MSA before August 5, 2024
SUBSCRIPTION SERVICES AGREEMENT
This Subscription Services Agreement (this “Agreement”), effective as of the “Effective Date” (identified in Exhibit A – Order Form), is by and between Notabene, Inc. (“Notabene”) and the Customer (identified in Exhibit A – Order Form). Notabene and Customer may be referred to herein collectively as the “Parties” or individually as a “Party”. Capitalized terms used but not otherwise defined herein shall have the meanings ascribed to them in Section 1 of Exhibit B.
This Agreement provides the terms under which Notabene will provide access to the Subscription Services to Customer, and Customer will access and use such Subscription Services. This Agreement includes and incorporates the following exhibits:
- Exhibit A – Order Form
- Exhibit B – Terms and Conditions
- Exhibit C – Customer Success Packages
- Exhibit D – Support and Service Levels
- Exhibit E – Data Processing Agreement(s)
IN WITNESS WHEREOF, in consideration of the mutual covenants, terms, and conditions set forth herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties have executed this Agreement as of the Effective Date.
EXHIBIT B – TERMS AND CONDITIONS
1. DEFINITIONS
In this Agreement, unless the context otherwise requires and in addition to other terms defined elsewhere in this Agreement, each of the following words and expressions shall have the following meanings:
- Aggregate Data: Any data derived or aggregated in deidentified form from (i) any Customer Materials; or (ii) Customer’s and/or its Authorized Users’ use of the Subscription Services, including, without limitation, any usage data or trends with respect to the Subscription Services.
- APIs: Application programming interface(s) made available by API Provider, and includes any documentation, source code, executable applications, and other materials that accompany such application programming interface(s).
- Application: The relevant web, online platform, or other software service or application developed by API Consumer that utilises or interacts with APIs, and shall include any modifications, customisations, and derivatives of the same.
- API Consumer: (i) In relation to Notabene APIs, Customer or (ii) in relation to Customer APIs, Notabene.
- API Data: Data stored or transmitted through the APIs or in connection with the Subscription Services.
- API Provider: (i) In relation to Notabene APIs, Notabene or (ii) in relation to Customer APIs, Customer.
- Authorized User: An employee or contractor whom Customer has authorized to use the Subscription Services.
- Customer Materials: All information, data, content, and other materials, in any form or medium, that is submitted, posted, collected, transmitted, or otherwise provided by or on behalf of Customer through the Subscription Services or to Notabene in connection with Customer’s use of the Subscription Services, but excluding, for clarity, Aggregate Data and any other information, data, data models, content, or materials owned or controlled by Notabene and made available through or in connection with the Subscription Services.
- Documentation: The user manuals, training materials, specifications, minimum system configuration requirements, compatible device and hardware list, and other similar materials in hard copy or electronic form if and as provided by Notabene to Customer (including any revised versions thereof) relating to the Subscription Services, which may be updated from time to time upon notice to Customer.
- Intellectual Property Rights: Patent rights (including, without limitation, patent applications and disclosures), inventions, copyrights, trade secrets, know-how, data and database rights, mask work rights, and any other intellectual property rights recognized in any country or jurisdiction in the world.
2. SUBSCRIPTION SERVICES; ACCESS AND USE
2.1. Subscription Services. Subject to the terms and conditions of this Agreement, Notabene hereby grants Customer a limited, non-exclusive, non-transferable (except in compliance with Section 14(f) below) right to Use the Subscription Services during the Term, solely for Customer’s internal business purposes in accordance with, and subject to, the Licensed Volume.
2.2. Additional Features. You may subscribe to additional features of the Subscription Service by placing an additional Order or activating the additional features from within your Notabene account. This Agreement will apply to all additional Order(s) and all additional features that you activate from within your Notabene account.
2.3. Use Restrictions. Customer will not at any time and will not permit any Person (including, without limitation, Authorized Users) to, directly or indirectly: (i) use the Subscription Services in any manner beyond the scope of rights expressly granted in this Agreement; (ii) modify or create derivative works of the Subscription Services or Documentation, in whole or in part; (iii) reverse engineer, disassemble, decompile, decode or otherwise attempt to derive or gain improper access to any software component of the Subscription Services, in whole or in part; (iv) frame, mirror, sell, resell, rent or lease use of the Subscription Services to any other Person, or otherwise allow any Person to use the Subscription Services for any purpose other than for the benefit of Customer in accordance with this Agreement; (v) use the Subscription Services or Documentation in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property right or other right of any Person, or that violates any applicable law; (vi) interfere with, or disrupt the integrity or performance of, the Subscription Services, or any data or content contained therein or transmitted thereby; (vii) access or search the Subscription Services (or download any data or content contained therein or transmitted thereby) through the use of any engine, software, tool, agent, device or mechanism (including spiders, robots, crawlers or any other similar data mining tools) other than software or Subscription Services features provided by Notabene for use expressly for such purposes; or (viii) use the Subscription Services, Documentation or any other Notabene Confidential Information for benchmarking or competitive analysis with respect to competitive or related products or services, or to develop, commercialize, license or sell any product, service or technology that could, directly or indirectly, compete with the Subscription Services.
2.4. Authorized Users. Customer will not allow any Person other than Authorized Users to access or use the Subscription Services. Customer may permit Authorized Users to Use the Subscription Services, provided that Customer ensures each Authorized User complies with all applicable terms and conditions of this Agreement and Customer is responsible for acts or omissions by Authorized Users in connection with their use of the Subscription Services. Customer will, and will require all Authorized Users to, use all reasonable means to secure user names and passwords, hardware, and software used to access the Subscription Services in accordance with customary security protocols, and will promptly notify Notabene if Customer knows or reasonably suspects that any user name and/or password has been compromised.
2.5. Reservation of Rights. Subject to the limited rights expressly granted hereunder, Notabene reserves and, as between the Parties, will solely own, the Notabene IP and all rights, title, and interest in and to the Notabene IP. No rights are granted to Customer hereunder (whether by implication, estoppel, exhaustion, or otherwise) other than as expressly set forth herein.
2.6. Feedback. From time to time Customer or its employees, contractors, or representatives may provide Notabene with suggestions, comments, feedback, or the like with regard to the Subscription Services (collectively, “Feedback”). Customer hereby grants Notabene a perpetual, irrevocable, royalty-free, and fully-paid up license (with the right to sublicense) to use and exploit all Feedback in connection with Notabene’s business purposes, including, without limitation, the testing, development, maintenance, and improvement of the Subscription Services.
3. FEES AND PAYMENT
3.1. Fees. Customer will pay Notabene the non-refundable fees set forth in the Order Form in accordance with the terms therein (“Fees”) and without offset or deduction. If you add additional features or exceed limits as specified in the Order Form, any additional items will be added to either a new invoice or the next regular invoice. Except if agreed otherwise by the Parties, Notabene will update the Fees on an annual basis in accordance with the Consumer Price Index of the United States of America (the price update based on CPI will occur in January every year). In addition, Notabene reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Term or then-current Renewal Term upon sixty (60) prior notice to Customer (which may be sent by email).
3.2. Payments. Payments due to Notabene under this Agreement must be made in U.S. dollars by wire transfer of immediately available funds to an account designated by Notabene or such other payment method mutually agreed by the Parties. All payments are non-refundable and neither Party will have the right to set off, discount, or otherwise reduce or refuse to pay any amounts due to the other Party under this Agreement. If Customer fails to make any payment when due, late charges will accrue at the rate of 1.5% per month or, if lower, the highest rate permitted by applicable law, and Notabene may suspend Services until all payments are made in full. Customer will reimburse Notabene for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest.
