Protected: test

Terms of Service

Contents

A. Definitions

1. Definitions of terms used

B. Terms of Service

1. Services

Our responsibilities

2. Service levels

3. Service Support

4. Service changes

C. Your responsibilities

1. Service usage responsibilities

2. Services Usage Restrictions

D. Accountability and responsibility of the Parties in case of error, omission, fraud and breach of contract

E. Change of ownership and assignment

F. Our personnel

G. Our Service Security

H. Disaster Recovery and Business Continuity

I. Non-Oradian Product and Service

J. Fees and payment for services

1. Fees

2. Overdue charges

3. Suspension of service and acceleration

4. Payment disputes

K. Proprietary rights

1. Reservation of rights

2. Consent by You to host Your data and applications

L. Confidentiality

1. Definition of confidential information

2. Protection of confidential information

3. Compelled disclosure

4. Parties Consent to use each other’s trademarks.

M. Representations, warranties, exclusive remedies and disclaimers

1. Representations

2. Our warranties

3. Disclaimers

N. Mutual indemnification

1. Indemnification by Us

2. Indemnification by You

O. Limitation of liability

1. Limitation of liability

2. Exclusion of consequential and related damages

P. Term and termination

1. Termination of Contract

2. Refund of payment upon termination

3. Your data portability and deletion

4. Surviving Provisions

Q. Governing law, jurisdiction, notices

1. Notices

2. Governing Law

R. General provisions

1. Anti-corruption

2. Contract and order of precedence

3. Relationship of the parties

4. Third-party beneficiaries

5. Waiver

6. Severability

7. Attorney fees

8. Data Privacy and Protection

Appendix 1: Data Processing Agreement

1. Definitions and Interpretation

2. Personal data types and processing purposes

3. Provider’s obligations

4. Provider’s employees

5. Security

6. Personal data breach

7. Cross-border transfers of personal data

8. Subcontractors

9. Complaints, data subject requests and third-party rights

10. Term and termination

11. Data return and destruction

12. Records

13. Audit

14. Warranties

A. Definitions
1. Definitions of terms used

All capitalised terms used but not defined herein shall have the respective meanings given to them in the Service Agreement.

Business Day means working days (Monday to Friday) from 03:00 hours to 17:00 hours Central European Time (CET) or Central European Summer Time (CEST), as applicable. https://www.timeanddate.com/worldclock/converter.html

Confidential Data means information, including Personal Data, in whatever form that the Parties hereto are obligated, by Law or contract, to protect from unauthorised access, use, disclosure, modification or destruction together with any data owned or licensed by the Parties that is not intentionally shared with the general public or that is classified by the Parties with a designation that precludes sharing with the general public.

Data means electronic data and information that You input and update onto the Services and/or that We input, update, process and store at Your request in accordance with the Contract.

Malicious Code means code, files, scripts, agents or programs intended to do harm, including but not limited to viruses, worms, time bombs and trojan horses.

Non-Oradian Product and Service means any products and/or services that are not owned, and/or produced by Oradian and which are purchased for the purposes of interoperating with the Services.

Personal Data has the meaning set out in the Data Processing Agreement.

Security Breach is any event involving a known, actual, or suspected compromise of the security, confidentiality or integrity of Confidential Data and Personal Data.

B. Terms of Service
1. Services

These terms apply to the Services that You have engaged Us to provide under the Service Agreement and any addenda thereof. In case of any conflict between the Terms of Service and the Service Agreement or its addenda, the provisions of the Service Agreement and any such addenda shall govern.

Our responsibilities

2. Service levels

2.1 We will use commercially reasonable efforts to make Our Services available 99.5% of the time.

2.2 In the event that We do not meet the agreed service requirements as specified under the Service Agreement, You are eligible to receive a Service Credit. Service Credits apply only to the following year’s subscription. If You do not renew, no monetary compensation or refund will be provided.

(a) Service Credits are calculated based on a downtime percentage. The downtime percentage is the percentage that 15-minute increments of service unavailability bear to the total time that the Services should be available to You during a Subscription Term (Downtime Percentage). Service Credits are calculated by multiplying the Downtime Percentage by the Subscription Fee.

(b) There is a weekly software maintenance window occurring outside of our business hours (“Weekly Maintenance”). During the Weekly Maintenance, Authorised Users may experience brief controlled service interruptions outside of our Business Day for a maximum of 10 minutes.

(c) In addition to the Weekly Maintenance there is also occasional planned maintenance for larger system updates (“Planned Maintenance”). We will send an email to You 24 (twenty-four) hours before the Planned Maintenance takes place. Subject to an email notification having been sent to the Customer Representative, the downtime of Services during a Planned Maintenance shall not count towards the Downtime Percentage or a Service Credit. We will make reasonable efforts to carry out Planned Maintenance during a period of low activity such as weekends and/or public holidays.

