Skip to main content

Visigo Services Agreement

Visigo Services Agreement

This Agreement is made between:

  • (i)Smoothwall Limited (hereinafter referred to as “Smoothwall”), a limited liability company (registered in England under number 4298247) of: Avalon House, 1 Savannah Way, Leeds Valley Park, Leeds, LS10 1AB, United Kingdom; and
  • (ii) you (hereinafter referred to as the “Customer”)

Whereas

  1. Smoothwall provides an eSafety service to schools and colleges that monitors their network and alerts the Customer of activity that is potentially dangerous.
  2. The Customer wishes to subscribe to the Visigo® Services (as such term is defined below) subject to the terms and conditions of this Agreement, starting from (the “Commencement Date”).

It is hereby agreed that:

Definitions

“Agreement” means this agreement between the parties for the provision of the Visigo Services, as described more fully in clause 2.1;

“Client Software” means the Smoothwall supplied software installed on each PC or computing device monitored by the Visigo Services.  This software captures Customer’s Devices user input, associated metadata and screen images, sending this information via the Concentrator for analysis;

“Concentrator” means the Smoothwall cloud based system that accepts information from the Client Software;

“Contractor” means any company, organisation or people contracted by Smoothwall to provide elements of the Visigo Services;

“Customer’s Devices” means PC or other computing devices that are to be monitored by the Visigo Services, as specified in Schedule C;

“Data Protection Legislation” means the Data Protection Act 1998 as amended from time to time, the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”), the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, the Investigatory Powers Act 2016 and Regulation (EU) 2016/679 known as the General Data Protection Regulation (“GDPR”) and all applicable laws and regulations relating to the processing of personal data and privacy including where applicable the guidance and codes of practice issued by the ICO or other relevant supervisory authority and the equivalent of any of the foregoing in any relevant jurisdiction (whether mandatory or not);

ICO” means the Information Commissioner’s Office or any successor regulatory authority;

“Incident” means as defined in Schedule A to this Agreement;

“Portal” means the Smoothwall cloud based system that provides reporting and system management facilities;

“Quotation” means as defined in the Smoothwall UK Terms and Conditions of Business;

“Service Level Agreement” means the applicable Service Level Agreement, available at www.smoothwall.com/sla (as amended from time to time);

“Smoothwall Software Licence Agreement” means the document available at www.smoothwall.com/licenses (as amended from time to time);

“Smoothwall UK Terms and Conditions of Business” means the document available at www.smoothwall.com/legal/uk-terms-conditions (as amended from time to time);

“Subscription Fees” means the annual charge for the Visigo Services, per Customer Device; and “Visigo® Services” means the e-safety monitoring services to be provided pursuant to the terms and conditions of this Agreement, as described in more detail in Schedule A to this Agreement.

“Visigo® Services” means the eSafety monitoring services to be provided pursuant to the terms and conditions of this Agreement, as described in more detail in Schedule A to this Agreement.