3.3. Taxes. Customer is responsible for all sales, use, ad valorem, and excise taxes, and any other similar taxes, duties, and charges of any kind imposed by any federal, state, multinational, or local governmental regulatory authority on any amount payable by Customer to Notabene hereunder, other than any taxes imposed on Notabene’s income. Without limiting the foregoing, in the event that Customer is required to deduct or withhold any taxes from the amounts payable to Notabene hereunder, Customer will pay an additional amount so that Notabene receives the amounts due to it hereunder in full, as if there were no withholding or deduction.
3.4. Excluded Fees. Notabene is not responsible for any membership fees or other associated costs required to access a protocol not managed by Notabene. If these are required, they shall be assumed and paid by Customer.
4. CONFIDENTIAL INFORMATION
4.1. Confidential Information. As used herein, “Confidential Information” means any information that one Party (the “Disclosing Party”) provides to the other Party (the “Receiving Party”) in connection with this Agreement, whether orally or in writing, that is designated as confidential or that reasonably should be considered to be confidential given the nature of the information and/or the circumstances of disclosure. For clarity, the Subscription Services and the Documentation will be deemed Confidential Information of Notabene. However, Confidential Information will not include any information or materials that: (i) were, at the date of disclosure, or have subsequently become, generally known or available to the public through no act or failure to act by the Receiving Party; (ii) were rightfully known by the Receiving Party prior to receiving such information or materials from the Disclosing Party; (iii) are rightfully acquired by the Receiving Party from a third party who has the right to disclose such information or materials without breach of any confidentiality or non-use obligation to the Disclosing Party; or (iv) are independently developed by or for the Receiving Party without use of or access to any Confidential Information of the Disclosing Party.
4.2. Receiving Party. The Receiving Party will maintain the Disclosing Party’s Confidential Information in strict confidence and will not use the Confidential Information of the Disclosing Party except as necessary to perform its obligations or exercise its rights under this Agreement; provided that Notabene may use and modify Confidential Information of Customer in deidentified form for purposes of developing and deriving Aggregate Data. The Receiving Party will not disclose or cause to be disclosed any Confidential Information of the Disclosing Party, except (i) to those employees, representatives, or contractors of the Receiving Party who have a bona fide need to know such Confidential Information to perform under this Agreement and who are bound by written agreements with use and nondisclosure restrictions at least as protective as those set forth in this Agreement, or (ii) as such disclosure may be required by the order or requirement of a court, administrative agency, or other governmental body, subject to the Receiving Party providing the Disclosing Party reasonable written notice to allow the Disclosing Party to seek a protective order or otherwise contest the disclosure.
4.3. Obligation of Non-Disclosure. Each Party’s obligations of non-disclosure with regard to Confidential Information are effective as of the Effective Date and will expire five (5) years from the date first disclosed to the Receiving Party; provided, however, with respect to any Confidential Information that constitutes a trade secret (as determined under applicable law), such obligations of non-disclosure will survive the termination or expiration of this Agreement for as long as such Confidential Information remains subject to trade secret protection under applicable law.
4.4. Terms and Conditions. The terms and conditions of this Agreement will constitute Confidential Information of each Party but may be disclosed on a confidential basis to a Party’s advisors, attorneys, actual or bona fide potential acquirers, investors, or other sources of funding (and their respective advisors and attorneys) for due diligence purposes.
5. SUPPORT AND SERVICE LEVELS
5.1. Support. Notabene will provide Customer with technical support for the Subscription Services in accordance with the support terms set forth in Exhibit C.
5.2. Service Levels. Subject to the terms and conditions of this Agreement, Notabene will use commercially reasonable efforts to make the Subscription Services available in accordance with the service levels set forth in Exhibit C. Customer acknowledges and agrees that the service levels are performance targets only and any failure of Notabene to meet any service level shall not result in any breach of this Agreement or any liability of Notabene to Customer.
6. CUSTOMER MATERIALS AND DATA
6.1. Customer Rights. Notabene acknowledges that, as between Customer and Notabene and except as set forth in Section 5(1), Customer owns and retains all right, title, and interest in and to all Customer Materials.
6.2. Notabene Rights. Customer hereby grants Notabene a non-exclusive, worldwide, royalty-free right and license to use, host, reproduce, display, perform, modify the Customer Materials (which are not personal identifiable data) solely for the purpose of hosting, operating, improving, and providing the Subscription Services and Notabene’s other related products, services, and technologies during the Term.
6.3. Warranties. Customer represents and warrants that (i) it has obtained, and will use its best efforts to obtain during the Term, all necessary rights, authority, and licenses for the access to and use of the Customer Materials (including any personal data provided or otherwise collected pursuant to Customer’s privacy policy) as contemplated by this Agreement and (ii) Notabene’s use of the Customer Materials in accordance with this Agreement will not violate any applicable laws or regulations or cause a breach of any agreement or obligations between Customer and any third party. If Customer fails to obtain such rights, authority, or license during the Term, it shall promptly inform Notabene.
6.4. Processed Data. Where Notabene processes, on behalf of Customer, Customer Materials that are “personal data” or “personal information” under applicable data protection laws, other than the names or professional contact details of Customer’s representatives (“Processed Data”), Notabene acts as a processor for Customer, and the Data Processing Agreement attached hereto as Exhibit E – Data Processing Agreement shall apply.
6.5. Aggregated Data. Notabene may anonymously compile Aggregated Data, including from the Customer Materials, related to the performance of the Subscription Services for purposes of improving the Subscription Services, provided that such information does not contain any Personal Information.
7. API LICENSING
7.1. Ownership and Licensing. All Intellectual Property Rights in the APIs (and all modifications thereto) that either Party makes available to the other shall remain vested in that Party (or its licensors). Subject to Section 7.2 below, API Provider grants to API Consumer a fully paid-up, royalty-free, non-exclusive, non-transferable, worldwide, revocable right and license (without the right to sub-license) during the Term and on the terms of this Agreement to use APIs solely for the purpose of integrating the relevant Subscription Services into the relevant Applications, and developing and distributing the Applications.
7.2. License Conditions.
7.2.1. API Consumer shall:
- a. Use the APIs, Subscription Services, and API Data in accordance with this Agreement, Policies, and terms governing the use of and access to APIs (including all technical and policy-implemented limitations of the APIs, Subscription Services and/or API Data), and all applicable laws and regulations. Without limiting the foregoing, API Consumer shall not violate any express rate limitations on calling or otherwise utilizing APIs;
- b. API Consumer shall ensure that any information provided to API Provider will always be accurate and up-to-date; and
- c. Ensure that the Applications: (i) do not violate or infringe the Intellectual Property Rights of any third party; (ii) are not, and do not contain any content which is, offensive, obscene, libelous, illegal, misleading, or otherwise objectionable; (iii) are not, and do not contain any content which is, disparaging or harmful to API Provider and/or its reputation and associated goodwill; and (iv) do not contain Malware or introduce Malware into the Subscription Services, APIs, or API Data.
7.2.2. API Consumer shall not:
- a. Distribute, license, sell, rent, lease, or otherwise deal in or encumber the APIs, Services, or API Data, or any part thereof;
- b. Use the APIs, Subscription Services, or API Data in any manner that is or could be harmful to or threaten the integrity, performance, or reliability of API Provider’s systems or data, and shall not use the APIs to disrupt, interfere with, or attempt to gain unauthorized access to services, servers, or networks connected to or which can be accessed via such APIs;
- c. Use the APIs or allow any person to use the APIs, Subscription Services, or API Data in a way that violates any applicable laws or regulations, including illegal activities such as gambling, piracy, violating copyright, trademark or other intellectual property laws, threatening, stalking, defaming, defrauding, intimidating, or harassing anyone for any reason, and/or violating any applicable data protection and privacy laws;
- d. Interfere with, modify, or disable any features, functionality, or security controls of the APIs, Subscription Services, or API Data, defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any protection mechanisms for the APIs, Subscription Services, or API Data, or reverse engineer, decompile, disassemble, or derive the source code, underlying ideas, algorithms, structure, or organizational form of the APIs, Subscription Services, or API Data, or make any attempts to do so.
