These terms and conditions set out the terms on which Tallysticks Limited (“Tallysticks”) will provide users with access to the Tallysticks platform, a digital sales documentation and post-sales transaction management tool directly connecting buyers and sellers (the “Tallysticks Platform”).

Tallysticks will provide you, the User and certain of your employees, with access to, and a profile on, the Tallysticks Platform, on which buyers and sellers can transact by recording, digitally signing, executing and settling sales contracts.

These terms and conditions govern the provision and receipt of the Tallysticks Platform (the “Agreement”). This Agreement will come into effect upon you confirming electronically (by clicking “Accept” below) that you (on behalf of yourself and your company) agree to the terms of the Agreement, and thereafter any interactions by you with Tallysticks and the Tallysticks Platform will be subject to the terms and conditions of this Agreement.

1. Definitions

1.1 In this Agreement, where the context admits:

“Annual Subscription Fee” means the annual subscription fee selected by the User via the Order Form for the Tallysticks Platform;

“Available” means that the Tallysticks Platform is available and operable for Users and there is no failure causing either a complete loss of functionality or partial loss of functionality, which results in Users being unable to access or use the Tallysticks Platform in accordance with the provisions in this Agreement;

“Confidential Information” means in relation to either party, all correspondence, documents, specifications, papers, property or other information (whether in oral, written or electronic form) belonging or relating to that party, its business affairs or activities which is not in the public domain (in relation to the User, this shall include Personal Data) and which: (i) either party has marked as confidential or proprietary, (ii) either party, orally or in writing has advised the other party is of a confidential nature, or due to its character or nature, a reasonable person in a like position and under like circumstances would treat as confidential;

“Discount” means any amount of discount subtracted from the annual subscription fee as provided by Tallysticks by way of a voucher code that may be issued by Tallysticks from time to time;

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council; and

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

2. Tallysticks’s Obligations

2.1 Tallysticks grants the User access to the Tallysticks Platform subject at all times to the User’s (and its employees’, contractors’ and agents’) compliance with the terms and conditions of this Agreement, as supplemented by such documentation, reasonable instructions and guidance in relation to the use of or access to the Tallysticks Platform as may be issued by Tallysticks from time to time. Tallysticks may make operational changes to the Tallysticks Platform at any time and Tallysticks will provide notification to the User of any material changes to its use of the Tallysticks Platform either a) by placing a message on the Tallysticks Platform or b) by email to Users.

2.2 Tallysticks shall use reasonable endeavours to provide the Tallysticks Platform to the User such that it is Available for 99.95% of the time in each calendar month (measured 24/7), excluding any period of time when the Tallysticks Platform is not Available due to any planned or unplanned maintenance carried out by Tallysticks over the Tallysticks Platform.

2.3 Tallysticks will provide the User with the security credentials which the User will need to access the Tallysticks Platform. These will include the username, password, two factor authentication and any other security information which the User requires from time to time (the “Security Credentials”).

3. User’s Rights and Obligations

3.1 The User may from time to time need to provide Tallysticks with data in order for Tallysticks to provide the User with the Tallysticks Platform and services, for example company name, information identifying each individual user and the type of company.  Where the User provides Tallysticks with any Personal Data as part of such User data, Tallysticks will process this in accordance with its Privacy Notice.

3.2 In order to use Tallysticks’ premium services and have access to the Tallysticks Platform beyond the allowable free services, Users must also provide payment and billing details (e.g. credit card or bank account details).

3.3 In order to become a verified User or to use Tallysticks’ integrated financial services, Users will need to provide the following additional information, including but not limited to: registered company name, registered company address, company registration number, names of directors, names of all shareholders with 10% or more ownership and names of company officers.

3.4 It is the User’s responsibility to ensure that the data it uploads to the Tallysticks Platform is and remains up to date and materially accurate from time to time.

3.5 The User must not use the Tallysticks Platform:

(A) for any unlawful or immoral purpose;

(B) to knowingly supply false or misleading information with the intention to commit fraud;

(C) to transact in any restricted or unlawful goods including (but not limited to) any illegal drugs, weapons, radioactive material, or goods for which the User does not hold a valid licence; or

(D) to interfere with the security features of the Tallysticks Platform or any related website,

(together, the “Prohibited Uses”).

