OpenPlay - Terms of Service

Introduction.

1. These Terms of Service (Terms) are between (1) OpenPlay Limited (company number 07720829), whose registered office is at Surrey Hills Accountancy Ltd, 8 Mead Road, Cranleigh, England, GU6 7BG (OpenPlay) and (2) OpenPlay’s customer receiving its service (as described in the Order Form) (Customer), together referred to as the parties and each a party. The Terms consist of the terms and conditions set out below and any schedules or attachments referenced in the Terms. Unless otherwise defined in the Terms, capitalised terms set out in the Terms have the meanings given in Schedule 1.

2. Customer must enter into an Order Form to purchase the Services.  Each Order Form entered into by Customer (or a Customer Affiliate), together with its attachments, sets out the details of the Services to be provided by OpenPlay and will form a separate agreement, incorporating the version of Terms as at the date of the Order Form (together the Agreement).

3. The Agreement governs Customer’s subscription to and use of OpenPlay’s software-as-a-service platforms and related services provided by OpenPlay. 

Agreed terms.

1. Service

1.1 How to Subscribe. Customer must enter into an Order Form to subscribe for the Services. Each Order Form sets out the details of the Services to be provided by OpenPlay. Each Order Form will form a separate agreement between the Customer and OpenPlay. 

1.2 Scope of Services. The Customer’s access to and use of the Services is limited to the scope of the Services specified in the Order Form.  Customer  agrees  that  its  purchase of the Services is  not  contingent  on  the  delivery  of  any  future  functionality  or  features,  or  dependent on any oral or written public comments made by OpenPlay regarding future functionality or features.

1.3 Use of Service. OpenPlay will make the Service available to Customer for its internal business operations during the Subscription Period, solely for use by Customer and its Users, and at all times in accordance with the Agreement, the User Guides, and the Order Form. Customer may permit its Contractors to serve as Customer Users provided that any use of the Service by each such Contractor is solely for the benefit of Customer. Customer shall be responsible for use of the Service and compliance with the Agreement and the Order Form by each User.

1.4 System Requirements; Installed Software. Customer acknowledges that access to the Services is at all times subject to Customer’s compliance with the Agreement, including meeting all Minimum System Requirements. To the extent use of the Services requires Customer to use Installed Software, OpenPlay grants to Customer a limited, non-transferable, non-sublicensable, non-exclusive licence during the Subscription Period to use the object code form of the Installed Software internally in connection with Customer’s use of the Service, subject to the terms and conditions of the Agreement.

1.4 Provision of API Services. In connection with Customer’s use of the Service, OpenPlay may make the API Services available to Customer, subject to the following terms and restrictions.

• (a) Usage Restrictions.  In addition to the restrictions set out in clause 1.6, except as expressly and unambiguously authorised under this Agreement or by OpenPlay in writing, Customer shall not (i) disclose or provide the OpenPlay API to any person or entity other than to Customer’s employees or consultants, or contractors who have a need to know, (ii) use the API Services in a product or service that is commercially released, (iii) exceed any reasonable usage level notified to it by OpenPlay, or (iv) use the API in a manner that, as determined by OpenPlay in its sole discretion, constitutes excessive or abusive usage, or otherwise fails to comply or is inconsistent with any part of the User Guides or documentation related to the API Services.  OpenPlay reserves the right to terminate access to the API Services immediately upon any breach of this Agreement by Customer.

• (b) Proprietary Rights.  As between the parties, OpenPlay owns all rights, title, and interest in and to the API Services and all other output of the OpenPlay API. Except to the limited extent expressly provided in this Agreement, OpenPlay does not grant, and Customer shall not acquire, any right, title or interest (including, without limitation, any implied licence) in or to the API Services or their output.

• c) Disclaimers.  OpenPlay reserves the right to limit access to or functionality of the API Services at any time. The API Services are provided ‘as is’ and OpenPlay disclaims all warranties relating to the OpenPlay API, express or implied.

1.6 Restrictions on use of Service. Solely for the purposes of this clause 1.6, “Service” shall include the API Services. To the maximum extent permitted by law and except as expressly granted in the Agreement, Customer shall not (and shall procure that Users shall not): (a) copy (provided that Customer and its Users can copy as reasonably necessary to its and their rights under this Agreement and in connection with ordinary course back-up and disaster recovery procedures), reproduce, publish, distribute, redistribute, broadcast, transmit, modify, adapt, edit, abstract, store, archive, display publicly or to a third party, sell, license, lease, rent, assign, transfer, disclose (in each case whether or not for charge) or in any way commercially exploit any part of any Service, the Installed Software or the User Guides; (b) permit any use of any Service, the Installed Software or the User Guides in any manner by any third party (including permitting use in connection with any timesharing or service bureau, outsourced or similar service to third parties or making any Service, Installed Software or the User Guides (or any part) available to any third party or allow or permit a third party to do any of the foregoing); (c) combine, merge or otherwise permit the Service to become incorporated in any other program or service, or arrange or create derivative works based on it (in whole or in part); (d) attempt to reverse engineer, observe, study or test the functioning of or decompile the Service or the Installed Software (or any part) or otherwise seek to obtain the source code or non-public APIs to any Service, through automated means or otherwise, except to the extent expressly permitted by Applicable Laws; (e) or remove or obscure any proprietary or other notices contained in the Service or the Installed Software; (f) use the Service in violation of this Agreement, applicable laws or government regulations; or (g) access any part of the Service in order to build a competitive product or service or use the Service in a way that competes with products or services offered by OpenPlay.  

1.7 Service and Support Standards and Parameters. The standards of service, including availability of the Service, and availability of support from OpenPlay are set out in the Service Level Agreement, as attached at Schedule 3.

2. Users; Serviced Customer Sites

2.1 Users. Only Users may access or use the Service. Customer manages its User accounts through its Administrator(s), and Customer is responsible and liable for its Users’ actions through the Service and for their compliance with this Agreement. Customer will ensure that Users keep their login credentials and password confidential and will promptly notify OpenPlay upon learning of any compromise of User accounts or credentials. Customer shall procure that each User is aware of, and complies with, the obligations and restrictions imposed on Customer under this Agreement, including all obligations and restrictions relating to OpenPlay’s Confidential Information.  

2.2 Customer User Level Permissions and Administrators. Customer User access to the Services is subject to the permission levels given to a Customer User by Customer’s Administrator(s).  Customer may designate a Customer User as an account administrator (“Administrator”) with control over Customer’s Service account, including: management of Users and Customer User Permission Levels; ability to access, disclose, restrict, or remove information from the User account; or restrict or terminate a User’s access to the Service, each as further described in the User Guides. Customer is fully responsible for its choice of Administrator(s) and any actions such Administrator(s) take.