Agreement

  1. This Agreement shall be comprised of the terms and conditions set out in the main body of this Visigo Services Agreement, all Schedules and Appendices attached hereto (subject to clause 2.2 below) and any Order or Quotation to which the terms of this Visigo Services Agreement apply. In the event of a conflict between the various constituent parts of this Agreement, the following order of precedence shall apply:
    1. the Order/Quotation;
    2. the main body of this Visigo Services Agreement;
    3. the Schedules to this Visigo Services Agreement;
    4. the Smoothwall UK Terms and Conditions of Business;
    5. the Smoothwall Software Licence Agreement and
    6. the Service Level Agreement (SLA).
  2. The following sections of the Smoothwall UK Terms and Conditions of Business are expressly disapplied from this Agreement:
    1. Delivery (Clause 7) and
    2. Title and Risk (Clause 8).
  3. Visigo Services
    1. Smoothwall shall, with effect from the Commencement Date, provide the Customer with the Visigo Services for the Customer’s Devices in accordance with the terms of this Agreement.
    2. The Visigo Services will be provided for a maximum number of Customer’s Devices as specified in Schedule C, which may be updated by the Customer from time to time.
    3. Smoothwall will manage the operational use, monitoring and administration of the Visigo Services and provide technical support as described in the Service Level Agreement.  In the event that a technical problem affects service availability, Smoothwall will work with the Customer to achieve a resolution of the problem.  Smoothwall shall not be responsible for issues arising out of any misuse of the Visigo Services, the use of the non-compatible or miss-configured hardware, the use of non-compatible, mis-configured or defective software or the failure of the Customer to follow legitimate instructions from Smoothwall or a Contractor.
    4. As part of the Visigo Services, Smoothwall shall provide Client Software for use on each of the Customer’s Devices.  This software is provided solely for the purpose of enabling the Customer to receive the other elements of the Visigo Services as described in this Agreement.  Smoothwall will from time to time make available to the Customer, free of charge, updated versions of the Client Software.
    5. Use of the Client Software is subject to the Smoothwall Software Licence.  It may include open source and third party proprietary components, details of which are available upon request from Smoothwall.
  4. Term and renewal
    1. Subject to clause 3.2, and clause 20 of the Smoothwall UK Terms and Conditions of Business, the Visigo Services will be provided for a minimum term of One or Three Years starting from the Commencement Date (the Initial Term).
    2. Smoothwall may at any time, (including during the Initial Term), terminate this Agreement without liability on giving not less than ninety (90) days written notice to the Customer, such notice to take effect on the following anniversary of the Commencement Date.
    3. This Agreement shall automatically be renewed on expiry of the Initial Term for further annual terms of One (1) Year each (each a Renewal Term) unless it is terminated in accordance with clause 4.2 or the Customer notifies Smoothwall in writing of its intention not to renew this Agreement not less than Ninety (90) Days prior to the expiry of the Initial Term or Renewal Term (as appropriate).
  5. Fees
    1. The Customer will be invoiced annually for the provision of the Visigo Services.  After the first year, an invoice will be raised each year, which will normally be not less than 30 days prior to the anniversary of the Commencement Day.
    2. The Customer shall pay all fees due for the Visigo Services by invoice due date.  For invoices raised by Smoothwall, payment must be in accordance with Clause 12 of the Smoothwall Terms and Conditions of Business.
    3. The Subscription Fees due for the Visigo Services are as listed in the Quotation and are based on the number of Customer’s Devices specified in Schedule C.
    4. The Customer will be invoiced for additional subscriptions amounts if the actual number of Customer’s Devices using the Visigo Services exceeds that specified in Schedule C.  Such charges for additional Customer’s Devices will be calculated pro-rata to the number specified in Schedule C and the remaining term of the Agreement.
    5. If the Customer does not pay their Visigo Subscription Fees within the due period, Smoothwall shall have the right to suspend the Visigo Services until cleared funds are received.  Such suspension of service shall be without prejudice to Smoothwall’s other remedies, and the Customer’s obligation to pay the Subscription Fees.
    6. The Quotation may include charges for ancillary services provided with the Visigo Services, such as consultancy and / or training
  6. Customer Obligations
    1. The Customer is responsible for installation of the Client Software on the Customer’s Devices and checking that all of the Customer’s Devices are communicating with the Concentrator.  Smoothwall is not able to monitor devices upon which the Client Software is not installed or functioning properly.  The Portal provides system management and diagnostic facilities that enable the Customer to check that all of the Customer’s Devices are communicating with the Concentrator.
    2. The Customer is responsible for ensuring that its firewall and other network infrastructure is correctly configured to allow the Client Software to communicate with the Concentrator.
    3. The Customer will nominate one or more safeguarding staff (in Schedule C) to receive Incident reports.
    4. The Customer is responsible for the accuracy of the information supplied to Smoothwall in Schedule C and will promptly notify Smoothwall, in writing, of any changes to that information. Smoothwall cannot be held responsible for any failure to notify the Customer of an Incident if Smoothwall has not be provided with up-to-date contact details for the safeguarding officer(s)/nominated contact(s).
    5. The Customer shall, within reason, assist Smoothwall to the best of its abilities with the diagnosis of any technical issues.
    6. The Customer shall, upon reasonable notice, grant Smoothwall remote access to Customer’s Devices for the provision of technical support.
    7. The Customer shall comply with the licence terms of the Client Software and the Portal.
    8. The Customer is to implement and maintain the security measures listed in Schedule B.
  7. Smoothwall Obligations 
    1. Smoothwall shall provide the Visigo Services to the Customer in accordance with Schedule A and the Service Level Agreement.
    2. Smoothwall shall endeavour to inform the Customer of any changes or improvement to the Visigo Services in good time.
  8. Termination or Expiry 
    1. In the event that the Visigo Services are terminated, or expire, the Customer will ensure that all copies of the Client Software are promptly deleted from Customer’s Devices, as well as any copies held on servers/systems used for software distribution, maintenance and back-up.
  9. Data Protection and Privacy
    1. For the purposes of this Agreement, the parties agree that all data obtained from the Customer (including all data concerning users of the Customer’s IT systems) in the course of performing the Services and all data generated by Smoothwall and its subcontractors from the Shared Data (together the “Shared Data”) is deemed to be Personal Data, and shall be handled accordingly.
