Parties
The physiotherapist company, partnership, or individual registered on MSK Physio’s Platform (hereinafter called the Principal)
MSKPhysio.org LND LTD, a company incorporated and registered in England and Wales under company number 12173899 whose registered office is at 111a George Lane, London, United Kingdom, E18 1AN (MSK Physio)
BACKGROUND
- MSK Physio arranges virtual physiotherapy consultations for patients in the United Kingdom and can introduce and assist with arranging UK patients to be consulted by the Principal.
- The Principal wishes to appoint MSK Physio as its non-exclusive agent for the promotion and sale of the Principal’s services within the Territory as defined below.
Agreed terms
Definitions and interpretation
The following definitions and rules of interpretation apply in this agreement.
Definitions:
Business Day: a day, other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.
Commencement Date: the date on which the Principal registers to use the Platform.
Customer(s): the UK patients using the Services of the Principal.
Local Regulations: laws and regulations applicable to the Services in the Territory.
Net Price: in relation to any Services, the price actually charged to the customer less any value added tax or other sales tax included in the price, any insurance charges included in the price, and any discounts, rebates or returns.
Platform: MSK Physio’s website platform or App which manages the booking and management of the Services between the Principal and the Customer.
Services: the virtual physiotherapy consultation services carried out by the Principal.
Territory: United Kingdom.
Headings. Clause, Schedule and paragraph headings shall not affect the interpretation of this agreement.
Definition of person. A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality) and that person’s personal representatives, successors and permitted assigns.
Clause and paragraph references. References to clauses and Schedules are to the clauses and Schedules of this agreement and references to paragraphs are to paragraphs of the relevant Schedule.
Schedules. The Schedules form part of this agreement and shall have effect as if set out in full in the body of this agreement. Any reference to this agreement includes the Schedules.
Company. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.
Singular and plural. Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular.
Gender. Unless the context otherwise requires, a reference to one gender shall include a reference to the other genders.
Party. A reference to any party shall include that party’s personal representatives, successors and permitted assigns.
Statute. A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
Subordinate legislation. A reference to a statute or statutory provision shall include all subordinate legislation made from time to time.
Writing and written. A reference to writing or written includes email.
Negative obligations. Any obligation on a party not to do something includes an obligation not to allow that thing to be done.
Inclusionary language. Any words following the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
Appointment
Sales promotion. By registering an account on the Platform the Principal appoints MSK Physio as its non-exclusive agent to assist in promoting sales of the Services in the Territory on behalf of the Principal on the terms of this agreement, and MSK Physio accepts the appointment on these terms.
Conclusion of sales on behalf of Principal. MSK Physio is authorised by the Principal, without prior reference to the Principal:
- to negotiate and conclude contracts for the sale of the Services in the name of and on behalf of the Principal;
- to issue invoices on behalf of the Principal relating to the supply of the Services; and
- to collect payment for the supply of the Services on behalf of the Principal.
No active marketing outside the Territory. MSK Physio shall not, outside the Territory, actively market the Services of the Principal.
MSK Physio’s obligations
MSK Physio undertakes and agrees at all times during the term of this agreement:
- Good faith. To act towards the Principal conscientiously and in good faith and not to allow its interests to conflict with the duties that it owes to the Principal under this agreement and any applicable laws.
- Sales promotion. To use its reasonable commercial efforts to promote the Services in the Territory with all due care and diligence.
- Correct description of MSK Physio. To describe itself in all dealings with the Services and in all associated advertising and promotional material and (if any description is provided there) at its premises as a “sales agent” or “selling agent” of the Principal.
- Invoices. To issue invoices to customers (in a form suitable for sales tax or value added tax purposes) for the sale of Services under this agreement, and to receive payment for the same.
- No authority to deal with disputes. Not, without prior reference to the Principal (and then only acting strictly on the Principal’s express instructions), to take part on behalf of the Principal in any dispute, or to commence or defend any court or other dispute resolution proceedings, or to settle or attempt to settle or make any admission concerning any such proceedings.
Sale of Services
- Prices. All sales of the Services by MSK Physio on behalf of the Principal shall be at the prices specified on the Platform, as updated from time to time.
- Standard terms and conditions with Customers. The Principal agrees to provide the Services in accordance with MSK Physio’s Customer Terms and Conditions as specified on the Platform and varied from time to time.
Principal’s obligations
The Principal undertakes and agrees with MSK Physio during the term of this agreement:
- Good faith. To act at all times in its relations with MSK Physio dutifully and in good faith.