- e. Through the Applications, display any form of advertising unauthorized by API Provider within or connected to the APIs, Subscription Services, or API Data;
- f. Share the unique API credentials issued by API Provider to API Consumer with any third party. API Consumer shall keep such credentials and all account information secure against unauthorized disclosures to or access by third parties; or
- g. Incorporate any unauthorized modifications to APIs in the Applications.
7.2.3. Subject to remaining in compliance with this Agreement and applicable laws, API Provider reserves the right to make modifications to the APIs at any time for any reason, with or without notice to API Consumer.
8. REPRESENTATIONS AND WARRANTIES
8.1. Representations and Warranties. Each Party hereby represents and warrants to the other Party that: (i) it is duly organized, validly existing, and in good standing under its jurisdiction of organization and has the right to enter into this Agreement; and (ii) the execution, delivery, and performance of this Agreement and the consummation of the transactions contemplated hereby are within the corporate powers of such Party and have been duly authorized by all necessary corporate action on the part of such Party, and constitute a valid and binding agreement of such Party.
9. INDEMNIFICATION
9.1. Notabene Indemnification. Subject to Section 9.2, Notabene will defend Customer against any claim, suit, or proceeding brought by a third party (“Claims”) alleging that Customer’s Use of the Subscription Services infringes or misappropriates such third party’s Intellectual Property Rights, and will indemnify and hold harmless Customer against any damages awarded against Customer or agreed in settlement by Notabene (including reasonable attorneys’ fees) resulting from such Claim.
9.2. Exclusions. Notabene’s obligations under Section 9.1 will not apply if the underlying third-party claim arises from or as a result of: (i) Customer’s breach of this Agreement, negligence, willful misconduct, or fraud; (ii) any Customer Materials; (iii) Customer’s failure to use any enhancements, modifications, or updates to the Subscription Services that have been provided by Notabene; (iv) modifications to the Subscription Services by anyone other than Notabene; or (v) combinations of the Subscription Services with software, data, or materials not provided by Notabene.
9.3. IP Remedies. If Notabene reasonably believes the Subscription Services (or any component thereof) could infringe any third party’s Intellectual Property Rights, Notabene may, at its sole option and expense, use commercially reasonable efforts to: (i) modify or replace the Subscription Services, or any component or part thereof, to make it non-infringing; or (ii) procure the right for Customer to continue use. If Notabene determines that neither alternative is commercially practicable, Notabene may terminate this Agreement, in its entirety or with respect to the affected component, by providing written notice to Customer. In the event of any such termination, Notabene will refund to Customer a pro-rata portion of the Fees that have been paid for the unexpired portion. The rights and remedies set forth in this Section 9 shall constitute Customer’s sole and exclusive remedy for any infringement or misappropriation of Intellectual Property Rights in connection with the Subscription Services.
9.4. Customer Indemnification. Subject to Section 9.5, Customer will defend Notabene against Claims arising from (i) any Customer Materials, including, without limitation, (A) any Claim that the Customer Materials infringe, misappropriate, or otherwise violate any third party’s Intellectual Property Rights or privacy or other rights; or (B) any Claim that the use, provision, transmission, display, or storage of Customer Materials violates any applicable law, rule, or regulation; and in each case, will indemnify and hold harmless Notabene against any damages awarded against Notabene or agreed in settlement by Customer resulting from such Claim.
9.5. Indemnification Procedures. The Party seeking defense and indemnity (the “Indemnified Party”) will promptly notify the other Party (the “Indemnifying Party”) of the claim for which indemnity is being sought, and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement thereof. The Indemnifying Party will have the sole right to conduct the defense of any claim for which the Indemnifying Party is responsible hereunder (provided that the Indemnifying Party may not settle any claim without the Indemnified Party's prior written approval unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party's business, products, or services). The Indemnified Party may participate in the defense or settlement of any such claim at its own expense and with its own choice of counsel or, if the Indemnifying Party refuses to fulfill its obligation of defense, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.
10. DISCLAIMER
EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SUBSCRIPTION SERVICES AND OTHER NOTABENE IP ARE PROVIDED ON AN “AS IS” BASIS, AND NOTABENE MAKES NO WARRANTIES OR REPRESENTATIONS TO CUSTOMER, ITS AUTHORIZED USERS, OR TO ANY OTHER PARTY REGARDING THE NOTABENE IP, THE SUBSCRIPTION SERVICES, OR ANY OTHER SERVICES OR MATERIALS PROVIDED HEREUNDER. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NOTABENE HEREBY DISCLAIMS ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, NOTABENE HEREBY DISCLAIMS ANY WARRANTY THAT USE OF THE SUBSCRIPTION SERVICES WILL BE ERROR-FREE, BUG-FREE, OR UNINTERRUPTED.
11. LIMITATIONS OF LIABILITY
11.1. Exclusion of Damages. EXCEPT FOR: (I) ANY INFRINGEMENT BY ONE PARTY OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS, (II) GROSS MISCONDUCT BY EITHER PARTY, (III) BREACH OF CUSTOMER’S PAYMENT OBLIGATIONS OR (IV) BREACH OF CONFIDENTIALITY, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR ANY LOSS OF INCOME, DATA, PROFITS, REVENUE, OR BUSINESS INTERRUPTION, OR THE COST OF SUBSTITUTE SERVICES OR OTHER ECONOMIC LOSS, ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, THE NOTABENE IP, OR THE PROVISION OF THE SUBSCRIPTION SERVICES, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED ON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SUCH PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
11.2. Total Liability. EXCEPT FOR INDEMNIFICATION OBLIGATIONS UNDER SECTION 8, IN NO EVENT WILL NOTABENE’S TOTAL LIABILITY TO CUSTOMER OR ITS AUTHORIZED USERS IN CONNECTION WITH THIS AGREEMENT, THE NOTABENE IP, OR THE PROVISION OF THE SUBSCRIPTION SERVICES EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO NOTABENE IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE CLAIM, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED, AND WHETHER OR NOT NOTABENE WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
11.3. Basis of the Bargain. THE PARTIES HEREBY ACKNOWLEDGE AND AGREE THAT THE LIMITATIONS OF LIABILITY IN THIS SECTION 10 ARE AN ESSENTIAL PART OF THE BASIS OF THE BARGAIN BETWEEN NOTABENE AND CUSTOMER AND WILL APPLY EVEN IF THE REMEDIES AVAILABLE HEREUNDER ARE FOUND TO FAIL THEIR ESSENTIAL PURPOSE.
12. TERM AND TERMINATION
12.1. Term. The initial term of this Agreement (“Initial Term”) will be as set forth in the Order Form. Following the Initial Term, this Agreement will automatically renew for additional terms of the duration set forth in the Order Form (each, a “Renewal Term,” and together with the Initial Term, the “Term”), unless either Party provides the other with at least ninety (90) days’ written notice of its intent not to renew this Agreement prior to the end of the then-current Term.
12.2. Termination. Either Party may terminate this Agreement, effective on written notice to the other Party, if the other Party materially breaches this Agreement, and such breach remains uncured thirty (30) days after the non-breaching Party provides the breaching Party with written notice of such breach.
12.3. Survival. This Section 11(3) and Sections 2(2), 2(3), 2(4), 3, 4, 6(1), 6(2), 6(3), 7, 8, 9, 10, 11(3) and 14 (in addition to Section 1) survive any termination or expiration of this Agreement.