2.3 Moves+ Users.  Where the Service includes Moves+, Customer undertakes that the number of Moves+ User accounts shall not exceed the number authorised in the Order Form (or otherwise agreed in writing).  

2.4 Minimum Number of Serviced Customer Sites. Customer undertakes that during the Subscription Period the number of Serviced Customer Sites will not be reduced, except in the case of clause 2.5.3. 

2.5 Migration, Addition, and removal of Serviced Customer Sites. 

• 2.5.1 During the Subscription Period, Customer shall use its best endeavours to ensure that all Customer Sites that are not using the Service are migrated so that they are a Serviced Customer Site.  

• 2.5.2 The Customer may include additional Serviced Customer Sites by giving OpenPlay not less than 90 days' notice and OpenPlay will charge additional Fees on a pro rata basis as further detailed in the Order Form.

• 2.5.3 Without prejudice to its obligations in clause 2.4, OpenPlay acknowledges that the Customer may be required to remove certain Serviced Customer Sites as necessary in accordance with changes to its business operations (for example the cessation of contracts) and the requirement to comply with its client's instructions or wishes (for example where a client insists on an alternative to OpenPlay's product being used in its venues). The Customer shall provide as much notice to OpenPlay as is practicably possible of such removal, and not less than 90 days' written notice of such a removal of a Serviced Customer Site.

• 2.5.4 The Customer will provide to OpenPlay a facility list showing mobilisations and demobilisations (planned additions and removals) on a monthly basis to aide OpenPlay's business planning process.  The parties will update the co-managed Serviced Customer List on a monthly basis.

3. Upgrading the Service 

3.1 Service Updates. OpenPlay's standard updates to the Service that are made available to all of its customers will be provided to Customer at no additional cost. Notwithstanding the foregoing, Customer agrees  that  its  purchase of the Service is  not  contingent  on  the  delivery  of  any  future  functionality  or  features,  or  dependent on any oral or written public comments made by OpenPlay regarding future functionality or features.

3.2 Service Upgrades. Customer may during the Subscription Period (subject to OpenPlay’s written approval and  the prevailing Fees) upgrade the Service that it has ordered by adding to the Service (each as applicable): (a) additional available OpenPlay modules that are not included within the Order Form; or (b) additional Moves+ User accounts (each an Upgraded Feature).   Where an Upgraded Feature by OpenPlay has been activated, OpenPlay shall invoice, and Customer shall pay to OpenPlay the relevant fees for such Upgraded Features pro rata for the remaining part of the Subscription Period.  

3.3 New Order Form. OpenPlay reserves the right to require Customer to enter into a new Order Form before providing any Upgraded Features.

4 Subscription Period and Renewals. 

The Agreement is effective on the earlier of the subscription start date stated in the Order Form (Subscription Start Date) and the date the Order Form is last signed, and will continue for the Initial Subscription Period.  Subject to the following, on expiry of the Initial Subscription Period, the Agreement will renew for a period of twelve months, and thereafter renew for further periods of twelve months (each a Renewal Period) (the Initial Subscription Period and each Renewal Period together the Subscription Period).  If either party wishes for the Agreement to expire at the end of the Initial Subscription Period or the end of a Renewal Term), it shall provide not less than 30 days’ written notice to the other party prior to the end of the Initial Term or relevant Renewal Term.

5. Fees

5.1 Fees payment. The Fees and any other charges (including expenses) expressly agreed between OpenPlay in writing shall be paid by Customer at the rates and in the manner described in the Order Form. The Fees shall be paid into OpenPlay’s bank account by BACS or CHAPS or other method of electronic funds transfer. Other than as set out in the Agreement, all payment obligations are non-cancellable, and Fees are non-refundable except where the Fees have been  paid in advance and the Agreement is terminated due to breach of the terms of the Agreement by OpenPlay (in which case such fees are repayable pro rata for the period from termination to the end of the period for which the fees were paid in advance). 

5.2 Fee increases. OpenPlay may increase the Fees at any time by written notice to Customer, provided that such increase in the Fees will (a) not be greater than the percentage increase in the Retail Price Index (RPI) over the preceding 12 months, provided that any such increase shall not exceed a maximum of 10% of the current Fees and (b) will not take effect before expiry of the then current Subscription Period. 

5.3 Tax and interest. The Fees are exclusive of Taxes which shall be payable by Customer at the rate and in the manner prescribed by law. If OpenPlay has the legal obligation to pay or collect Taxes for which Customer is responsible, OpenPlay will invoice Customer and Customer will pay that amount unless Customer provides OpenPlay with a valid tax exemption certificate authorised by the appropriate taxing authority. 

5.4 Interest. OpenPlay has the right to charge interest on overdue invoices at the rate of 4% per year above the base rate of Barclays plc, calculated from the date when payment of the invoice becomes due for payment up to and including the date of actual payment whether before or after judgment.

6. Warranties

6.1 Service warranty. OpenPlay warrants that: (a) the Service shall operate materially in accordance with its description in the User Guides when used in accordance with the Agreement under normal use and normal circumstances during the relevant Subscription Period; (b) OpenPlay will provide the Services with reasonable care and skill; (c) OpenPlay will not materially decrease the functionality of the Service during the Subscription Period; and (d) it will provide the Services in accordance with Applicable Laws as they relate to the provision of the Services OpenPlay’s customers generally without regard to Customer’s particular use of the Services. The warranties in this clause 6.1 shall not apply to the extent that any error in the Service arises as a result of: (a) incorrect operation or use of the Service by Customer or a User; (b) use of any Service with other software or services or on equipment with which it is incompatible; (c) any unapproved modification of the Service; or (d) material breach of the Agreement by Customer (or by any User).

6.2 Authority. Each party warrants and represents to the other that it has the right, power and authority to enter into the Agreement and grant to the other the rights (if any) contemplated in the Agreement and to perform its obligations under the Agreement.

6.3 Warranty disclaimer. Other than as expressly stated in the Agreement, the Services and the Installed Software are provided ‘as is’ and without warranty, whether express or implied, statutory or otherwise, to the maximum extent permitted by law. Customer accepts that the Services may be subject to delays, interruptions, errors or other problems. Customer acknowledges that such risks are inherent in the nature of the Services and that OpenPlay shall have no liability for any such delays, interruptions, errors or other problems.  Customer acknowledges that OpenPlay accepts no liability or obligation that: (a) the Service will meet Customer’s individual needs or purpose, whether or not such needs/purpose have been communicated to OpenPlay; (b) the operation of the Service will be free of minor errors or defects; or (c) the Service will be compatible with any other software or service or with any hardware or equipment except to the extent expressly referred to as compatible in the User Guides.  

