other-ref-terms-and-conditions.md

title	description	services	author	reviewer	lastreviewed	toc_rootlink	toc_sub1	toc_sub2	toc_sub3	toc_sub4	toc_title	toc_fullpath	toc_mdlink
UKCloud Terms & Conditions for G-Cloud 11 | UKCloud Ltd	Provides an overview of what is provided by the UKCloud for Microsoft Azure service	azure-stack	Sue Highmoor	Nicky Stewart	09/05/2019	Reference					UKCloud Terms & Conditions for G-Cloud 11	Reference/other-ref-terms-and-conditions.md	other-ref-terms-and-conditions.md

UKCloud Terms & Conditions for G-Cloud 11

This Agreement and any documents referred to in it (this “Agreement“) contains the terms and conditions that govern Your access to and use of the Services (as defined below) and is an agreement between UKCloud Ltd (company number: 07619797) whose registered office is at Hartham Park, Hartham, Corsham, Wiltshire, SN13 0RP, England ("UKCloud", “We,” “Us,” and “Our”) and You or the entity You represent (“You“ and "Your").

1. Definitions and Interpretation

1.1 The definitions and rules of interpretation in this clause apply in this Agreement:

“Authorised Users" mean Your employees, agents and independent contractors who You authorise to use the Services.

“Call Off Contract” means the G-Cloud 11 Call Off Contract and Order Form, following the provisions of the G-Cloud 11 Framework Agreement, incorporating this Agreement, the applicable Service Definitions, the Systems Interconnect Security Policy and any other referred document.

“Content” means software (including third party software), data, documents, text, video, audio or other content.

“Digital Marketplace” means the UK government maintained online catalogue of G-Cloud services.

“G-Cloud 11 Framework Agreement” means the clauses of framework agreement RM1557.11, together with the framework schedules under which We are authorised to provide certain cloud services.

"Order Form" has the meaning given in Schedule 3 of the G-Cloud 11 Call Off Contract “Glossary and Interpretations”.

"Parties" means You and Us collectively, each being a "Party".

“Service Credits" means the sums attributable to Our failure to deliver any part of the Services in accordance with the service levels, as specified in the applicable Service Definition.

"Service Definitions" means the documents setting out the descriptions of the applicable Services, any terms and conditions specific to such Services, and the applicable service levels offered in respect of such services, as available in the Digital Marketplace and incorporated into the applicable Call Off Contract.

“Services” or “Service” means the services ordered by You as set out in the Order Form, the Digital Marketplace, and the applicable Service Definitions.

“Systems Interconnect Security Policy” is the formal top level security document that identifies which aspects of security are within the remit of Our security officer, and which aspects of security are within the remit of Your security officer.

“Third Party Content” means Content made available to You by any third party in conjunction with the Services.

“UKCloud Content” means any Content We (or Our sub-contractors) make available to You in connection with the Services.

“Virus" means anything or devices (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); steal or redirect data in bad faith or attempt to do the same; or adversely affect the User experience, including worms, malware, ransomware, Trojan Horses, viruses and other similar things or devices.

“Your Content” means Content that You or any Authorised User run on, cause to interface with, or upload to, the Services, under Your account.

2. Use of the Services

2.1 We grant You a non-exclusive, non-sub-licensable, non-transferrable, revocable license during the term of this Agreement to:

(a) Access and use the Services You've ordered solely in accordance with this Agreement; and

(b) Copy and use the UKCloud Content solely to the extent reasonably required for Your permitted use of the Services.

2.2 You may access and use the Services You have ordered in accordance with this Agreement, and We will provide such Services in accordance with the applicable Service Definitions.

2.3 We will obtain sufficient rights to third party software to perform the Services, and grant You a nonexclusive, revocable license to use third party software included in the Services solely to the extent necessary to receive and use the Services during the term of the agreement.

2.4 The Services shall be supplied in conformity with the Service Definitions and entries set out in the Digital Marketplace.

2.5 You will be responsible for any third-party licences and licence costs which are not included in the relevant Service Definition.

2.6 Additional ad-hoc and irregular services may be agreed between the Parties. If required these services will be provided by Us according to the terms of this Agreement.

2.7 You will comply with all laws, rules, and regulations applicable to Your use of the Services, including those specified in the Service Definitions and in the Systems Interconnect Security Policy.

3. Your Content and Data

3.1 For the purposes of this clause 3, the terms "data controller", "data processor", "personal data", and "processing" shall have the meanings given in the Data Protection Act 2018 ("DPA"). References to Your personal data include the personal data of the Authorised Users.

3.2 You shall own all rights, title and interest in and to all of Your Content and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of Your Content.

3.3 We shall not be responsible for backing up Your Content unless this is either a feature included as part of the Service or where it is not, You have explicitly identified this as a requirement either via the Order Form or by raising a support ticket with Us and this having been accepted. Where backup is chosen, We shall follow Our backup procedures for Your Content as set out in such Service Definition.

3.4 Where We process any personal data on Your behalf when performing Our obligations under this Agreement, You shall be the data controller and We shall be a data processor and:

(a) You shall ensure that You are entitled to transfer the relevant personal data to Us so that We may lawfully use, process and transfer such personal data in accordance with this Agreement on Your behalf;

(b) You shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;

(c) We shall process the personal data only in accordance with the terms of this Agreement, the DPA, any lawful instructions given by You from time to time, and in accordance with the terms of the G-Cloud 11 Framework Agreement and Call Off Contract.

3.5 We may collect, store and use Your personal data for the following purposes:

(a) To provide You with Services that You request and to fulfil Our contractual obligations to You; and

(b) To provide information about Our Services.

4. Authorised Users

4.1 In relation to the Authorised Users, You undertake that:

(a) Each Authorised User shall keep a strong and secure password for her or his use of the Services, which shall be kept confidential.

(b) You shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and comply with the UKCloud Systems Interconnect Security Policy. In the event of any such unauthorised access or use, You shall promptly notify Us by email to security@ukcloud.com

(c) You are responsible for all activities that occur under Your account, regardless of whether the activities are undertaken by You, Your employees or a third party (including Your contractors or agents) and, except to the extent caused by Our breach of this Agreement, We are not responsible for unauthorised access to Your account. You will ensure that all Authorised Users comply with Your obligations under this Agreement. If You become aware of any violation of Your obligations under this Agreement by an Authorised User, You will immediately terminate such Authorised User’s access to the Services.

5. Your Obligations

5.1 You shall:

(a) Not access, store, distribute or transmit any Viruses, or any material during the course of Your use of the Services that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence; or is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activity, and We reserve the right, without liability to You, to disable Your access to any material that breaches the provisions of this clause.

(b) Not access all or any part of the Services in order to build a product or service which competes with the Services (or any part of them) or attempt to obtain, or assist third parties in obtaining, access to the Services, other than as provided under this Agreement.