- Indemnity in favour of MSK Physio. To indemnify MSK Physio against any liabilities which MSK Physio may incur as a result of acting with reasonable care and skill within the scope of its authority under this agreement as agent for the Principal.
- Supply of Services. To supply to the Customer, as part of the Services, an exercise regime within 24 hours after the virtual consultation’s start time, and to provide MSK Physio with its invoice to the Customer upon completion of the Services.
- Obligation to honour sales contracts. Within a reasonable period of becoming aware of the same, and subject to its rights under this agreement, to perform any contracts for the sale of the Services made on its behalf by MSK Physio under this agreement.
- Management of complaints. Promptly and efficiently to deal with any complaint, dispute or after-sales enquiry relating to the Services raised by a customer in the Territory.
- Information re possible failure to fulfil contracts. Where appropriate, to inform MSK Physio within a reasonable time if any contract concluded on its behalf by MSK Physio will not be performed by it, and of the reason for such non-performance.
Commission and payments
- Commission on sales. The Principal shall pay MSK Physio the fixed amount per consultation shown on the Platform for each Service for which the Principal enters into a sale contract with a customer during the term of this agreement.
- Time when commission is due. Commission shall become due to MSK Physio on completion of the Service for each customer.
- Commission payable if Principal fails to perform. If at any time Services sold by the Principal under a contract made by MSK Physio are not delivered to a customer because of the Principal’s fault, MSK Physio’s right to commission shall apply in relation to the sale of those Services as if they had been duly delivered and paid for on the due date for payment of the price under the relevant sale contract.
- VAT or other sales tax. All sums payable under this agreement are exclusive of any value added tax or other applicable sales tax, which shall be added to the sum in question (where applicable). A sales or value added tax invoice shall be provided against any payment if required by applicable law.
- Disputes re commission. If any dispute arises as to the amount of commission payable by the Principal to MSK Physio, the same shall be referred to the Principal’s auditors for settlement and their certificate shall be final and binding on both parties.
- Commission payments. The procedure for payment of commission shall be as follows: MSK Physio shall remit to the Principal, in the currency of the relevant sale contract, a sum equal to the aggregate Net Price less any deductions required by law and less MSK Physio’s commission, together with any value added tax or other sales tax relating to the aggregate Net Price collected on behalf of the Principal. At the same time, MSK Physio shall issue an invoice to the Principal (in a form suitable for value added tax or sales tax purposes) for the commission due to MSK Physio per Service, which shall then be deducted from the sum.
- MSK Physio is trustee for sums due to Principal. MSK Physio shall collect and hold as trustee, in a separate bank account in the name of MSK Physio but designated as a trust account for the Principal’s benefit, all moneys due to the Principal for such sales or otherwise (except for any remitted directly by the customer to the Principal), and shall transfer the same to the Principal pursuant to clause 6.6.
Advertising and promotion
Principal’s right to advertise. The Principal reserves the right to advertise and promote the Services in the Territory, provided that it mentions that it uses MSK Physio’s Platform.
Compliance with laws and policies
Compliance. Each party shall at its own expense comply with all laws and regulations relating to its activities under this agreement, as they may change from time to time, and with any conditions binding on it in any applicable licences, registrations, permits and approvals.
Anti-bribery compliance
Compliance. MSK Physio shall: comply with all applicable laws, statutes and regulations relating to anti-bribery and anti-corruption (Relevant Requirements); and have and maintain in place throughout the term of this agreement its own policies and procedures to ensure compliance with the Relevant Requirements and the Relevant Policies, and enforce them where appropriate.
Insurance
- Indemnity. The Principal shall indemnify MSK Physio against any liability incurred by MSK Physio for damage to property, death or personal injury arising from any fault or defect in the Services, and any reasonable costs, claims, demands and expenses arising out of or in connection with that liability (Relevant Claim), except to the extent that the liability arises as a result of the action or omission of MSK Physio.
- Insurance. The Principal shall maintain appropriate public liability insurance, professional indemnity insurance and any other appropriate commercial insurance for the duration of this agreement of at least £7,500,000 per claim with a reputable insurer, and shall provide a copy of the insurance policy to MSK Physio on MSK Physio’s request.
Limitation of liability
Unlimited liability. Nothing in this agreement shall limit or exclude the Principal’s liability: for any matter in respect of which it would be unlawful for the Principal to exclude or restrict liability; under the indemnities set out in clause 5.2, and clause 10.1.