(d) Unavailability of Services resulting from downtime of Your Internet service provider and related Internet connectivity problems or resulting from Your equipment or technology shall not count towards the Downtime Percentage or a Service Credit.

(e) Unavailability of Our Services due to a suspension of Services as detailed under Section J3 (Suspension of service and acceleration) of the Terms of Service shall not count towards the Downtime Percentage or a Service Credit.

(f) We shall report any identified problems including errors and omissions to You if We suspect that any identified problems may affect the proper usage of Our Services. We will endeavour to fix any errors that We become aware of or are reported to Us in accordance with the established process under this Section B3 (Service Support) of the Terms of Service.

(g) Unavailability of Our Services due to events beyond our reasonable control including, but not limited to, Force Majeure events as defined in Section P1.5 of the Terms of Service, issues caused by any Non-Oradian Product or Service purchased directly by you, or a denial-of-service (DOS) attack that we could not have reasonably prevented using then-applicable industry security standards shall not count towards the Downtime Percentage or entitle you to a Service Credit.

(h) Unavailability of Our Services due to DOS attacks that could have reasonably been prevented by following adequate security measures and practices shall count towards the Downtime Percentage and a Service Credit.

(i) To receive a Service Credit, You must submit your claim by emailing support@oradian.com and describing the service interruption including dates and times within 15 Business Days of the service interruption. Your failure to submit Your claim and details about the service interruption within 15 Business Days after the service interruption will disqualify You from receiving a Service Credit.

3. Service Support

3.1 We will provide support for the Services specified in the Service Agreement. We do not provide support for any malfunction or difficulties in connection with Your use of any content or services You obtained directly from third parties.

In providing support, We will use reasonable efforts to:

(a) Respond within the response times set forth below for all properly submitted cases from Authorised Users; and
(b) Work to identify and resolve the cases submitted.

3.2 When a case is submitted, We will classify the severity of the case based on Our professional opinion as defined under clause 3.6 below.

3.3 All response times are measured from the point when a case has been properly submitted by an appointed Authorised User and Oradian has confirmed that the case has been received. Oradian shall confirm that the case has been received within one hour of having received the relevant support request during a Business Day. We do not represent, warrant, or guarantee that:

(a) We will always be able to resolve a case fully;
(b) You will no longer experience a problem; and
(c) We will always be able to provide a bug fix, patch or other workaround in connection with the identified problem.

3.4 You may ask for support by logging in to Our Services and submitting a support ticket directly through Zendesk (https://support.instafin.com/) or by sending an email to the Oradian Support Team at support@oradian.com, to which You have access at all times.

3.5 The response time indicates the time in which We guarantee to start working to resolve the submitted case, after We have confirmed receipt and confirmed the case.

3.6 Any changes and/or updates made to the below indicated response times shall be first notified to the Customer in advance via email to the duly appointed Customer Representative as defined under the Service Agreement.

| Case severity | Case description | Response time (up to) |
| --- | --- | --- |
| Critical | Critical production case that severely impacts Your use of the Service. The situation interrupts Your business operations, and no procedural workaround exists. Service is down or unavailable. Large set of data is corrupted or lost. A critical feature or function is not available. | 1 (one) hour (if the support case is submitted during a Business Day); 4 (four) hours (if the support case is submitted outside of a Business Day) |
| High | The Services are operational but important functionality is impacted or performance degradation is experienced. The case is causing an impact to certain portions of Your business operations and no reasonable workaround exists. | 4 (four) hours (if the support case is submitted during a Business Day); 1 (one) Business Day (if the support case is submitted outside of a Business Day) |
| Medium | There is a partial, non-critical loss of use of the Services with a medium impact on Your business, but Your business continues to function. Short-term workaround is available, but not scalable. | 3 (three) Business Days |
| Low | There is a partial, non-critical loss of use of the Services with a low impact on Your business and its function. Workaround is available. | 5 (five) Business Days |
| Planned | Your use of the Services is not affected but You have a proposal that would improve Your use of the Services. | Determined after the request is included in the product roadmap |

4. Service changes

4.1 We will communicate changes, updates and interruptions to Services that may affect Your operations and availability thereof. Oradian uses service updates to update Instafin to the latest released version. We will notify You about upcoming Planned Maintenance that may affect the Services via email to the duly appointed Customer Representative.

4.3 In the event of unplanned or emergency maintenance, We will notify You as soon as reasonably possible and provide status updates until the issue is resolved.

4.4 It is important to note that a notification will not be sent to You when Weekly Maintenance takes place in accordance with section B2.2.2(b) (Service levels).