    2. Fothe purposes of this clause 9, the expressions “Processing“, “Personal Data“, “Controller” “Processor“, “Personal Data Breach” and “Data Subject” shall bear their respective meanings given under GDPR.
    3. The Customer and Smoothwall each: (a) acknowledges that for the purposes of the Data Protection Legislation, they are each a Controller of the Shared Data; (b) warrants that it is registered as a Controller with the ICO and (c) shall at all times maintain appropriate and adequate records of its Processing activities in respect of the Shared Personal Data as required under GDPR.
    4. The Customer and Smoothwall consider this data sharing initiative necessary to enable the Customer to meet its safeguarding obligations in respect of its students’ online safety and it is therefore in the public interest as well as the interests of the students who are subject to the monitoring.
    5. The parties agree to only Process the Shared Data for the purpose of providing, testing, developing and improving the Visigo® Services (the Agreed Purpose). The parties shall not Process the Shared Data in a way that is incompatible with the Agreed Purpose. The parties agree that the Shared Data is not irrelevant or excessive with regard to the Agreed Purpose.
    6. The parties shall ensure that the Shared Data is Processed fairly and lawfully in accordance with this Agreement during the term of this Agreement and shall be Processed under this agreement on the basis of the Data Subject’s explicit consent, the legitimate interests of the parties and that it is necessary for reasons of substantial public interest.
    7. Smoothwall may sub-contract some or all of its obligations to perform the Visigo® Services to Contractors from time to time. Each of the Customer and Smoothwall shall, and Smoothwall shall procure that its Contractors shall, at all times, in the performance of their respective obligations under this Agreement, comply with the provisions of the Data Protection Legislation.
    8. Prior to the Commencement Date, the Customer shall provide all users of the Customer’s Devices (and where a user is under 16 years of age, their parent or guardian) with a privacy notice (in the form provided by Smoothwall) which contains all information required to be provided to Data Subjects under GDPR in respect of the Visigo Services. The Customer shall obtain the explicit consent of users (or their parent or guardian) to the Processing of the Shared Data.
    9. Each party shall at all times provide the other party with reasonable co-operation and assistance to comply with their obligations under the Data Protection Legislation including without limitation:
      1. promptly notifying the other party if it receives any complaint, notice or communication which relates directly or indirectly to the Processing of Shared Data or to either party’s compliance with the Data Protection Legislation;
      2. promptly notifying the other party if it suffers a Personal Data Breach that affects any Shared Data and assisting with the notification of such a Personal Data Breach to the ICO and any affected Data Subjects in accordance with GDPR;
      3. promptly notifying the other party of any request from a Data Subject to exercise any of their rights under the Data Protection Legislation, including without limitation, any objection to the Processing of a Data Subject’s Personal Data, and assisting with complying with such a request and responding to any other queries or complaints from Data Subjects;
      4. assisting the other party to (a) complete any data protection impact assessment which is necessary in relation to the Processing of Shared Data and (b) consult with the ICO where necessary in relation to such assessment;
      5. at all times implementing sufficient and appropriate technical and organisational security measures to: (a) protect the Shared Data in its possession or under its control against unauthorised or unlawful Processing, disclosure or access and accidental or unlawful destruction, loss, alteration or damage, including without limitation, restricting access to Shared Data to those who require it in order to comply with this Agreement and the Data Protection Legislation and (b) ensure the Shared Data is Processed in accordance with the Data Protection Legislation and to be able to demonstrate such compliance.
    10. Smoothwall and its Contractors shall neither retain or Process Shared Data for longer than is necessary to carry out the Agreed Purpose nor disclose or transfer Shared Data to a third party outside the European Economic Area (“EEA”) unless it complies with the provisions of Articles 25 and 26 of the Data Protection Directive.
  10. Liability
    1. The express terms of this Agreement are in lieu of all warranties, conditions, terms, undertakings and obligations implied by statute, common law, custom, trade usage, course of dealing or otherwise, all of which are hereby excluded to the fullest extent permitted by law.
    2. The Customer acknowledges that Smoothwall aims to perform the alert action(s) in accordance with Schedule A.  However, given the nature of the service, it is not possible to guarantee that all incidents will be identified.  This may happen for a variety of reasons, including but not limited to: the Customer Device on which the incident occurred not being connected to the Internet, deliberate evasion by the user and the use of language or dialogue not understood by the analysis algorithms, origination of incidents outside of the Customer’s network, computer or network malfunction.
    3. The Customer accepts that operational practicalities mean that it can take some time to identify and properly understand an incident, which may result in the alert or report not being made prior to the occurrence of an event referred to or otherwise identifiable from a monitored communication.
    4. Nothing in this Agreement shall limit or exclude liability for death or personal injury caused by the negligence of Smoothwall or its contractors, for fraud or fraudulent misrepresentation and any other loss or damage the exclusion or limitation of which is prohibited by English law.
  11. General
    1. Entire Agreement: This Agreement and the documents referred to herein set out the entire agreement between the parties in relation to the Visigo Services and supersedes any previous agreement relating to the subject matter of this Agreement, whether written or oral.   The Customer acknowledges and agrees that in entering into this Agreement it places no reliance on any representation or warranty in relation to the subject matter of this Agreement other than as expressly set out in this Agreement, nor shall have any remedy in relation to the subject matter of the same save as expressly set out in this Agreement, provided always that nothing in this clause or in this Agreement shall operate to exclude or restrict any remedy or liability for fraud or fraudulent misrepresentation.
    2. References:  Any reference to a statute or a provision of a statute shall be construed as a reference to that statute or provision as amended, re-enacted or extended from time to time.
    3. Headings: Clause and Schedule headings are for convenience only and do not affect the interpretation of this Agreement and, (except where a contrary intention appears), a reference to a clause or Schedule is a reference to a clause of, or Schedule to, this Agreement.

