Main Services Agreement

This Main Services Agreement (“Agreement”) governs Customer’s use of the Services provided by Notabene, Inc. or Notabene ID GmbH, as stated in an applicable Order Form (“Notabene”), and is effective between Customer and Notabene as of the date that Customer accepts this Agreement by (1) executing an Order Form that references or incorporates this Agreement or (2) clicking a box indicating acceptance (“Effective Date”). Under this Agreement, Notabene gives Customer access to the Services, and Customer accesses and uses these Services. This Agreement was last updated on September 3, 2024.

‍

1. ORDER FORM

1.1. Services. The “Services” are Notabene’s software-based services made available through Notabene’s platform. The Services include integrations with “Integrated Products,” which are third-party services that are usable on Notabene’s platform, so long as Customer separately pays the provider of these third-party services for their use.

1.2. Ordering Services. Customer executes an “Order Form” to order certain of these Services at agreed upon prices. Upon mutual agreement of the Parties, Order Forms may be upgraded or increased (for example, in terms of packages or price) at any time by entering into a new Order Form, but Order Forms may not be canceled without a new Order Form in effect.

1.3. Agreement. The terms of this Agreement are incorporated into each applicable Order Form as if fully set forth therein.

1.4. Binding Authority. The individual accepting or signing this Agreement for Customer represents that this individual has the authority to bind Customer and its Affiliated Entities, if any, to this Agreement. “Affiliates” are any entities that directly or indirectly control, are controlled by, or are under common control with the subject entity. “Control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. “Affiliated Entities” are Affiliates of Customer that are set forth as an “Included Entity” or as “Additional Entities” in an applicable Order Form.

1.5. User Information. “Documentation” includes the security and other information available to Customer at https://trust.notabene.id/, as well as other technical materials related to the Services which Notabene makes available to Customer, as updated from time to time.

1.6. Order of Precedence. In the event of any conflict or inconsistency among the following, the order of precedence is, first, the applicable Order Form, then this Agreement, and lastly the Documentation.

‍

2. SERVICES

2.1. Customer License. In consideration for Customer’s payment of Fees, and subject to the terms of this Agreement, Notabene hereby grants Customer and its Affiliated Entities (if any) a limited, non-exclusive, non-sublicensable, non-transferable (except for permitted assignees) right to access and use the Services (including the Integrated Products, provided that Customer pays for them separately) during the Term (defined below) and in the jurisdictions that pertain to an applicable Order Form, solely for Customer’s internal business purposes and in accordance with the terms of an applicable Order Form (collectively, the “Purpose”).

2.2. Provision of Services. Notabene will use commercially reasonable efforts to make the Services available to Customer at least 99.9% of the time on average, measured on a monthly basis, exclusive of scheduled downtime (of which Notabene will notify in advance via email). Notwithstanding the foregoing, Notabene is not responsible for unavailability, delays, or other problems in operating, accessing, or using the Services to the extent caused by: (i) misuse or unauthorized modification of the Services or violation of this Agreement, an applicable Order Form, or the Documentation by Customer, its Affiliated Entities, or its or their Authorized Users; (ii) failure of Customer’s or an Affiliated Entity’s infrastructure or connectivity or of any equipment not provided by Notabene; (iii) any Integrated Product (unless caused by Notabene’s work, if any, on the integration); or (iv) causes beyond Notabene’s reasonable control as provided in Section 13.7 below. The sole remedy for violation of this Section 2.2 is termination in accordance with Section 11 below.

2.3. Users. An “Authorized User” is an employee or contractor whom Customer or any Affiliated Entities have authorized to use the Services. Authorized Users will be subject to written confidentiality obligations that are at least as protective as those herein, and contractors may use the Services only on a need-to-know basis. Customer will not allow anyone other than Authorized Users to access or use the Services. Each Authorized User will use the Services solely for the Purpose and in accordance with Customer’s license grant and will comply with the terms of this Agreement and the applicable Order Form. Customer is fully liable for any Authorized User’s breach or violation of anything in the previous sentence and for any Authorized User’s acts or omissions in connection with their access or use of the Services. Customer will secure usernames, passwords, hardware, and software that are used to access the Services in accordance with customary security protocols and will require Authorized Users to do the same. Customer will promptly notify Notabene if Customer knows or reasonably suspects that any username, password, and/or other means of accessing the Services has been compromised. Customer is fully liable for the acts or omissions of its Affiliated Entities or for any breach of this Agreement by its Affiliated Entities as if Customer had itself undertaken such acts or omissions or had itself breached this Agreement.