C. Your responsibilities
1. Service usage responsibilities

You are responsible for the following:

(a) Your Authorised Users’ compliance with the Contract;
(b) Ensuring the accuracy, quality, and legality of the Data You input into the Services, as well as the lawful acquisition of such Data in compliance with applicable privacy and data protection laws;
(c) Using commercially reasonable efforts to prevent unauthorised use of the Services, providing immediate notice of any unauthorised third-party use of the Services and/or any event which might lead to unauthorised use of the Services;
(d) Using the Services only according to the Service Agreement, Terms of Service and any other relevant document that may apply, including all laws and government regulations that apply to You;
(e) Ensuring appropriate security measures are in place at all times to monitor, control, and prevent fraud in compliance with Your regulatory requirements;
(f) Promptly notifying Us and Your relevant regulatory authority of any security breach, misuse, irregularity, suspected fraudulent transaction, or suspicious activities that may be connected with attempts to commit fraud or other illegal activity through Your use of the Services; and
(g) Immediately notifying Us of any act, omission, or error which may adversely affect Your ability to perform Your obligations under the Contract or cause loss or damage to Oradian.

2. Services Usage Restrictions

You shall not:

(a) Make (or permit to be made) the Services available to, or use the Services for the benefit of any person or entity aside from Your Authorised Users;
(b) Sell, resell, license, sublicense, distribute, rent or lease the Services, or include the Services in a service bureau or outsourcing offering;
(c) Use the Services to store or transmit infringing, libellous, or otherwise unlawful material, or store or transmit material in violation of third-party privacy rights;
(d) Use the Services to store or transmit Malicious Code;
(e) Interfere with or disrupt the integrity or performance of the Services or third-party data contained within;
(f) Attempt to gain unauthorised access to the Services, its related systems and/or networks;
(g) Permit direct or indirect access to or use of the Services or content therein in a way that circumvents a contractual usage limit;
(h) Copy the Services or any part thereof, feature, function or user interface;
(i) Frame or mirror the Services or any part thereof, other than framing on Your own intranet or for Your own internal business purposes, or as permitted under the Contract;
(j) Access the Services to build a competitive product or service;
(k) Reverse engineer the Services; and
(l) Use the Services for illegal activities including but not limited to fraud, money laundering, tax evasion or any other such illegal activity which is prohibited by the laws of the country where You and Your Customers operate and/or have an established business.

D. Accountability and responsibility of the Parties in case of error, omission, fraud and breach of contract

1.1 In complying with Your local regulatory requirements, it is Your responsibility to ensure that:

(a) Appropriate security measures to monitor, control and prevent fraud are in place;
(b) To promptly notify Us and Your relevant regulatory authority of any security breach, misuse, irregularity, suspected fraudulent transaction or suspicious activities that may be connected with attempts to commit fraud or other illegal activity through the use of Our Services;
(c) Immediately send notification to Us if You become aware of any act, omission or error which may adversely affect Your ability to perform Your obligations under this Service Agreement or cause loss or damage to Oradian and/or Your Customers; and
(d) To provide immediate notice of any unauthorised third-party use of the Services and/or any event which might lead to unauthorised use of Our Services.

1.2 You will not in any manner use Our Services for the purpose of carrying out any activities which are considered illegal or unlawful under either the laws governing You or Oradian, including, but not limited to, fraud, money laundering, human trafficking and/or tax evasion. If We have reasonable belief that Our Services are being used to carry out illegal or unlawful activities, We will immediately suspend the provision of Our Services to You without prior written notification.

1.3 Oradian will report any identified incidents and/or problems, including but not limited to errors and omissions, security breach, misuse, irregularity, or fraud that may occur and affect the provision of Our Services to You, unless We are legally obliged not to report an incident of fraud that may be connected to You.

1.4 Except as otherwise set forth in the Contract, neither Party will be liable for immaterial breaches, provided that such breaches to the Contract are corrected following discovery thereof.

1.5 Upon the discovery of an inadvertent error, omission or breach by either Party, appropriate adjustments shall be made as soon as practicably possible to restore the Parties, to the fullest extent possible, to the position they would have been in if no such inadvertent error or omission had occurred.

1.6 Notifications of any errors, omissions and/or breaches to the Contract relating to the provision of Services shall be sent in English Writing in accordance with Section Q1 (Notices) of the Terms of Service.

E. Change of ownership and assignment

1.1 Subject to clause 1.2 below, the Parties may not assign any of their rights or obligations under the Contract whether by operation of law or otherwise, without the other Party’s prior written consent which shall not be unreasonably withheld.

1.2 A Party may assign the Contract in its entirety without the other Party’s consent where such assignment is made in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of the Party’s assets PROVIDED THAT such assignment is made to:

(a) a corporate related party which includes an entity that directly or indirectly controls, is under common control with, or is controlled by such Party; and/or

(b) an entity that has entered into a Sale and Purchase Agreement to acquire all or substantially all of the assets of such Party and such assignment does not change and/or adversely affect the terms of the Contract including but not limited to security standards, data protection and service levels.