3.6 In the event that a User uses the Tallysticks Platform for any of the Prohibited Uses, then Tallysticks shall be entitled to immediately suspend the User’s access to the Tallysticks Platform and/or terminate this Agreement (without liability).

3.7 Platform security

(A) The User agrees to take all necessary steps to ensure that unauthorised access to the Tallysticks Platform is prevented.

(B) The User shall ensure that at all times the security measures within the User’s control are such as to ensure the security and safekeeping of all information relating to the Tallysticks Platform and any usage of and access to the Tallysticks Platform. The User shall inform Tallysticks immediately by contacting Tallysticks by telephone if the Security Credentials are compromised in any way.

3.8 Agreements made on the Tallysticks Platform

(A) The Tallysticks Platform provides functionality enabling the User to enter into transactions directly with other users of the Tallysticks Platform.  Any agreements made on the Tallysticks Platform between the User and any other users are direct contractual agreements to which Tallysticks is not a party (each a “Direct Agreement”).  Tallysticks expressly provides no warranties, assurances or advice (including legal advice) in respect of any Direct Agreements which the User enters into, including without limitation in respect of the performance of the Direct Agreement by the counterparty, the fitness for purpose of the terms of the Direct Agreement or the enforceability of the Direct Agreement.

(B) Nothing contained on the Tallysticks Platform constitutes investment advice, legal advice or an assurance or guarantee as to the expected outcome of using the Tallysticks Platform or entering into any Direct Agreements. The User agrees that it will not rely upon the contents of the Tallysticks Platform and that it will take all steps it deems necessary, at its own expense, including obtaining independent professional advice, to arrive at its independent opinion and its decision whether or not to enter into Direct Agreements.

4. Fees

4.1 The User shall pay to Tallysticks the Annual Subscription Fee in accordance with this paragraph. The User acknowledges that payment obligations are non-cancellable and any fees paid by the User under this Agreement are non-refundable.

4.2 In the event that the Annual Subscription Fee agreed for the User in the Order Form is free, Tallysticks will provide the User with access to the Tallysticks Platform free of charge.

4.3 The User shall provide Tallysticks with valid and updated credit card information (“Payment Method”) and authorises Tallysticks to take payment of any fees due under this Agreement via the Payment Method on or shortly after the due date for any such payment. The User authorises Tallysticks to use the Payment Method to charge the User the Annual Subscription Fee in advance.

4.4 If any amount owed by the User to Tallysticks under this Agreement is thirty (30) or more days overdue, Tallysticks may, without limiting their other rights and remedies, suspend the access of the User to the Tallysticks Platform until all amounts are paid in full. Should any amounts owed by the User to Tallysticks under this Agreement be sixty (60) or more days overdue, Tallysticks shall be entitled to terminate this Agreement immediately upon written notice to the User (without liability to the User).

4.5 Tallysticks agrees that it shall not be entitled to exercise its rights under clause 4.3 above if the User is disputing the applicable charges reasonably and in good faith, and is cooperating to resolve the dispute.

4.6 Any Annual Subscription Fees payable under this Agreement are exclusive of VAT and equivalent taxes in other countries which will be payable at the applicable rate.

4.7 Discount: A Discount may not be used in conjunction with any other Discount. Unless otherwise set forth in the terms of any Discount, Discounts will apply to the initial period of the subscription, and any renewals will be charged at the rate in effect at the time of renewal for the type of subscription purchased.

5. Compliance with Law

5.1 Each party shall, at all times, comply with all applicable laws and regulation in relation to its performance of its obligations under this Agreement.

6. Intellectual Property Rights

6.1 Tallysticks grants the User, for the period during which this Agreement applies, a non-transferable, non-exclusive, worldwide, royalty free licence to access and use the Tallysticks Platform solely to the extent permitted under the terms and conditions of this Agreement.

6.2 The User undertakes not to adapt, modify, copy, reproduce, reverse engineer, publish, redistribute, sell, sub-licence, exploit, or otherwise part with or make any other use of the intellectual property in or any data on the Tallysticks Platform, or the concept of the Tallysticks Platform more generally except for internal business purposes or to the extent required by law, nor to authorise, enable or assist any third party in doing so.