(c) Comply with Your responsibilities as set at Appendix B, section 6, and if applicable, Appendix C, section 8 of this Agreement (“Your Responsibilities”).

(d) Provide Us with all necessary co-operation in relation to this Agreement and all necessary access to such information as We may require in order to render the Services, including but not limited to, security access information and configuration services.

(e) Be solely responsible for procuring and maintaining Your network connections and telecommunications links from Your systems to Our data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to Your network connections or telecommunications links or caused by the internet.

6. Payment

6.1 You will pay Us the applicable fees and charges for use of the Services as described in the applicable Service Definition. All fees and charges shall be payable in pounds sterling, are non-cancellable and non-refundable, and are exclusive of value added tax.

6.2 We calculate and bill Our fees for the Services on a monthly basis (as agreed pursuant to an Order Form), unless otherwise described in the applicable Service Definition, and You will pay Our invoices for such fees within 30 days after the date of such invoices. We may also require payment on different terms for ad hoc services or irregular purchases, in which case We shall inform You prior to Your agreeing to receive these services or purchases.

6.3 Interest shall be payable on the late payment of any undisputed sums of money properly invoiced in accordance with the Late Payment of Commercial Debts (Interest) Act 1998 (as amended from time to time), at the date the relevant invoice was issued, commencing on the due date and continuing until fully paid, whether before or after judgment.

6.4 All sums payable to Us under this agreement will become due immediately upon termination of the Agreement.

7. Suspension

7.1 We may suspend Your or any Authorised User’s right to access or use all or any part of the Services immediately upon notice to You if We determine that:

(a) You are late in making any undisputed payments hereunder by more than the notice period stipulated in the Order Form; or

(b) Your or an Authorised User’s use of the Services:

(i) Creates a security risk to the Services or any third party; or

(ii) May adversely impact the Services or the systems or Content of any other of Our customers.

7.2 If We suspend Your right to use or access all or part of the Services:

(c) You remain responsible for any applicable fees and charges for any Services to which You continue to have access, as Well as applicable data storage fees and charges, and fees and charges for in-process tasks completed after the date of suspension;

(d) You will not be entitled to any Service Credits under the Service Definitions for any period of suspension.

8. Term and Termination

8.1 This Agreement will commence in accordance with the Commencement date of the Call Off Contract (the "Effective Date"), and shall remain in force for the term of the Call Off Contract until terminated by You or Us in accordance with this clause.

8.2 You may terminate this Agreement for convenience by providing Us with written advance notice as set out in the applicable Order Form.

8.3 On termination of this Agreement for any reason:

(a) All rights granted to You under this Agreement shall immediately terminate;

(b) You will immediately return or (at Our request) destroy all UKCloud Content in Your possession;

(c) You are responsible for removing all Content by 23:59:59 on the date of termination. If Content is not removed by this time We reserve the right to charge for any Content not removed, or for retrieving and returning your content, and We may destroy or otherwise securely dispose of any of Your Content in Our possession.

(d) The accrued rights of the Parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, including without limitation clauses 1 (Definitions), 3 (Your Content and Data), 6 (Payment), 8 (Term and Termination), 9 (Intellectual Property Rights), and 10 (Indemnity) shall not be affected or prejudiced.

9. Intellectual Property Rights

9.1 As between You and Us, You own all right, title, and interest in and to Your Content. Save as expressly provided in this Agreement, We shall obtain no rights from You or Your licensors to Your Content. You hereby consent to Us and Our sub-contractors Using Your Content to provide the Services.

9.2 You represent and warrant to Us that You or Your licensors own all right, title, and interest in and to Your Content, and that You have all rights in Your Content necessary to grant the rights contemplated by this Agreement.

9.3 You acknowledge and agree that We and/or Our licensors own all intellectual property rights in the Services. Except as expressly stated herein, this Agreement does not grant You any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Services.

9.4 You shall not, except as may be allowed by any applicable law which is incapable of exclusion by agreement between the Parties, and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Our Content, or attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of Our Content.

10. Indemnities

10.1 You shall, at all times during and after the term of this Agreement, indemnify Us and keep Us indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by Us arising from or in connection with:

(a) Your breach of this Agreement or violation of applicable law by You or any Authorised User;

(b) Your or any Authorised Users’ use of the Services (including any activities under Your UKCloud account and use by Your personnel); or

(c) Your Content or the combination of Your Content with other applications or content, including any claim involving alleged infringement of third-party rights by Your Content or use thereof.

10.2 We shall notify You of any such third-party claim, allow You to conduct all negotiations and proceedings and provide You with such reasonable assistance as is required by You (at Your cost), and not, without prior consultation with You, make any admission relating to such claim or attempt to settle it, provided that You consider and defend the claim diligently, using competent counsel and in such a way as not to bring Our reputation into disrepute.

Appendix A – Free Trial Agreement

[these clauses are to be used only for the purposes of free trials of the Services. These clauses do not apply to any free trial of third party software services provided by Us. The terms of any applicable free trials for third party software can be found here https://docs.ukcloud.com/articles/third-party/third-ref-free-trials.html. Free trials of our Microsoft Azure services are subject to the terms set out at Appendix E of this Agreement.]

UKCloud Customer Agreement for Free Trial of UKCloud Services

This UKCloud Customer Agreement and any documents referred to in it (this “Agreement“) contains the terms and conditions that govern Your access to and use of the Services (as defined below) and is an agreement between UKCloud Ltd (company number: 07619797) whose registered office is at Hartham Park, Hartham, Corsham, Wiltshire, SN13 0RP, England ("UKCloud ", “We,” “Us,” and “Our”) and You or the entity You represent (“You“ and "Your").

1. Definitions and Interpretation

1.1 The definitions and rules of interpretation in this clause apply in this Agreement.

“Authorised Users" mean Your employees, agents and independent contractors who You authorise to use the Services.

“Content” means software, data, documents, text, video, audio or other content.

“Digital Marketplace” means the UK government maintained online catalogue of G-Cloud services.

“Free Trial” means Your ability to access Our Services from the date that the free trial is set up, for a fixed duration and value, as described on the applicable Service Definition.

"Parties" means You and Us collectively, each being a "Party".

"Service Definitions" means the documents setting out the descriptions of the applicable Services, any terms and conditions specific to such Services, and the applicable service levels offered in respect of such services, as set out in the Digital Marketplace.

“Services” or “Service” means the services ordered by You as set out in the Order Form, the Digital Marketplace, and the applicable Service Definitions.

“Systems Interconnect Security Policy” is the formal top level security document that identifies which aspects of security are within the remit of Our security officer, and which aspects of security are within the remit of Your security officer.