2.4. Use Restrictions. Customer will not at any time and will not permit anyone (including, without limitation, Affiliated Entities or Authorized Users) to, directly or indirectly: (i) use or access the Services in an unauthorized manner or beyond the scope of rights expressly granted in this Agreement or otherwise misuse the Services; (ii) modify, or create derivative works of, the Services or Documentation, in whole or in part; (iii) reverse engineer, disassemble, decompile, decode, or otherwise attempt to derive or gain improper access to any software component of the Services, in whole or in part; (iv) frame, mirror, distribute, sell, resell, rent, or lease the use of the Services to anyone or any entity or otherwise allow anyone to use the Services other than for the benefit of Customer in accordance with this Agreement; (v) use the Services in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of a third party or that violates any applicable law, including but not limited to privacy laws; (vi) provide or use, or permit Notabene or its Affiliates to use, Customer Materials that infringe, misappropriate, or otherwise violate any intellectual property right or other right of a third party or that violate any applicable law, including but not limited to privacy laws; (vii) interfere with or encumber, or disrupt the integrity or performance of, the Services or any data or content that the Services contain or transmit; (viii) interfere with, modify, bypass, or disable any security controls or other protection mechanism of or in the Services, or share any access credentials with a third party; (ix) introduce or expose the Services to malware, viruses, trojan horses, worms, or other software routine or hardware components designed to permit unauthorized access or to disable, erase, or harm software, hardware, or data; or (x) use the Services, Documentation, or any other Notabene Confidential Information for benchmarking or competitive analysis for competitive or related products or services, or to develop, commercialize, license or sell any product, service, or technology that could, directly or indirectly, compete with the Services. For clarity, the foregoing also restricts the use of the Integrated Products to the extent applicable. Any use of the Services in breach of this Section 2.4 may result in Notabene’s immediate suspension of the Services (upon Notabene’s written notice, which is permitted by email), provided that Notabene reserves all other remedies available to it under this Agreement.

2.5. Additional Responsibilities. When using any Integrated Product, Customer is responsible for adhering to the applicable terms of service imposed by such Integrated Product’s third-party provider, in addition to Section 2.4 above as applicable. Customer is also responsible for paying such third-party provider the full amount of subscription fees or other charges due for use of an Integrated Product. Notabene disclaims all liability in the event that Customer does not fulfill the foregoing responsibilities.

2.6. Feedback. From time to time, Customer or its Affiliated Entities or its or their employees, contractors, or representatives may provide Notabene with suggestions, comments, feedback, or the like with regard to the Services (collectively, “Feedback”). Customer hereby grants Notabene a perpetual, irrevocable, sublicensable, royalty-free, and fully-paid up license to use and exploit all Feedback in connection with Notabene’s business purposes, including, without limitation, the testing, development, maintenance, and improvement of the Services.

‍

3. CUSTOMER MATERIALS AND DATA

3.1. Definition. “Customer Materials” means all information, data, content, and other materials, in any form or medium, that is submitted, posted, collected, transmitted, or otherwise provided by or on behalf of Customer or its Affiliated Entities through the Services or to Notabene in connection with Customer’s or its Affiliated Entities’ use of the Services, but excluding Aggregated Data (defined below) and any other information, data, data models, content, or materials that Notabene owns or controls and makes available in connection with the Services.

3.2. Notabene License. Customer hereby grants Notabene a non-exclusive, worldwide, royalty-free right and license to use, host, reproduce, display, perform, modify the Customer Materials solely for the purpose of hosting, operating, improving, and providing the Services and Notabene’s related products, services, and technologies during the Term.

3.3. Warranties. Customer represents and warrants that (i) it has obtained all necessary rights, authority, and licenses required for Notabene to access and use the Customer Materials to provide the Services or as otherwise contemplated by this Agreement, and (ii) Notabene’s use of the Customer Materials in accordance with this Agreement will not violate any applicable laws or regulations or cause a breach of any agreement or obligations between Customer and any third party. If Customer fails to obtain such rights, authority, or license at any time during the Term, Customer shall promptly inform Notabene.

3.4. Processed Data. Where Notabene processes, on behalf of Customer, Customer Materials that are “personal data” or “personal information” that are not the names or professional contact details of Customer’s representatives, Notabene qualifies as a Customer processor under applicable data protection laws, and the attached Data Processing Agreement applies.

3.5. Aggregated Data. Notwithstanding anything herein, Notabene may compile, use, analyze, disclose, or distribute any anonymized data that is derived or aggregated in de-identified form from (i) any Customer Materials, (ii) any use of the Services by Customer, its Affiliated Entities, and/or its Authorized Users, including, without limitation, any usage data or trends with respect to the Services, or (iii) performance of the Services (“Aggregated Data”), provided that such information does not contain any “personal data” or “personal information.”

‍

4. OWNERSHIP

4.1. Rights of Each Party. Subject to the rights expressly granted in this Agreement, Customer solely owns the Customer Materials and reserves all rights, title, and interest in and to the Customer Materials. Subject to the rights expressly granted in this Agreement, Notabene solely owns the Notabene IP (defined below) and reserves all rights, title, and interest in and to the Notabene IP. No intellectual property rights or other proprietary rights are granted (whether by implication, estoppel, exhaustion, or otherwise) other than as expressly set forth in this Agreement.

4.2. Definition. “Notabene IP” means the Services (excluding the Integrated Products), Documentation, Aggregated Data, and Notabene’s APIs; the software, websites, programs, interfaces, and applications used for the Services, and the user experience and look and feel of the foregoing; the source code, algorithms, technology, data, databases, tools, processes, methods, and materials used to provide the Services; all improvements, modifications, or enhancements to, or derivative works of, any of the foregoing (regardless of inventorship or authorship); and all intellectual or proprietary property rights in and to any of the foregoing, recognized in any country or jurisdiction in the world and however designated, whether arising by operation of law, contract, license, or otherwise, including patent rights (including, without limitation, patent applications, filings, and disclosures, whether provisional or otherwise), inventions, trademarks, service marks, copyrights, trade secrets, know-how, data and database rights, mask work rights, and all applications or registrations for the protection of such rights.