1.3 Subject to the foregoing, this Contract will bind and inure to the benefit of the Parties, their respective successors and permitted assigns.

F. Our personnel

1.1 We are responsible for the performance of Our personnel (including Our employees and contractors) and their compliance with Our obligations under the Contract, except as otherwise specified. Nothing under these Terms of Service and the Service Agreement shall be construed to establish an employer-employee relationship between You and Our personnel.

1.2 The roles and responsibilities of Our personnel are defined under Section F of the Service Agreement.

G. Our Service Security

1.1 We will ensure the security and integrity of the Services as well as Your Data by complying with the following security measures:

(a) Secure communication between the Authorised User and the Services entry points by ensuring data is transmitted in encrypted form through HTTPS or other encrypted protocol;
(b) Ensure the availability of password protection for all Authorised User accounts;
(c) Use reasonable endeavours to ensure that the infrastructure hosting the Data is, at all times, physically located in secure data centres to enforce adequate security policies;
(d) Implement network security measures to restrict network access, including but not limited to, usage of firewalls, VLANs and VPNs;
(e) Implement multiple layer security policies to limit access to only those of Our employees who possess a legitimate business need for such access;
(f) Use intrusion prevention technologies to monitor and detect suspicious behaviour; and
(g) Continuously improve security of the Services and of its infrastructure.

1.2 We shall further ensure that all software and infrastructure related to Our Services are kept up to date by applying the latest available security patches and upgrades. We shall also ensure full segregation of Your Data so that each Customer is running inside an isolated environment where Your Data and can only communicate within its dedicated database as well as only respond to Your Authorised User requests.

1.3 A Party will notify the other Party, immediately upon discovery and without unreasonable delay, of any Security Breach involving any Confidential Data. The Party undergoing a Security Breach will use commercially reasonable efforts to contain such a breach and provide the other Party with a description of the Security Breach and the type of data that was the subject of the Security Breach. The Party undergoing the Security Breach agrees to take action at its own expense, to investigate the Security Breach, to take all commercially reasonable actions to identify, prevent, and mitigate the effects of any such Security Breach, and to carry out any recovery or other action necessary to remedy the Security Breach. Each Party must keep the Security Breach and information it receives about the other Party in connection with the Security Breach confidential and must not use or disclose that information without the prior written consent of the other Party except to the extent that it is required by Law.

1.4 A Security Breach, if not remedied within a reasonable time, that is, by no later than the date and time agreed between the Parties, will be construed as a material breach of Contract.

1.5 Subject to the Terms of Service, in the event that the breaching party fails to rectify its Security Breach within an agreed period of time, the non-breaching party shall be entitled to seek any possible remedy, including but not limited to claiming compensation for any loss or damage.

H. Disaster Recovery and Business Continuity

1.1 We shall ensure availability of Our Services by implementing procedures and policies for backup, high availability and disaster recovery, and by continuously improving those procedures and policies to minimise possible data loss and recovery times, including periodically validating such procedures.

1.2 Our Services offer a maximum recovery point objective (“RPO”) of 15 (fifteen) minutes and a recovery time objective (“RTO”) of 8 (eight) hours.

I. Non-Oradian Product and Service

1.1 Any acquisition by You of a Non-Oradian Product and Service and any exchange of data between You and the provider of a Non-Oradian Product or Service is solely between You and the provider of the Non-Oradian Product and Service. We neither warrant nor support any Non-Oradian Product and Service and shall not be held liable or responsible for any loss or damage to any persons, property or information arising from Your acquisition, maintenance or use of a Non-Oradian Product and Service.

1.2 In cases where We procure a product and/or service from a third-party service provider as part of our services to You, We guarantee that the service will be at all times fully licensed and/or legally authorised for the purposes for which it has been purchased. In instances where a service provider ceases to make available to Us usage of their application for whatever reason beyond Our control, Oradian shall in the first instance endeavour to rectify such position by engaging a suitable service provider to replace the original service provider. If Oradian is unable to find a suitable service provider to replace the original service provider, You will not be entitled to any refund, credit, or other compensation, unless the removal of the service materially decreases the functionality of the Services. In cases where a refund is determined, We will compensate You with the equivalent value of the decrease in functionality.

1.3 If You procure, install and/or enable a Non-Oradian Product and Service for use with Our Services, You will automatically grant Us permission to allow the provider of the Non-Oradian Product and Service to access Your Data as required for the interoperation between the Non-Oradian Product and Service with Our Services. We are not responsible for any disclosure, modification or deletion of Your Data resulting from use of a Non-Oradian Product and Service.

1.4 Subject to obtaining confirmation that Our duly appointed service providers are complying with the relevant data protection laws, You also hereby consent to Oradian sharing Your Data with Our service providers in cases where We procure a service from a third-party service provider as part of Our services to You.