“Trial Credits” mean the fixed value of the Free Trial to the equivalent of £500 of Service consumption, priced in the applicable Service Definition, unless the value of the Trial Credit is stated differently in Our Free Trials Service Scope which can be found here https://docs.ukcloud.com/articles/other/other-sco-free-trials.html?q=free%20trial

“Virus" means anything or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); steal or redirect data in bad faith or attempt to do the same; or adversely affect the User experience, including worms, malware, Trojan Horses, viruses and other similar things or devices.

“Your Content” means Content that You or any Authorised User run on, cause to interface with, or upload to, the Services, under Your account.

2. Use of the Services

2.1 We grant You a non-exclusive, non-transferrable, revocable licence during the term of this Agreement to:

(a) Access and use the Services You've ordered solely in accordance with this Agreement; and

(b) Copy and use Our Content solely to the extent reasonably required for Your permitted use of the Services.

2.2 Free Trials are available to Our new and existing customers, and will be limited to products that You have not already purchased from Us, unless You are testing a significantly different use-case or, if You are a partner, testing a solution for a different customer.

2.3 You may participate in the Free Trial for the duration described in the Service Definition from the date that Service is made available to You by Us. The Free Trial will terminate when the duration of the Free Trial is ended, or the Trial Credits are consumed, whichever is the soonest. Unused consumption of either the Trial Credits or the term of the Free Trial cannot be rolled forward to any other agreement, without Our express agreement.

2.4 Service Credits do not apply to Free Trials, and any issues will be communicated by Us to You using reasonable endeavours.

2.5 You will be responsible for any Third Party Licence costs which are not included in the applicable Service Definition.

2.6 You will comply with all laws, rules, and regulations applicable to Your use of the Services, including those specified in the Service Definitions and in the Systems Interconnect Security Policy.

3. Your Content and Data

3.1 For the purposes of this clause 3, the terms "data controller", "data processor", "personal data", and "processing" shall have the meanings given in the Data Protection Act 2018 ("DPA"). References to Your personal data include the personal data of the Authorised Users.

3.2 You shall own all rights, title and interest in and to all of Your Content and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of Your Content.

3.3 We shall not be responsible for backing up Your Content unless this is either a feature included as part of the Service or where it is not, You have explicitly identified this as a requirement and this having been accepted. Where backup is chosen, We shall follow Our backup procedures for Your Content as set out in such Service Definition.

3.4 Where We process any personal data on Your behalf when performing Our obligations under this Agreement, You shall be the data controller and We shall be a data processor and:

(a) You shall ensure that You are entitled to transfer the relevant personal data to Us so that We may lawfully use, process and transfer such personal data in accordance with this Agreement on Your behalf;

(b) You shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;

(c) We shall process the personal data only in accordance with the terms of this Agreement, the DPA, and any lawful instructions given by You from time to time.

3.5 We may collect, store and use Your personal data for the following purposes:

(a) To provide You with Services that You request and to fulfil Our contractual obligations to You; and

(b) To provide information about Our Services.

4. Authorised Users

4.1 In relation to the Authorised Users, You undertake that each Authorised User shall keep a strong and secure password for their use of the Services, which shall be kept confidential.

4.2 You shall use all reasonable endeavours to prevent any unauthorised access to, or use of, the Services and, in the event of any such unauthorised access or use, promptly notify Us by email to security@ukcloud.com.

4.3 You are responsible for all activities that occur under Your account, regardless of whether the activities are undertaken by You, Your employees or a third party (including Your contractors or agents) and, except to the extent caused by Our breach of this Agreement, We are not responsible for unauthorised access to Your account.

5. Your Obligations

5.1 You shall:

(a) Not access, store, distribute or transmit any Viruses, or any material during the course of Your use of the Services that is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence; or is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activity, and We reserve the right, without liability to You, to disable Your access to any material that breaches the provisions of this clause;

(b) Not access all or any part of the Services in order to build a product or service which competes with the Services (or any part of them) or attempt to obtain, or assist third parties in obtaining, access to the Services, other than as provided under this Agreement;

(c) Comply with Your responsibilities as set out within Appendix B, section 6 of this Agreement (“Your Responsibilities”);

(d) Provide Us with all necessary co-operation in relation to this Agreement and all necessary access to such information as We may require in order to render the Services, including but not limited to, security access information and configuration services;

(e) Be solely responsible for procuring and maintaining Your network connections and telecommunications links from Your systems to Our data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to Your network connections or telecommunications links or caused by the internet.

6. Term

6.1 This Agreement will commence when the Free Trial has been made available to You by Us, and shall remain in force for the duration described in the Service Definition.

6.2 This agreement will automatically terminate when set duration of the Free Trial expires, or when the Trial Credits have been consumed, whichever is the soonest.

6.3 Your trial service will be terminated unless You choose to enter into a further agreement with UKCloud, which will be subject to charges as described in the applicable Service Definition and be governed by Our standard terms and conditions.

7. Suspension

7.1 We may suspend Your or any Authorised User’s right to access or use all or any part of the Services immediately upon notice to You if We determine that:

(a) Your or an Authorised User’s use of the Services creates a security risk to the Services or any third party; or

(b) May adversely impact the Services or the systems or Content of any other of Our customers.

8. Intellectual Property Rights

8.1 As between You and Us, You own all right, title, and interest in and to Your Content. Save as expressly provided in this Agreement, We shall obtain no rights from You or Your licensors to Your Content. You hereby consent to Us and Our sub-contractors Using Your Content to provide the Services.

8.2 You represent and warrant to Us that You or Your licensors own all right, title, and interest in and to Your Content, and that You have all rights in Your Content necessary to grant the rights contemplated by this Agreement.

8.3 You acknowledge and agree that We and/or Our licensors own all intellectual property rights in the Services. Except as expressly stated herein, this Agreement does not grant You any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of the Services.

8.4 You shall not, except as may be allowed by any applicable law which is incapable of exclusion by agreement between the Parties, and except to the extent expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the UKCloud Content, or attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the UKCloud Content.

9. Indemnities

9.1 You shall, at all times during and after the term of this Agreement, indemnify Us and keep Us indemnified against all losses, damages, costs or expenses and other liabilities (including legal fees) incurred by, awarded against or agreed to be paid by Us arising from or in connection with:

(a) Your breach of this Agreement or violation of applicable law by You or any Authorised User;

(b) Your or any Authorised Users’ use of the Services (including any activities under Your UKCloud account and use by Your personnel); or

(c) Your Content or the combination of Your Content with other applications or content, including any claim involving alleged infringement of third-party rights by Your Content or use thereof.

9.2 We shall notify You of any such third-party claim, allow You to conduct all negotiations and proceedings and provide You with such reasonable assistance as is required by You (at Your cost), and not, without prior consultation with You, make any admission relating to such claim or attempt to settle it, provided that You consider and defend the claim diligently, using competent counsel and in such a way as not to bring Our reputation into disrepute.