6.4 Third Party Services. The Service may display, contain links to, or allow Customer to integrate the Service with third-party products, services, and websites (collectively, “Third Party Services”).  If Customer installs, enables or uses Third Party Services with the Service that requires the transfer, storage of processing of Customer Data for the Third Party Services to interoperate with the Service, Customer grants OpenPlay permission to transfer, store, and process Customer Data from and to Customer’s Third Party Services accounts on its behalf.  OpenPlay does not control Third Party Services and does not guarantee the accuracy, integrity or quality of such Third Party Service.  OpenPlay is not responsible or liable, directly or indirectly, for any transferring, transmitting, damage, disclosure, modification, deletion or loss caused to Customer or Customer Data by Customer’s use of or reliance on any Third Party Services. Third Party Services are governed solely by the terms and conditions of those Third Party Services and, as between OpenPlay and Customer, Customer is responsible for complying with licenses, the applicable terms and conditions, providing required notices and obtaining appropriate consents from its Users and for paying fees for Third Party Services.

7 Intellectual property

7.1 OpenPlay intellectual property.  OpenPlay or its licensors retain all rights, title and interest (including all patent, copyright, trade mark, trade secret and other intellectual property rights) to the Service, User Guides, the Deliverables, the Installed Software, and all related and underlying code, software, technology and documentation (including any derivative works, modifications, or improvements of any of the foregoing), and any Feedback that may be incorporated (OpenPlay Rights). Customer shall execute all such documents and do such things as OpenPlay may reasonably consider necessary to give effect to this clause 7.1.  Other than as expressly stated in the Agreement, no right, title or interest in the OpenPlay Rights is granted to Customer. Customer acknowledges that the Service is offered as an online, hosted solution, and therefore Customer has no right to obtain a copy of the underlying computer code of the Service. OpenPlay may freely use and incorporate into its products and services any suggestions, enhancement requests, recommendations, corrections, or other feedback provided by Customer or by any Users relating to OpenPlay’s products or services (Feedback).  

7.2 Branding. The Service enables Customer to apply the logos, trade marks and other branding of Customer and of the applicable Serviced Customer Site (Customer Branding) to the frontend of the Service ordered by Customer under the Agreement.  Customer (and the owners of the Serviced Customer Sites) will at all times retain rights, title and interest (including all intellectual property rights) in Customer Branding. Customer grants OpenPlay a royalty-free, non-transferable, non-exclusive licence to use Customer Branding (including making copies) only to the extent necessary to perform or provide the Service. Customer shall include the notice “powered by OpenPlay” on the main booking page of each Service Customer Site website for End Users, and such notice shall not be obscured or removed during the Subscription Period. The OpenPlay logo used in the notice shall contain a ‘DoFollow Backlink’ to Openplay.net.

7.3 Customer Data. Customer (and Customer’s licensors) will at all times retain rights, title and interest (including all patent, copyright, trade mark, trade secret and other intellectual property rights) in Customer Data. Customer grants OpenPlay a royalty-free, non-transferable, non-exclusive licence to use Customer Data (including making copies) only to the extent necessary to perform or provide the Services.

7.4 Usage Data.  Subject to its obligations under clause 8, OpenPlay may collect and use Usage Data to develop, improve, and support its products and services. OpenPlay may use Usage Data for any other lawful purpose,  including sharing Usage Data with a third party, provided that it shall not do so without Customer’s written consent unless such data has been aggregated and anonymised, such that Customer, Users and individuals cannot be identified from it. 

8. Data; Security

8.1 Mutual obligations. The parties shall comply with the DPA and all Data Protection Laws. 

8.2 Customer Data responsibility. Customer shall ensure (and is exclusively responsible for) the accuracy, quality, integrity and legality of Customer Data.  Customer warrants and represents that that it has made all disclosures and has all necessary appropriate rights, consents, and permissions necessary to lawfully transfer Customer Data to OpenPlay for the duration and purposes of the Agreement, all without violating or infringing Applicable Laws, third-party rights (including intellectual property rights, publicity or privacy rights) or any terms or privacy policies that apply to the Customer Data.

8.3 Security. OpenPlay shall implement technical and organisational security measures in relation to Customer Data, in accordance with the Security Measures as set out in its DPA at Schedule 2.

8.4 Customer Data deletion.  At the end of the Subscription Period, OpenPlay will offer the Customer reasonable assistance to extract Customer Data in an accessible form.  Unless otherwise set out in the Order Form, or subsequently agreed by the parties in writing, Customer instructs OpenPlay to securely delete all Customer Data hosted in the Service, within 90 days of the end of the provision of the Services, except to the extent that any Applicable Laws require OpenPlay to store such Customer Data for longer.  OpenPlay will have no liability for any deletion or destruction of any such Customer Data.

9 Technical Services

9.1 Provision. Where applicable, OpenPlay will perform the Technical Services for Customer as detailed in the Order Form, subject to the terms and conditions of the Agreement. The OpenPlay personnel that perform the Technical Services will be professional and qualified in the performance of the applicable Technical Services. 

9.2 Assistance. Customer acknowledges that timely access to applicable Customer Materials (defined below), resources, personnel, equipment or facilities is necessary for the provision of Technical Services. Customer agrees to provide such access and to reasonably cooperate with OpenPlay for the provision of the Technical Services. OpenPlay will have no liability for any delay or deficiency to the extent resulting from Customer’s breach of its obligations under this clause 9.

9.3 Customer Materials. Customer hereby grants OpenPlay a limited right to use any materials provided to OpenPlay in connection with the Technical Services (Customer Materials) solely for the purpose of providing Technical Services to Customer. Customer will retain any of its rights (including all intellectual property rights) in and to Customer Materials. OpenPlay will treat Customer Materials subject to the confidentiality obligations under clause 10 (Confidentiality). Customer warrants that Customer has and will have sufficient rights in Customer Materials to grant the rights to OpenPlay under the Agreement.

9.4 Licence to Deliverables. The Technical Services that OpenPlay provides (e.g., guidance on configuring the Service), and the resulting Deliverables are generally applicable to OpenPlay’s business and are part of OpenPlay’s technology.  Subject to the terms and conditions of the Agreement, OpenPlay hereby grants Customer a limited, non-exclusive, royalty-free, non-transferable worldwide license to use the Deliverables internally, solely in connection with such Customer’s use of the Service during the Subscription Period.