1.5 The Services may contain features designed to interoperate with a Non-Oradian Product and Service. To use such features, You may be required to obtain the relevant authorisation from the provider of the Non-Oradian Product and Service as well as grant Us access to Your Non-Oradian Product and Service account(s). If the provider of the Non-Oradian Product and Service ceases to make its product and/or service available for interoperation with the Services on reasonable terms, We may cease providing the relevant service features without entitling You to any refund, credit, or other compensation.

1.6 We shall notify You if We are required by a licensor to remove a Non-Oradian Product and Service or receive information that the Non-Oradian Product and Service provided to You may violate the applicable law or any third-party rights. In such an event, You must promptly remove the Non-Oradian Product and Service from Your systems. If You do not take the required action accordingly, We may disable the applicable Non-Oradian Product and Service until the potential violation is resolved.

J. Fees and payment for services
1. Fees

1.1 The Service Agreement shall stipulate the Services to be provided and any work to be performed.

1.2 You will pay all fees specified in the Service Agreement. Fees are based on the Services purchased and/or Your actual usage. Our fees are non-cancellable and non-refundable to the extent permitted by law.

1.3 You may not disclose the pricing terms and fee agreed under the Contract to any third party without prior consent from Oradian. You will notify Us immediately upon becoming aware of any unauthorised disclosure by You of the pricing terms and fee agreed under the Contract to a third party and will provide Us with assistance in remedying such unauthorised disclosure to the third party.

2. Overdue charges

If any invoiced amount is not received by Us within 5 (five) Business Days of the invoice date, without limiting Our rights or remedies, outstanding fees may accrue late interest at the rate of 1% of the outstanding balance per month or 12% per annum of the outstanding balance. We may also amend future Subscription renewals and the Service Agreement to include payment terms shorter than those specified under Your current Service Agreement.

3. Suspension of service and acceleration

3.1 If payment for any amount or any fees due under the Service Agreement is overdue for 15 (fifteen) or more Business Days, We may, without limiting Our rights and remedies, accelerate Your overdue fees in that the amount becomes immediately due and payable and We may suspend Our Services to You until the outstanding amount is paid in full.

3.2 We will notify You at least 7 (seven) Business Days before We suspend Our Services in accordance with clause 3.1 above and You acknowledge that We are not obliged to continue providing the Services in such a case. It is in Our discretion to suspend Our Services to You or terminate the Service Agreement in accordance with Section P1.2 (Termination of Contract) of the Terms of Service.

3.3 You shall not, in any manner, use Our Services for the purpose of carrying out any activities which are considered illegal or unlawful under either of the laws governing You or Oradian including, but not limited to, fraud, money laundering, human trafficking, and/or tax evasion. In the event that Oradian has reasonable belief that the Services are being used to carry out illegal or unlawful activities, We will immediately suspend the provision of the Services to You without prior written notification.

3.4 During the period of suspension, You will continue to have access to Your Data and You retain Your right to remove and/or extract Your Data, except in cases of suspension based on Section K3.3 (Suspension of service and acceleration) of the Terms of Service, or when Oradian is mandated or compelled by law, rules and regulations to restrict Your access to Your Data and the Services, or upon an order of a competent court or government entity to limit Your access and Your statutory right over Your Data.

4. Payment disputes

We may elect not to exercise Our rights under Section J2 (Overdue charges) or Section J3 (Suspension of service and acceleration) of the Terms of Service if in Our opinion You are disputing the applicable fees reasonably and are cooperating diligently to resolve the dispute.

K. Proprietary rights
1. Reservation of rights

1.1 Subject to the limited rights stated under these Terms of Service, We and Our licensors reserve all rights, titles and interest in and to all the software used for the purposes of Your Subscription Services, including training material, documents shared with You to assist You with the use of the Services. No rights, titles and interests are granted to You under the Contract.

1.2 We own the Services including its source code and We and/or Our contractors own the hardware and software infrastructure which the Services run on. We own all documentation including but not limited to infrastructure documentation and procedures documentation used to maintain the Services.

1.3 You own Your Data that is inputted into the Services. You may at any time request the export or removal of parts of or all Your Data within thirty (30) days of Your written request to Us.

2. Consent by You to host Your data and applications

2.1 You grant Us and Our Affiliates a worldwide, limited-term access to host, copy, transmit and display Your Data, any Non-Oradian Product and Service and program code created by or (in the case of any Non-Oradian Product and Service) for You as necessary for the purposes of rendering the Services. Accordingly, You warrant that Your Data has been collected in accordance with the applicable laws, rules and regulations, prior consent has been secured and appropriate notice has been given to data subjects on the extent and purpose of the data sharing between You and Oradian, and all requirements for data sharing under the applicable laws are complied with.

2.2 We acquire no right, title or interest from You or Your licensors under the Contract to Your Data of any Non-Oradian Product or Service.