‍

5. FEES AND PAYMENT

5.1. Fees. Customer will pay Notabene the amount set forth as “Total Fees” in any applicable Order Form (“Fees”) in accordance with the terms of such Order Form. Customer is obligated to pay all Fees, for the Term, regardless of billing frequency, payment terms, or any term in this Agreement or otherwise, and Notabene reserves the right to enforce this obligation. Unless otherwise stated in an applicable Order Form, Notabene may update the Fees or applicable charges at the end of an Order Term or any Renewal Term to Notabene’s then-current rates for the Services. The updated Fees will be reflected in Customer’s next applicable invoice.

5.2. Payments. Notabene will issue invoices to Customer (by email, digitally, or otherwise) according to the billing frequency specified in an applicable Order Form (if none is specified, then annually in advance). Customer will pay all Fees and other charges (including, but not limited to, transaction overages) set forth on any invoice within thirty (30) days of the invoice’s date of issuance (unless stated otherwise in an Order Form), subject to Section 5.4 below. Payments due to Notabene under this Agreement will be made in the currency specified in an Order Form (if none is specified, then U.S. dollars) by wire transfer of immediately available funds to an account designated by Notabene or such other payment method mutually agreed by the Parties. Except as expressly provided herein, all payments made are non-refundable.

5.3. Failure to Pay. If Customer fails to make any payment when due, late charges will accrue at the rate of 1.5% per month (or, if lower, the maximum rate permitted by applicable law), and Notabene may suspend Services until all payments due are made in full. Notabene reserves the right to claim reimbursement from Customer for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest.

5.4. Disputes. An invoice will be final if it is not disputed within fifteen (15) days of its date of issuance. Subject to the foregoing sentence, in the event that Customer timely disputes an invoice or payment in good faith and provides Notabene with written notice and an explanation for the dispute, Notabene will temporarily suspend the remedies in Section 5.3 for thirty (30) days only, during which the Parties will discuss in good faith to endeavor to reach resolution, and after which, if not resolved, Notabene may pursue any available remedies, including but not limited to those in Section 5.3.

5.5. Taxes. Customer is responsible for paying all taxes and duties of any kind, in all applicable jurisdictions, on amounts payable by Customer to Notabene under this Agreement, other than any taxes imposed on Notabene’s income. Without limiting the foregoing, in the event that Customer is required to deduct or withhold any taxes from the amounts payable to Notabene, Customer will pay an additional amount, so that Notabene receives the due amounts in full, as if there were no withholding or deduction.

‍

6. CONFIDENTIAL INFORMATION

6.1. Definition. “Confidential Information” means any information that one Party (the “Discloser”) provides to the other Party (“Recipient”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered confidential given the nature of the information and/or the circumstances of disclosure. The Notabene IP, the Documentation, and Order Forms (including but not limited to pricing) are Confidential Information. However, Confidential Information will not include any information that: (i) is or became public without any act or omission by the Recipient; (ii) was lawfully known by the Recipient without any restriction or confidentiality obligation; (iii) was rightfully disclosed to the Recipient by a third party that did not have a confidentiality obligation; or (iv) was independently developed by the Recipient without use of or access to Discloser’s Confidential Information.

6.2. Obligations. The Recipient will maintain the Discloser’s Confidential Information in strict confidence, using at least the same degree of care as the Recipient uses to protect its own Confidential Information of a similar nature and importance, but in any event no less than a commercially reasonable standard of care. Except with the Discloser’s prior written consent, the Recipient will use Confidential Information solely as necessary to perform its obligations or exercise its rights under this Agreement. The Recipient will promptly notify the Discloser if the Recipient discovers any misuse or misappropriation of Confidential Information.

6.3. Exceptions. The Recipient will not disclose, or cause to be disclosed, any of the Discloser’s Confidential Information to any third party, except: (i) to employees, representatives, or contractors of the Recipient or its Affiliates (for Customer, its Affiliated Entities only) who are subject to written confidentiality obligations that are at least as protective as those herein and have a bona fide need to know such Confidential Information to perform under this Agreement; (ii) if the Recipient is required to disclose Confidential Information by law, a court order, subpoena, or a competent governmental authority, subject to the Recipient providing to the Discloser (if legally permitted) prompt written notice to allow the Recipient to seek protective measures or other remedies to prevent or limit disclosure, at the Discloser’s sole expense; or (iii) as otherwise provided in this Agreement. The Recipient is fully liable for any breach or violation of Section 6 of this Agreement by its Representatives (whether by act or omission). Notabene may disclose the content of this Agreement and any applicable Order Form to the third-party provider of an Integrated Product that is subject to written confidentiality obligations that are at least as protective as those herein, but only to the extent necessary to perform Notabene’s obligations pursuant to this Agreement.

6.4. Term of Non-Disclosure. Each Party’s non-disclosure obligations for Confidential Information are effective for one year following the Term or for a total of three (3) years, whichever is longer. However, for Confidential Information that is a trade secret under applicable law, non-disclosure obligations last for as long as the Confidential Information remains subject to trade secret protection.

6.5. Due Diligence. Notwithstanding anything herein, the content and existence of this Agreement may be disclosed on a confidential basis to a Party’s advisors and attorneys, and to actual or potential acquirers, investors, or other sources of funding, and their respective advisors and attorneys, for due diligence purposes.

‍

7. WARRANTIES

7.1. Notabene Warranties. Notabene warrants that, during the Term, Notabene will not materially decrease the overall security of the Services and will not materially decrease the overall functionality of the Services (excluding the Integrated Products). For any breach of a warranty in this Section 7.1, the sole remedy is termination in accordance with Section 11 below.