12.4. Effect of Termination. Upon expiration or termination of this Agreement: (i) the rights granted pursuant to Section 2(1) will terminate; and (ii) Customer will return or destroy, at Notabene’s sole option, all Notabene Confidential Information in its possession or control, including permanent removal of such Notabene Confidential Information (consistent with customary industry practice for data destruction) from any storage devices or other hosting environments that are in Customer’s possession or under Customer’s control, and at Notabene’s request, certify in writing to Notabene that the Notabene Confidential Information has been returned, destroyed, or, in the case of electronic communications, deleted. No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due or otherwise accrued through the effective date of expiration or termination, or entitle Customer to any refund.
13. PUBLICITY
Subject to the provisions of Section 4, each Party shall have the right to publicly announce the existence of the business relationship between the Parties. In addition, during the term of Customer’s use of the Subscription Services, Notabene may use Customer’s name, trademarks, and logos (collectively, “Customer’s Marks”) on Notabene’s website and in its marketing materials to identify Customer as Notabene’s customer, and for the purpose of providing the Subscription Services to Customer, provided that Notabene shall use commercially reasonable efforts to adhere to the usage guidelines furnished by Customer with respect to Customer’s Marks.
14. GENERAL
14.1. Entire Agreement. This Agreement, including its exhibits, is the complete and exclusive agreement between the parties with respect to its subject matter and supersedes any and all prior or contemporaneous agreements, communications, and understandings, both written and oral, with respect to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the parties.
14.2. Notices. All notices required or permitted under this Agreement will be in writing, will reference this Agreement, and will be sent to the relevant address set forth in the Order Form or to such other address as may be specified by the relevant Party to the other Party in accordance with this Section 14(2). Such notices shall be deemed given: (i) when delivered personally; (ii) one (1) business day after deposit with a nationally recognized express courier, with written confirmation of receipt; or (iii) three (3) business days after having been sent by registered or certified mail, return receipt requested, postage prepaid.
14.3. Waiver. Either Party’s failure to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. No waiver of any provision of this Agreement will be effective unless it is in writing and signed by the Party granting the waiver.
14.4. Severability. If any provision of this Agreement is held invalid, illegal, or unenforceable, that provision will be enforced to the maximum extent permitted by law, given the fundamental intentions of the parties, and the remaining provisions of this Agreement will remain in full force and effect.
14.5. Governing Law and Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of New York without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in [Switzerland/the State of New York], and the parties irrevocably consent to the personal jurisdiction and venue therein.
14.6. Assignment. Neither Party may assign or transfer this Agreement, by operation of law or otherwise, without the other Party’s prior written consent. Any attempt to assign or transfer this Agreement without such consent will be void. Notwithstanding the foregoing, either Party may assign or transfer this Agreement to a third party that succeeds to all or substantially all of the assigning Party’s business and assets relating to the subject matter of this Agreement, whether by sale, merger, operation of law, or otherwise. Subject to the foregoing, this Agreement is binding upon and will inure to the benefit of each of the Parties and their respective successors and permitted assigns.
14.7. Equitable Relief. Each Party agrees that a breach or threatened breach by such Party of any of its obligations under Section 4 or, in the case of Customer, Section 2(2) would cause the other Party irreparable harm and significant damages for which there may be no adequate remedy under law and that, in the event of such breach or threatened breach, the other Party will have the right to seek immediate equitable relief, including a restraining order, an injunction, specific performance, and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity, or otherwise.
14.8. Force Majeure. Neither Party will be responsible for any failure or delay in the performance of its obligations under this Agreement (except for any payment obligations) due to causes beyond its reasonable control, which may include, without limitation, labor disputes, strikes, lockouts, shortages of or inability to obtain energy, raw materials, or supplies, denial of service or other malicious attacks, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, war, terrorism, riot, or acts of God.
14.9. Export Regulation. Customer will comply with all applicable federal laws, regulations, and rules that prohibit or restrict the export or re-export of the Subscription Services or related software, or any Customer Materials, outside the United States (“Export Rules”), and will complete all undertakings required by Export Rules, including obtaining any necessary export license or other governmental approval.
14.10. Relationship of the Parties. The relationship between the Parties is that of independent contractors. Nothing in this Agreement shall be construed to establish any partnership, joint venture, or agency relationship between the Parties. Neither Party will have the power or authority to bind the other or incur any obligations on the other’s behalf without the other Party’s prior written consent.
14.11. No Third-Party Beneficiaries. No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations, or liabilities hereunder upon any Person other than the Parties and their respective successors and assigns.
14.12. Counterparts. This Agreement may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement.
EXHIBIT C – CUSTOMER SUCCESS PACKAGES
Achieving Success with Notabene: Customizable Customer Success Packages
At Notabene, we’re dedicated to helping our customers achieve success through the use of our Travel Rule compliance tool. Whether you’re just starting out or looking to optimize your compliance workflows, our Customer Success Packages are designed to provide the support your team needs.
With options for businesses of all sizes and varying levels of complexity, our Opus package offers a self-learn onboarding plan with access to weekly training webinars and resources. For those seeking more personalized support, our Solis and Echo packages include 1:1 training and access to our in-house experts.
EXHIBIT D – NOTABENE SERVICE LEVEL AGREEMENT AND DISASTER RECOVERY
Introduction: This service level agreement (“SLA”) consists of the general terms and conditions set forth below, together with Attachment 1 (Service Level Agreement Definitions), Attachment 2 (Service Level Standards for Notabene Software as a Service), and Attachment 3 (Disaster Recovery). This SLA is a part of and is subject to the terms of the Order Form under which the Service is provided to the Customer. This SLA, together with the applicable terms of the Order Form, constitutes the entire agreement of the parties with respect to the subject matter of this SLA and supersedes any prior oral or written proposals, representations, promises, or agreements with respect to its subject matter. Notwithstanding anything to the contrary set forth in the Order Form, in case of a conflict between the terms of the Order Form and the terms of this SLA, the terms of this SLA will control.
GENERAL TERMS AND CONDITIONS.
1. SLA Term. This SLA takes effect upon the Order Form Effective Date, and will continue in effect for the duration of the [Service Term] (as defined in Exhibit A – Order Form). Upon any renewal of the Service Term, this SLA will continue in effect unless the Parties otherwise agree in writing.
2. Definitions. Definitions of terms in the Order Form are applicable to this SLA. In addition, the definitions contained in Attachments 1, 2, and 3 apply to this SLA only. In the case of conflicting definitions, the definitions contained in this SLA control with respect to the interpretation of this SLA.
3. General.
3.1. Service Requirements. Notabene shall use commercially reasonable efforts to comply with the obligations set forth in these general terms and conditions, as well as the requirements set forth in Attachment 1 and Attachment 2 that are specific to the Service. Notabene is not responsible for delays or other problems in the operation of the Service to the extent caused by Customer’s failure to meet any specific obligations that are relevant to the operation of the Service or by any Outside Factors.
3.2. Temporary Suspension. Notabene may temporarily suspend the Service for necessary repairs (“Necessary Suspensions”). If Notabene will effect a Necessary Suspension, Notabene will provide Customer with reasonable prior written notice (e-mail form acceptable) when commercially practicable under the circumstances, and Notabene shall restore Availability of the Service as soon as commercially practicable.
4. Support.
4.1. Support Generally. Notabene is committed to providing its Customers with necessary support and access to knowledgeable personnel. Questions and issues related to the Service will be addressed during Product Support Hours, which may differ from Standard Service Availability Hours.
4.2. Errors. Notabene shall use commercially reasonable efforts to resolve Errors in a manner consistent with the requirements of this SLA. If at any point Notabene determines that a problem reported by Customer is not the result of an Error, Notabene will promptly report that determination to Customer. Resolution of problems caused by Outside Factors or not the result of Errors is not covered under Notabene’s Support obligations, and Notabene reserves the right to charge for services performed, at Customer’s request, to diagnose or repair problems not covered under Notabene’s Support obligations.