10 Confidentiality 

10.1 Confidentiality duty. Both parties shall maintain the confidentiality of the Confidential Information and shall not without the prior written consent of the other party, disclose or copy the Confidential Information other than as necessary for the performance or receipt of the Service. Each party: (a) undertakes to disclose the Confidential Information only to those of its officers, employees, agents, contractors and direct and indirect sub-contractors to whom, and to the extent to which, such disclosure is necessary for the purposes contemplated under the Agreement or as otherwise reasonably necessary for the provision or receipt of the Service; and (b) shall be responsible to the other party for any acts or omissions of any of the persons referred to in clause 11.1(a) in respect of the Confidential Information of the other party as if it was its own information.

10.2 Excluded information. The provisions of this clause 10 shall not apply to information that: (a) is or comes into the public domain through no fault of the disclosing party, its officers, employees, agents or contractors; (b) is lawfully received by disclosing party from a third party free of any obligation of confidence at the time of its disclosure; or (c) is required by law, by court or governmental or regulatory order to be disclosed.

11 Indemnity

11.1 OpenPlay indemnity. OpenPlay shall defend, indemnify and hold Customer harmless from and against all claims, losses, damages, fines, expenses and liability (including court costs and reasonable legal costs) resulting from any claim by a third party that the Service or a Deliverable infringes the intellectual property rights of that third party. OpenPlay shall have no liability under this clause 11.1, in respect of any claim which arises in whole or in part from: (a) any modification of the Service or Deliverable other than by OpenPlay; (b) Customer Data or any materials not provided by OpenPlay; (c) use of the Service (or any part) or Deliverable by Customer otherwise than in accordance with the Agreement; or (d) the combination of the Service or Deliverable with products or processes not provided by OpenPlay. This clause sets out Customer’s sole remedy with respect to any claim of intellectual property infringement.

11.2 Customer indemnity. Customer shall defend, indemnify and hold OpenPlay harmless from and against all claims, losses, damages, fines, expenses and liability (including court costs and reasonable legal costs) resulting from (a) any claim by a third party arising from any Customer Data, Customer Materials, Customer Branding or any Customer-offered product or service used in connection with the Service; or (b) any claim by an End User or arising from or relating to any acts or omissions by End Users in their use of the Service.  The indemnification obligation of Customer in clause 11.2(a) will not apply to the extent the applicable claim is attributable to unauthorised use or modification by OpenPlay of any data, material or product referred to in clause 11.2(b). 

11.3 Indemnification Procedures. In the event of a potential indemnity obligation under this clause 11,  the indemnified party shall: (a) promptly (and in any event within five Business Days) notify the indemnifying party in writing of any actual or threatened claim; (b) make no comment or admission and take no action that may adversely affect the indemnifying party’s ability to defend or settle the claim; (c) provide all assistance reasonably required by the indemnifying party; and (d) give the indemnifying party sole authority to control, defend or settle the claim. Any indemnification obligation under this clause 11 will not apply if the indemnified party settles or makes any admission with respect to a claim without the indemnifying party’s prior written consent.  Nothing in this clause will restrict or limit either party’s general obligation at law to mitigate a loss it may suffer or incur as a result of an event that may give rise to a claim under the indemnification obligations in this clause 11.

12 Limitation of liability

12.1 Liability cap. Subject to clause 12.3 and excluding a party’s liability under the indemnities in clause 12, or Customer’s liability for breach of clause 1.5(a) or clause 1.6, neither party’s total aggregate liability in respect of the Services (howsoever arising under or in connection with the Agreement) shall exceed 100% of the Fees for the relevant Service paid or payable to OpenPlay by Customer in the 12-month period immediately preceding the first incident giving rise to the relevant claim under the Agreement. 

12.2 Excluded losses. Subject to clause 12.3, neither party shall be liable in respect of the Services (howsoever arising under or in connection with the Agreement) for: (a) consequential, indirect or special losses; or (b) any of the following (whether direct or indirect): loss of profit; loss of use; loss of contract; loss of opportunity; and/or harm to reputation or loss of goodwill.

12.3 Unlimited liability. Notwithstanding any other provision of the Agreement, neither party’s liability shall be limited in any way in respect of the following: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) a breach of confidentiality obligations; or (d) any other losses which cannot be excluded or limited by Applicable Laws. 

12.4 Third party services or products. Customer acknowledges that OpenPlay shall have no liability to Customer in relation to any Third Party Services. 

13 Termination

13.1 Termination for cause. Either party may terminate the Agreement immediately at any time by giving notice in writing to the other party if: (a) the other party is subject to an insolvency event which shall mean, in relation to an entity; (i) that it is unable or admits inability to pay its debts as they fall due; (ii) that the value of its assets is less than its liabilities (taking into account contingent and prospective liabilities); or (iii) the appointment of a liquidator, administrator or other insolvency or similar officer in respect of it or its assets or any analogous procedure or step is taken in any jurisdiction; (b) the other party commits a material breach of the Agreement and such breach is not remediable; (c) the other party commits a material breach of the Agreement that is capable of being remedied and such breach has not been remedied within 20 Business Days of receiving written notice of such breach; or (d) the other party has failed to pay any amount due under the Agreement on the due date and such amount remains unpaid within 30 Business Days after the other party has received written notification that the payment is overdue.

13.2 Effect of termination. Immediately on termination or expiry of the Agreement (for any reason), the rights granted by OpenPlay under the Agreement shall terminate and Customer shall (and shall procure that each User shall): (a) stop using the Service; (b) destroy and delete or, if requested by OpenPlay, return any copies of the User Guides in its possession or control (or in the possession or control of any person acting on behalf of any of them); and (c) uninstall the Installed Software. Termination or expiry of the Agreement shall not affect any accrued rights and liabilities of either party at any time up to the date of termination or expiry. 

13.3 Surviving clauses. Any clauses that expressly or by implication are intended to continue beyond termination will survive termination of this Agreement. 

13.4 Suspension of the Service. OpenPlay may suspend access to the Services to all or some of the Users if: (a) OpenPlay reasonably suspects that there has been misuse of or threat to the Service or a breach of the Agreement that, in OpenPlay’s reasonable opinion, threatens the confidentiality, integrity or availability of the Service (in which case OpenPlay will take steps to investigate the issue and may restore or continue to suspend access at OpenPlay’s reasonable discretion); (b) any sums due to OpenPlay by Customer are thirty (30) days or more overdue; or (c) as required by law or as directed by governmental entities. OpenPlay will provide notice of suspension as is commercially reasonable under the circumstances. Where any of the above events has been cured, OpenPlay will, without undue delay, reinstate the affected Service.