7.2. Mutual Warranties. Each Party represents and warrants that: (i) it is duly organized, validly existing, and in good standing under its jurisdiction of organization and has the right to enter into this Agreement; (ii) the execution, delivery, and performance of this Agreement are within that Party’s corporate powers, have been duly authorized, and have resulted in a valid and binding agreement by that Party; and (iii) each Party complies, and will continue to comply, with all applicable laws and regulations, including but not limited to those pertaining to privacy and export compliance.

‍

8. INDEMNIFICATION

8.1. Notabene Indemnity. Notabene will defend Customer and its employees, directors, agents, and Affiliated Entities against any action, suit, or proceeding brought by a third party (“Claim”) alleging that the Services, excluding the Integrated Products, infringe or misappropriate such third party’s intellectual property rights, and Notabene will indemnify Customer from any damages, attorneys’ fees, and costs finally awarded against Customer, or for amounts paid by Customer under a settlement, resulting from such Claim. However, the foregoing defense and indemnity will not apply to a Claim arising out of or relating to: (i) Customer’s misuse or unauthorized use of the Services, (ii) Customer’s breach of this Agreement, negligence, willful misconduct, or fraud; (iii) any Customer Materials or any Integrated Products; (iv) Customer’s failure to use any enhancements, modifications, or updates to the Services that Notabene provided to Customer and notified Customer to implement; (v) modifications to the Services by anyone other than Notabene; or (vi) combinations of the Services with software, data, or materials not provided by Notabene.

8.2. IP Remedies. If Notabene reasonably believes the Services (or any component thereof) could infringe any third party’s intellectual property rights, Notabene may, in its sole discretion and at its sole expense, (i) modify or replace the Services, or any component or part of the Services, so they are no longer claimed to be infringing; (ii) obtain the right for Customer to continue use of the Services in accordance with this Agreement; or (iii) terminate the applicable Order Form and/or this Agreement by providing written notice to Customer. In the event of such termination, Notabene will refund to Customer, on a pro-rated basis, any Fees that have been pre-paid for Services that will not be provided due to the termination. Notwithstanding the foregoing, with respect to the Integrated Products, Notabene disclaims all liability associated with any actual or potential infringement of a third party’s intellectual property rights. Sections 8.1 and 8.2 state Customer’s sole and exclusive remedy for any infringement or misappropriation of intellectual property rights in connection with the Services.

8.3. Customer Indemnity. Customer will defend Notabene and its employees, directors, agents, and Affiliates against any Claim arising out of or relating to (i) Customer’s misuse or unauthorized or illegal use of the Services, including but not limited to Customer’s violation of Section 2, or (ii) any Customer Materials or the use of Customer Materials with the Services, and Customer will indemnify Notabene from any damages, attorneys’ fees, and costs finally awarded against Notabene, or for amounts paid by Notabene under a settlement, resulting from such Claim.

8.4. Procedures. For Sections 8.1 and 8.3, the Party seeking defense or indemnity (the “Indemnified Party”) will promptly notify the other Party (the “Indemnifying Party”) of the Claim for which defense or indemnity is being sought and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement of such Claim. The Indemnifying Party will have the sole right to conduct the defense of any Claim for which the Indemnifying Party is responsible; provided that the Indemnifying Party may not settle any Claim without the Indemnified Party's prior written approval (unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party's business). If the Indemnifying Party entirely refuses to defend the Indemnified Party, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.

‍

9. DISCLAIMER

9.1. General. EXCEPT AS EXPRESSLY PROVIDED HEREIN, THE NOTABENE IP AND THE SERVICES, INCLUDING THE INTEGRATED PRODUCTS, ARE PROVIDED “AS IS” AND AT CUSTOMER’S AND ITS AFFILIATED ENTITIES’ SOLE RISK. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NOTABENE DISCLAIMS, TO THE MAXIMUM EXTENT THAT APPLICABLE LAW PERMITS, ALL WARRANTIES AND REPRESENTATIONS, EXPRESSED OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. EXCEPT AS EXPRESSLY PROVIDED HEREIN, NOTABENE DISCLAIMS ANY WARRANTY THAT THE USE OF THE SERVICES WILL BE ERROR-FREE, BUG-FREE, OR UNINTERRUPTED. USE OF THE SERVICES DOES NOT REPLACE, NOR DELEGATE TO NOTABENE, ANY OBLIGATIONS THAT CUSTOMER, ITS AFFILIATED ENTITIES, OR ITS AUTHORIZED USERS MAY HAVE UNDER APPLICABLE LAW.

9.2. Integrated Products. Notwithstanding anything herein, Notabene may discontinue access to any Integrated Product at any time in Notabene’s sole discretion, and Notabene disclaims any and all responsibility, without exception and to the maximum extent that applicable law permits, for the performance or accuracy of the Integrated Products.

‍

10. LIMITATIONS OF LIABILITY

10.1. Exclusion of Damages. IN NO EVENT WILL EITHER PARTY OR ITS AFFILIATES (FOR CUSTOMER, ITS AFFILIATED ENTITIES ONLY) HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICES FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, INDIRECT, OR CONSEQUENTIAL DAMAGES, OR FOR ANY LOSS OF INCOME, LOSS OF DATA, LOSS OF REVENUE, LOSS OF GOODWILL, COVER, OR BUSINESS INTERRUPTION, WHETHER SUCH LIABILITY ARISES FROM CONTRACT OR TORT (INCLUDING NEGLIGENCE) OR FROM ANY OTHER THEORY OF LIABILITY, AND EVEN IF A PARTY OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR ITS AFFILIATES’ REMEDY OTHERWISE FAILS IN ITS ESSENTIAL PURPOSE.