Limitations of liability. Subject to clause 11.1: the Principal’s total liability to MSK Physio in respect of all loss or damage arising under or in connection with this agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall in no circumstances exceed £7,500,000 per claim.
Liability re supply of Services. The liability of the Principal arising out of or in connection with the supply of Services in the Territory shall be subject to the limitations of liability set out in MSK Physio’s Customer terms and conditions as specified on the Platform.
Duration and termination
Commencement, initial term, and notice to terminate. This agreement shall commence on the Commencement Date. Unless terminated earlier in accordance with law or clause 12.2 or clause 15, it shall continue until MSK Physio notifies the Principal that it shall terminate the Principal’s account to use the Platform or the Principal deletes their account on the Platform.
Consequences of termination
Accrued rights. Termination of this agreement shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the agreement which existed at or before the date of termination.
Consequences of termination. On termination of this agreement: MSK Physio shall cease to promote, market, advertise or sell the Services of the Principal; and MSK Physio shall immediately cease to describe itself as an agent of the Principal and cease to use all trade marks, trade names and brand names of the Principal (including without limitation on stationery and vehicles);
Commission rights post-termination. On termination of this agreement, the provisions of clause 6 shall continue in force in relation to all sales of the Services where the sale was concluded before the date of termination.
Survival of terms. Any provision of this agreement which expressly or by implication is intended to come into or continue in force on or after termination of this agreement shall remain in full force and effect, including in particular the following clauses:
clause 5.2;
clause 10.1;
clause 11;
clause 14;
clause 24; and
clause 25.
Confidentiality
- Confidentiality obligation. MSK Physio undertakes that it shall not at any time during this agreement, and for a period of five years after termination of this agreement, disclose to any person any confidential information concerning the business, affairs, customers, clients or principals of the Principal, except as permitted by clause 14.2.
- Exceptions to confidentiality obligation. MSK Physio may disclose the Principal’s confidential information: to its employees, officers, representatives or advisers who need to know such information for the purposes of carrying out MSK Physio’s obligations under this agreement (MSK Physio shall ensure that its employees, officers, representatives or advisers to whom it discloses the Principal’s confidential information comply with this clause 14); and as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
Limited licence to use confidential information. MSK Physio shall not use the Principal’s confidential information for any purpose other than to perform its obligations under this agreement.
Confidential information. All medical documents and other records (in whatever form) containing confidential information supplied to or acquired by MSK Physio and the Principal shall be kept for ten years.
Force majeure
Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure results from events, circumstances or causes beyond its reasonable control. In such circumstances the affected party shall be entitled to a reasonable extension of the time for performing such obligations. If the period of delay or non-performance continues for 8 weeks, the party not affected may terminate this agreement by giving 10 days’ written notice to the affected party.
Entire agreement
- Entire agreement. This agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous drafts, agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
- No remedies outside contract. Each party acknowledges that, in entering into this agreement, it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this agreement.
- Misrepresentation. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this agreement.
- Fraud. Nothing in this clause shall limit or exclude any liability for fraud.
Variation
No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
Assignment and other dealings prohibited
The parties shall not assign, transfer, mortgage, charge, subcontract, appoint delegates, declare a trust over or deal in any other manner with any or all of their rights and obligations under this agreement without the prior written consent of the Principal.
Authority
The parties declare that they each have the right, power and authority and have taken all action necessary to execute and deliver, and to exercise their rights and perform their obligations under this agreement.
Waiver
No failure or delay by a party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
Rights and remedies
Except as expressly provided in this agreement, the rights and remedies provided under this agreement are in addition to, and not exclusive of, any rights or remedies provided by law.
Severance
Modification or deletion invalid, illegal or unenforceable provisions. If any provision or part-provision of this agreement is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this agreement.
Notices
For the purposes of this clause, but subject to clause 23.7, notice includes any other communication.
A notice given to a party under or in connection with this agreement:
- shall be signed by or on behalf of the party giving it;
- shall be sent to the party for the attention of the contact and at the address or email address listed in clause 23.3, or such other address or email address as that party may notify in accordance with clause 23.4;
- shall be sent by a method listed in clause 23.5; and
- unless proved otherwise, is deemed received as set out in clause 23.5 if prepared and sent in accordance with this clause.
The addresses and email addresses for service of notices are:
Principal: the details registered in the Principal’s account profile on the Platform.