6.3 The User may not, nor permit others to, modify, decompile, reverse-engineer or disassemble the Tallysticks Platform or any part thereof except to the extent required by law.

6.4 The User acknowledges that all rights in the Tallysticks Platform are, and shall remain, the property of Tallysticks and/or its licensors and that the User shall not acquire any proprietary rights in the Tallysticks Platform and agrees not to infringe or challenge Tallysticks’s and/or its licensors’ rights in the Tallysticks Platform nor to do or permit anything to be done which may be detrimental to the Tallysticks Platform or which may be inconsistent with or damage the reputation of Tallysticks and/or its licensors. The User agrees to inform Tallysticks immediately if it becomes aware of any third party activity which infringes the intellectual property rights within the Tallysticks Platform.

7. Intellectual Property Rights Indemnity

7.1 Subject to clause 7.2 below, Tallysticks shall indemnify the User against all liabilities, costs, expenses, damages and losses suffered or incurred by the User arising out of or in connection with any claim made against the User for actual infringement of a third party's intellectual property rights arising out of or in connection with the Tallysticks Platform of which Tallysticks is aware (each an “IPR Claim”), provided that, if any third party makes a claim, or notifies an intention to make a claim, against the User which may reasonably be considered likely to give rise to a liability under this indemnity, the User:

(A) as soon as reasonably practicable, gives written notice of the IPR Claim to Tallysticks, specifying the nature of the IPR Claim in reasonable detail, and allows Tallysticks to take full conduct of the IPR Claim;

(B) shall provide all reasonable assistance to Tallysticks necessary to enable Tallysticks to defend the IPR Claim;

(C) shall not make any admission of liability, agreement or compromise in relation to the IPR Claim without the prior written consent of Tallysticks (such consent not to be unreasonably conditioned, withheld or delayed); and

(D) shall take such action as Tallysticks may reasonably require to avoid, dispute, compromise or defend the IPR Claim.

7.2 Without prejudice to clause 11.2 (Warranties), Tallysticks shall have no obligation to indemnify the User in respect of any IPR Claim:

(A) caused or contributed to by the User's use of the Tallysticks Platform not in accordance with this Agreement and/or Tallysticks’ reasonable direction from time to time, or otherwise in combination with software, operating systems or mobile devices not approved in writing by Tallysticks;

(B) which results from an infringement that Tallysticks was unaware of before being notified of this current infringement claim; or

(C) based on use of any release or version of any part of the Tallysticks Platform other than the latest release or version supplied or made available by Tallysticks, if such claim could have been avoided by the use of such supplied release or version.

7.3 If use of the Tallysticks Platform becomes the subject of an IPR Claim, Tallysticks may:

(A) replace all or part of the Tallysticks Platform with functionally equivalent software or documents without any charge to the User;

(B) modify the Tallysticks Platform as necessary to avoid such claim, provided that the Tallysticks Platform (as modified) functions in substantially the same way as the Tallysticks Platform before modification; or

(C) procure for the User a licence from the relevant third parties to continue using the Tallysticks Platform.

8. Confidentiality

8.1 Subject to clause 5 (Compliance with Law), the parties agree that the terms and existence of this Agreement between the parties, as well as all information gained by either party relating to the business, personnel and assets of the other, will be kept strictly confidential at all times and will not be divulged to any person (other than the senior employees and professional advisors of the parties, or as may be required by law) without the prior written consent of the disclosing party.

8.2 Notwithstanding the foregoing and unless notified otherwise from time to time by the User, the User agrees that Tallysticks may disclose on a limited basis that the User is a user of the Tallysticks Platform in Tallysticks’ marketing materials and website, and grants to Tallysticks a licence to use its trade marks and trade names solely to the extent necessary to enable Tallysticks to do so.

9. User Data and Cookies

9.1 User data collected in respect of the User's application for the Tallysticks Platform or via the Tallysticks Platform shall be used for the purpose of operating and ensuring the security of the Tallysticks Platform and contacting the User in connection with their use of the Tallysticks Platform. By accepting the terms and conditions of this Agreement and using the Tallysticks Platform, the User consents to the use of their data as is described in this Agreement.