2.3 You grant Us and Our Affiliates free worldwide, perpetual, irrevocable consent to incorporate any suggestions, enhancement requests, recommendations, corrections and feedback provided by You in relation to the Services.

L. Confidentiality
1. Definition of confidential information

1.1 Your Confidential Information includes Your Data.

1.2 Receiving Party means a party when it receives Confidential Information, directly or indirectly, from the other party and Disclosing Party means a party when it discloses its Confidential Information, directly or indirectly, to the other party.

1.3 Our Confidential Information includes:

(a) Our Services;
(b) Terms of Service and applicable Service Agreements and all other referenced contractual documents including pricing;
(c) Business and marketing plans;
(d) Technology and technical information;
(e) Product plans and designs; and
(f) Business processes.

1.4 Confidential Information does not include any information that:

(a) Is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party;
(b) Was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party;
(c) Is received from a third party without breach of any obligation owed to the Disclosing Party; and
(d) Was independently developed by the Receiving Party.

2. Protection of confidential information

2.1 The Receiving Party will use reasonable care to protect the Disclosing Party’s Confidential Information and to only use the Disclosing Party’s Confidential Information within the scope of the Contract.

2.2 Except as otherwise authorised by the Disclosing Party in writing, access to Confidential Information of the Disclosing Party shall be limited to the Receiving Party, its Affiliates’ employees and contractors who need access to the Confidential Information for purposes of meeting their obligations under the Contract.

3. Compelled disclosure

The Receiving Party may disclose Confidential Information of the Disclosing Party to the extent compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to that Confidential Information.

4. Parties Consent to use each other’s trademarks.

The Parties hereby grant each other the right to use and display each other’s name and logo (“Trademarks”), as well as share and post articles, photos, videos and advertisements related to the Services for promotional means on their respective websites, social media platforms and other promotional material. Any usage of Trademarks and other promotional material and articles may be subject to the proprietor Party’s guidelines as may be provided from time to time. The Parties may also notify each other by email to discontinue the use of each other’s Trademarks with immediate effect. Neither Party shall use the other Party’s Trademarks in any manner that will disparage, harm or otherwise damage the other Party’s goodwill in its Trademarks. The Party using the Trademarks or sharing any social media articles related to the Services shall not, at any time, misuse the same or misrepresent itself as an affiliate or other legal agent of the Party whose Trademarks are being used. Any rights relating to the usage of Trademarks or sharing of social media articles related to the Services shall be immediately discontinued in the event that the Contract between the Parties is terminated.

M. Representations, warranties, exclusive remedies and disclaimers

1. Representations

The Parties represent that they are validly entering and agreeing to the Contract with legal power to do so.

2. Our warranties

Oradian warrants that:

(a) The Contract and any other relevant document that relates to Our Services accurately describe the applicable administrative, physical, and technical safeguards to protect the security, confidentiality and integrity of Your Data;
(b) We will not materially decrease the overall security of the Services;
(c) Subject to any unforeseen circumstances which are beyond Our control, the functionality of the Services will not materially decrease;
(d) The Services will not introduce Malicious Code into Your systems.

In case of a breach of the said warranties, Your exclusive remedies under the Contract are those described under Section P1 (Termination of Contract) and Section P2 (Refund of Payment upon termination) of the Terms of Service.

3. Disclaimers

Except as expressly provided in this Terms of Service, neither party makes any warranty of any kind, whether the warranty is express, implied, statutory or otherwise stated. Each party disclaims all implied warranties, including any implied warranties of merchantability, fitness for a particular purpose or non-infringement to the maximum extent permitted by law. Beta services are provided “as is” and are exclusive of any warranties. Each party disclaims all liability and indemnification obligations for any harm or damages caused by any third-party providers.

N. Mutual indemnification

1. Indemnification by Us

1.1 We will defend You against any claim, demand, suit or proceeding made or brought against You by a third party alleging that the use of the Services infringes or misappropriates their third-party rights to intellectual property (“Third-Party Rights Claim”). We will indemnify You from any damages, attorney fees and costs awarded against You as a result of the Third-Party Rights Claim and/or for amounts that You may have had to pay under a court-approved settlement in relation to a Third-Party Rights Claim, provided that You:

(a) Promptly give Us written notice of the Third-Party Rights Claim;
(b) Give Us sole control of the defence and settlement of the Third-Party Rights Claim, except in cases where settlement of the Third-Party Rights Claim does not release You of all liability; and
(c) Provide Us with reasonable assistance at Our expense.

1.2 If We receive information in relation to an infringement or misappropriation claim related to the Services, We may in Our discretion and at no cost to You:

(a) Modify the Services so that they no longer infringe or misappropriate, without breaching Our warranties detailed under Section M2 (Our warranties) of the Terms of Service;
(b) Obtain a license for Your continued use of the Services; and
(c) Terminate Your subscriptions of the Services upon thirty (30) days’ written notice and refund You any prepaid fees covering the remainder of the Subscription Term.
(d) The above defence and indemnification obligations do not apply to the extent that a claim is made against You in relation to a subscription or use of a Non-Oradian Product and Service that You purchased directly, or Your breach of the Contract.