10. Limitation of Liability

10.1 The following provisions set out Our entire financial liability (including any liability for the acts or omissions of Our employees, agents, sub-contractors and licensors) to You in respect of:

(a) Any breach of this Agreement howsoever arising;

(b) Any use made by You of the Services or any part of them; and

(c) Any representation, misrepresentation (whether innocent or negligent), statement or tortious act or omission (including negligence) arising under or in connection with this Agreement.

10.2 All warranties, conditions and other terms implied by statute or common law are, to the fullest extent permitted by law, excluded from this Agreement.

10.3 Nothing in this Agreement excludes Our liability for:

(a) Death or personal injury caused by Our negligence; or

(b) Fraud or fraudulent misrepresentation; or

(c) Any other act or omission, liability for which may not be limited under applicable law.

10.4 Subject to clause 10.5, We shall not in any circumstances be liable, whether in tort (including for negligence or breach of statutory duty howsoever arising), contract, misrepresentation (whether innocent or negligent) or otherwise for:

(a) Loss of profits of business; or

(b) Depletion of goodwill or similar losses; or

(c) Loss of anticipated savings; or

(d) Any special, indirect, consequential or pure economic loss, costs, damages, charges or expenses.

10.5 Subject to clause 10.1, Our total liability in contract, tort (including negligence or breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this Agreement shall be limited £1000 under this Agreement for the Service which gave rise to the claim during the term of this Agreement.

11. Confidentiality

11.1 You shall keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and have been disclosed to You by Us or Our agents, and any other confidential information concerning Our business or Our products and services which You may obtain.

12. General

12.1 This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by and construed in accordance with the laws of England.

Appendix B – Using Our Multi-Tenanted Services

Unless otherwise specified in the applicable Service Definition, this Appendix describes how our Services will be used:

1. Onboarding

1.1 Both Parties will complete a profile which details the roles and responsibilities expected of both parties. We will then deploy and configure basic managed VMs from a standard build template to which You can then upload or migrate applications.

1.2 A number of videos, help guides, manuals and FAQs are available to help train and instruct users so that they are up and running quickly and easily. These are available within the Knowledge Centre, accessed via Our portal.

1.3 You will be assigned a Customer Success Manager (CSM) to provide any assistance required during the first 90 days of the service.

2. Data Migration

2.1 In many circumstances, We can help facilitate a bulk migration to the platform using local data import. This is priced on a time-and-materials basis from Our SFIA rate card.

2.2 We can also help facilitate a bulk migration to the platform using offline data ingest and extraction — please ask Us for details.

3. Service Management

3.1 A comprehensive secure online portal will provide the most common service management functionality and address most requirements.

3.2 We will allocate a Technical Account Manager (TAM) to provide You with an assigned point of contact. The TAM will provide additional assistance with reporting and incident escalation, at all times following Our ISO 20000-certified ITIL-based process framework.

3.3 For organisations that require a managed service, We have a mature and active partner ecosystem that can provide value-added services such as consultancy and ongoing custom managed services. We will make an introduction on request.

4. Service Constraints

4.1 We will adhere to the following in terms of maintenance windows:

• “Planned Maintenance” means any pre-planned disruptive maintenance to any of the infrastructure relating to the service. Planned Maintenance activity may result in periods of degradation or loss of availability depending on the nature of the activity required. In such cases, We shall provide affected customers with at least fourteen (14) days' advance notice of the Planned Maintenance.

  • If during Planned Maintenance there is a loss of availability outside the scope described in the planned maintenance notification to the Service, an SLA event will be triggered.

• “Emergency Maintenance” means any urgent maintenance required to prevent or mitigate against any event compromising the infrastructure relating to the Service. Whenever possible, UKCloud shall: a) provide affected customers with at least six (6) hours’ advance notice and b) carry out the emergency maintenance between the hours of 00:00 and 06:00 (UK local time) Monday to Friday or between the hours of Saturday 00:00 to 06:00 (UK local time) on Monday, (including bank holidays) unless there is an identified and demonstrable immediate risk to customer environment(s). Emergency Maintenance may result in periods of degradation or loss of availability depending on the nature of the activity required.

  • If during Emergency Maintenance there is a loss of availability to the Service, an SLA event will be triggered. This time will be excluded from the availability calculation but will be included in monthly reporting related to the Service.

5. Technical Requirements

5.1 You will require appropriate network connectivity such as DDoS-protected internet access or accredited connectivity such as a government secure network to our cloud platforms. Connectivity via the DDoS-protected internet, a government secure network (PSN, Janet or HSCN) or private leased line is available but may incur additional charges if the hosting of CPE routers is required.

5.2 Where they are required, You are responsible for procuring and managing appropriate devices or software to meet the requirement for data security over the various forms of connectivity.

6. Your Responsibilities

6.1 You are responsible for:

(a) The control and management of access and responsibilities for end users.

(b) Advanced OS security hardening specific to application requirements.

(c) Deployment and management of non-core OS components such as IIS, Apache and Active Directory.

(d) User account creation, administration and assignment of permissions.

(e) Deployment of patches facilitated by Our patch repository, and sourcing and deployment of all non-core OS and non-critical patches.

(f) Timely testing of application and data following any changes to the managed VM.

(g) Management of AV policies, exclusions and quarantine.

(h) Clean-up of virus infestations.

(i) System administration tasks.

(j) Creation of systems documentation.

(k) Configuration management of OS and application components.

(l) Disaster recovery and business continuity.

(m) Security management and protective monitoring of OS and applications.

(n) Optimisation of VM resources.

(o) You are also responsible for compiling with the Our Security Operating Procedures (SyOPs) and other information assurance requirements as specified in Our System Interconnect and Security Policy (SISP) and associated accreditation documentation sets.

(p) You are also responsible for accrediting the OS and application environment.

7. Exit

7.1 Prior to contract termination, the contract, customers are able to transfer data out of the Service (for example using Our API to retrieve data).

7.2 Customers are responsible for removing all Content by 23:59:59 on the date of termination. If Content is not removed by this time We reserve the right to charge for any Content not removed, or for retrieving and returning any content, and We may destroy or otherwise securely dispose of any of Your Content in Our possession.

7.3 Unless otherwise stated in the Pricing Guide, there are no termination costs for the Services.

Appendix C – Using Our Private Cloud Services

1. Ordering and invoicing

1.1 The service can be ordered via the G-Cloud Framework and must be supported by a valid purchase order.

1.2 We will issue invoices as follows:

• At point of order for upfront fees and service options

• Annually in advance for pre-payment fees

• Monthly in arrears for monthly fees

1.3 Payment can be made by direct bank transfer (BACS/CHAPS).

2. Onboarding

2.1 Given the nature of this service, on acceptance of an order, We will work with the customer to create a detailed design for the Private Cloud for Compute platform, using Our supported hardware. This design will formalise the dedicated components required for the solution, such as server and storage hardware, systems management software, network hardware and cables.

