Terms of Service
While this is an important and legally-binding document, we’ve tried to keep these Terms of Service as readable and user-friendly as possible.
Last updated: 05 September 2017
What is DataExchange?
DataExchange is a secure, cloud-based platform that connects to an institution's Management Information System (MIS), extracts selected elements of your institution’s data, and stores it in a way that allows authorized applications to access that data in a secure and privacy-driven way.
These Terms of Service explain how we process your data, how we protect your data, and what we expect from you when you use our platform.
Who do these terms apply to?
These Terms of Service are between you, an institution or vendor, and us, DataExchange. These terms do not apply to third parties such as pupils or parents.
Whilst using DataExchange you will send data to us about your institution/company for us to process on your behalf. Institutions at all times remain Data Controllers and DataExchange is the Data Processor. It is your responsibility to ensure that you are able to engage with DataExchange on these terms. You must not connect to the platform if you do not agree with these Terms of Service.
These Terms of Service apply only to DataExchange connectors and DataExchange. DataExchange stores data sent to us, and also stores data which is passed back to it from vendor applications. However, these terms do not apply to the processing of data by vendor applications that you can connect to through DataExchange.
Vendor applications, whether created by DataExchange or another party, are subject to their own Terms and Conditions and Policies. Before you deploy a vendor application in DataExchange you must also ensure that you read, and agree to, the application’s Terms and Conditions and Policies.
Summary Terms of Service
You agree to
- Only connect to DataExchange with the authorisation of the person with data protection responsibilities within your company / institution (a role commonly referred to as ‘data protection lead’, likely to be the head teacher or a senior leader)
- Retain your responsibility as the Data Controller, and comply with the legal responsibilities it brings, over the data held within the platform, including its accuracy and completeness
- Have full responsibility for your account, and the credentials related to your account, and ensure no unauthorised access to it
- Only connect to the platform if you are able to do so in accordance with the Data Protection Act
- Have full responsibility for who you choose to share your data with, and not connect to any third party applications unless satisfied with their terms and conditions, and the privacy policies which govern them
You agree not to
- Copy or share any of our tools or content
- Use our Intellectual Property (code, trademarks or other material) without our consent
- Do anything which adversely affects the security of the platform, for example infecting it with viruses, Trojan horses or other similar harmful components that could affect or delay delivery of our services
- Access, attempt to access, or inspect any data for which you do not have permission
We agree to
- Process the data received from you for the purposes of education and institution improvement only, and only for those purposes necessary to provide the service explicitly offered to you
- Adhere strictly to the terms of the Data Protection Act 1998 and any future amendments or applicable legislation
- Only store and process the minimum data required to provide our services, and to inform you in advance of using any of our services what data that service requires.
- Transport and store all personal data originating from institutions using modern and best practice encryption technologies. This includes Secure Sockets Layer (SSL) for encrypted data transfer over the internet, encryption of all data at rest, field-level encryption for personally identifiable data and password-protected identities for all end users
- Ensure the data we hold about you is correct
- Only retain data for as long as required, and delete all your data if you ask us to do so, or if your account becomes inactive.
- Ensure that all data is held securely by taking steps to ensure that data is not corrupted or lost
- Always maintain adequate liability insurance
- Report any breaches of security to the Data Controller, the Information Commissioner’s Office (ICO) and other authorities if required by law, and, in co-operation with the Data Controller, to Data Subjects
- Always notify you, prior to connecting a vendor application, which data that vendor application needs access to, and allow you to accept or reject that request
- Make Terms of Service and Privacy Policies clearly and publicly available on our website
We agree not to
- Store or transport personal or sensitive data outside of the EEA or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission
- Share your data with any third parties except where explicitly requested by you or required by law
- Use your data, made available via DataExchange, for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to you
- Transport personal data originating from you in an unencrypted format
- Claim ownership or exclusive rights over any of the data processed or created as part of services provided to you
Terms of Service
Restrictions and Responsibilities
- Connecting your data source (e.g. MIS) to DataExchange: In order to use our service, upon signing appropriate data sharing agreements, you will be providing access to information about your institution from your Management Information System (MIS). It is your responsibility to connect to the platform in a properly authorised way. DataExchange has access to your institution data only as requested by you, and only for the purposes of performing services on your behalf.
