Addendum to General Products Ltd terms of service updated 30th March 2018

Please read this addendum to our Terms of Service (“Terms”, “Terms of Service”) carefully before using the https://web.consonance.app/ website (the “Service”) operated by General Products Ltd (“us”, “we”, or “our”). Your access to and use of the Service is conditioned on your acceptance of and compliance with these Terms. These Terms apply to all visitors, users and others who access or use the Service. By accessing or using the Service you agree to be bound by this Addendum. If you disagree with any part of the Addendum then you may not access the Service.

1. DEFINITIONS AND INTERPRETATION

In this Agreement:

  • "Data Protection Laws" means the Data Protection Act 1998, together with successor legislation incorporating the GDPR;
  • "Data" means the personal data passed under this Agreement, in particular user email addresses, user IP addresses, contributor contact data, contributor dates of birth, and service provider contact data (for example, typesetters' details);
  • "GDPR" means the General Data Protection Regulation;
  • "Services" means the provision of publishing data entry and storage, and the automatic production of exports including but not limited to ONIX XML reports, contract documents, royalty statements, Excel spreadsheets and marketing sheets.

2. DATA PROCESSING

You are the Data Controller for the Data and we are the Data Processor for the Data.

We agree to process the Data only in accordance with Data Protection Laws and in particular on the following conditions:

  • We shall process the Data only for the purpose of delivering the Services, and shall transfer the Data outside of the UK only to Heroku.com, which provides database hosting for the Services (Article 28, para 3(a) GDPR);

  • The GDPR contains no obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50). Heroku is certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks;

  • We shall ensure that all employees and other representatives accessing the Data are (i) aware of this Addendum, (ii) trained on Data Protection Laws and related good practice, and (iii) bound by a commitment of confidentiality (Article 28, para 3(b) GDPR);

  • You and we have agreed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in compliance with Article 32 of GDPR. Details of these measures are published in the Policies section of our documentation website (Article 28, para 3(c) GDPR);

  • We shall not engage any third party (sub-processor) in the processing of the Data without giving notice in this Addendum. The sub-processor currently engaged is heroku.com (Article 28, para 3(d) GDPR);

  • Taking into account the nature of the processing, we shall assist you by appropriate technical and organisational measures, in so far as this is possible and reasonable, in fulfilling your obligation to respond to requests from individuals exercising their rights under Chapter III of GDPR: the rights of access, rectification, erasure, restriction, portability and objection, and the right not to be subject to automated decision-making (Article 28, para 3(e) GDPR);

  • We shall assist you in ensuring compliance with the obligations under Articles 32 to 36 of GDPR (security of processing, notification of personal data breaches to the supervisory authority, communication of breaches to affected individuals, data protection impact assessments and, where necessary, prior consultation with the ICO), taking into account the nature of the processing and the information available to us (Article 28, para 3(f) GDPR);

  • On your request we shall securely delete or return the Data. It has been agreed that we will in any event securely delete the Data at the end of the Services, except for copies held in backups, where the risk has been assessed as low, the backup data is immutable, and backups are destroyed after 12 months (Article 28, para 3(g) GDPR).

You agree to use the Services in accordance with Data Protection Laws and in particular on the following conditions:

  • Enter each type of data into the field intended for it. For example, do not enter email addresses into a free-text notes field.

3. TERMINATION

You or we may immediately terminate this Agreement on written notice. Upon termination, your right to use the Service will immediately cease.

4. GENERAL

This Agreement represents the entire understanding of the parties relating to necessary legal protections arising out of their data controller/processor relationship under Data Protection Laws. This Agreement is subject to English law and the exclusive jurisdiction of the English Courts.

ANNEX

Compliance with Article 32, para 1 of GDPR

Consideration of anonymisation, pseudonymisation and encryption.

Traffic between the Service and its database is encrypted.

Encryption of this traffic is provided by the Service's hosting provider, Heroku (a salesforce.com company), which holds the following certifications and attestations:

  • International Organization for Standardization (ISO) 27001 and 27018,
  • the American Institute of CPAs' (AICPA) System and Organization Controls (SOC) reports,
  • the Payment Card Industry Data Security Standard (PCI DSS),
  • the TÜV Rheinland Certified Cloud Service mark,
  • the TRUSTe Certified seal,
  • and the UK Cyber Essentials Scheme.

In addition, we are certified by the UK Cyber Essentials Scheme.

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Application data is stored in PostgreSQL, an open source relational database. We back up the database twice a day, send copies of the backups to multiple AWS Regions, and retain them for six months in Amazon Glacier. The lifecycle management of database backups is entirely automated. Database backups and client files such as cover images and ebooks are stored in Amazon Web Services Simple Storage Service (S3), which is designed to provide 99.999999999% durability of objects over a given year.

A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

General Products Ltd security policy available on our website details this process.

Compliance with Article 32, para 2 of GDPR

In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to data transmitted, stored or otherwise processed. All traffic between users and the Service is carried over HTTPS (TLS) to protect data in transmission. The General Products Ltd security policy available on our website provides more detail.

Compliance with Article 32, para 3 of GDPR

Adherence to an approved code of conduct as referred to in Article 40 of GDPR, or an approved certification mechanism as referred to in Article 42 of GDPR, may be used as an element by which to demonstrate compliance with the requirements set out in Article 32, para 1 (see above). No approved code of conduct currently applies, but General Products Ltd is certified under the UK Cyber Essentials scheme.