10.2. Total Liability. IN NO EVENT WILL THE AGGREGATE LIABILITY OF EITHER PARTY OR ITS AFFILIATES (FOR CUSTOMER, ITS AFFILIATED ENTITIES ONLY) ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICES EXCEED THE TOTAL AMOUNT OF FEES (AND TRANSACTION OVERAGES) PAID OR PAYABLE BY CUSTOMER AND ITS AFFILIATED ENTITIES, OR OTHERWISE DUE, UNDER THIS AGREEMENT OR ANY APPLICABLE ORDER FORM FOR THE TWELVE (12) MONTHS PRECEDING THE FIRST INCIDENT OUT OF WHICH THE LIABILITY AROSE, WHETHER SUCH LIABILITY ARISES FROM CONTRACT OR TORT (INCLUDING NEGLIGENCE) OR FROM ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF THIS LOSS OR DAMAGE; BUT NOTHING IN THIS SECTION 10 WILL LIMIT CUSTOMER'S AND ITS AFFILIATED ENTITIES’ PAYMENT OBLIGATIONS UNDER SECTION 5 (“FEES”) ABOVE.

‍

11. TERM AND TERMINATION

11.1. Term of Agreement. This Agreement commences on the date that the Customer first accepts it and continues until Customer no longer has any Order Forms that are in effect (the “Term”).

11.2. Term of Order Forms. The “Order Term” is as specified in an applicable Order Form. Except as otherwise specified in an applicable Order Form, at the end of the Order Term, an Order Form automatically renews for successive one-year terms (or for a different term length as specified in an Order Form) (each, a “Renewal Term”), unless (i) either Party provides sixty (60) days’ prior written notice to terminate the Order Form at the end of the Order Term or any Renewal Term, or (ii) Customer signs a new Order Form with increased total fees and/or upgraded packages or terms prior to the end of the Order Term or any Renewal Term, at which point the new Order Form is in effect and subject to the terms herein.

11.3. Termination. Notwithstanding the foregoing, either Party may terminate this Agreement only (i) upon material breach by the other Party which is not cured within thirty (30) days of the receipt of written notice, or (ii) if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors. If a Party terminates this Agreement pursuant to this Section 11.3, then any Order Form in effect will terminate.

11.4. Refund to Customer. If Customer terminates this Agreement pursuant to Section 11.3 above, Notabene will refund to Customer, on a pro-rated basis, any Fees that have been pre-paid for Services that will not be provided due to the termination. Notwithstanding the foregoing, no expiration or termination of this Agreement will relieve Customer of its obligations under Section 5 (“Fees”) for payments that are payable or due for the period prior to expiration or the effective date of termination.

11.5. Return or Destroy Confidential Information. Within thirty (30) days of the expiration or effective termination date of this Agreement, each Party will return or destroy, at the other Party’s option, all of the other Party’s Confidential Information in the possession or control of the first Party. Any such destruction will include the permanent deletion of Confidential Information from storage devices or other hosting environments, consistent with customary industry practices. Upon request, each Party will certify in writing that the Confidential Information has been returned or destroyed.

11.6. Survival. Provisions of this Agreement which are reasonably intended to survive termination of this Agreement, or that are needed subsequent to termination, will survive termination.

‍

12. PUBLICITY

Unless explicitly advised in writing otherwise, each Party shall have the right to publicly announce the existence of the business relationship between the Parties. Unless explicitly advised in writing otherwise, Notabene may, during the Term, use Customer’s name, trademarks, and logos on Notabene’s website and in its marketing materials to identify Customer as Notabene’s customer. If Customer provides any usage guidelines directly to Notabene, Notabene will use commercially reasonable efforts to follow them.

‍

13. GENERAL

13.1. Governing Law and Jurisdiction. This Agreement will be governed by and construed under the laws of the State of New York without regard to any conflicts of law provisions, and the Parties unconditionally consent to resolve all disputes exclusively in a competent federal or state court in Kings County, New York, in the United States. Notwithstanding the foregoing, if Customer is domiciled in the European Union, the United Kingdom, or Switzerland, this Agreement will be governed by and construed under the laws of Switzerland without regard to any conflicts of law provisions, and the Parties unconditionally consent to resolve all disputes exclusively in a competent federal or cantonal court in the Canton of Zug, Switzerland.

13.2. Regulatory Compliance. The European Union Regulatory Compliance Exhibit at www.notabene.id/agreements/eu_regs will apply only to any of Customer and/or its Affiliated Entities that is/are domiciled in the European Union and regulated by the European Banking Authority. The Singapore Regulatory Compliance Exhibit at www.notabene.id/agreements/sg_regs will apply only to any of Customer and/or its Affiliated Entities that is/are domiciled in Singapore and regulated by the Monetary Authority of Singapore. These exhibits will not apply (i) to any companies or entities that do not meet the foregoing requirements or (ii) in the event that Customer is not paying, under an Order Form, for such companies or entities to use the Services.