9.2 The User grants to Tallysticks a perpetual, irrevocable, non-exclusive, worldwide, royalty-free licence to use all information provided by the User, including any intellectual property rights or data,  to Tallysticks in using the Tallysticks Platform and (if applicable) all information relating to the total volume of transactions executed or confirmed via the Tallysticks Platform, provided that in the case of transaction volumes, Tallysticks's use of such information does not disclose the identity of the User. The User consents to Tallysticks using the information (including but not limited to company name, information identifying each individual user, company address and trading habits) it obtains from the User for its own internal analytical purposes and the purposes specified in or contemplated by this Agreement.

9.3 In connection with the licence granted by clause 9.2 above, and any rights granted subject to clause 9.2, Tallysticks is required to maintain records of each User to whom use of the Tallysticks Platform is licensed and to make such records available to any licensor provided that the licensor can demonstrate reasonable grounds to suspect a possible violation of licensor's intellectual property rights by the User. Furthermore, Tallysticks may at any time be required by applicable law or regulation to disclose User data to relevant regulatory authorities or bodies. The User consents to the use of their data for the reasons described in this Agreement.

9.4 The Tallysticks Platform uses cookies and by accepting the terms and conditions of this Agreement, the User acknowledges that it has read and understood Tallysticks’ Cookies Policy.

10. Data Protection and Data Security

10.1 In respect of any Confidential Information or other data provided by the User to Tallysticks from time to time, which may include User data and personal data (the personal data of the personnel of the User being the “Personal Data”), Tallysticks will:

(A) ensure that the Tallysticks Platform is designed, built and operated in accordance with a high standard of IT security, including but not limited to bank-grade infrastructure encryption and safeguards, the latest techniques for application protection, and robust policies for data access controls, as further described in appendix 1 (Data Security);

(B) comply with the requirements of applicable data protection legislation and ensure that all Personal Data held by Tallysticks will remain within the European Economic Area at all times;

(C) process the Personal Data received from the User only in accordance with reasonable and lawful instructions of the User;

(D) take all appropriate security, technical and organisational measures against unauthorised or unlawful processing of the Personal Data and against accidental loss or destruction of, or damage to, the Personal Data, and perform regular and secure backups of all the Personal Data in its possession or control;

(E) if any Personal Data is accessed by an unauthorised person or lost, corrupted, degraded or otherwise altered, due to an act or omission of Tallysticks or any Tallysticks personnel, immediately notify the User and take all steps to mitigate or avoid such breach;

(F) not disclose the User’s Security Credentials to any person other than its personnel who need to be provided with such Personal Data in order to deliver the Tallysticks Platform under this Agreement;

(G) procure that each of its personnel to whom Personal Data is disclosed (pursuant to (F) above) is made aware of Tallysticks’ obligations in relation to such Personal Data;

(H) deliver up to the User upon request all Personal Data and all other documents and materials in its possession, custody or control which contain or incorporate any part of the Personal Data received from the User;

(I) notify the User of any Personal Data Breach, without undue delay and in any event no later than 24 hours after it becomes aware of such Personal Data Breach (where notification of any Personal Data Breach is not made to the User within 72 hours Tallysticks shall provide the User with written reasons for the delay in notification);

(J) the notification in (I) above shall at least:

(1) describe the nature of the Personal Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; and

(2) describe the measures taken or proposed to be taken by Tallysticks to address the Personal Data Breach, including, where appropriate, measures to mitigate possible adverse effects.

Where, and in so far as, it is not possible to provide the information in (1) and (2) above at the same time, Tallysticks may provide the information to the User in phases without undue further delay;

(K) allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User for the purposes of assessing Tallysticks’ compliance with this clause 10.1 provided that:

(1) the User shall, if requested by Tallysticks, procure that its third party auditors enter into confidentiality undertakings with Tallysticks that are no less onerous than those set out in this Agreement; and

(2) the User shall be permitted to conduct no more than one such audit or inspection in any calendar year;

(L) it shall not engage another entity to process the Personal Data without prior specific or written authorisation of the User;

(M) taking into account the nature of the processing activities it shall implement appropriate measures to assist the User in complying with the rights of data subjects under the GDPR;

(N) it shall be co-operative with any instructions from any independent regulatory office dealing with the GDPR including, but not limited to, the Information Commissioner’s Office and any successor thereto;

(O) at the choice of the User, delete or return all the Personal Data to the User after the end of this Agreement and delete existing copies unless Member State law requires storage of the Personal Data; and

(P) provide the User with any information necessary to demonstrate compliance with the GDPR.