MSK Physio:
Address: 111a George Lane, London, United Kingdom, E18 1AN
For the attention of: Alkiviadis Siokos
Email address: info@mskphysio.org
A party may change its details given in clause 23.3: the Principal by amending its account profile, and MSK Physio by notifying the Principal of the change.
This clause 23.5 sets out the delivery methods for sending a notice to a party under this agreement and, for each delivery method, the date and time when the notice is deemed to have been received:
If delivered by hand, at the time the notice is left at the address; or
If sent by pre-paid national postal mail or other next working day delivery service providing proof of postage, at 9.00am on the second Business Day after posting; or
If sent by pre-paid airmail providing proof of postage, at 9.00am on the fifth Business Day after posting; or
If sent by email, at the time of transmission.
If deemed receipt under clause 23.5 would occur outside business hours in the place of receipt, it shall be deferred until business hours resume. In this clause, business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday.
This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Governing law
This agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
Jurisdiction
Each party hereby irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this agreement or its subject matter or formation (including non-contractual disputes or claims).
Our terms
- These terms
- What these terms cover. We act as agent for the physiotherapist, arranging bookings and taking payment from you on behalf of the physiotherapist, who provides you with virtual consultation services via the website platform or app which we provide.
- We may make changes to these terms. We amend these terms from time to time, and you should check the terms every time you make a booking with us.
- Information about us and how to contact us
- Who we are. We are MSKPHYSIO.ORG LDN LTD a company registered in England and Wales. Our company registration number is 12173899 and our registered office is at 111a George Lane, London E18 1AN.
- How to contact us. You can contact us by writing to our customer services team at info@mskphysio.org.
- How we may contact you. If we have to contact you we will do so by telephone or by writing to you at the email address or postal address you provided to us in your booking.
- “Writing” includes emails. When we use the words “writing” or “written” in these terms, this includes emails.
- Communications. You acknowledge and agree that we may at times send you communications regarding your account or the service via email. If you have requested it, we may also send you communications about upgrades to the Service or other services that may be of interest to you. You can notify us at any time to let us know that you no longer want to receive these emails from us.
- The booking and the contract between you and the physiotherapist.
- How we will accept your booking. Our acceptance of your booking will take place when we email you your virtual consultation booking service details, at which point a contract will come into existence between you and the physiotherapist which shall be in accordance with these terms and conditions.
- Your information: When you register you must ensure that all the information that you provide us or the physiotherapist in connection with your account and the booking is true, accurate and complete and if any of your details change you must inform us promptly. You confirm that you are acting in a personal capacity and not as a business.
- Notifications of any medical issues or disabilities that may affect your booking. Please let us know promptly if you have any medical issues or disabilities that may affect your booking. We will contact you promptly if we, as agents, must refuse or cancel the booking because the physiotherapist is unable to make reasonable adjustments.
- If we cannot accept your booking. If we are unable to accept your booking, we will inform you of this and shall return any payment made by you for the physiotherapist’s virtual consultation.
- How we will refund you. Any refunds shall be by the method you used for payment.
- Price and payment
- Where to find the price for the treatment. The price of the physiotherapist virtual consultation is on the Platform.
- When you must pay and how you must pay. We accept payment by the methods shown on the Platform, and payment is due when you book the physiotherapist’s virtual consultation services.
- The physiotherapist’s responsibility for loss or damage suffered by you
- Nothing in these terms limits any liability which cannot legally be limited, including but not limited to liability for:
- death or personal injury caused by negligence; and
- fraud or fraudulent misrepresentation;
- The physiotherapist has obtained insurance cover in respect of certain aspects of its own legal liability for individual claims not exceeding £1,000,000.00 (one million pounds sterling) per claim. The limits and exclusions in this clause reflect the insurance cover the physiotherapist has been able to arrange.
- Subject to clause 6.1, the physiotherapist’s total liability to you for the virtual consultation shall not exceed £1,000,000.00 (one million pounds sterling).
- Our responsibility for loss or damage suffered by you
- We do not exclude or limit in any way our liability to you where it would be unlawful to do so. This includes liability for death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors, and for fraud or fraudulent misrepresentation.
- We cannot accept any responsibility for any inaccurate, incomplete, or misleading information about the physiotherapist service passed to you in good faith, unless this was caused by our own negligence. If we become aware of any such information being untrue, we shall promptly correct it.
- We, as agents, accept no legal responsibility for the virtual consultation services provided by the physiotherapist, or for any acts or omissions of the physiotherapist or anyone representing or employed by them in relation to your consultation. We are responsible only for the making of the booking in accordance with these booking terms.