14 Publicity. 

OpenPlay may, during the Subscription Period, use and display Customer’s name, logo, trademarks, and service marks on OpenPlay’s website and in OpenPlay’s marketing materials in connection with identifying Customer as a client/customer of OpenPlay. Upon Customer’s written request, OpenPlay will promptly remove any such marks from OpenPlay’s website and, to the extent commercially feasible, from OpenPlay’s marketing materials. If OpenPlay requests, Customer will agree to participate in a case study, press release and/or cooperate with OpenPlay in speaking to the media.

15 Insurance. 

Without in any way limiting or altering its liability under the Agreement, OpenPlay shall, at its sole expense, maintain during the Subscription Period the following insurances: (a) public, products and employer’s liability coverage of not less than £5,000,000 in aggregate; (b) professional indemnity coverage of not less than £2,000,000 in aggregate; and (c) cyber liability insurance coverage of not less than £1,000,000 in aggregate. OpenPlay shall deliver to the Customer reasonable evidence of such insurances on written request.  

16 General

16.1 Entire agreement. The Agreement constitutes the entire agreement between the parties and supersedes all previous agreements, understandings and arrangements between them in respect of its subject matter, whether in writing or oral.  If Customer issues a purchase order in relation to the Order Form: (a) such purchase order will be for Customer’s internal or administrative purposes; and (b) no additional purchase order terms will apply to the Order Form or the Fees.  

16.2 Notices. Notices and other communications under the Agreement shall be sent by email to: (a) in the case of those to OpenPlay, to OpenPlay Limited for the attention of Sam Parton, CEO, to legal@openplay.co.uk and (b) in the case of notices to Customer, to any email or physical address or contact details notified to OpenPlay. This clause 16.2 does not apply to notices given in legal proceedings or other dispute resolution proceedings, for which service by email alone is not valid.

16.3 Variation and modification to the Service. No variation of the Agreement shall be valid or effective unless it is: (a) an update made in accordance with the Agreement; or (b) made in writing, refers to the Agreement and is duly signed or executed by, or on behalf of, each party. Customer acknowledges that OpenPlay shall be entitled, upon written notice to Customer to update the Service, using reasonable endeavours to ensure that any such modification does not materially adversely affect Customer’s use of the Service and at all times in accordance with the SLA.

16.4 Waivers. No failure, delay or omission by either party in exercising any right, power or remedy provided by law or under the Agreement shall operate as a waiver of that right, power or remedy, nor shall it preclude or restrict any future exercise of that or any other right, power or remedy.

16.5 Assignment. Neither party may assign the Agreement without the advance written consent of the other party, except that OpenPlay may, on written notice, assign the Agreement in its entirety (a) in connection with a merger, reorganization, acquisition, or other transfer of all or substantially all of its assets or voting shares to its successor; and/or (b) to any Affiliate.  The parties hereby irrevocably agree in advance to provide their cooperation to such assignment and shall perform any formality to complete such assignment. Any attempt to transfer or assign the Agreement except as expressly authorized under this clause will be null and void.

16.6 No joint venture. The Agreement does not establish any joint venture, partnership, trust, fiduciary or other relationship between the parties, other than the contractual relationship expressly provided for in it.

16.7 Force majeure. Neither party shall be in breach of the Agreement or otherwise liable to the other party for any delay in performance or non-performance of any of its obligations under the Agreement to the extent that the delay or non-performance is caused, in whole or in part, by an event of Force Majeure.  The corresponding obligations of the other party will be relieved or reduced to the same extent and where the relevant corresponding obligation relates to payment of a fixed amount, it shall be apportioned appropriately.

16.8 Severability; headings. If any provision of the Agreement is held to be unenforceable or invalid, that provision will be limited to the minimum extent necessary so that the Agreement will otherwise remain in effect. Clause headings are inserted for convenience only and shall not affect the construction of the Agreement.

16.9 Third party rights. A person who is not a party to the Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its provisions.

16.10 Disputes. If a dispute arises out of or in connection with the Agreement or the performance, validity or enforceability of it (Dispute) then the parties shall follow the procedure set out in this clause:

• 16.10.1 either party shall give to the other written notice of the Dispute, setting out its nature and full particulars (Dispute Notice), together with relevant supporting documents. On service of the Dispute Notice, executive level members of each party shall attempt in good faith to resolve the Dispute; 

• 16.10.2 if the individuals referred to in clause 16.10.1 are for any reason unable to resolve the Dispute within 45 days of service of the Dispute Notice, the Dispute shall be referred to the CEO of the Customer and CEO of OpenPlay who shall attempt in good faith to resolve it; and

• 16.10.3 No party may commence any court proceedings under clause 16.12 in relation to the whole or part of the Dispute until 30 days after referral of the Dispute under clause 16.10.2, provided that the right to issue proceedings is not prejudiced by a delay.

16.11 Conflict. In case of any conflict between the provisions of the Agreement and the documents referred to in it, the following order of priority will apply (in descending order of priority): (a) DPA; (b) the Order Form; (c) other Schedules to Terms; and (d) body of the Terms.

16.12 Jurisdiction. The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any Dispute.

16.13 Governing law. The Agreement and any dispute or claim arising out of, or in connection with, it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of England and Wales.

SCHEDULE 1 DEFINITIONS 

In the Agreement:

Affiliate means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a party. As used herein, control means the power to direct the management or affairs of an entity and ownership means the beneficial ownership of more than fifty percent (50%) of the voting equity shares or other equivalent voting interests of an entity.

API Services means the product and services related to the OpenPlay API’s functionality, including the systematic interactions between Customer’s system and the Service through the OpenPlay API.

Applicable Laws: all binding local, national and international laws, regulations and conventions that apply to the provision and receipt of the Services, including Data Protection Laws.

Business Day means a day other than a Saturday, Sunday or bank or public holiday in England.

Contractor means an independent contractor or consultant permitted by Customer to serve as a Customer User. 

Confidential Information means all information (whether in oral, written or electronic form) that is identified as confidential at the time of disclosure or should be reasonably known by the receiving party to be confidential or proprietary due to the nature of the information disclosed and the circumstances surrounding the disclosure, including: Customer Data and the technology, know-how, intellectual property rights, assets, finances, strategy, products, clients and customers of either party. All information relating to the Fees, OpenPlay’s pricing terms, the User Guides, and any other technical or operational specifications or data relating to the provision of the Service shall be OpenPlay’s Confidential Information. 