11. Warranties

11.1 Except as expressly set out in this Agreement and to the extent permitted by law, Tallysticks disclaims all warranties, conditions, guarantees, representations and statements with respect to the Tallysticks Platform, including without limitation any warranties or other statements relating to fitness for purpose, availability, absence of errors or otherwise.

11.2 Any unauthorised modifications, use or improper installation of the Tallysticks Platform by, or on behalf of, the User shall render all Tallysticks' warranties and obligations under this agreement null and void.

12. Term of this Agreement

12.1 The term shall commence on execution of this Agreement. Unless terminated earlier in accordance with clause 12 (Term of this Agreement), this agreement shall continue for one (1) year (“Initial Term”) and shall automatically extend for further one (1) year periods (“Extended Term”) at the end of the Initial Term and at the end of each Extended Term.

13. Suspension and Termination

13.1 Either party shall have the right, without prejudice to its other rights or remedies, to terminate this Agreement at any time:

(A) on thirty (30) days’ prior written notice to the other party, such notice to expire no earlier than the end of the Initial Term or the then-current Extended Term;

(B) if a party is in material or persistent breach of any of its obligations under this Agreement and either that breach is incapable of remedy or the party shall have failed to remedy that breach within thirty (30) days after receiving written notice requiring it to remedy that breach;

(C) if a party is unable to pay its debts (within the meaning of section 123 of the Insolvency Act 1986) or becomes insolvent or an order is made or a resolution passed for the administration, winding-up or dissolution of the party (otherwise than for the purposes of a solvent amalgamation or reconstruction) or an administrative or other receiver, manager, liquidator, administrator, trustee or similar officer is appointed over all or any substantial part of the assets of the party or the party enters into or proposes any composition or arrangement with its creditors generally; or

(D) if the party suffers or is subject to any equivalent event, circumstance or procedure to those set out above in clause 13.1(C) in any other jurisdiction.

13.2 In addition to either clause 4.3 (Fees), Tallysticks shall have the right to suspend the User’s access to the Tallysticks Platform in any of the following circumstances:

(A) where required by a regulator, court or otherwise by operation of law;

(B) where such is necessary to enable Tallysticks to carry out maintenance or repairs to the Tallysticks Platform;

(C) where circumstances have occurred (or where Tallysticks reasonably believes that they have or will occur) which give Tallysticks the right to terminate this Agreement under this clause 13; or

(D) where the User commits (or Tallysticks reasonably believes that the User has committed) any breach of the Prohibited Uses.

14. Liability

14.1 Subject to the following sentence, neither party to this Agreement shall be liable to the other party, whether in contract, tort or otherwise, for any indirect or consequential losses, costs, liabilities and expenses incurred by that other party in connection with this Agreement.  Nothing in this Agreement shall operate so as to limit or exclude either party’s liability for losses which cannot be excluded or limited by applicable law or regulation, or for any liability arising as a result of any breach of clause 8 (Confidentiality).

14.2 Subject to clause 14.1, the parties agree that Tallysticks’ total aggregate liability to the User and any of its affiliates in any twelve (12) month period for any and all claims arising out of or in connection with this Agreement (whether in contract, tort (including negligence) or otherwise) shall not exceed a figure equal to 100% of the total fees paid under this Agreement during that twelve (12) month period.

15. Entire Agreement

15.1 The User acknowledges that, in entering into this Agreement, it has not relied on any representation, warranty, collateral contract or other assurance (except those set out in this Agreement) made by or on behalf of Tallysticks. The User therefore waives all rights and remedies which, but for this paragraph, might otherwise be available to the User in respect of any such representation, warranty, collateral contract or other assurance.  Nothing in this paragraph limits or excludes any liability for fraud.

16. Variations

16.1 Tallysticks shall have the right to amend this Agreement at any time upon giving to the User not less than thirty (30) days’ prior written notice of such amendments (the “Amendment Notice Period”). In the event that the User objects to any amendments proposed by Tallysticks pursuant to this clause, it shall have the right to terminate this Agreement by giving to Tallysticks not less than thirty (30) days’ prior written notice, provided that such notice is served on Tallysticks within the Amendment Notice Period. Amendments made by Tallysticks pursuant to this clause shall become effective at the end of the Amendment Notice Period and will be binding on the User from that point in time, if no notice to terminate is provided by the User pursuant to this clause during the Amendment Notice Period.