4.3. Severity Levels and Response Times. Upon Customer’s report of a problem with the Service, a Notabene representative will acknowledge the report by issuing a confirmation to Customer, by email, and Notabene will assign a severity level to the problem based on the type of issue reported, according to the following schedule:
4.4. Customer’s Obligations Relating to Support Requests. In order to ensure that Notabene is able to meet the response times set forth above and provide Support in the most efficient manner, Customer agrees, in addition to using its reasonable efforts to provide Notabene with all relevant information reasonably necessary for Notabene to respond to a Support request and Customer’s general Cooperation: (a) to designate primary and secondary liaisons who have been trained on the Service and to provide Notabene with all necessary after-hours contact information for those individuals; (b) that all Support requests will be centralized through the primary and secondary liaisons; (c) to submit Support requests to Notabene’s Product Support; (d) to use reasonable efforts to diagnose and resolve problems in the operation of Customer’s interface to the Service prior to contacting Notabene for Support; (e) to use reasonable efforts to confirm that reported problems are due to a malfunction of the Service; (f) to use reasonable efforts to consult Notabene-supplied documentation before submitting questions about the Service to Notabene; and (g) to work with Notabene to return Support requests to reasonable levels if Notabene deems that Customer’s Support requests exceed reasonable or typical levels for the Service. Customer must notify Notabene of any problems with the Service in a timely manner (depending on the circumstances, but in no event later than thirty (30) days after becoming aware of an issue with the Service).
4.5. Updates; Releases. As a part of Support, Notabene will make available to Customer all updates and releases to the Service and the Application. Optional, separately-priced Service features that may be made available with new updates and releases of the Service are not included in Support unless otherwise agreed in writing. Customer shall comply with any published update and release schedules applicable to Notabene-supplied Software. If Customer fails to adhere to the update or release schedule, this failure may cause Notabene to be unable to meet the Service levels defined in this SLA. Unless otherwise agreed, installation of software and updates on Customer systems is Customer’s responsibility.
5. Exclusions; Additional Service
- Outside Scope: If the Customer requests services outside the scope of Notabene’s support obligations under this SLA, Notabene may provide those services at its discretion, subject to resource availability, and the Customer will pay for such services based on Notabene’s current rates.
- Specific Exclusions:
  - Requests for support outside of Product Support Hours for reasons other than Severity 1 or Severity 2 issues.
  - Support required due to hardware or software failures not provided by Notabene.
  - Maintenance or support for hardware, software, or data connections owned by the Customer.
  - Development, customization, installation, integration, consulting, and training not covered unless specifically agreed upon.
ATTACHMENT 1 TO SERVICE LEVEL AGREEMENT
DEFINITIONS
- Application: The combination of computer hardware, computer software programs, and data transmission facilities under the control of Notabene that Notabene uses to provide the Service to the Customer.
- Available or Availability: Indicates that the Application is performing substantially according to the applicable user guide or other documentation.
- Business Day: Refers to any day from Monday through Friday, excluding Notabene holidays. Notabene will provide the Customer a list of Notabene holidays upon request, which are subject to change by Notabene from time to time.
- Commencement Date: The date on which Notabene first notifies the Customer in writing that the Service is available for commercial use.
- Completed Restoration Time: The time when the Application is Available after a Disaster Declaration.
- Cooperation: Refers to the Customer's general cooperation, providing assistance, access to necessary personnel, and suitably configured Customer systems as required for Notabene to perform its obligations. It includes the Customer’s timely submission of data in an agreed-upon format and furnishing necessary information and responses to Notabene’s requests promptly.
- Disaster Declaration: A written statement from Notabene informing the Customer that a disaster has been declared affecting the Availability of the Application.
- Disaster Recovery Plan: Notabene's plan to recover the Application in an alternate data center.
- Errors: Verified and reproducible malfunctions of the Application or any related Notabene-supplied software that prevent the Service from performing as described in the Order Form or applicable documentation.
- Force Majeure Event: Events beyond Notabene’s reasonable control, including but not limited to denial-of-service attacks, strikes, shortages, riots, insurrections, fires, floods, storms, explosions, acts of God, war, terrorism, governmental actions, labor conditions, earthquakes, and material shortages.
- Outside Factors: Downtime caused by circumstances beyond Notabene's control, including but not limited to customer modifications, general internet outages, failure of Customer’s infrastructure or connectivity, computer and telecommunications failures not within Notabene’s control, delays from credit bureaus or ISPs, and network intrusions or denial-of-service attacks where Notabene has implemented commercially reasonable measures to mitigate such events.
- Possible Available Uptime: The possible hours of Service Availability in a month, based on Standard Service Availability Hours, minus any Scheduled Downtime and Downtime caused by Outside Factors.
- Product Support Hours: The hours during which Notabene’s support teams are available for routine Support. Specific hours are outlined in Attachment 2.
- Scheduled Downtime: Time designated in advance by Notabene when the Service will be unavailable, generally for maintenance or updates. This is typically scheduled to minimize disruption to Customer operations.
- Service: The service(s) provided by Notabene to the Customer under the Order Form.
- Service Term: The duration of the Service as specified in the Order Form, including any extensions or renewals.
- Standard Service Availability Hours: Specific times when the Service is expected to be available, as outlined in Attachment 2.
- Support: Work performed by Notabene or its agents to ensure the Service functions as described in the Order Form and related documentation.
- Unscheduled Downtime: Any time when the Notabene service is unavailable or the Error Rate is greater than 5%. It does not include Scheduled Downtime or downtime due to Outside Factors.
- Uptime: The time when the Service operates in accordance with the SLA and relevant documentation.
ATTACHMENT 2 TO SERVICE LEVEL AGREEMENT - SERVICE LEVEL STANDARDS FOR THE NOTABENE SOFTWARE AS A SERVICE
General
1.1. Data Expectations: Service level objectives set forth in this SLA are based upon a normal volume of data that complies with Notabene’s operating expectations. If Customer furnishes Notabene with any Customer Data that is not formatted in accordance with the applicable format specified in the Documentation, such Customer Data may impact system performance, and Notabene will not be responsible for failure to meet agreed-upon service levels if such failure results from Customer Data volume exceeding any limitations set forth in the Order Form or incorrectly formatted data.
1.2. Standard Service Availability Hours; Scheduled Downtime
- a. Standard Service Availability Hours in the United States are every day, 24 hours per day, but not including Scheduled Downtime. Every Sunday between 12:01 a.m. and 6:00 a.m. CET/Eastern Time is Scheduled Downtime reserved for Application maintenance, updating, and repair without further notice to Customer.
- b. Scheduled Downtime may also be scheduled by Notabene as reasonably necessary for Application maintenance, updating, or repair. Notabene shall use commercially reasonable efforts to minimize the effects of such Scheduled Downtime on Customer’s regular business operations.
1.3. Product Support Hours: Product Support Hours are 24/5, Monday through Friday.
1.4. Third-Party Providers: Notabene shall maintain connections to the Internet and to any of its business partners that are necessary to the Service. Customer understands that Notabene’s access to such third-party business partners is subject to the operating hours, network availability, and performance of each business partner.
Service Availability
2.1. Uptime SLA Percentage: Notabene shall endeavor to ensure that the Uptime SLA Percentage, exclusive of Scheduled Downtime and downtime caused by Outside Factors, measured on a monthly basis, averages at least 99.9% (“Uptime SLA Percentage”). For the purpose of determining Uptime SLA Percentage, the following formula will be used:
Uptime SLA Percentage = (Possible Available Uptime − Unscheduled Downtime) / Possible Available Uptime × 100
2.2. Service Level Credit: Applicable to customers on the Echo Customer Success Plan as identified in Exhibit A – Order Form only. Subject to the applicable assumptions, dependencies, and exceptions provided under this Exhibit, Customer, with written request within thirty (30) days of the month identified with a deficiency, will be entitled to a credit in the calendar month following a missed Uptime SLA Percentage as follows:
- < 99.9% and ≥ 99.5%: 5% credit
- < 99.5% and ≥ 99.0%: 10% credit
- < 99.0% and ≥ 98.5%: 15% credit
- < 98.5% and ≥ 98.00%: 20% credit
- < 98.00% and ≥ 97.50%: 25% credit
- < 97.50% and ≥ 95.00%: 40% credit
2.3. Service Level Termination Event: If the Uptime SLA Percentage falls below 98% on a rolling three (3) month average, then Customer has the right to terminate the applicable Order Form without penalty upon thirty (30) days’ prior written notice to Notabene of its intent to terminate; provided that such notice is given within sixty (60) days of the Service Level Termination Event.