Visigo Services (Schedule A)

Activity Monitoring

Visigo assesses content generated on Customer’s Devices and uses it to build the following risk profiles:

Profile

Description

Potential Paedophile (Grooming and child sexual exploitation)

A person who is suspected to be over the age of 18 who has contact with someone who is suspected to be under 18 for sexual purposes. Who may establish trust with the child by appearing sympathetic to their problems and on their side, who may encourage the child to share details about their life or share information that will make then contactable online or offline.

 

A person who may establish the child’s sexual experience, de-sensitize the child to sexual discussion, normalise it and encourage the child to participate in it. Someone who may send or request nude photos or webcam sessions with the child and who may ultimately attempt an offline meeting.

Terrorist Groomer (Extremism)

A person who makes direct threats to undertake acts of terrorism including bombing, biological attack, kidnap and execution, against a high profile person or the general public.

OR

A person who promotes terrorist activity carried out by others as rational, morally just or a duty. One who encourages others to carry out unofficial or unauthorised acts of violence or intimidation against others in the pursuit of their political or religious aims. A person who encourages demonization of those outside their ideological sphere, often with the use of political or religious propaganda.

Cyber Criminal (Illegal including Drugs and Substance Abuse)

A person who appears to be actively engaging in, or distributing the tools for, credit card fraud, hacking, denial of service attacks, password phishing, keylogging, malware distribution, pirated films/software or is engaged in the illegal sale of weapons or drugs.

 

Oversharer

A person who regularly attempts to share personal information that would make them contactable online or offline or would result in a serious personal data breach.

 

Offensive User

A person who engages in high use of profanity, without personally abusing others in a bullying manner. One who may introduce subjects or images that are highly distressing to others.

Cyberbully (Bullying and Discrimination)

A person who singles out individuals for a campaign or intimidation, abuse, harassment and exclusion and may encourage others to join in. Someone who may post material intended to shame and humiliate their target and who regularly engages in personal abuse against others.

Cybersexer

A person who makes frequent sexual overtures to others or engages in cybersex or talk of a highly sexual nature.

Vulnerable Person (Suicide / Self Harm)

A person who makes credible threats of suicide or self-harm or engages in suicidal talk. Someone who appears to be at current risk of sexual or physical abuse offline or is giving indications of suffering from an untreated eating disorder, being severely distressed.

 

Troll

A person who deliberately disrupts the community for their own amusement via means of screen flooding, deliberately provocative statements or nit-picking others communications in order to rile.

 

Incident Response/Notification Procedures

Within each profile content is ranked between levels 1-5 depending on the severity of the incident and previous history of the user where level 5 is the most serious.