2. Indemnification by You

You will defend Us against any claim, demand, suit or proceeding made or brought against Us by a third party alleging that Your Data, or Your use of the Services is in breach of the Contract, infringes or misappropriates such third party’s intellectual property rights or violates the applicable law (a “Third-Party Claim Against Us”), and You will indemnify Us from any damages, attorney fees and costs finally awarded against Us as a result of, or for any amounts paid by Us under a court-approved settlement of, a Third-Party Claim Against Us, provided We:

(a) Promptly give You written notice of the Third-Party Claim Against Us;
(b) Give You sole control of the defence and settlement of the Third-Party Claim Against Us except in cases where settlement does not unconditionally release Us of all liability; and
(c) Provide You all reasonable assistance at Your expense.

O. Limitation of liability

1. Limitation of liability

1.1 Neither Party’s liability with respect to any single incident arising out of or related to the Contract will exceed the amount You pay within the 12 (twelve) months preceding the incident, provided that neither Party’s aggregate liability for all claims, losses, damages and costs incurred or suffered out of or related to the Contract exceeds the total amount You paid. The foregoing limitations apply to the maximum extent permitted by law, whether an action is in contract or tort and regardless of the theory of liability. The above limitations will not limit Your payment obligations under Section J (Fees and payment for services) of the Terms of Service.

1.2 Nothing in this agreement limits any liability which cannot legally be limited, including but not limited to liability for:

(a)   death or personal injury caused by negligence;

(b)   fraud or fraudulent misrepresentation.

2. Exclusion of consequential and related damages

To the maximum extent permitted by the law, in no event will either Party have any liability to the other Party for any lost profits, revenues or indirect, special, incidental, consequential, cover or punitive damages, whether an action is in contract or tort and regardless of the theory of liability, even if a Party has been advised of the possibility of such damages.

P. Term and termination

1. Termination of Contract

1.1 Either Party may terminate the Contract for cause:

(a) Upon 30 (thirty) days written notice to the other Party of a material breach, if such breach remains unresolved at the expiration of such period; and
(b) If the other Party must file a petition for bankruptcy or any other proceeding relating to insolvency, receivership, liquidation or assignment for the benefit of creditors.

1.2 Oradian may terminate the Contract by providing 10 (ten) Business Days written notice to You in case of late payment of any outstanding invoice issued to You. In such cases the Contract will terminate with the expiration of the notice period unless the full outstanding payment is paid by You and received by Oradian before the expiry of the notice period.

1.3 You may terminate the Contract in accordance with clause 1.1 above. In such cases the Contract will terminate with the expiration of the notice period unless there are no outstanding payments due to Us and in which case, We may agree to terminate the Contract prior to the expiration of the notice period.

1.4 The Parties will not be considered in breach nor incur any liability to the other Party for any losses or damages of any nature whatsoever incurred or suffered by that other Party if and to the extent that the performance of their respective obligations, excluding payment obligations, is prevented by an event of Force Majeure that arises during the Subscription Term.

1.5 An event of “Force Majeure” shall mean an event beyond the control of the Party, which prevents it from complying with any of its obligations under the Contract including but not limited to: acts of government or sovereignty; hostilities; war (whether declared or not); invasion; act of foreign enemies; embargo; rebellion; revolution; insurrection, or military or usurped power; riot; civil commotion; labour strike/dispute; slowdown; sabotage; pandemic; epidemic; other disturbances; flood; Acts of God; non-performance by suppliers or subcontractors due to an event of Force Majeure (other than by companies in the same group as the party seeking to rely on this clause); or any other causes and more generally any other circumstances or situation whether similar or different which is reasonably beyond the control of the Party claiming Force Majeure.

1.6 The Party affected by Force Majeure (“Affected Party”) shall give notice to the other Party in writing within 2 (two) Business Days from the time of the occurrence of the Force Majeure.

1.7 Provided the Affected Party has complied with clause 1.6 above, if a party is prevented, hindered or delayed in or from performing its obligations under this agreement by a Force Majeure event, the Affected Party shall not be in breach of this agreement or otherwise liable for any such failure or delay in the performance of such obligations. The time for performance of such obligations shall be extended accordingly.

1.8 If an event of Force Majeure prevents, hinders or delays the Affected Party’s performance of its obligations for a continuous period of more than ten (10) Business Days, the Party not affected by the Force Majeure event may terminate this agreement by giving written notice to the Affected Party.