- We have no liability to you for business loss. We have no liability to you for any loss of profit, loss of business, business interruption, or loss of business opportunity.
- Use of our site and your account
- We are not responsible for viruses, and you must not introduce them. We do not guarantee that our site will be secure or free from bugs or viruses. You are responsible for configuring your information technology, computer programmes and platform to access our site. You should use your own virus protection software.
- You must not misuse our site. You must not misuse our site by knowingly introducing viruses, trojans, worms, logic bombs or other material that is malicious or technologically harmful. You must not attempt to gain unauthorised access to our site, the server on which our site is stored, or any server, computer or database connected to our site. You must not attack our site via a denial-of-service attack or a distributed denial-of-service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities, and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our site will cease immediately.
- How you may use material on our site. We are the owner or the licensee of all intellectual property rights in our site, and in the material published on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. You may print off one copy, and may download extracts, of any page(s) from our site for your personal use.
- Do not rely on information on this site. The content on our site is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content on our site. Although we make reasonable efforts to update the information on our site, we make no representations, warranties or guarantees, whether express or implied, that the content on our site is accurate, complete or up to date.
- We are not responsible for websites we link to. Where our site contains links to other sites and resources provided by third parties, these links are provided for your information only. Such links should not be interpreted as approval by us of those linked websites or information you may obtain from them. We have no control over the contents of those sites or resources.
- You must keep your account details safe. If you have a password or any other piece of information as part of our security procedures, you must treat such information as confidential. You must not disclose it to any third party.
- We have the right to disable any user password. We have the right to disable any user password, whether chosen by you or allocated by us, at any time, if in our reasonable opinion you have failed to comply with any of the provisions of these terms.
- If you know or suspect that anyone other than you knows your user password, you must promptly notify us.
- How we may use your personal information
- How we may use your personal information. We will only use your personal information as set out in our Privacy Policy and Cookie Policy.
- Other important terms
- About the physiotherapist. The physiotherapist confirms that they are registered with the Health and Care Professions Council.
- If a court finds part of this contract illegal, the rest will continue in force. Each of the paragraphs of these terms operates separately. If any court or relevant authority decides that any of them are unlawful, the remaining paragraphs will remain in full force and effect.
- Which laws apply to this contract and where you may bring legal proceedings. These terms are governed by English law, and you can bring legal proceedings in respect of these terms in the English courts.
Privacy / information security policy
Introduction
This Policy document encompasses all aspects of security surrounding confidential company information and must be distributed to all company employees. All company employees must read this document in its entirety and sign the form confirming they have read and fully understand this policy. This document will be reviewed and updated by Management on an annual basis, or sooner when relevant, to incorporate newly developed security standards into the policy, and re-distributed to all employees and contractors where applicable.
Information Security Policy
MSKPHYSIO.ORG LND LTD handles sensitive cardholder information daily. Sensitive information must have adequate safeguards in place to protect cardholder data and cardholder privacy, to ensure compliance with applicable regulations, and to safeguard the future of the organisation.
MSKPHYSIO.ORG LND LTD commits to respecting the privacy of all its customers and to protecting any customer data from outside parties. To this end management are committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.
Employees handling sensitive cardholder data must:
- Handle Company and cardholder information in a manner appropriate to its sensitivity and classification;
- Limit personal use of MSKPHYSIO.ORG LND LTD information and telecommunication systems and ensure it does not interfere with job performance;
- Understand that MSKPHYSIO.ORG LND LTD reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;
- Not use e-mail, internet and other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
- Not disclose personnel information unless authorised;
- Protect sensitive cardholder information;
- Keep passwords and accounts secure;
- Request approval from management prior to establishing any new software or hardware, third party connections, etc.;
- Not install unauthorised software or hardware, including modems and wireless access points, without explicit management approval;
- Always leave desks clear of sensitive cardholder data and lock computer screens when unattended;
- Report information security incidents without delay to the individual responsible for incident response locally; make sure you know who this is.
We each have a responsibility for ensuring our company’s systems and data are protected from unauthorised access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.
Network Security
A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable should also be illustrated.
In addition, external vulnerability scans should be performed and completed by a PCI SSC Approved Scanning Vendor (ASV), where applicable. Evidence of these scans should be retained for a period of 18 months.
Acceptable Use Policy
Management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to MSKPHYSIO.ORG LND LTD’s established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and the Company from illegal or damaging actions, whether carried out knowingly or unknowingly by individuals. MSKPHYSIO.ORG LND LTD will maintain an approved list of technologies and devices and of personnel with access to such devices, as detailed in Appendix B.