2.2 Lead times for delivery and hand over will depend on the final solution design.

2.3 The dedicated components will be procured by Us or by the customer, depending on the package requested. We will also create the customer’s Primary Administrator account and send the customer a Welcome Pack which includes the URL for the UKCloud Portal for access to the Knowledge Centre and service management function.

2.4 Customers have the choice of deploying the solution in one or both of Our UK data centres. Customers can request to be deployed into a specific data centre at the time of the order. Crown Campus is also an available option.

2.5 Customers will be assigned a Customer Success Manager (CSM) to provide any assistance required during the first 90 days of the service.

2.6 We have a large ecosystem of partners who can deliver additional services, such as support and professional services. We would be pleased to introduce you to the right partner to suit your needs.

3. Crown Campus Environments

3.1 If the customer chooses to locate their hardware solution in a Crown Campus environment, the customer will be wholly responsible for setting this arrangement up through the Digital Marketplace.

3.2 We will design the customer’s compute environment, the customer is responsible for purchasing the required hardware.

3.3 We will supply the customer with the environment specification so that they can procure the hardware. We will arrange for the build and support the infrastructure for the customer.

3.4 The customer is responsible for providing the connectivity between their environment within the Crown Campus suite and the UKCloud Meet Me Room.

4. Data migration

4.1 In many circumstances, We can help facilitate a bulk migration to the platform using local data import. This is priced on a time-and-materials basis from the UKCloud SFIA rate card.

4.2 We can also help facilitate a bulk migration to the platform using offline data ingest and extraction — please ask Us for details.

5. Service management

5.1 We will allocate a Technical Account Manager (TAM) to provide you with an assigned point of contact. The TAM will provide additional assistance with reporting and incident escalation, at all times following Our ISO20000-certified ITIL-based process framework.

5.2 For organisations that require a managed service, We have a mature and active partner ecosystem that can provide value-added services such as consultancy, training and on-going custom managed services. We will be pleased to make an introduction on request.

Crown Campus Environments

5.3 In order to manage the platform for customers with Crown Campus environments, We will require all management tools and root access applicable to the infrastructure to ensure the platform can be monitored and maintained.

5.4 The customer will not have access to the management of the platform, which will be managed by Us.

5.5 A minimum of four named UKCloud personnel need to be added to the whitelist to access the Crown Campus, to ensure maintenance and capacity upgrades can be carried out.

6. Service constraints

6.1 The UKCloud Assured Cloud platform is designed and optimised to operate in specific conditions. UKCloud therefore imposes the following service constraints:

• Support for specific hardware configuration (such as certain VCE vBlock configurations, certain Cisco + EMC + VMware ‘POD’ configurations and certain Super Micro + Arista configurations)

• UKCloud must be named agents for all support and maintenance contracts

• UKCloud data centre access is available to UKCloud staff only — customers will not be allowed access to the data centres except in exceptional circumstances

• Private Cloud for Compute must include specified top-of-rack/end-of-rack network switches which will be designed, implemented and managed by UKCloud

• Private Cloud for Compute must include specific software features to enable UKCloud to provide automation, orchestration and instrumentation

• UKCloud provides no SLA or warranty related to performance

6.2 We will adhere to the following in terms of maintenance windows:

• “Planned Maintenance” means any pre-planned disruptive maintenance to any of the infrastructure relating to the service. Planned Maintenance activity may result in periods of degradation or loss of availability depending on the nature of the activity required. In such cases, UKCloud shall provide affected customers with at least fourteen (14) days' advance notice of the Planned Maintenance.

  • Planned maintenance will be reported as an SLA event but will not be eligible for service credits. If during Planned Maintenance there is a loss of availability outside the scope described in the planned maintenance notification to the service, an SLA event will be triggered and will be eligible for service credits.

• “Emergency Maintenance” means any urgent maintenance required to prevent or mitigate against any event compromising the infrastructure relating to the service. Whenever possible, UKCloud shall: a) provide affected customers with at least six (6) hours’ advance notice and b) carry out the emergency maintenance between the hours of 00:00 and 06:00 (UK local time) Monday to Friday or between the hours of Saturday 00:00 to 06:00 (UK local time) on Monday, (including bank holidays) unless there is an identified and demonstrable immediate risk to customer environment(s). Emergency Maintenance may result in periods of degradation or loss of availability depending on the nature of the activity required.

  • Emergency maintenance will be reported as an SLA event, but will not be eligible for service credits.

7. Technical requirements

7.1 Customers will require appropriate network connectivity such as DDoS-protected internet access or accredited connectivity such as a government secure network to our platforms. Connectivity via the DDoS-protected internet, a government secure network (PSN, Janet, HSCN or RLI) or private leased line is available but may incur additional charges if the hosting of CPE routers is required — see the Pricing Guide for more details. Where they are required, customers are responsible for procuring and managing appropriate devices or software to meet the requirement for data security over the various forms of connectivity.

8. Your responsibilities:

(a) The control and management of access and responsibilities for end users including appropriate connectivity, security and accreditation if required. If access is required over government secure networks such as HSCN, Janet, RLI or PSN (including legacy networks), the customer is responsible for adhering to the relevant Code of Connection (CoCo) and for providing evidence of their CoCo to UKCloud upon request. UKCloud is unable to provide access to secure networks where such evidence has not been provided by the customer.

(b) Customers are responsible for backing up all data relating to this service.

(c) Management and administration of layers above the IaaS (for example the systems that use the Private Cloud for Compute platform).

(d) As a core benefit of the cloud platform, customers are able to self-manage their environment including provisioning, stopping/starting virtual machines, antivirus and patching which UKCloud support with the availability of update repositories for key operating systems.

(e) Customers must be aware of the variable nature of the billing based on usage.

(f) The customer is also responsible for ensuring only lawful data that supports the UK Public Sector is stored and processed by applications on this environment, and that they fully comply with the UKCloud Security Operating Procedures (SyOPs) and other information assurance requirements as specified in the UKCloud System Interconnect and Security Policy (SISP) and associated accreditation documentation sets.

UKCloud Hosted and Crown Campus Hosted

(g) The customer is responsible for supplying UKCloud with all network switches and cabling to connect to the customer’s compute environment. The customer may ask UKCloud to supply these on the customer’s behalf.

(h) An agreement between UKCloud and the customer will be established to cover hardware failures and associated removal and/or disposal.

(i) The customer is responsible for:

• Arranging the installation of their own hardware and associated software

• Setting up a service and maintenance contract for their hardware

• Setting up a software and maintenance agreement for all licensed software

• The cost of software patch licences

• Performing capacity planning and activities

• Raising service requests through the portal when you need configurations implemented

• Raising incident tickets if you experience any issues with your service

• Giving us time to plan the installation of any additional hardware

9. Exit

Termination

9.1 Customers may terminate the Services by providing Us with not less than 30 days' advance notice in writing. At the point of termination, customers are responsible for removing all Content by 23:59:59 on the date of termination. If Content is not removed by this time We reserve the right to charge for any Content not removed, or for retrieving and returning your content, and may destroy or otherwise securely dispose of any Content in Our possession.