Attachment 3 to Service Level Agreement - Disaster Recovery
- Disaster Recovery. Notabene shall maintain a Disaster Recovery Plan in the event of a catastrophe or other Force Majeure Event that prevents Notabene from delivering the Service, and will use commercially reasonable efforts to have the Service restored to operation as soon as practicable. This plan shall include geographic diversity of data center locations with target service levels as follows:
- Recovery Point Objective (RPO): Less than twenty-four (24) hours. “Recovery Point Objective” or “RPO” shall mean the maximum amount of data that may be lost when the Service is restored after an interruption. Recovery Point Objective is expressed as a length of time before the failure.
- Recovery Time Objective (RTO): No more than forty-eight (48) hours. “Recovery Time Objective” or “RTO” shall mean the maximum time allowed for recovery of the Service following an interruption. Recovery Time Objective is expressed as the length of time between a Disaster Declaration and the Completed Restoration Time to the Service.
- Data Backup and Retention. Notabene shall back up data on a daily basis using a combination of full and incremental backup procedures. Backups will be executed automatically using a predefined schedule.
Exhibit E – Data Processing Agreement
This document sets out the Data Processing Agreement (“DPA”) for the processing of personal data during the execution and after the termination of the Subscription Services Agreement (“Agreement”), as required by article 28, no. 3 of GDPR. Where, while performing the Subscription Services (“Services”) under the Agreement, Notabene processes Customer Materials that are “personal data” or “personal information” under applicable data protection laws on behalf of Customer, other than Customer’s representatives’ names or professional contact details, Notabene is qualified as a Processor (as defined below) and this DPA shall apply.
1. Definitions
1.1. In addition to the terms defined in the Agreement, in this DPA all the definitions set forth in article 4 of GDPR shall be adopted, namely the terms “Personal Data”, “Data Subjects”, “Processing”, “Personal Data Breach”, “Pseudonymization”, “Controller” and “Processor”.
1.2. In addition to the above, the following definitions shall be adopted:
- Data Protection Law: means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, commonly known as the “General Data Protection Regulation” or “GDPR”, as well as any other applicable national rule and legislation on the protection of personal data in the European Union or locally that is already in force or that will come into force during the term of this DPA, including any measure, guideline, and opinion issued by the European data protection authorities or by the European Data Protection Board (“EDPB”).
- Persons in Charge of Data Processing: means the employees and any natural persons who, authorized by the Processor and/or its sub-processors, if any, can process the Processed Data.
- Platform: means the relevant web, online platform, or other software service or application developed by Notabene, and shall include any modifications, customizations, and derivatives of the same.
- Processed Data: means the personal data processed under this DPA.
- Security Measures: means the security measures and any other obligations under the Data Protection Law for guaranteeing the security and confidentiality of the Processed Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Sub-Processor: means the legal person, company or independent professional who, authorized by the Controller and engaged by the Processor, is allowed to carry out activities entailing the processing of the Processed Data, as permitted under Data Protection Law and this DPA. Authorized Sub-Processors are detailed in Appendix E.c – General Authorization for Sub-processing.
2. Scope
2.1. Notabene shall act as the Processor (“Processor”) in relation to the processing of Processed Data on behalf of the Customer, which is qualified as the Controller (“Controller”), exclusively for the purposes of executing the Agreement or as required by law, according to the terms and conditions of this DPA and the Data Protection Law.
2.2. The type of personal data and processing activities to be handled by the Processor are described in Appendix E.a – Description of Processing. Any amendment to this list must be done in writing by the signature of both Parties, and a copy of the updated list must be enclosed in the final versions of this DPA.
2.3. In relation to any processing of Processed Data carried out by the Processor or by a Sub-processor, directly or through the respective Persons in Charge of Data Processing, for purposes other than those within the scope of this DPA and the Service engaged, and on the basis of different relationships with data subjects, the Processor or its subsequent Subcontractors shall not act as processors of the Controller in relation to the Processed Data, but as independent data controllers, or processors of entities other than the Controller, as the case may be.
3. Term
3.1. This DPA shall be effective from the Effective Date of the Agreement up to the end of the transitional period of 15 (fifteen) days granted after the termination of such Agreement or its related services.
3.2. During the transitional period, the Controller will be able to delete, remove, or transfer the Processed Data resulting from the Services. After such a transitional period, the Processor will permanently delete all the Processed Data from the Platform and all the existing copies, unless any applicable law requires the storage of the Processed Data.
3.3. The Processor shall ensure that all Persons in Charge of Data Processing, its Sub-Processors, if any, and their Persons in Charge of Data Processing, comply with the obligations laid down in this DPA, as applicable, in the manner and in accordance with the timing indicated thereunder.
4. Obligations of the Controller
4.1. The Controller undertakes to:
- Ensure that the collection and further processing of all Processed Data is done in a lawful manner;
- Provide clear and timely written instructions to the Processor regarding the Processed Data;
- Assist and cooperate, within a reasonable manner, with the Processor whenever required in connection with the processing of the Processed Data, including if it suspects any data breach that could undermine the availability, integrity, privacy, and/or security of the Processed Data;
- Inform the Processor of any restriction required to the processing of any Processed Data, whether required by a Data Subject or instructed by a relevant data protection supervisory authority;
- Keep the Processor up to date about the Processed Data or any other information relevant to its processing by the Processor or by its Sub-processors, including any notification or request for information from a relevant data supervisory authority.
5. Obligations of the Processor
5.1. The Processor undertakes to:
- 5.1.1. Process the Processed Data for the sole purpose of performing the Services, subject to the limits and in the manner provided for by the Agreement between Controller and Processor for the provision of such Services, this DPA, and the Data Protection Law, and in strict compliance with the written instructions given by the Controller. The Processor shall immediately inform the Controller in writing if it deems that any of the instructions is in breach of the Data Protection Law or any applicable law.
- 5.1.2. Process exclusively the Processed Data that is strictly necessary for correctly and fully performing the Service or meeting the obligations provided for by Data Protection Law or other applicable laws.
- 5.1.3. Process the Processed Data lawfully, fairly, and in full compliance with the principles applicable to data processing, with the requirements laid down by the Data Protection Law, and the information on the processing of the Processed Data provided to the relevant data subjects by the Controller.
- 5.1.4. Assist and cooperate reasonably with the Controller whenever required under the processing of the Processed Data, including if the Processor suspects any data breach that could undermine the availability, integrity, privacy, and/or security of the Processed Data.
- 5.1.5. Inform the Controller of any restriction required to the processing of any Processed Data, whether required by a Data Subject or instructed by a relevant data protection supervisory authority, unless prohibited by law.
- 5.1.6. Keep the Controller up-to-date about the Processed Data or any other relevant information, including any notification or request for information from a relevant data supervisory authority.
- 5.1.7. Cooperate with and assist the Controller in responding to any notifications from a supervisory authority concerning the Processed Data, including providing supporting documentation to submit to the relevant supervisory authority as evidence of compliance with the DPA.
- 5.1.8. Provide the Controller, upon request, with all the information in its possession or control referring to the processing of the Processed Data under this DPA, for the Controller to assess whether such processing is carried out in accordance with the DPA.