Customer Branding has the meaning given in clause 7.2.

Customer Data means all data, information, and files (excluding Feedback) inputted, or submitted by Customer or on Customer’s behalf into the Service, or shared with OpenPlay by any means, which may include Customer Personal Data (as defined in the DPA in Schedule 2) and data relating to Users, or to Customer’s customers, suppliers, contacts, employees or other third parties.

Customer User means any employee, agent or Contractor of the Customer, authorised by Customer to access and use the Service and the User Instructions in accordance with the terms of the Agreement.

Customer Site means a sport or leisure centre that is under the management or control of Customer.

Data Protection Laws has the meaning given in the DPA.

Deliverables means the guides, code or other deliverables that OpenPlay provides to Customer in connection with Technical Services (excluding third party compilers, assemblers, similar tools or other third party software used in the provision of the Technical Services). 

DPA means OpenPlay’s data processing addendum found at Schedule 2.

End User means an individual end user, authorised by Customer to access and use parts of the Service ordered by Customer but excluding a Customer User. 

Feedback has the meaning given in clause 7.1. 

Fees means the fees payable for the Services and any other amounts payable to OpenPlay under the Agreement, each as initially provided under the Order Form and amended from time to time in accordance with the Agreement. 

Force Majeure means an event or sequence of events beyond a party’s reasonable control preventing or delaying it from performing its obligations under the Agreement (provided that an inability to pay is not Force Majeure), including any matters relating to transfer of data over public communications networks and any delays or problems associated with any such networks or with the internet.

Initial Subscription Period: the minimum initial period for which Customer agrees to subscribe to the Services as detailed in the Order Form, commencing on the Subscription Start Date.

Installed Software means any desktop software that is made available to Customer by OpenPlay as part of the Services for installation on Customer User computers.

Minimum System Requirements means the minimum requirements for Customer’s operating system in order for Customer to receive the Services, as may be reasonably updated from time to time on written notice to Customer. The requirements as at the Subscription Start Date are: browser – Google Chrome; RAM - >8GB; disk type – SDD hard drive; internet connection download bandwidth >12mbps.

Moves+ means a Service offering that allows Customers to reward End Users for their activities.

OpenPlay API means OpenPlay’s application programming interface.

Order Form means OpenPlay’s ordering document or documents (including any schedules and attachments) for ordering the Services, entered into by Customer and OpenPlay, incorporating this MSA.

Security Measures means OpenPlay’s information security practices and measures in relation to the Service referred to in the DPA at Schedule 2.

Service means OpenPlay’s software-as-a-service offerings made generally available and ordered by Customer as set out in an Order Form and more particularly described in the User Guides.

Serviced Customer Sites means a Customer Site with a reception desk at which Customer Users access the Service (excluding use of Moves+ by End Users).

Services means together the Service and the Technical Services.

Service Level Agreement or SLA means OpenPlay's service level agreement for the Services, as set out at Schedule 3.

Subscription Period has the meaning given in clause 4. 

Subscription Start Date has the meaning given in clause 4.

Taxes means taxes, levies, duties or similar governmental assessments of any nature, including, for example, any sales, use, GST, value-added, withholding, or similar taxes, whether domestic or foreign, or assessed by any jurisdiction, but excluding any taxes based on net income, property, or employees of OpenPlay. 

Technical Services means the implementation, configuration, training or other professional services provided by OpenPlay to Customer under an Order Form.

Third Party Services has the meaning given in clause 6.4.

Usage Data means (i) any data derived from the operation, support and/or use by Customer or Users of the Service, including data regarding applications used in connection with the Service, configurations, log data, and the performance results for the Service; and (ii) aggregated and anonymised Customer Data, so that an individual person or the Customer cannot be identified from such data.

Users means Customer Users and End Users. 

User Guides means OpenPlay’s technical documentation and user guides to the Service, including OpenPlay’s ‘Frequently Asked Questions’ document, each made available through the Service (as amended from time to time).

SCHEDULE 2 DATA PROCESSING ADDENDUM (DPA)

This DPA forms part of the Agreement.

1. Definitions.

The definitions below are additional defined terms specific to this DPA. Any capitalised terms used in this DPA, which are not specifically defined below, shall have the meaning set out in Schedule 1 of the Agreement. 

“Account” means Customer’s account in the Service, in which Customer stores and processes Customer Data.

“adequate country”, “controller”, “processor”, and “supervisory authorities” have the meanings given in the Data Protection Laws.

"Customer Personal Data" means the types of Personal Data that the Customer may instruct OpenPlay to Process as specified in clause 3.5(f) below on behalf of the Customer.

“Data Protection Laws" means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR");  (ii) the United Kingdom’s Data Protection Act 2018 (as well as any subsequent data protection law enacted by the United Kingdom); and (iii) any local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, as amended, replaced or superseded from time to time.  

“Data Subject” means the identified or identifiable natural person to whom the Personal Data relates. 

“Personal Data” means (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (b) any information defined as “personal data”, “personal information,” or other similar terms under applicable Data Protection Laws.

"Processing" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination and "Process", "Processes" and "Processed" will be interpreted accordingly. 

"Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.

"Sub-processor" means any other Data Processors engaged by OpenPlay to Process Customer Personal Data.  

2. Applicability of this DPA and Role of the Parties.  

2.1 This DPA applies where and only to the extent that OpenPlay Processes Customer Personal Data on behalf of the Customer in the course of providing the Services. 

2.2 The Customer is the data controller of Customer Personal Data and OpenPlay is the processor. 

3. Details of Data Processing.

• (a) Subject matter: The subject matter of the Processing under this DPA is the Customer Personal Data. 

• (b) Duration: As between Customer and OpenPlay, the duration of the processing is the Subscription Period plus any period after the termination or expiry of the Agreement during which OpenPlay will process Customer Personal Data in accordance with the Agreement.

• (c) Purpose: OpenPlay will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services. 

• (d) Nature of the Processing: OpenPlay may Process Personal Data in the following ways in order to provide the Services to Customer: collection, recording, organisation, structuring, storage, copying, displaying, reformatting, adaptation or alteration, anonymisation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, or synchronisation with cloud services.

• (e) Categories of Data Subjects: The categories of Data Subjects to which Customer Personal Data relate are determined and controlled by Customer in its sole discretion, and may include, but are not limited to: 

  • Customer Users

  • End Users

  • Data Subject of any other Customer Personal Data submitted to the Service, including its representatives, agents, or contractors.  