- Connecting your application to DataExchange: In order to use our service, upon signing appropriate data sharing agreements, you will be given credentials and connection details to access only the data you are authorised to process. It is your responsibility to connect to the platform in a properly authorised way.
- Data Ownership: The data provider (e.g. the institution) will remain the Data Controller. We process the data on their behalf, in the manner they have requested. They remain responsible for their data, including any inaccuracies or changes that need to be made. Their responsibility as Data Controller covers all of their data on the platform, including new data created by using DataExchange and the applications it connects to.
- Account Security: If you decide to use DataExchange then you are responsible for maintaining the security of your account and are fully responsible for all of the actions in relation to it. The platform is for the sole use of those who have the necessary permission to access this data, and it is your responsibility to ensure that your account is secure and that access is restricted solely to those with the required permission. You must immediately notify us in the event of unauthorised access to your account or any other breaches of security.
- Ownership of IP: Unless we specifically designate an aspect of the platform as open source, DataExchange and all associated Intellectual Property remain the property of ZiNET Data Solutions Limited.
- Modification of Services: As an organisation that is constantly growing and improving, it may sometimes be necessary to modify our services. We may occasionally pause or remove particular tools or services at our sole discretion and we will give notice of any modifications before implementation where practicable or as soon afterwards as practicable.
- Payment: DataExchange offers a combination of free and paid‐for services. Unless otherwise agreed in writing, paid‐for services are non‐refundable.
- Disclaimer of Warranties: DataExchange and associated tools are provided on an “as is” and “as available” basis. They are provided without guarantees or warranties. ZiNET Data Solutions Limited makes no guarantee that the website or any of the tools are error free or that access will be continuous and uninterrupted.
- Liability: We shall not, under any circumstances, be liable to you, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, arising under or in connection with this agreement for: loss of profits, sales, business, or revenue (direct or indirect); business interruption; loss of anticipated savings; loss or corruption of data or information; loss of business opportunity, goodwill or reputation; or, any indirect or consequential loss or damage. We are not excluding liability for death or personal injury caused by negligence, breach of any implied term and any other matter for which it would be unlawful to exclude liability.
- Vendor applications: DataExchange allows you to connect your data to third party vendors. Data Controllers are responsible for ensuring that all terms of any vendor applications are understood and agreed to. Whilst we aim to ensure strict standards of security and privacy within DataExchange, we are not liable for any vendor applications. We also accept no responsibility for any sums payable by you to any vendors.
- Termination: We will suspend or restrict your access to our services if we have reason to believe you may have breached the conditions of this agreement.
Security and Privacy
Your privacy is our top priority, and we will not use your data for anything other than what is set out in this agreement.
- Data Storage and Access: All personal and sensitive DataExchange data is stored and transported within the EEA or countries which are granted to have Adequate Levels of Protection as defined by the European Commission. Internal access to information is limited to only those who require it to perform their jobs. Other security safeguards include firewalls and physical building access controls. We use role-based identities and password protection on all platform services and apps.
- Security and Encryption: We have invested heavily in security and we use a suite of modern encryption methods to secure the data held within DataExchange. All our data is encrypted at rest. We use additional field level encryption within the platform where we deem it necessary to protect the integrity of the data we store (for example, UPN). All external data transmissions to and from DataExchange are encrypted using modern SSL/TLS protocols and ciphers.
- Third Parties: We will share information if required to do so by law, but will never rent or sell your data for marketing purposes. We will not share any sensitive or confidential information with third parties except in instances where we are specifically requested to do so by you. Access to data is managed via “bearer tokens”. These can be revoked at any time and must be refreshed frequently to remain active.