Offboarding

9.2 All-inclusive package: prior to terminating the contract, the customer must make the final payment (early exit charge) in order to take ownership of the storage hardware. The customer must make arrangements to collect the server and storage hardware within 14 days of contract termination and pay any applicable early exit charges.

9.3 UKCloud Hosted package: as the Private Cloud for Compute platform hardware is owned by the customer, the customer must make arrangements to collect the server and storage hardware within 14 days of contract termination and pay any applicable early exit charges.

9.4 Crown Campus Hosted package: Prior to terminating the contract, the customer will terminate the connectivity between the Crown Hosting and the UKCloud Meet Me room and pay any applicable early exit charges.

9.5 For clarity, when the customer terminates their agreement with UKCloud, UKCloud ensures all of the organisation’s data is deleted in accordance with clause 8.3 (c) of this Agreement, unless the customer owns the storage hardware.

Appendix D Microsoft Licensing

[to be used only when You obtain Microsoft software services directly from Us]

1. All licensing relating to the operating system must be provided by Us, unless You have a dedicated server. You may provide Your own application licensing, but you must complete and provide a Microsoft Mobility Agreement to Us.

2. You shall not remove, alter, cover or obscure any trademarks, trade names, service marks, logos or brands, copyright notices, patent numbers or any other statements or symbols of ownership from software, or do so in respect of any media supplied to You by Us on which any software is loaded.

3. You shall not copy, alter, modify, adapt, translate, create derivative works of, distribute, rent, lease, sublicense, transmit, sell all or part of the software or do so in respect of any media on which the software is loaded.

4. To the extent permitted by applicable law, We make no representations or express or implied warrantees in relation to the software services, and disclaim all express or implied warrantees, including without limitation:

   (a) Any implied warranties of merchantability, and fitness of the software services for a particular purpose;

   (b) Any liability on the part of Microsoft, or its suppliers, for any direct, indirect or consequential damage arising from the software services.

5. We, or a third party on Our behalf, will provide technical support for the software services. Microsoft will not provide direct support to You.

6. You agree that We may be obliged to pass limited details about You to Microsoft in the event that Your software service consumption exceeds the £GB Sterling equivalent of US$1000 per month, or if Microsoft elects to undertake an audit of software service consumption

7. In the event that You have failed to pay for the correct number of end users, or other necessary software licenses, You will promptly obtain the correct amount, and hold Us harmless against any consequential liabilities.

8. You agree that the software services are not fault tolerant and are not guaranteed to be error free or to operate uninterrupted. No rights are granted to You to use the software services in any application or situation where failure of the software services could lead to death or serious injury of any person, or to severe physical or environmental damage (“High Risk Use”).

9. You agree that Microsoft is an intended third-party beneficiary of this Appendix D and that Microsoft holds the right to enforce this Appendix D, and to verify Your compliance with this Appendix D.

Appendix E – Multi-Cloud for Microsoft Azure Services

[to be used only in conjunction with Our Multi-Cloud for Microsoft Azure Services]

1. You agree and accept that the Microsoft Cloud Solution Provider Customer Agreement is incorporated into the terms of the Call Off Contract.

2. You agree that Microsoft is an intended third-party beneficiary of this Appendix E and that Microsoft holds the right to enforce this Appendix E, and to verify Your compliance with this Appendix E.

3. You agree that when You have accepted the Microsoft Cloud Solution Provider Customer Agreement We will report Your name, email address and date of acceptance to Microsoft, in line with our obligations to Microsoft.

4. The Microsoft Cloud Solution Provider Customer Agreement is available here (Europe/United Kingdom).

   https://docs.microsoft.com/en-us/partner-center/agreements

Appendix F – PSN Standards

[to be used only when Services are being carried over the PSN network]

1. Defined Terms

NCSC: The UK government’s National Technical Authority for Information Assurance. See https://www.ncsc.gov.uk

Code of Connection or CoCo: The agreement, as set out in the code template, setting out the obligations and requirements for organisations wanting to connect to the PSN, together with all documents annexed to it and referenced within it.

Code of Interconnection or CoICo: The agreement, as set out in the code template, setting out the obligations and requirements for an organisation to provide PSN connectivity services, together with all documents annexed to it and referenced within it.

Code of Practice or CoP: The agreement, as set out in the code template, setting out the obligations and requirements for an organisation wanting to provide PSN services, together with all documents annexed to it and referenced within it.

GCN Service Provider or GCNSP: A component, product or service that enables PSN-connected organisations to enjoy intra and inter-organisation IP data transmission and for which a PSN compliance certificate has been awarded by the PSN team.

Government Conveyance Network or GCN: The total network of all GCN services provided by all GCN Service Providers.

PSN connectivity service: A component, product or service that enables PSN-connected organisations to enjoy intra and inter-organisation IP data transmission and for which a PSN compliance certificate has been awarded by the PSN team.

PSN connectivity service provider: An organisation that is supplying or is approved to supply a PSN connectivity service in accordance with a CoICo.

PSN compliance certificate: The certificate awarded to the individual infrastructures, GCN Services, PSN services and PSN connectivity services that make up the PSN.

PSN customer: The PSN service consumer that has achieved PSN compliance certification for their PSN customer environments and holds PSN supply agreement(s) with PSN service providers and PSN connectivity service providers for the services concerned.

PSN supply agreement: Either a contract or – if it is between public sector bodies – a Memorandum of Understanding (MoU) to deliver PSN services or PSN connectivity services.

PSN service consumer: An organisation which uses PSN services or PSN connectivity services.

PSN Service Provider or PSNSP: An organisation that is supplying or is approved to supply PSN services in accordance with a CoP.

PSN service: A functional service available to PSN-connected organisations from a PSN-connected infrastructure in order to enable the fulfilment of a specific business activity, which is offered by a PSN Service Provider in accordance with a CoP and for which a PSN Compliance Certification has been awarded by the Public Services Network Team.

Public Services Network or PSN: The government’s high-performance network, which helps public sector organisations work together, reduce duplication and share resources.

2. Obligations

2.1 We shall ensure that any PSN and GCN services that it supplies, or are supplied by others, pursuant to this Agreement shall have been awarded and retain at all times a PSN compliance certificate.

2.2 We shall ensure that any PSN and GCN services that we supply, or are supplied by others, pursuant to this Agreement are delivered in accordance with the applicable code, codes or Documents of Understanding (DoU).

2.3 You shall ensure that any PSN customer environment used to consume PSN and GCN services supplied pursuant to this Agreement shall have been awarded and retain at all times a PSN compliance certificate.