- Employees are responsible for exercising good judgement regarding the reasonableness of personal use.
- Employees should take all necessary steps to prevent unauthorised access to confidential data which includes card holder data.
- Keep passwords secure and do not share accounts. Authorised users are responsible for the security of their passwords and accounts.
- All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.
- All POS and PIN entry devices should be appropriately protected and secured so that they cannot be tampered with or altered.
- The List of Devices in Appendix B will be regularly updated when devices are modified, added or decommissioned. A stocktake of devices will be regularly performed and devices inspected to identify any potential tampering or substitution of devices.
- Users should be trained in the ability to identify any suspicious behaviour where any tampering or substitution may be performed. Any suspicious behaviour will be reported accordingly.
- Information contained on portable computers is especially vulnerable, so special care should be exercised.
- Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of MSKPHYSIO.ORG LND LTD, unless posting is in the course of business duties.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
Protect Stored Data
- All sensitive cardholder data stored and handled by MSKPHYSIO.ORG LND LTD and its employees must be securely protected against unauthorised use at all times. Any sensitive card data that is no longer required by MSKPHYSIO.ORG LND LTD for business reasons must be discarded in a secure and irrecoverable manner.
- If there is no specific need to see the full PAN (Primary Account Number), it must be masked when displayed.
- PANs that are not protected as stated above must not be sent outside the network via end-user messaging technologies such as chat, ICQ messenger, etc.
It is strictly prohibited to store:
- The contents of the payment card magnetic stripe (track data) on any media whatsoever.
- The CVV/CVC (the 3 or 4 digit number on the signature panel on the reverse of the payment card) on any media whatsoever.
- The PIN or the encrypted PIN Block under any circumstance.
Information Classification
Data and media containing data must always be labelled to indicate sensitivity level.
- Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to MSKPHYSIO.ORG LND LTD if disclosed or modified. Confidential data includes cardholder data.
- Internal Use data might include information that the data owner feels should be protected to prevent unauthorised disclosure.
- Public data is information that may be freely disseminated.
Access to the Sensitive Cardholder Data
All access to sensitive cardholder data must be controlled and authorised. Any job functions that require access to cardholder data should be clearly defined.
- Any display of cardholder data should be masked so that, at most, the first 6 and last 4 digits of the PAN are visible.
- Access to sensitive cardholder information such as PAN’s, personal information and business data is restricted to employees that have a legitimate need to view such information.
- No other employees should have access to this confidential data unless they have a genuine business need.
- If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix C.
- MSKPHYSIO.ORG LND LTD will ensure that a written agreement is in place which includes an acknowledgement that the Service Provider is responsible for the cardholder data that the Service Provider possesses.
- MSKPHYSIO.ORG LND LTD will ensure that an established process, including proper due diligence, is in place before engaging with a Service Provider.
- The Company will have a process in place to monitor the PCI DSS compliance status of the Service provider.
Physical Security
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
- Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
- Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.
- Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.
- Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. “Employee” refers to full-time and part-time employees, temporary employees and personnel, and consultants who are “resident” on MSKPHYSIO.ORG LND LTD sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to physically enter the premises for a short duration, usually not more than one day.
- A list of devices that accept payment card data should be maintained.
- The list should include the make, model and location of each device.
- The list should include the serial number or a unique identifier of each device.
- The list should be updated when devices are added, removed or relocated.
- POS device surfaces are periodically inspected to detect tampering or substitution.
- Personnel using the devices should be trained in and aware of correct handling of the POS devices.
- Personnel using the devices should verify the identity of any third-party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.
- Personnel using the devices should be trained to report suspicious behaviour and indications of tampering with the devices to the appropriate personnel.
- Strict control is maintained over the external or internal distribution of any media containing cardholder data, and such distribution must be approved by management.
- Strict control is maintained over the storage and accessibility of media.
- All computers that store sensitive cardholder data must have a password-protected screensaver enabled to prevent unauthorised use.
Protect Data in Transit
All sensitive cardholder data must be protected securely if it is to be transported physically or electronically.
- Card holder data (PAN, track data, etc.) must never be sent over the internet via email, instant chat or any other end user technologies.
- If there is a business justification to send cardholder data via email or by any other mode, then it should be done only after authorisation and by using a strong encryption mechanism (e.g. AES encryption, PGP encryption, IPsec, etc.).
- The transportation of media containing sensitive cardholder data to another location must be authorised by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.