• (f) Types of Customer Personal Data: Customer Personal Data may include but is not limited to: 

  • Identification and contact data (name, address, title, contact details);

  • Financial information (credit card details, account details, payment information);

  • Employment details (employer, job title, geographic location, area of responsibility); 

  • IT information (IP addresses, usage data, cookies data, location data); and

  • Any other Customer Personal Date submitted to the Service.

• (g) Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Agreement and under the Data Protection Laws, Customer may also include 'special categories of personal data' or similarly sensitive personal data (as described or defined in Data Protection Laws) in Customer Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Customer Personal Data revealing racial or ethnic origin, or data concerning health, illness or disability and physical activity levels.

4. Roles and Scope of Processing.

   4.1 Customer Instructions. OpenPlay will Process Customer Personal Data only in accordance with Customer's documented instructions (including the Purpose above) and will not process Customer Personal Data for its own purposes, except as set out in the Agreement and this DPA or where required by applicable law(s). The Agreement, including this DPA, along with Customer’s configuration of any settings or options within the Service (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to OpenPlay regarding the Processing of Customer Personal Data. Additional Processing instructions (if any) require prior written agreement between the parties. The Customer shall ensure its Processing instructions are lawful and that the Processing of Customer Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. 

   4.2 Customer Processing of Personal Data.  The Customer agrees that it: (a) will comply with its obligations under Data Protection Laws with respect to its Processing of Customer Personal Data; (b) will make appropriate use of the Service to ensure a level of security appropriate to the particular content of the Customer Personal Data; and (c) has obtained all consents, permissions and rights necessary under Data Protection Laws for OpenPlay to lawfully Process Customer Personal Data for the Purpose, including, without limitation, Customer's sharing and/or receiving of Customer Personal Data with Third party Services. 

5. Sub-processing.

   5.1 Authorised Sub-processors. Customer grants OpenPlay a general authorisation to subcontract the processing of Customer Personal Data to Sub-processors, including those listed at Annex B (as such list may be updated by written notice to Customer). 

   5.2 Sub-processor Obligations.  OpenPlay shall: (a) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Customer Personal Data as OpenPlay’s obligations in this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (b) remain liable for each Sub-processor’s compliance with the obligations in this DPA. Upon written request, OpenPlay shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Data Protection Laws.   

   5.3 Changes to Sub-processors.  OpenPlay shall provide Customer with written notification at least thirty (30) days in advance of allowing any new Sub-processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, Customer may object in writing to OpenPlay’s appointment of the new Sub-processor, provided that such objection is based on reasonable grounds relating to Sub-processor’s ability to comply with Data Protection Laws.  In such event, the parties will discuss Customer’s concerns in good faith with a view to achieving resolution. If Customer can reasonably demonstrate that the new Sub-processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and OpenPlay cannot provide an alternative Sub-processor, or the parties are not otherwise able to achieve resolution as provided in the preceding sentence, Customer, as its sole and exclusive remedy, may terminate the Order Form(s) with respect only to those aspects of the Services which cannot be provided by OpenPlay without the use of the new Sub-processor by providing written notice to OpenPlay. OpenPlay will refund Customer any prepaid unused fees of such Order Form(s) following the effective date of termination with respect to such terminated Services.

6. Security.

   6.1 Security Measures.  OpenPlay shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data in accordance with its security practices, including the measures set out at Annex A to this DPA (“Security Measures”).  OpenPlay may review and update its Security Measures from time to time, provided that any such updates shall not materially diminish the overall security of the Services or Customer Personal Data. Customer is responsible for reviewing the information made available by OpenPlay relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.

   6.2 Confidentiality of Processing.  OpenPlay shall ensure that any person who is authorised by OpenPlay to Process Customer Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

   6.3 No Assessment of Customer Personal Data by OpenPlay. OpenPlay shall have no obligation to assess the contents of Customer Personal Data to identify information subject to any specific legal requirements. 

7. Customer Audit Rights. 

   7.1 Upon written request, at no additional cost to Customer, and no more than once every 12 months (save in the case of a confirmed Security Incident or where a supervisory authority requires it) OpenPlay shall provide Customer, or its appropriately qualified third-party representative (collectively, the "Auditor"), access to reasonably requested documentation evidencing OpenPlay's compliance with its obligations under this DPA (collectively, “Reports”).

   7.2 Any Reports or other written responses to an Auditor shall be subject to the confidentiality provisions of the Agreement.  Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with OpenPlay prior to any review of Reports or an audit of OpenPlay, and OpenPlay may object in writing to such Auditor, if in OpenPlay's reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of OpenPlay. Any such objection by OpenPlay will require Customer to either appoint another Auditor or conduct the audit itself. Expenses incurred by Auditor in connection with any review of Reports or an audit, shall be borne exclusively by the Auditor. 

8. Data Transfers 

   8.1 Hosting and Processing Locations. OpenPlay will only host Customer Personal Data in the region(s) offered by OpenPlay and selected by Customer on an Order Form or as Customer otherwise configures via the Services (the “Hosting Region”). Customer is solely responsible for the regions from which its Users access the Customer Personal Data, for any transfer or sharing of Customer Personal Data by Customer or its Users and for any subsequent designation of other Hosting Regions (either for the same Account, a different Account, or a separate Service). Once the Customer has selected a Hosting Region, OpenPlay will not Process Customer Personal Data from outside the Hosting Region except as reasonably necessary to provide the Services procured by Customer (provided that for any such Processing, the Processing shall only involve remote access and will not involve relocating the storage location of Customer Personal Data to a new country) or as necessary to comply with the Applicable Law. OpenPlay shall not process or transfer Customer Personal Data (nor permit such data to be processed or transferred) outside of EEA, Switzerland or UK, unless it first takes such measures as are necessary to ensure the transfer is in compliance with Data Protection Laws.

9. Return or Deletion of Data. Customer may retrieve or delete all Customer Personal Data upon expiration or termination of the Agreement as set out in the Agreement.  Any Customer Personal Data not deleted by Customer shall be deleted by OpenPlay promptly upon the later of: (a) expiration or termination of the Agreement; and (b) expiration of any post-termination “retrieval period” set out in the Agreement. Upon Customer’s written request, OpenPlay shall confirm such deletion in writing.

10. Security Incident Response.  

    10.1 Security Incident Reporting.  If OpenPlay becomes aware of a Security Incident, OpenPlay shall notify Customer without undue delay, and in any case notify Customer within seventy-two (72) hours after becoming aware. OpenPlay shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident.  