17. No Delay

No delay or failure by either party to exercise any of its powers, rights or remedies under this Agreement will operate as a waiver of them, nor any single or partial exercise of any such powers, rights or remedies preclude any other or further exercise of them. Any waiver to be effective must be in writing.

18. Third Party Beneficiaries

This Agreement does not create any right or benefit enforceable by any person not a party to it (within the meaning of the Contracts (Rights of Third Parties) Act 1999).

19. Governing Law and Jurisdictions

19.1 This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.

19.2 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

Data security is of the utmost importance to Tallysticks because it values its clients. Tallysticks conducts regular security awareness training sessions for its entire staff, including contractors, in line with its Information Security Policy.

Tallysticks uses its reasonable endeavours to adhere to the highest security standards at all times. Those standards include, but are not limited to, the following.

Infrastructure encryption and safeguarding:

• Full encryption at rest using AES-256 of all storage services including but not limited to file storage with Amazon S3 and master database storage on Amazon RDS.

• All external communications are encrypted during transit over HTTPS with TLS 1.2.

• The cloud hosting infrastructure is ISO 27001 certified, PCI compliant, SOC 1,2,3 certified.

o See https://aws.amazon.com/compliance/iso-27018-faqs/ for more information.

• No direct database connections are permitted.

• Data held by Tallysticks is always stored within the European Economic Area, specifically Ireland.

• All environments (Production, Staging, QA, Development) are fully segregated.

• Regular data backups are performed and the backups are encrypted at rest.

• Patching is automated where possible and performed manually on a regular basis.

Application protection and access control:

• Application is developed to protect against OWASP Top 10.

o See https://www.owasp.org/index.php/Top_10-2017_Top_10 for more information.

• Unauthorised logins are mitigated with, but not limited to, rate limiting (to prevent brute force account access) and traffic filtering (by restricting IPs, HTTP headers and other indicators).

• Account recovery can only be performed via email using cryptographically secure tokens.

• Multi-factor authentication (using Time-based One-Time Passwords) is always required to authenticate and also to perform sensitive actions whilst logged in.

• Traffic monitoring is automated where possible and performed manually on a regular basis.

• Passwords use industry standard practices, which include a minimum-complexity requirement, and are stored in salted-hashed form with the bcrypt algorithm.

• Password verification attempts and password resets are logged and monitored.

• User authentication uses the OAuth 2 protocol, an industry adopted standard for authentication that conforms with OWASP Top 10.

• Internal application services authenticate using tokens which are generated and validated using modern industry standard cryptographic algorithms.

• Discrete credentials are issued for different activities that are performed within the hosting infrastructure which can be revoked.

• The principle of least privilege permissions is applied for both authenticated users and for internal services within the application.

Policy and Procedures for limiting access control to Tallysticks employees:

• The following techniques are used to safeguard access to the hosting infrastructure.

o User credentials and access tokens are used for authentication.

o Access is restricted to only authorised Tallysticks employees and/or contractors.

o The principle of least privilege to permission credentials is applied.

o Minimum password complexity requirements are enforced.

o Multi-factor authentication is required for all user accounts.

o Access logs are created for all authenticated actions, and the logs are monitored both manually and automatically.

• The following protocols are used to safeguard access to/usage of the developer tooling (such as version control systems, “continuous integration” services and monitoring services).

o User credentials and access tokens are used for authentication.

o Access is restricted to only authorised Tallysticks employees and/or contractors.

o Minimum password complexity requirements are enforced.

o Multi-factor authentication is required for all user accounts.

• The following protocols are used to safeguard access to IT systems used by the company.  Third party software includes, but is not limited to: G-Suite, Slack, Microsoft Office 365, Intercom and CurrencyCloud.

o Access is restricted to only authorised Tallysticks’ employees and/or contractors.

o Minimum password complexity requirements are enforced.

o Multi-factor authentication is required for all user accounts on all services where possible.

o Measures are taken to ensure that hardware devices used by the Company are kept up-to-date and secure (firewall enabled, malware protected, automatic updates enabled).