13.3. Local Law. In the event that either Party requires any exhibit, appendix, or amendment to this Agreement in order to comply with the laws of any applicable jurisdiction, such Party will notify the other Party in writing, and, upon this notice, the Parties agree to negotiate such exhibit, appendix, or amendment in good faith. The Parties further agree that this Agreement and/or any Order Form may be accepted or executed with the intent of the Parties to negotiate such an exhibit, appendix, or amendment in good faith subsequent to this acceptance or execution.

13.4. Assignment. Neither Party may assign or transfer this Agreement or any Order Form without the other Party’s prior written consent. Any attempt to assign or transfer this Agreement or any Order Form without such consent will be void. Notwithstanding the foregoing, either Party may assign or transfer this Agreement or any Order Form to (i) an Affiliate (for Customer, only to an Affiliated Entity) upon at least thirty (30) days’ prior written notice or (ii) to a third party that succeeds to all or substantially all of the assigning Party’s business and assets, whether by sale, merger, acquisition, operation of law, or otherwise. Subject to the foregoing, this Agreement is binding upon, and will inure to the benefit of, solely the Parties and their respective successors and permitted assigns, and no other rights will be implied or construed to any other entity or third party.

13.5. Notices. Any notice required under this Agreement (or any Order Form) will be via email (pdf files are also permitted) with a request for a responsive email. The notice will be deemed effective when the sender receives a responsive email that the notice has been received; provided that, if no response is received after three (3) business days, then another email shall be sent, and if no response is received after another three (3) business days, then the notice will be deemed effective. If, at any time, the sender receives an email stating that the notice has bounced or not been transmitted, then the notice shall be sent to a second email address (or a third and so on, as necessary), and the process above shall be repeated until the notice is sent without bouncing. Notabene will be notified at [email protected] (or, if necessary, at [email protected] or [email protected]), and Customer’s email addresses are as provided in an applicable Order Form or as otherwise communicated to Notabene.

13.6. Equitable Relief. A Party’s breach or threatened breach of any obligations under Section 6 (“Confidential Information”) would cause the other Party irreparable harm and significant damages for which there may be no adequate remedy under law. In such event, the other Party will have the right to seek equitable relief or remedies, without posting a bond or other security, provided that such relief or remedies are not exclusive.

13.7. Force Majeure. Neither Party will be responsible for any failure or delay in the performance of its obligations under this Agreement (except for any payment obligations) due to causes beyond its reasonable control, which may include, without limitation, labor disputes, strikes, lockouts, shortages of or inability to obtain energy, raw materials, or supplies, failure or degradation of internet service or other telecommunication services, network intrusions or denial-of-service attacks, pandemics, epidemics, public health emergencies, governmental orders and acts (including travel restrictions and quarantines), material changes in law, war, terrorism, riots, or acts of God.

13.8. Waiver. No failure or delay in enforcing any term or right or exercising any option in this Agreement or any Order Form will be deemed a waiver, unless a waiver is in writing and signed by the grantor.

13.9. Relationship of the Parties. The Parties are independent contractors. Nothing in this Agreement shall be construed to establish any partnership, joint venture, or agency relationship between the Parties. Neither Party will have the power or authority to bind the other or incur any obligations on the other, except with the other Party’s prior written consent.

13.10. Severability. If any provision of this Agreement is held invalid, illegal, or unenforceable, that provision will not affect the validity, legality, or enforceability of the remaining provisions of this Agreement which will remain in full force and effect.

13.11. Headings. The headings in this Agreement are for convenience only and will not affect the meaning or interpretation of this Agreement.

13.12. Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.

13.13. Entire Agreement. This Agreement, including all documents linked herein and/or exhibits attached hereto, constitutes the complete and exclusive agreement between the parties with respect to its subject matter and supersedes any and all prior or contemporaneous agreements, communications, and understandings (including, but not limited to, any prior non-disclosure agreements), both written and oral, with respect to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the Parties.

‍

Data Processing Agreement

This document sets out the Data Processing Agreement (“DPA”) for the processing of personal data during the execution and after the termination of the Main Services Agreement (“Agreement”), as required by article 28, no. 3 of GDPR (defined below). Notabene is qualified as a Processor (defined below) and this DPA shall apply where, while performing the Services under the Agreement, Notabene processes Customer Materials that are “personal data” or “personal information” under applicable data protection laws on behalf of Customer, which are not Customer’s representatives’ names or professional contact details.

‍

1. DEFINITIONS

1.1. In addition to the terms defined in the Agreement, in this DPA all the definitions set forth in article 4 of GDPR shall be adopted, namely the terms “Personal Data,” “Data Subjects,” “Processing,” “Personal Data Breach,” “Pseudonymization,” “Controller,” and “Processor.”

1.2. In addition to the above, the following definitions shall be adopted:
a. “Data Protection Law” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as the “General Data Protection Regulation” or “GDPR” as well as any other applicable national rule and legislation on the protection of personal data in the European Union or locally that is already in force or that will come into force during the term of this DPA, including any measure, guideline and opinion issued by the European data protection authorities or by the European Data Protection Board (“EDPB”).
b. “Persons in Charge of Data Processing” means the employees and any natural persons who, authorized by the Processor and/or its sub-processors, if any, can process the Processed Data;
c. “Platform” means the relevant web, online platform or other software service or application developed by Notabene, and shall include any modifications, customizations and derivatives of the same;
d. “Processed Data” all the personal data processed by the Processor on behalf of the Controller under the Services, as better defined in Appendix 1 – Description of Processing;
e. “Security Measures” means the security measures and any other obligations under the Data Protection Law for the purposes of guaranteeing the security and confidentiality of the Processed Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures, as well as procedures and activities to be performed in case of a personal data breach to prevent and reduce the adverse effects of the breach on the affected data subjects, in particular, those described on our security policies available in the Processor’s Trust Center at https://trust.notabene.id/;
f. “Sub-Processor” means the legal person, company or independent professional who, authorized by the Controller and engaged by the Processor, is allowed to carry out activities entailing the process of the Processed Data, as permitted under Data Protection Law and this DPA. Authorized sub-Processors are detailed in Appendix 2 – General Authorization for Sub-processing; and
g. “Standard Contractual Clauses” means the Standard Contractual Clauses based on the Commission Implementing Decision (EU) 2021/914, of 4 June 2021, as amended or updated from time to time, and similar clauses enacted pursuant to the Data Protection Law, which may be attached to this DPA as Appendix 3 – Standard Contractual Clauses.