- 5.1.9. Disclose the information reasonably required by the Controller for performing privacy impact assessments concerning the processing activities and cooperate on implementing mitigation actions agreed by the Parties to address privacy risks identified.
- 5.1.10. Permit, provide information for, and cooperate with the Controller regarding audits, including any inspections conducted by the Controller or another auditor mandated by the Controller.
5.2. Regarding the Persons in Charge of Data Processing, the Processor further undertakes to:
- 5.2.1. Guarantee that the Persons in Charge of Data Processing can access and process only the Processed Data that is strictly necessary for correctly and fully performing the Services or meeting the legal requirements, subject to the limits and in accordance with this DPA, the principal agreement between Controller and Processor for the provision of the Services, and the Data Protection Law.
- 5.2.2. Guarantee that the Persons in Charge of Data Processing are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
- 5.2.3. Ensure that the Processed Data is processed only by the Persons in Charge of Data Processing who, based on their experience, capabilities, and training, can ensure compliance with the Data Protection Law and need to access the data for performing the Service; and that they attend periodic training courses on obligations prescribed by the Data Protection Law.
- 5.2.4. Adopt any physical, technical, and organizational measures aimed at enabling:
- 5.2.4.1. Each Person in Charge of Data Processing to access exclusively the Processed Data they are authorized to process, taking into account the activity required to perform the Service.
- 5.2.4.2. Any processing of the Processed Data that is in breach of the DPA and/or the Data Protection Law to be promptly identified and reported to the Controller.
- 5.2.4.3. Total confidentiality, availability, and integrity of the Processed Data to be ensured upon termination of the Services and, with respect to each Person in Charge of Data Processing, upon termination of the appointment of such a person.
6. Sub-processors
6.1. Regarding the Processed Data, the Processor undertakes to engage and work only with Sub-Processors to whose engagement the Controller has not reasonably objected in writing.
6.2. Sub-Processors identified in Appendix E.c – General Authorization for Sub-processing are hereby authorized by the Controller to process Processed Data provided that said Sub-Processor:
6.2.1. has committed to confidentiality obligations and enters into a written agreement providing the same data protection obligations as set out in this DPA and such other obligations as may be required by the Controller under the instructions of the Processor;
6.2.2. acts exclusively on the instructions of the Controller or the Processor;
6.2.3. provides adequate guarantees with reference to the technical and organizational measures adopted for the processing of the Processed Data, including, without limitation, ensuring that the Sub-Processor immediately ceases the processing of the Processed Data should such guarantee be no longer available.
6.3. In case of any intended changes concerning the addition or replacement of any of the Sub-Processors identified in Appendix E.c – General Authorization for Sub-processing, the Processor undertakes to notify the Controller, giving the Controller the opportunity to reasonably object to such change within 30 (thirty) days counting from said notification. If the Controller notifies the Processor of any objection to the proposed appointment, the Parties shall work together to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed sub-processor. Costs related to this change, if any, will be borne by the Controller.
6.4. The Processor shall correctly and completely adopt all the Security Measures in compliance with the Data Protection Law and this DPA.
7. Security Measures
7.1. Without limiting the aforementioned provisions, the Processor shall implement appropriate technical and organizational measures to ensure a level of security that is proportionate to the risk associated with the processing of the Processed Data. This will be determined by considering the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons. These measures will include those outlined in Article 32, paragraph 1 of the GDPR, particularly the measures specified in Appendix E.b – Security Measures.
8. Processed Data Breach
8.1. In the event of a Personal Data Breach or any incidents that may compromise the security of the Processed Data (including loss, damage, or destruction of the data in either electronic or hard copy format, unauthorized access by third parties, or any other breaches), the Processor shall:
8.1.1. Immediately inform the Controller via email without undue delay. This notification must include details about the type and description of the Personal Data Breach, identification of the Processed Data and affected Data Subjects, potential consequences of the breach, and any remedies already implemented (if applicable). If all relevant information cannot be provided simultaneously, it may be shared in phases without undue delay.
8.1.2. Collaborate with the Controller to adopt necessary measures immediately, and in any case without undue delay, to minimize risks that may arise for the Data Subjects from such breaches, remedy the breach, and mitigate any potential adverse effects.
8.2. The Controller is fully responsible for notifying the relevant data protection supervisory authority and Data Subjects of any Personal Data Breach, as required.
9. Data Subjects’ Rights
9.1. The Controller shall ensure that the rights granted to Data Subjects under the Data Protection Law are effectively executed. The Processor agrees to notify the Controller in writing within five (5) Business Days of receiving any request from Data Subjects in this regard.
9.2. The Processor shall work with the Controller to ensure compliance with all requests from Data Subjects exercising their rights under the Data Protection Law, including but not limited to the right to object to processing and the right to data portability, within the required timeframes and in accordance with other requirements set forth by the Data Protection Law.
10. Audits
10.1. The Processor acknowledges that the Controller may assess the organizational, technical, and security measures adopted by the Processor in processing the Processed Data through an audit, which will occur no more frequently than annually (unless triggered by a Personal Data Breach). The Controller must provide at least ten (10) Business Days' prior written notice (unless urgency requires an earlier notice) to access the Processor’s premises, computers, and any other IT systems/files, directly or via an authorized third party, if the Controller deems it necessary to verify compliance with this DPA and the Data Protection Law or to ascertain any breaches of the Processed Data.
11. Transfers of Processed Data Outside the EEA
11.1. The Processor shall conduct processing only within the European Economic Area (EEA) and shall not transfer the Processed Data outside the EEA without the Controller's prior written consent, unless mandated by Union or Member State law applicable to the Processor. In such cases, the Processor must inform the Controller of the legal requirement before processing, unless such notification is prohibited by law for important public interest reasons.
11.2. When transferring personal data with the Controller's consent, as stipulated in clause 11.1, such transfers shall comply with Chapter V of the GDPR and adhere to the instructions given by the Controller concerning the transfer.
11.3. If the Processor transfers data outside the EEA, acting as the data exporter, it shall ensure that, whenever no adequacy decision is in place as outlined in Article 45 of the GDPR, additional measures are executed, including but not limited to the Standard Contractual Clauses approved by the European Commission.
11.4. If any Sub-Processors engaged by the Processor are based outside the EEA or transfer Processed Data to any non-EEA country, the Processor will implement the equivalent Standard Contractual Clauses model as legally required.
Appendix E.a – Description of processing
Appendix E.b – Security Measures
Processor shall maintain and enforce various policies, standards, and processes designed to secure personal data and other data to which Processor employees are provided access, and updates such policies, standards, and processes from time to time consistent with industry standards. Without prejudice to the rules contained within Clause 6 (Security Measures) of the Data Processing Agreement, the Processor shall implement appropriate technical and organizational measures to ensure a level of security adequate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects. These measures shall ensure full compliance with Article 32 of the GDPR. Following is a description of some of the core technical and organizational security measures implemented by Processor as of the date of signature:
- General Security Procedures
- Processor shall be responsible for establishing and maintaining an information security program that is designed to: (i) protect the security and confidentiality of Personal Data; (ii) protect against anticipated threats or hazards to the security or integrity of the Personal Data; (iii) protect against unauthorized access to or use of the Personal Data; (iv) ensure the proper disposal of Personal Data, as further defined herein; and, (v) ensure that all employees and subcontractors of Processor, if any, comply with all of the foregoing. Processor will designate an individual to be responsible for the information security program. Such individual shall respond to Controller inquiries regarding computer security and be responsible for notifying Controller-designated contact(s) if a breach or an incident occurs, as further described herein.
- Processor shall conduct formal privacy and security awareness training for all personnel and contractors as soon as reasonably practicable after the time of hiring and/or prior to being appointed to work on Personal Data and annually recertified thereafter. Documentation of security awareness training shall be retained by Processor, confirming that this training and subsequent annual recertification process have been completed.