- Data sharing permissions for vendor applications: Data is shared only between data providers (e.g. institutions) and data consumers (e.g. vendor applications) when valid data sharing agreements are signed. Data sharing agreements specify what information is to be collected and shared at the attribute level, minimizing any potential data leaks.
- Data sharing permissions for DataExchange analytics: In some limited circumstances we may collect non-personal and non-sensitive platform data through third party services. For example, we may use website analytics traffic providers to analyse metadata such as platform usage. Where we do this, we audit the service to ensure they have a similarly high level of commitment to security and privacy. These services may store your IP address, but we do not have access to this information ourselves. These services may store such data outside of the EEA. DataExchange may also collect, analyse or make available non-sensitive data to third parties (for example aggregated or non-identifiable data). We do not use or analyse this aggregated data in any way which would make data identifiable at an individual or institution level.
- Support: As a Data Processor, DataExchange does not look ‘under the hood’ or inspect any of the data to which the platform connects. The only exceptions to this are where you have explicitly given us permission to inspect your data; for example, to provide technical support to correct a technical problem. You can revoke this permission at any time, or we will turn off the permission ourselves when the technical work is complete.
- Permission: As the Data Controller, it is your responsibility to ensure that you can engage with DataExchange in accordance with the Data Protection Act and that Data Subjects (or their guardians as required) are suitably informed about Data Processing services, such as DataExchange, that the institution chooses to use.
- Communication: If you are a registered user of DataExchange, or have expressed interest in DataExchange and have supplied your email address, we may occasionally send you an email to tell you about new features, ask for feedback or keep you up to date with our products. If you no longer wish to be included on these communications, then please email email@example.com and we will remove you from the list.
- Privacy or Security Breaches: We take all reasonable, necessary precautions to ensure that your data is secure and to recognise and then mitigate the risks to security and privacy. However, it is not possible to 100% guarantee the security of any data transmitted or stored electronically. In the event that a breach of security or privacy did occur, DataExchange will contact the Data Controller, and inform the Information Commissioner’s Office (ICO) and other authorities if required by law.
Questions and Grievances
If you have any questions or grievances in relation to security or privacy, please email us on firstname.lastname@example.org.
Information for students and parents
DataExchange as the Data Processor only has access to data as requested by the institution as Data Controller and only for the purposes of performing services on an institution’s behalf.
Your child’s institution remains the Data Controller of any data we process. If you have questions about your or your child’s data, how your institution is making use of services like DataExchange, or wish to make a data access request, please contact the institution directly.
Changes to the Terms of Service
We are constantly updating and expanding our services. This means that sometimes we have to add to or modify the terms under which we offer our services. If we make material changes, we will let you know via email before these changes take effect. We also keep a log of material changes at the bottom of this page. The email will designate a reasonable period of time after which the new terms will take effect.
If you disagree with the changes then you must discontinue your use of our service. Continuing to use our services constitutes agreement to the new terms, and your continued use will be subject to these terms.
If you do not comply with any part of this agreement, we reserve the right to suspend or terminate your access to DataExchange with immediate effect.
We and you both agree that
- no failure or delay to exercise any right or remedy under this agreement or by law shall constitute a waiver of that right or any other right or remedy
- if any part of this agreement becomes invalid it will be modified to the minimum extent necessary to make it valid. If we cannot agree this with you, the relevant provision shall be deleted. Any modification to or deletion of a provision shall not affect the validity of the rest of the agreement
- any dispute or claim arising out of or relating to this agreement that cannot be resolved by negotiation within 14 days shall be resolved through arbitration. Either party shall give notice of seeking a resolution through arbitration using the CEDR procedure and English law. Either party may seek an interim remedy in court if necessary.
- any dispute or claim arising out of or relating to this agreement shall be governed by the law of England and that the courts of England shall have exclusive jurisdiction provided that we can take action in other places if you are in breach of this agreement.