‍

2. SCOPE

2.1. Notabene shall act as the Processor (“Processor”) in relation to the processing of Processed Data on behalf of the Customer which is qualified as the Controller (“Controller”), exclusively for the purposes of executing the Agreement or as required by law, according to the terms and conditions of this DPA and of the Data Protection Law.

2.2. The type of personal data and processing activities to be handled by the Processor are exhaustively described in Appendix 1 – Description of Processing. Any amendment to this list must be done in writing by the signature of both Parties, and a copy of said updated list must be enclosed on the final versions of this DPA.

2.3. In relation to any processing of Processed Data carried out by the Processor or by a Sub-processor, directly or through the respective Persons in Charge of Data Processing, for purposes other than those within the scope of this DPA and the Service engaged, and on the basis of different relationships with data subjects, the Processor or its subsequent Subcontractors shall not act as processors of the Controller in relation to the Processed Data, but as independent data controllers, or processors of entities other than the Controller, as the case may be.

‍

3. TERM

3.1. This DPA shall be effective from the Effective Date of the Agreement up to the end of the transitional period of thirty (30) days granted after the termination of such Agreement or its related services.

3.2. During the transitional period the Controller will be able to delete, remove or transfer the Processed Data resulting from the Services. After such transitional period, the Processor may permanently delete all the Processed Data from the Platform and all the existing copies, unless any applicable law requires storage of the Processed Data.

3.3. The Processor shall ensure that all Persons in Charge of Data Processing, its Sub-Processors, if any, and their Persons in Charge of Data Processing, comply with the obligations laid down in this DPA, as applicable, in the manner and in accordance with the timing indicated thereunder.

‍

4. OBLIGATIONS OF THE CONTROLLER

4.1. The Controller undertakes to:

• 4.1.1. Ensure that the collection and further processing of all Processed Data is done in a lawful manner;
• 4.1.2. Provide clear and timely written instructions to the Processor regarding the Processed Data;
• 4.1.3. Assist and cooperate, within a reasonable manner, with the Processor whenever required under the processing of the Processed Data, namely if it suspects of any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
• 4.1.4. Inform the Processor of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority;
• 4.1.5. Keep the Processor up to date about the Processed Data or any other relevant information for its processing by the Processor or by its Sub-processors, namely about any notification or request for information from a relevant data supervisory authority.

‍

5. OBLIGATIONS OF THE PROCESSOR

5.1. The Processor undertakes to:

• 5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA and the Data Protection Law, and in strict compliance with the written instructions given by the Controller and shall immediately inform in writing the Controller should it deem that any of the aforesaid instructions is in breach of the Data Protection Law or, in general, of any applicable law;
• 5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Service or meeting the obligations provided for by Data Protection Law or other applicable law;
• 5.1.3. Process the Processed Data lawfully, fairly and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller;
• 5.1.4. Assist and cooperate, within a reasonable manner, with the Controller whenever required under the processing of the Processed Data, namely if it suspects of any data breach that could undermine the availability, integrity, privacy and/or security of the Processed Data;
• 5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, regardless if required by a Data Subject or instructed by a relevant data protection supervisory authority, unless if prohibited by law;
• 5.1.6. Keep the Controller up to date about the Processed Data or any other relevant information, namely about any notification or request for information from a relevant data supervisory authority;
• 5.1.7. Cooperate with and assist the Controller in the response to any notifications from a supervisory authority in connection with the Processed Data, including, without limitation, the provision of supporting documentation to be submitted to the relevant supervisory authority as evidence that the Processor is legally bound by the terms of this DPA;
• 5.1.8. Provide to the Controller, upon request, all the information in its possession or control referring to the processing of the Processed Data under this DPA, namely for the latter to assess whether such processing is carried out in accordance with this DPA;
• 5.1.9. Disclose the information reasonably required by the Controller for the performance of privacy impact assessments concerning the processing activities and cooperate on the implementation of mitigation actions agreed by the Parties to address privacy risks which may have been identified; and
• 5.1.10. Permit, provide information for and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.

‍

6. SUB-PROCESSORS

6.1. Regarding the Processed Data, the Processor undertakes to engage and work only with sub-processors to which the Controller did not reasonably oppose in writing to said collaboration.

6.2. Sub-Processors identified in Appendix 2 – General Authorization for Sub-processing are hereby authorized by the Controller to process Processed Data provided that said Sub-Processor:

• 6.2.1. has committed to confidentiality obligations and enters into a written agreement providing the same data protection obligations as set out in this DPA and other obligations as may be required by the Controller under the instructions of the Processor.
• 6.2.2. acts exclusively on behalf of the Controller or the Processor instructions;
• 6.2.3. provides adequate guarantees with reference to the technical and organizational measures adopted for the processing of the Processed Data, including, without limitation, ensuring that the Sub-Processor immediately ceases the processing of the Processed Data should such guarantee be no longer available.