- Controller shall have the right to review an overview of Processor’s information security program prior to the commencement of Service and annually thereafter upon Controller request.
- In the event of any apparent or actual theft, unauthorized use, or disclosure of any Personal Data, Processor shall immediately commence all reasonable efforts to investigate and correct the causes and remediate the results thereof, and within 2 business days following confirmation of any such event, provide Controller notice thereof, and such further information and assistance as may be reasonably requested. Upon Controller’s request, remediation actions and reasonable assurance of resolution of discovered issues shall be provided to Controller.
- Processor will not transmit any unencrypted Personal Data over the internet or any unsecured network, and will not store any Personal Data on any mobile computing device, such as a laptop computer, USB drive, or portable data device, except where there is a business necessity and then only if the mobile computing device is protected by industry-standard encryption software. Processor shall encrypt Personal Data in transit into and out of the Services over public networks using industry standard protocols.
- Network and Communications Security
- All Processor connectivity to Controller computing systems and/or networks and all attempts at same shall be only through Controller’s security gateways/firewalls and only through Controller-approved security procedures.
- Processor will not access, and will use its best efforts to prevent unauthorized persons or entities from accessing, Controller computing systems and/or networks without Controller’s express written authorization, and any such actual or attempted access shall be consistent with any such authorization.
- Processor will take appropriate measures to ensure that Processor’s systems connecting to Controller’s systems and anything provided to Controller through such systems does not contain any computer code, programs, mechanisms, or programming devices designed to, or that would enable, the disruption, modification, deletion, damage, deactivation, disabling, harm, or otherwise be an impediment, in any manner, to the operation of Controller’s systems.
- Processor will maintain technical and organizational measures for data protection including: (i) firewalls and threat detection systems to identify malicious connection attempts, to block spam, viruses, and unauthorized intrusion; (ii) physical networking technology designed to resist attacks by malicious users or malicious code; and (iii) encrypted data in transit over public networks using industry standard protocols.
- Personal Data Handling Procedures
- Disposal of Personal Data on paper shall be done in a secure manner, to include shredders or secure shredding bins within Processor space from which Personal Data is handled or accessed (“Controller Work Area”). Shredding must take place within the Controller Work Area before disposal or transit outside of the Controller Work Area or be performed offsite by a reputable third party under contract with Processor.
- Erasure of Information and Destruction of Electronic Storage Media. All electronic storage media containing Personal Data must be wiped or degaussed for physical destruction or disposal, in a manner meeting forensic industry standards such as the NIST SP800-88 Guidelines for Media Sanitization, prior to departing Controller Work Area(s), with the exception of encrypted Personal Data residing on portable media for the express purpose of providing service to the Controller. Processor shall maintain commercially reasonable documented evidence of data erasure and destruction for infrastructure level resources. This evidence must be available for review at the request of Controller.
- Processor shall maintain authorization and authentication technologies and processes to ensure that only authorized persons access Personal Data, including: (i) granting access rights on the basis of the need-to-know principle; (ii) reviewing and maintaining records of employees who have been authorized or who can grant, alter, or cancel authorized access to systems; (iii) requiring personalized, individual access accounts to use passwords that meet complexity, length, and duration requirements; (iv) storing passwords in a manner that makes them undecipherable if used incorrectly or recovered in isolation; (v) encrypting, logging, and auditing all access sessions to systems containing Personal Data; and (vi) instructing employees on safe administration methods when computers may be unattended such as use of password protected screen savers and session time limits.
- Processor shall maintain logical controls to segregate Personal Data from other data, including the data of other customers.
- Processor shall maintain measures to provide for separate processing of data for different purposes including: (i) provisioning Controller within its own application-level security domain, which creates logical separation and isolation of security principals between customers; and (ii) isolating test or development environments from live or production environments.
- Physical Security
- All backup and archival media containing Personal Data must be contained in secure, environmentally controlled storage areas owned, operated, or contracted for by Processor. All backup and archival media containing Personal Data must be encrypted.
- Technical and organizational measures to control access to data center premises and facilities are in place and include: (i) staffed reception desks or security officers to restrict access to identified, authorized individuals; (ii) visitor screening on arrival to verify identity; (iii) all access doors, including equipment cages, secured with automatic door locking systems with access control systems that record and retain access histories; (iv) monitoring and recording of all areas using CCTV digital camera coverage, motion detecting alarm systems, and detailed surveillance and audit logs; (v) intruder alarms present on all external emergency doors with one-way internal exit doors; and (vi) segregation of shipping and receiving areas with equipment checks upon arrival.
- Processor shall maintain measures to protect against accidental destruction or loss of Personal Data including: (i) fire detection and suppression, including a multi-zoned, dry-pipe, double-interlock, pre-action fire suppression system and a Very Early Smoke Detection and Alarm (VESDA); (ii) redundant on-site electricity generators with adequate supply of generator fuel and contracts with multiple fuel providers; (iii) heating, ventilation, and air conditioning (HVAC) systems that provide stable airflow, temperature, and humidity, with minimum N+1 redundancy for all major equipment and N+2 redundancy for chillers and thermal energy storage; and (iv) physical systems used for the storage and transport of data utilizing fault tolerant designs with multiple levels of redundancy.
- Security Testing
- During the performance of services under the Agreement, Processor shall engage periodically a Third-Party (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Processor’s systems containing and/or storing Personal Data.
- The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Processor systems containing and/or storing Personal Data, which could expose Controller’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters, or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Processor systems containing and/or storing Personal Data that could be exploited by a malicious party.
- Security Tests shall identify, at a minimum, the following security vulnerabilities: unvalidated or unsanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; improper use of encryption; and anti-virus reliability and testing.
- Within a reasonable period after the Security Test has been performed, Processor shall notify Controller in writing of any critical security issues that were revealed during such Security Test which have not been remediated. To the extent that critical security issues were revealed during a particular Security Test, Processor shall subsequently engage, at its own expense, the Testing Company to perform an additional Security Test to ensure resolution.
- Security Audit
- Processor, and all subcontracted entities (as appropriate), will, whenever convenient, perform detailed security and vulnerability tests and assessments against all systems processing Personal Data, conducted by independent third-party security experts and including a thorough code analysis and a comprehensive security audit, and shall perform regular (i.e. at least bi-annual) penetration tests (for exploits including, but not limited to, XSS, SQL injection, access controls, and CSRF) against any Internet-facing systems used in connection with the Services. Processor further agrees to perform regular risk assessments of the physical and logical security measures and safeguards it maintains applicable to its protection of Personal Data. Processor will provide Controller, upon request, a summary report of such tests and assessments, including a description of any significant (i.e. moderate or greater) risks identified and an overview of the remediation effort(s) undertaken to address such risks, and attest to Controller the date of the most recent security and vulnerability assessment at Controller’s reasonable request.
- Anonymisation and Pseudonymisation of Personal Data
- When possible, the Processor should ensure that data is anonymised or pseudonymised before data processing operations.
- When pseudonymising data, the key for reverting the process should be protected and stored in an adequate manner and according to industry standards.
- Anonymisation should be preferred to pseudonymisation.
- The Processor should guarantee the anonymisation is not reversible, in accordance with the technological state of the art.
- Other Technical and Organizational Measures
- A Data Protection Officer should be appointed when the applicable legislation or good practices require it.
- When available for the Processor’s industry, the Processor should acquire/adhere to Codes of Conduct and/or independent Certification regarding the processing of Personal Data and in accordance with the GDPR.
- The Processor should keep itself updated on any developments in legislation, case-law or opinions from supervisory authorities regarding subjects that are relevant for the provision of services and inform the Controller if it considers that any of the above may have an impact on the services the Processor provides.