Disposal of Stored Data
- All data must be securely disposed of when no longer required by MSKPHYSIO.ORG LND LTD, regardless of the media or application type on which it is stored.
- An automatic process must exist to permanently delete on-line data, when no longer required.
- All hard copies of cardholder data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner.
- MSKPHYSIO.ORG LND LTD will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.
- MSKPHYSIO.ORG LND LTD will have documented procedures for the destruction of electronic media. These will require:
- All cardholder data on electronic media must be rendered unrecoverable when deleted, e.g. through degaussing, electronic wiping using military-grade secure deletion processes, or physical destruction of the media;
- If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.
- All cardholder information awaiting destruction must be held in lockable storage containers clearly marked “To Be Shredded” – access to these containers must be restricted.
Security Awareness and Procedures
The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.
- Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.
- Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form (see Appendix A).
- All employees that handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with the Company.
- All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS).
- Company security policies must be reviewed annually and updated as needed.
10. Credit Card (PCI) Security Incident Response Plan
- MSKPHYSIO.ORG LND LTD’s PCI Security Incident Response Team (PCI Response Team) consists of the Information Security Officer and Merchant Services. MSKPHYSIO.ORG LND LTD’s PCI security incident response plan is as follows:
- Each department must report an incident to the Information Security Officer (preferably) or to another member of the PCI Response Team.
- That member of the team receiving the report will advise the PCI Response Team of the incident.
- The PCI Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and in mitigating the risks associated with the incident.
- The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
- The PCI Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred, or for the institution.
MSKPHYSIO.ORG LND LTD PCI Security Incident Response Team:
CIO | Alkiviadis Siokos
Communications Director | Alkiviadis Siokos
Compliance Officer | Alkiviadis Siokos
Counsel | Alkiviadis Siokos
Information Security Officer | Alkiviadis Siokos
Collections & Merchant Services | Alkiviadis Siokos
Risk Manager | Alkiviadis Siokos
Information Security PCI Incident Response Procedures:
- A department that reasonably believes it may have an account breach, or a breach of cardholder information or of systems related to the PCI environment in general, must inform MSKPHYSIO.ORG LND LTD PCI Incident Response Team. After being notified of a compromise, the PCI Response Team, along with other designated staff, will implement the PCI Incident Response Plan to assist and augment departments’ response plans.
Incident Response Notification
Escalation Members (or equivalent in your company):
Escalation – First Level:
- Information Security Officer
- Controller
- Executive Project Director for Credit Collections and Merchant Services
- Legal Counsel
- Risk Manager
- Director of MSKPHYSIO.ORG LND LTD Communications
Escalation – Second Level:
- MSKPHYSIO.ORG LND LTD President
- Executive Cabinet
- Internal Audit
- Auxiliary members as needed
External Contacts (as needed):
- Merchant Provider Card
- Internet Service Provider (if applicable)
- Internet Service Provider of Intruder (if applicable)
- Communication Carriers (local and long distance)
- Business Partners
- Insurance Carrier
- External Response Team as applicable (CERT Coordination Centre, etc.)
- Law Enforcement Agencies as applicable in the local jurisdiction
In response to a systems compromise, the PCI Response Team and designees will:
- Ensure the compromised system(s) are isolated from the network.
- Gather, review and analyse the logs and related information from the various central and local safeguards and security controls.
- Conduct appropriate forensic analysis of the compromised system(s).
- Contact internal and external departments and entities as appropriate.
- Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.
- Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.
How to notify Elavon in the event of an incident
1. UK:
• E-mail: #ADCqueries-GB@elavon.com
• Phone: 0 1923 651 622
2. Ireland:
• E-mail: #ADCqueries-IE@elavon.com
• Phone: 0402 25322
3. Germany:
4. Poland:
5. Norway:
6. Other Countries:
Transfer of Sensitive Information Policy
- All third-party companies providing critical services to MSKPHYSIO.ORG LND LTD must provide an agreed Service Level Agreement.
- All third-party companies providing hosting facilities must comply with the Company’s Physical Security and Access Control Policy.
- All third-party companies which have access to Card Holder information must:
- Adhere to the PCI DSS security requirements.
- Acknowledge their responsibility for securing the Card Holder data.
- Acknowledge that the Card Holder data must only be used for assisting the completion of a transaction, supporting a loyalty program, providing a fraud control service or for uses specifically required by law.
- Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
- Provide full cooperation and access to conduct a thorough security review after a security intrusion by a Payment Card industry representative, or a Payment Card industry approved third party.