2.4 You shall ensure that any PSN customer environment used to consume PSN and GCN services supplied pursuant to this Agreement shall be provided and maintained in accordance with the applicable code or codes.

2.5 Each of the Parties warrants and undertakes that they shall throughout the term, where specifically requested in writing by the PSN team acting on advice from the Infrastructure SIRO, immediately disconnect its GCN services, PSN services or customer environment (as the case may be) from such PSN services (including any Direct Network Services (DNS)), GCN services and customer environments as the PSN team instructs where there is an event affecting national security, or the security of the GCN or PSN.

2.6 The Parties acknowledge and agree that the PSN team shall not be liable to them or any other party for any claims, proceedings, actions, damages, costs, expenses and any other liabilities of any kind which may arise out of, or in consequence of any notification pursuant to clause 2.5.

2.7 Each of the Parties acknowledges and agrees that these clauses 2.4 and 2.5 are for the benefit of and may be enforced by the PSN team, notwithstanding the fact that the PSN team is not a party to this agreement, pursuant to the Contracts (Rights of Third Parties) Act 1999.

2.8 We shall cooperate with suppliers of other PSN services and GCN service providers to enable the efficient operation of PSN.

2.9 The PSN services shall be delivered in a way that enables the sharing of services across customers of PSN services and maximises the savings to be achieved by such sharing of services.

Appendix G – HSCN Mandatory Supplemental Terms

[to be used only when Services are being carried over the HSCN]

Glossary

Term	Meaning
CN-SP	means a consumer network service provider, as defined in the HSCN Solution Overview document and the HSCN Operational Design Overview.
CN-SP Deed	means a deed of undertaking made between the HSCN Authority and a CN-SP which governs the obligations owed by the CN-SP to the HSCN Authority and HSCN Consumers.
HSCN	means the government’s network for health and social care, which helps all organisations involved in health and social care delivery to work together and interoperate.
HSCN Authority's Advanced Network Monitoring Service	means the Advanced Network Monitoring Service as described in the HSCN Operational Design Overview.
HSCN Authority Network Analytic Service	means the Network Analytic Service as described in the HSCN Operational Design Overview.
HSCN Connectivity Services	means any service which is offered by a CN-SP to provide access to and / or routing over the HSCN.
HSCN Consumer(s)	means the recipient(s) of HSCN Connectivity Services.
HSCN Supplier	means any supplier providing any element of the HSCN services.
HSCN Website – Providers of NHS Services	means the providers of NHS services section of the HSCN website that can be accessed at https://digital.nhs.uk/services/health-and-social-care-network/hscn-suppliers#central-network-services.
Data Security & Protection Toolkit (DSPT)	means the system for assessing compliance with Department of Health information governance policies and standards available at: https://www.dsptoolkit.nhs.uk.
NHS Digital National Applications	means the applications listed at https://digital.nhs.uk/services.

Any changes to this Connection Agreement shall be subject to the change control procedures as available at the HSCN Website – Providers of NHS Services section and may be updated from time-to-time by the HSCN Authority

1 Entitlement to connect to and use the HSCN

1.1 Connection to the HSCN is provided based on the business need to share information within the health and social care community.

1.2 However, to protect the availability of the HSCN as a shared resource for the health and social care system, where (in its sole discretion) the HSCN Authority has concerns in respect of the cyber security, information assurance or information governance arrangements of an organisation applying for a HSCN service it reserves the right to:

1.2.1 refuse a HSCN service if such HSCN service is not already in place;

1.2.2 restrict or modify access under a HSCN service to the HSCN Authority’s systems, services or applications (including National Applications); or

1.2.3 terminate a HSCN service.

1.3 Despite the HSCN Authority's rights set out above, its preference shall be to work with a HSCN Consumer to identity and rectify root cause security issues to avoid terminating a HSCN service where possible.

1.4 However, if evidence emerges of activity or behaviour by a HSCN Consumer in relation to the use of the HSCN that would undermine the availability of the HSCN, damage the reputation of the HSCN, the NHS or Her Majesty’s Government, or otherwise pose a security threat to the organisation or other HSCN Consumers or providers of the HSCN, the HSCN Authority may have no choice other than to terminate the HSCN service.

2 Security Considerations for the HSCN

2.1 The primary security consideration of the HSCN is to make sure that it is available as a resource to carry information between providers in the health and social care community. There is a secondary requirement to maintain and to improve a good standard of information governance and cyber-security across the health and social care community. This will help to reduce the exposure of the NHS and wider health and social care providers to the kinds of cyber-attack and loss of personal data that has been widely reported in the media in the last few years.

2.2 It is important that each HSCN Consumer (where necessary working with or through its IT partners, suppliers, or other HSCN Consumers):

2.2.1 works with the HSCN Authority, HSCN Suppliers, and other members of the health and social care community to help each of these requirements be realised and, in the event that a security incident – including cyber-attack or malware outbreak - is detected or suspected, works (collaboratively where necessary) to help contain the problem, minimise the impact, subsequently resolve it and then to help prevent a re-occurrence;

2.2.2 ensures that each and every other organisation which routes traffic through the HSCN Consumer's own HSCN connection:

2.2.2.1 has signed and submitted to the HSCN Authority an HSCN Connection Agreement; or

2.2.2.2 is otherwise made subject to legally binding terms identical to those set out in this Connection Agreement (which the HSCN Authority may require the HSCN Consumer to verify in writing at any time); and

2.2.3 has technical measures in place to prevent organisations that have not signed a Connection Agreement (or are not subject to terms identical to those set out in this Connection Agreement) in accordance with clause 3.2.2 are prevented from routing traffic to the HSCN through that HSCN Connection.

3 HSCN Authority’s obligations under this Connection Agreement

3.1 The HSCN Authority commits to:

3.1.1 work with HSCN Consumers to help improve and maintain good cyber security and good data handling processes. This includes communicating updates to good cyber security, information governance and other related guidance to its HSCN Consumers; and

3.1.2 inform HSCN Consumers in a timely manner of any incident or security matter that the HSCN reasonably believes will have a negative impact on the connection to the HSCN.

4 HSCN Consumer Obligations

4.1 Whilst there are no specific assurance or compliance regimes to which HSCN Consumers must adhere in order to obtain a connection to the HSCN, there are a number of obligations on all organisations that use the HSCN. These are designed to help maintain the availability of the HSCN whilst improving the overall cyber security position of HSCN Consumers and continuing to protect personal information about patients and service users.

