We locate equipment that holds customer data (Customer Data Centre), We ensure that it, at least, meets the standards above for Redundancy and Power, Network and Site controls.
- Information Security, Access Control and Incident Response
2.1 Information Security
(a) We operate an information security management system (ISMS) in accordance with, and certified to, the ISO27001:2013 standard. We maintain an information security policy for all Our staff.
(b) All staff are trained on information security, Our ISMS and relevant security policies.
2.2 Access Control
(a) We have and maintain an access control policy ensuring that We maintain control of all access to Our information systems, assets and physical premises and ensure that access rights are appropriate and are granted on a need to know/have basis.
(b) Access to internal systems. Access to systems is on a need to have basis, based on a staff member’s team or role. We maintain a system that allows the setting of access controls on a group basis, granting and revoking privileged access to internal systems on a centralised basis. Access is controlled at the network, system and application layers; where possible and applicable, two factor authentication is used.
(c) Customer facing systems.
(i) Access to the administrative front end of Our automated hosting services (Bytemark Cloud) is restricted by username and password with optional two factor authentication. Once logged in, access is only granted to that customer’s services.
(ii) Other administrative access to customers’ accounts is restricted by manual verification according to our Customer verification procedures.
(d) Customer’s own systems.
(i) Where a server management service is not ordered by the Customer, We do not and cannot control access to a customer’s own system; it is the customer’s responsibility to restrict access according to their data protection needs.
(ii) In the case where We provide a server management service We control access on the same automated need to have basis as We do for internal systems.
2.3 Incident Handling
(a) We have and maintain an incident management plan, major incident plan and business continuity plan. Any urgent security incidents are handled promptly, with all incidents and vulnerabilities reviewed at regular intervals.
3.1 Cloud Services
(a) Data storage and isolation. We store data on multi-tenanted servers. We logically isolate the stored data, in-memory data and processing from other customers, and one customer does not have access to another customer’s data. We use hardware assisted processor virtualisation to isolate processing and memory between customers. Stored data is isolated and only exposed to the cloud server configured by the customer.
3.2 Dedicated Servers
(a) We retain ownership of the physical customer server but do not maintain any access or logins to servers unless You have ordered a service or product from us that requires us to access your server.
- Decommissioned Disks
4.1 Where any storage devices are removed from servers, either as a result of failure or decommissioning, they are stored securely in the data centre, until they can be processed. Where appropriate, drives are securely erased and re-used, and where an erase fails or the drives are otherwise unsuitable for re-use, they are securely shredded on site.
- Staff Security
5.1 Our staff are required to act in accordance with company information security policies, and confidentiality clauses in employment contracts. Prior to employment, criminal records and other relevant and appropriate checks are carried out.
Bytemark do not, and cannot, monitor the content of all our customers’ sites. If you wish to have a libellous statement removed from one of our customers’ sites, we must have the following information for each libellous statement:
- the full URL where the content is hosted
- (where the content at the URL is longer than one paragraph) a quotation of the statement in question
- a reason as to why the content is libellous.
Without this information, we will not consider ourselves sufficiently informed of a libellous statement, as we will not track them down on behalf of a third party.
Our remedies for libellous statements will only extend to removal or alteration of the libellous statement in question. We will categorically not entertain demands to:
- remove an entire page, except where its contents entirely consist of a libellous statement, or statements
- block a customer’s server or terminate a contract with a customer.
It is also our policy to work with our customers in the first instance, and to give them 72 hours from notification to alter their site(s) on receipt of a complaint about a libellous statement.
To notify Bytemark of a libellous statement please email firstname.lastname@example.org. Reports not containing the information we require will be rejected.
This information is for customers purchasing .uk domains through Bytemark.
- Please note that all .uk domains are purchased subject to Nominet’s terms and conditions.
- .uk domains are currently charged at £14.25 per 2 years registration.
- You will receive an email reminding you to renew your domain 5 days before it is due to expire. Alternatively you may use our control panel to set your domain to automatically renew, which will happen 30 days before the domain’s expiry date.
- Renewals can be actioned through our support team or through auto-renewal. Renewals are charged at the same rate as registrations.
There are no charges for transferring domain names to a new registrar; you can do this via our control panel. Changing the tag puts the tag outside of Bytemark’s control and ends your domain management contract with us.