12. User Access Management
- Access to MSKPHYSIO.ORG LND LTD systems is controlled through a formal user registration process, beginning with a formal notification from HR or from a line manager.
- Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out.
- There is a standard level of access; other services can be accessed when specifically authorised by HR/line management.
- The job function of the user determines the level of access the employee has to cardholder data.
- A request for service must be made in writing (email or hard copy) by the newcomer’s line manager or by HR. The request is free format, but must state:
Name of person making request;
Job title of the newcomers and workgroup;
Start date;
Services required (default services are: MS Outlook, MS Office and Internet access).
- Each user will be given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure. The user signs the form indicating that they understand the conditions of access.
- Access to all MSKPHYSIO.ORG LND LTD systems is provided by IT and can only be started after proper procedures are completed.
- As soon as an individual leaves MSKPHYSIO.ORG LND LTD employment, all his/her system logons must be immediately revoked.
- As part of the employee termination process HR (or line managers in the case of contractors) will inform IT operations of all leavers and their date of leaving.
13. Access Control Policy
- Access Control systems are in place to protect the interests of all users of MSKPHYSIO.ORG LND LTD computer systems by providing a safe, secure and readily accessible environment in which to work.
- MSKPHYSIO.ORG LND LTD will provide all employees and other users with the information they need to carry out their responsibilities in as effective and efficient a manner as possible.
- Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.
- The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) shall be restricted and controlled, and authorisation provided jointly by the system owner and IT Services. Technical teams shall guard against issuing privilege rights to entire teams to prevent loss of confidentiality.
- Access rights will be accorded following the principles of least privilege and need to know.
- Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
- Users electing to place information on digital media or storage devices or maintaining a separate database must only do so where such an action is in accord with the data’s classification.
- Users are obligated to report instances of non-compliance to MSKPHYSIO.ORG LND LTD CISO.
- Access to MSKPHYSIO.ORG LND LTD IT resources and services will be given through the provision of a unique Active Directory account and complex password.
- No access to any MSKPHYSIO.ORG LND LTD IT resources and services will be provided without prior authentication and authorisation of a user’s MSKPHYSIO.ORG LND LTD Windows Active Directory account.
- Password issuing, strength requirements, changing and control will be managed through formal processes. Password length, complexity and expiration times will be controlled through Windows Active Directory Group Policy Objects.
- Access to Confidential, Restricted and Protected information will be limited to authorised persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access permission to be granted, changed or revoked must be made in writing.
- Users are expected to become familiar with and abide by MSKPHYSIO.ORG LND LTD policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
- Access for remote users shall be subject to authorisation by IT Services and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.
- Access to data is variously and appropriately controlled according to the data classification levels described in the Information Security Management Policy.
- Access control methods include logon access rights, Windows share and NTFS permissions, user account privileges, server and workstation access rights, firewall permissions, IIS intranet/extranet authentication rights, SQL database rights, isolated networks and other methods as necessary.
- A formal process shall be conducted at regular intervals by system owners and data owners in conjunction with IT Services to review users’ access rights. The review shall be logged and IT Services shall sign off the review to give authority for users’ continued access rights.
Cookie Policy
Effective date: 1st April 2023
Introduction
This Cookie Policy explains how strictly necessary cookies are used on “mskphysio.org” (the “Website”), operated by MSKphysio.org Lnd Ltd. By using the Website, you consent to the use of strictly necessary cookies in accordance with this policy.
What are strictly necessary cookies?
Strictly necessary cookies are essential for the operation of a website and are necessary for providing services or features that you have requested. These cookies do not gather information about you that could be used for marketing or remembering where you’ve been on the internet.
What cookies are used on the Website?
The Website only uses strictly necessary cookies. These cookies are necessary for the proper functioning of the Website and cannot be turned off in our systems. They are usually only set in response to actions made by you, such as logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the Website may not work without them.
How to control cookies?
As the Website only uses strictly necessary cookies, there is no option to control these cookies. However, most web browsers allow you to control cookies through their settings preferences. If you limit the ability of websites to set cookies, you may worsen your overall user experience, since it will no longer be personalized to you. It may also stop you from saving customized settings like login information.
Changes to this Cookie Policy
We may update this Cookie Policy from time to time to reflect changes in technology, legislation, or our practices. If we make significant changes to this policy, we will notify you through a prominent notice on the Website or by email.
Contact us
If you have any questions or concerns about this Cookie Policy, please contact us at info@mskphysio.org.