Incident Reporting

4.2 In the event of a security incident which relates to your use of the HSCN or your connection to the HSCN, you agree that you (or a partner working on your behalf, for example, a system supplier, or IT supplier) will:

4.2.1 conduct initial diagnosis of the incident to determine which service is the cause (or most likely cause of the incident);

4.2.2 raise the incident with UKCloud for the affected service, who will then raise it with the CN-SP;

4.2.3 at the earliest opportunity inform the HSCN Authority through the mechanism for notifying security incidents as set out on the HSCN Website – Providers of NHS Services section and to complete actions assigned by the HSCN Authority or its representatives in an agreed timeframe to support containment and resolution of the incident;

4.2.4 if the HSCN Data Security Centre team contacts you to help resolve an incident or problem, you must respond as you would for one of your own customers or users;

4.2.5 depending on the nature of the incident, provide audit logs holding user activities, exceptions and information security events to assist in investigations; and

4.2.6 where appropriate, notify other HSCN Consumers with whom you share a HSCN service of any incident that has been communicated to you by the HSCN Supplier or the HSCN Authority.

4.3 Where an incident occurs relating to the use of the HSCN by another HSCN Consumer or HSCN Supplier or you reasonably suspect an incident has occurred, you agree that you will notify the HSCN Authority at the earliest opportunity using the contact information set out on the HSCN website.

Cyber and Information Security

4.4 All HSCN Consumers have a duty, through the implementation of robust data handling and information security practices:

4.4.1 to be ‘good citizens’ to help ensure that the HSCN remains available for all users; and

4.4.2 a wider duty to protect their information, systems and services from unauthorised disclosure, destruction, theft, unavailability or loss of integrity through cyber and / or other forms of attack. In some cases, this duty is set out in law, in others it is what service users and patients might reasonably expect of organisations that hold, control or process personal or personal sensitive information about them.

4.5 You acknowledge that your organisation has been notified of this information and your responsibilities to implement good information security.

Network Monitoring

4.6 The HSCN Consumer agrees that the HSCN Authority Network Analytic Service will monitor the connection point between their networks and the HSCN for the purposes of maintaining the availability of the HSCN, systems and / or services that are available through the HSCN, and the connection between the HSCN and the internet. Examples include looking for abnormal amounts of traffic that could indicate a malware or other cyber security attack.

4.7 However, the HSCN Authority Network Analytic Service does not look at or store the content of network traffic.

4.8 The HSCN Consumer agrees that the HSCN Authority's Advanced Network Monitoring Service will monitor and inspect, through signature and behavioural analysis, the content of unencrypted internet-bound traffic to look for evidence of malicious or suspicious content. The HSCN Consumer acknowledges that the operation of this service involves the analysis of the content of internet traffic, including Personal Data and Sensitive Personal Data.

4.8.1 "Controller", "Processor", "Data Subject", "Personal Data Breach" and "Processing" shall have the same meanings as in the Data Protection Laws and "Processed" and "Process" shall be construed in accordance with the definition of "Processing". "Personal Data" and "Sensitive Personal Data" shall have the same meaning as in the Data Protection Laws, and shall refer to Personal Data (or Sensitive Personal Data) provided by the HSCN Consumer to the HSCN Authority in connection with this Connection Agreement, or as otherwise Processed by the HSCN Authority in relation to the services offered to the HSCN Consumer in connection with HSCN.

4.9 For the avoidance of doubt, the HSCN Authority shall have no liability to the HSCN Consumer in respect of the functioning or non-functioning of the HSCN Authority Network Analytic Service and/or the HSCN Authority's Advanced Network Monitoring Service.

Securing information

4.10 Each HSCN Consumer acknowledges that:

4.10.1 the HSCN’s primary requirement is to be available as a means for sharing information between the health and social care community;

4.10.2 the HSCN does not help secure data in any way as it passes across the network. Responsibility for providing sufficient security lies with the sending and receiving organisation, or the providers and users of sites or applications that are accessed through the HSCN. This includes providing assurances that any service or application available on the HSCN or any organisations or users on the network are authentic and appropriately secured; and

4.10.3 the HSCN does not warrant the authenticity of any service, system or data available through the HSCN or of any information received through the HSCN.

Access Controls

4.11 Because there is sometimes a business need to access a variety of content from a range of services, the HSCN network does not impose any restrictions on categories of sites or services that HSCN Consumers can access through the HSCN, except that:

4.11.1 for internet access, a standard set of controls are in place to prevent data from being shared with known malware resources (for example, places on the internet with which malware may try to communicate with). The purpose of this restriction is to limit the impact on the HSCN community should a malware attack take place, and as such the list of blocked sites may change from time to time; and

4.11.2 HSCN Consumers may agree access restrictions on internet access or general network access (for example, blocks on categories of internet sites) with UKCloud, but that is a solely a matter between the HSCN Consumers and UKCloud.

HSCN Service Information

4.12 Each HSCN Consumer agrees to provide and maintain (through their connection profile information posted at the HSCN Website – Providers of NHS Services section):

4.12.1 whether their connection to the HSCN is shared with any other organisations (whether health and social care or not) and if so the identity of those organisations; and

4.12.2 the following contacts at the HSCN Consumer:

4.12.2.1 the business sponsor of the connection – this contact should be in a senior position in the organisation who is ultimately responsible for the use of the HSCN Connectivity Services (e.g. Chief Information Officer); and

4.12.2.2 security lead with whom the HSCN Authority can communicate security information. This individual may be the Senior Information Risk Officer (SIRO), Caldicott Guardian, Chief Security Officer or of equivalent standing and responsibility. For some HSCN Consumers, this may be a contact at for example, a partner organisation such as an IT systems supplier or shared service provider who handles security matters for the HSCN Consumer.

Information Governance – NHS Digital National Applications

4.13 The HSCN Consumer shall comply with all applicable information governance requirements in order to handle patient data, and access systems, services and resources that are available through the HSCN.

4.14 For the NHS Digital National Applications, this is currently the Data Security & Protection Toolkit (DSPT). For other systems and services, local arrangements may apply.

4.15 By accepting the terms of the Connection Agreement, you are agreeing to comply with requirements and arrangements for those systems and services which you will access or make use of through the HSCN. The current arrangements for the NHS Digital National Applications are set out here: https://www.dsptoolkit.nhs.uk. HSCN Consumers should check with organisations that provide systems and services that they use as to local arrangements that are in place.

4.16 The HSCN Consumer shall comply with all relevant policies, guidelines or directions from time to time made available on the HSCN Data Security Centre websites, accessible at the following locations (and/or via any replacement sites identified by the HSCN Authority from time to time):

4.16.1 https://digital.nhs.uk/services/data-and-cyber-security-protecting-information-and-data-in-health-and-care; and

4.16.2 http://systems.digital.nhs.uk/infogov.

https://info.ukcloud.com/hscn-annexa-further-legal-terms

Appendix H – Third Party Software Terms and Conditions

End User License Agreements for third party software products available through Us are available by following the link set out below. Unless otherwise stated in this Agreement, the terms and conditions provided below govern Your use of third-party software purchased through Us. You should carefully read the license terms for the applicable software.

https://docs.ukcloud.com/articles/third-party/third-ref-eula.html