Levels are defined individually for each profile, with alerts customised based on both the profile and the age range of students in the organisation.  Definitions of profile, level and required alerts will be subject to improvement/refinement over time.  Details of the current profiles and alerts are available in the tables below:

Primary

Profile Level 1 Level 2 Level 3 Level 4 Level 5
Potential Paedophile Portal Portal Portal Portal + Email Portal + Email + Phone
Terrorist / Terrorist Groomer Portal Portal + Email Portal + Email Portal + Email + Phone Portal + Email + Phone
Cyber Criminal Portal Portal Portal + Email Portal + Email Portal + Email + Phone
Oversharer Portal Portal Portal + Email Portal + Email Portal + Email
Offensive User Portal Portal Portal Portal + Email Portal + Email + Phone
Cyberbully Portal Portal Portal + Email Portal + Email Portal + Email
Cybersexer Portal Portal Portal + Email Portal + Email Portal + Email
Vulnerable User Portal Portal Portal + Email Portal + Email Portal + Email + Phone
Troll Portal Portal Portal Portal Portal + Email

 

Secondary

Profile Level 1 Level 2 Level 3 Level 4 Level 5
Potential Paedophile Portal Portal Portal Portal + Email Portal + Email + Phone
Terrorist / Terrorist Groomer Portal Portal + Email Portal + Email Portal + Email + Phone Portal + Email + Phone
Cyber Criminal Portal Portal Portal + Email Portal + Email Portal + Email + Phone
Oversharer Portal Portal Portal Portal Portal + Email
Offensive User Portal Portal Portal Portal Portal + Email
Cyberbully Portal Portal Portal + Email Portal + Email Portal + Email
Cybersexer Portal Portal Portal + Email Portal + Email Portal + Email
Vulnerable User Portal Portal Portal + Email Portal + Email Portal + Email + Phone
Troll Portal Portal Portal Portal Portal + Email

 

Further Education

Profile Level 1 Level 2 Level 3 Level 4 Level 5
Potential Paedophile Portal Portal Portal Portal + Email Portal + Email + Phone
Terrorist / Terrorist Groomer Portal Portal + Email Portal + Email Portal + Email + Phone Portal + Email + Phone
Cyber Criminal Portal Portal Portal + Email Portal + Email Portal + Email + Phone
Oversharer Portal Portal Portal Portal Portal
Offensive User Portal Portal Portal Portal Portal + Email
Cyberbully Portal Portal Portal Portal + Email Portal + Email
Cybersexer Portal Portal Portal Portal + Email Portal + Email
Vulnerable User Portal Portal Portal + Email Portal + Email Portal + Email + Phone
Troll Portal Portal Portal Portal Portal + Email

 

Response Times

Customer will receive alert notification of moderator confirmed incidents within thirty minutes of being detected.  Except in the event of circumstances outside of the control of Smoothwall or Contractor, Smoothwall commit to achieve this performance for 90% of all Incidents averaged over a twelve month period.

Security Measures (Schedule B)

The Customer shall implement and maintain the following security measures:

  • Web filtering solution (to monitor devices when they are on site):
    • Web Content filtering (preferably dynamic / content aware filtering)
    • Filtering of HTTPS secure web requests through decryption and interception
    • Scan for malicious as well as inappropriate content
    • BYOD system linked to user identification
    • Regular updates to lists of known malicious and undesirable sites
  • Firewall (software or hardware):
    • Be maintained, updated and supported accordingly
    • Secure configurations that can extend to routers and switches
    • Effective monitoring of alerts etc.
    • Manage (track/control/correct) the ongoing operational use of ports, protocols, applications and services on networked devices in order to minimize the window of vulnerability available to attackers
  • Device Security:
    • Use of external media (eg USB memory sticks) can be restricted / monitored as required
    • Current Anti-Virus subscription for all Windows and Mac devices with signatures updates automatically installed
    • Student users must not have Administrator rights (on Windows devices and wherever possible)
    • MDM system used for Apple iOS devices
  • Monitoring policies and AUP’s
    • AUP should explain if a solution is in place and what this covers (online, offline, on site, off site etc.)
    • Data protection policy in place and reviewed annually
    • User education and awareness
  • For effective identification of Incidents, Schools must be using individual logins for all users, eg: not a generic “year4” Login ID
  • Management of user privileges to be able to control of what users can and cannot do on devices (eg not able to install or de-install software) on devices or the school/college their network
  • Regular implementation of manufacturers updates/patches to remove vulnerabilities
  • Governing bodies and proprietors should ensure that the school or college designates an appropriate senior member of staff to take lead responsibility for child protection.  This person should have the status and authority within the school to carry out the duties of the post, including committing resources and, where appropriate, supporting and directing other staff.
  • The designated safeguarding lead should receive appropriate training at least every two years.

Schools that are part of a wider network (LA, regional network etc.) should also consider how their decisions could affect others on their network with regards to things like DDoS attacks.

Visigo Onboarding Form (Schedule C)