6.3. In case of any intended changes concerning the addition or replacement of any of the Sub-Processors identified in Appendix 2 – General Authorization for Sub-processing, the Processor undertakes to notify the Controller, giving the Controller the opportunity to reasonably object to such change within 30 (thirty) days counting from said notification. If the Controller notifies the Processor of any objection to the proposed appointment, the Parties shall work together to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor. Costs related to this change, if any, will be borne by the Controller.

‍

7. SECURITY MEASURES

7.1. Without limiting the foregoing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing of the Processed Data, and the likelihood and severity of the risk to the rights and freedoms of natural persons, Processor shall implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk associated with the processing of the Processed Data, including, without limitation, the measures provided for by Article 32, paragraph 1 of the GDPR, and particularly including, but not limited to, the measures set forth in Section 7.2.

7.2. Processor shall maintain and enforce various policies, standards and processes, available in the Processor’s Trust Center at https://trust.notabene.id/, which are designed to secure personal data and other data to which Processor employees are provided access, and updates such policies, standards, and processes from time to time consistent with industry standards. Without prejudice to the rules contained within Section 7.1 above, the Processor shall implement appropriate technical and organizational measures, available in the Processor’s Trust Center at https://trust.notabene.id/. These measures ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. These measures shall ensure full compliance with Article 32 of the GDPR.

‍

8. PROCESSED DATA BREACH

8.1. In the event of a Personal Data Breach or any other incidents that may compromise the security of the Processed Data (such as loss, damage or destruction of the Processed Data in an electronic or hard copy format, third-party unauthorized access to the Processed Data or any other breach of the Processed Data) including, without limitation, any breach or other incident resulting from the conduct of, if any, the Processor’s Sub-Processors and/or its Persons in Charge of Data Processing, the Processor shall:

• 8.1.1. without undue delay, not to exceed within forty-eight (48) hours, inform the Controller by email which shall include at least information regarding the type and description of the Personal Data Breach, identification of the Processed Data and of the Data Subjects affected and potential consequences of said breach, as well as any remedies already put in place (if any). Where and insofar is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay; and
• 8.1.2. in collaboration with the Controller, adopt immediately, and in any case without undue delay, all necessary measures to minimize any type of risk that may derive for the Data Subjects from such breach or incident, remedy such breach or incident and mitigate any possible adverse effect.

8.2. The Controller is fully liable, whenever required, for notifying such Personal Data Breach to the relevant data protection supervisory authority and to the Data Subjects, if applicable.

‍

9. DATA SUBJECTS’ RIGHTS

9.1. The Controller shall ensure that the rights granted to the Data Subjects by the Data Protection Law are effectively executed. The Processor undertakes to notify the Controller in writing within 5 (five) Business Days of receipt of any request made in this respect by the Data Subjects.

9.2. The Processor shall cooperate with the Controller to ensure that all requests by Data Subjects exercising their rights under the Data Protection Law (including, without limitation, the right to object to the processing and the right to the Processed Data portability) are complied with within the time period and in accordance with all other requirements provided for by the Data Protection Law.

‍

10. AUDITS

10.1. The Processor acknowledges and accepts that the Controller may assess the organizational, technical, and security measures adopted by the Processor in the processing of the Processed Data by way of audit no more frequently than annually (unless in the context of a Processed Data Breach). To this end, upon no less than ten (10) Business Days’ prior written notice (except if there is a reasonable urgency of the Controller for an earlier prior notice), the Controller will be entitled to access, directly or through any authorized third-party, the premises, computers, and any other IT system/file of the Processor and its Sub-Processors, if, at its sole discretion, the Controller deems it necessary to verify compliance by the Processor and/or one of its Sub-Processors with this DPA and the Data Protection Law or to ascertain any breach of the Processed Data.

‍

11. TRANSFERS OF PROCESSED DATA OUTSIDE THE EEA

11.1. The Processor will carry out the processing only in the European Economic Area (“EEA”) and agrees not to transfer the Processed Data outside the EEA, without the Controller's prior written consent or unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

11.2. When the Processor transfers personal data with the Controller’s consent, as provided for in clause 11.1 above, such transfer is made in accordance with the provided for in Chapter V of the GDPR and with the instructions given by the Controller in relation to such transfer.

11.3. In case the Processor transfers data outside the EEA, the Processor, acting as data exporter, shall ensure that whenever there is no adequacy decision in place as set forth in article 45 of the GDPR, it will execute additional safeguards, including but not limited to, the Standard Contractual Clauses as timely approved by the European Commission.

11.4. If any of the Sub-Processors engaged by the Processor is based out of the EEA or transfers Processed Data to any country outside of the EEA, the Processor will execute with such Sub-Processor the equivalent Standard Contractual Clauses model as required by law.

‍

12. LOCAL LAW

12.1. As of the Effective Date, Notabene has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data prevent Notabene from fulfilling its obligations under this DPA. In the event either Party is legally required to amend this Agreement in order to comply with applicable privacy laws, the Parties will negotiate such amendments in good faith.

‍

Appendix 1 - Description of Processing

‍

Appendix 2 – General Authorization for Sub-Processing