11. Cooperation.

    11.1 Data Subject Requests. To the extent legally permitted, OpenPlay shall promptly (and in any case within five (5) days) notify Customer if OpenPlay receives a request from a Data Subject that identifies Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Customer Personal Data (“Data Subject Request”). The Service provides Customer with a number of controls that Customer may use to assist it in responding to a Data Subject Request and Customer will be responsible for responding to any such Data Subject Request. Taking into account the nature of OpenPlay’s Processing, OpenPlay shall (upon Customer's written request) provide commercially reasonable cooperation to assist Customer in responding to any Data Subject Requests.  

    11.2 Data Protection Impact Assessments. OpenPlay shall provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Customer does not otherwise have access to the relevant information.

Annex A - Security Measures

OpenPlay will implement and maintain appropriate technical and organizational measures to meet its obligations under applicable Data Protection Laws. For example, OpenPlay will: 

1. inform all employees that Customer Personal Data is confidential and subject to contractual and legal protections;

2. instruct employees to access or display Customer Personal Data only in secure locations;

3. require that all devices used to store or transfer Customer Personal Data are encrypted and subject to a strong password policy that requires a password at initial startup and upon waking from sleep;

4. require multi-factor authorization and other account protection as available;

5. protect servers behind a firewall and perform annual vulnerability tests;

6. use reasonable technical and organizational measures to ensure that Customer Personal Data is (i) encrypted when in transit; and (ii) anonymized or pseudonymized where appropriate in light of the purposes of the relevant Processing activities; and

7. use secure AWS (or comparable service provider) service to allow the restore of Customer Data. OpenPlay takes daily snapshots of data which gives it restore points that it can implement should it ever need to.

In addition, OpenPlay implements the following.

8. Access Control

• Preventing Unauthorized Product Access Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

• Physical and environmental security: We host our product infrastructure with outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centres. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The physical and environmental security controls are audited for ISO 27001 and Cyber Essentials Plus compliance, among other certifications.

9. Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

10. Authorisation: Customer Data is stored in a single tenant storage system accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorisation to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

11. Preventing Unauthorized Product Use: We implement industry standard access controls and detection capabilities for the internal networks that support its products.

12. Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

13. Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

14. Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.

15. Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of the OpenPlay web application at least annually. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.

16. Limitations of Privilege & Authorization Requirements: Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. 

17. Input Control 

• Detection: We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

• Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by technical, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement. 

18. Availability Control

• Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.

• Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

• Online DB backups: Production databases are backed up and maintained using at least industry standard methods.

• Disaster Recovery Plans: We maintain and test at least annually a disaster recovery plan to help ensure availability of information following interruption to, or failure of, critical business processes.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

19. Security Incident Communications. OpenPlay shall provide Customer timely information about the Security Incident, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by OpenPlay to mitigate or contain the Security Incident, the status of OpenPlay's investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because OpenPlay personnel do not have visibility to the content of Customer Personal Data, it will be unlikely that OpenPlay can provide information as to the particular nature of the Customer Personal Data, or where applicable, the identities, number or categories of affected Data Subjects. Communications by or on behalf of OpenPlay with Customer in connection with a Security Incident shall not be construed as an acknowledgment by OpenPlay of any fault or liability with respect to the Security Incident.

Annex B - List of Sub-processors

The following table sets out the list of Sub-processors that OpenPlay has specifically authorised as of the Subscription Start Date. 

SCHEDULE 3 SERVICE LEVEL AGREEMENT (SLA)

This Schedule sets out the service level agreement (SLA) for the OpenPlay Service and is subject to, and incorporated into, the Agreement.

Definitions

Business Days: any weekday other than a bank or public holiday in England.

Service Hours: the hours of 09:00 to 17:00 GMT/BST on a Business Day.

Incident: a failure of the Services to comply with the User Guides.

1. Support Services

a. Customer Obligations: 

• Customer will operate a 1st line support function where all issues/requests will be triaged. Low level issues and configuration will be performed by Customer.  Customer will escalate Incidents to OpenPlay by contacting the OpenPlay support team as detailed in section 1.c. below

• Customer will endeavour to make appropriately skilled people available to OpenPlay when resolving an Incident or related request. Incident resolution may be impacted if Customer cannot provide the appropriately skilled personnel. 

b. OpenPlay obligations: 

• OpenPlay provides a support portal (Zendesk) within the Service and will provide Customer support services during Service Hours.  

• OpenPlay will use all reasonable endeavours to meet the Availability requirements in section 2 below and to resolve Incidents in accordance with section 3 below.  

• In the event that an End User contacts OpenPlay directly, OpenPlay will direct that End User to Customer’s service desk via email. As an exception, where the End User’s request implies a P1 incident (See Section 3 below for definition of P1), OpenPlay will verify availability and performance of the Service. Should a P1 incident be discovered, OpenPlay will handle the Incident.

c. Contacting OpenPlay Support

• Email: support@openplay.co.uk 
• Ticketing System: OpenPlay will provide an online response ticketing system for logging all Customer Incidents and responding via email within a queued ticketing system for prioritisation. When raising an online support ticket, Customer must ensure that it provides accurate and thorough information.  Customer submitter will receive a confirmation email with a ticket number.

2. Availability 

a. This SLA shall only apply to the availability of the OpenPlay Service subscribed to by Customer.  OpenPlay shall make the Service available 99.5% of the time (“Availability”).

b. Availability shall be measured per calendar month based on the monthly average percentage availability and calculated as the total actual uptime minutes divided by total possible uptime minutes in the month, excluding any unavailability caused by:

• scheduled maintenance of the Service, for which OpenPlay will give Customer no less than 2 weeks’ written notice. OpenPlay will use reasonable endeavours to perform such scheduled maintenance outside of Service Hours;

• a Force Majeure Event;

• Service interruptions of less than 10 minutes;

• Issues with Customer’s local area network or other public network, or Customer’s own Internet connectivity or software or hardware not provided by OpenPlay; and/or

• Customer’s failure to follow agreed procedures, or caused by Customer’s unauthorised changes to the Service.

3. Incident Response

OpenPlay will use all reasonable endeavours to:

• classify all Incidents in accordance with the definitions below;

• respond to all Incidents within the Response Time according to the definitions and times as set out below.

¹ Response Times start from the time at which Customer’s Incident is reported to OpenPlay through the support ticketing system during Support Hours. For tickets raised outside of these hours, the applicable times are taken from 09:00am on the next day Business Day.