2. Refund of payment upon termination

If the Contract is terminated by You in accordance with Section P1 (Termination of Contract) of the Terms of Service, We will not refund any prepaid fees except in circumstances where it has been determined that Oradian has committed a material breach. If the Contract is terminated by Us in accordance with Section P1 (Termination of Contract) of the Terms of Service, You will pay any unpaid fees covering the Subscription Term. No event (save an event of Force Majeure), including terminating the Contract with cause will relieve You of Your obligation to pay any outstanding Subscription Fees payable to Us.

3. Your data portability and deletion

Upon termination of the Contract, We will make Your Data available to You for export or download within 30 (thirty) days after the Contract is terminated or expired provided that all Your fees payable to Us are paid in full. After the 30 (thirty) days following Your Contract’s termination or expiration, We are not obliged to maintain or provide Your Data unless there is a dispute as to the fees payable by You, in which case We shall be obliged to maintain Your Data until the dispute is resolved. We will delete or destroy all copies of Your Data stored in Our systems or otherwise in Our possession or control, unless legally prohibited or there is an unresolved dispute between the Parties. Upon request, Oradian shall issue a certificate confirming that Your Data has been deleted.

4. Surviving Provisions

Section J (Fees and Payment for Services), Section K (Proprietary rights), Section L (Confidentiality), Section M (Representations, warranties, exclusive remedies and disclaimers), Section N (Mutual Indemnification), Section O (Limitation of liability), Section P2 (Refund of Payment upon termination), Section P3 (Your data portability and deletion), Section Q (Governing law jurisdiction, notices) and Section R (General provisions) of the Terms of Service will survive any termination or expiration of the Contract.

Q. Governing law, jurisdiction, notices

1. Notices

Any notice or other communication to be given or made hereunder shall be in English and made in writing (which for the avoidance of doubt includes email or letter).

Notices to Oradian must be addressed and sent to the Oradian Customer Success Manager via e-mail to the corresponding contact details specified under section F (Key Roles) of the Service Agreement.

Notices to You shall be addressed and sent to the appointed Customer Representative via e-mail to the corresponding contact details specified under the Service Agreement.

All notices shall be deemed to have been delivered on the first Business Day after sending by e-mail.

In the cases where a Security and/or data breach has been determined notices are to be submitted to each Party’s Legal and Compliance manager and/or Data Protection Officer as specified under section F (Key Roles) of the Service Agreement.

2. Governing Law

The Contract shall be governed by, and construed in accordance with, the laws of England. The courts of England shall have exclusive jurisdiction to settle any dispute or claim that arises out of, or in connection with the Contract.

The Parties agree to the applicable governing law above without regard to conflicts of law rules, and to the exclusive jurisdiction of the applicable courts above.

R. General provisions

1. Anti-corruption

By accepting the Terms of Service You confirm that You have not received, been offered and/or will accept any illegal or improper bribe, kickback, payment, gift, or thing of value from any of Our employees or agents in connection with the Contract. Reasonable gifts and entertainment provided in the ordinary course of business do not form part of the above restriction. If You learn of any violation of the above restriction, You will use reasonable efforts to promptly notify Our legal department at legal@oradian.com.

2. Contract and order of precedence

2.1 Subject to section B1 (Services) of the Terms of Service, the Terms of Service supersedes all prior and current agreements, proposals or representations, written or oral, concerning its subject matter.

2.2 We have the right to modify and amend the Terms of Service from time to time and the most current version will be posted on Oradian’s website and/or sent to You by email. If an amendment is material, as determined in Oradian’s reasonable discretion, We will notify You by email 30 (thirty) days in advance of any material change being effected. Except in the case of an amendment being made to satisfy legal requirement We will provide You with advance notice of material amendments.

2.3 If an amendment has a material adverse impact on the data privacy or security of Your Data and You do not agree to the amendment You may terminate the Contract by notifying Us within 30 (thirty) days of receiving notice of the amendment or date of publication of the updated version (otherwise, You will have been deemed to have consented to the amendment).

2.4 The terms and conditions of the updated version of the Terms of Service shall apply to all existing Service Agreements following the date of publication of the updated version.

2.5 Any changes made to the Service Agreement must be in writing and signed by both Parties. The Service Agreement shall take precedence in cases of a conflict or inconsistency between the Service Agreement and the Terms of Service.

3. Relationship of the parties

The Parties are independent contractors. The Contract does not create a partnership, franchise, joint venture, agency, fiduciary or employment relationship between the Parties.

4. Third-party beneficiaries

This Contract is entered into solely between and may only be enforced by the Customer and Oradian, and, subject to section N (Mutual indemnification), and section O (Limitations of liability) hereof, this Contract will not be deemed to create any rights in third parties, or to create any obligations of a Party to any such third parties.

5. Waiver

No failure or delay by a Party to exercise any right or remedy provided under this agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

6. Severability

6.1 If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of the Contract.

6.2 If any provision or part-provision of the Contract is deemed deleted under clause 6.1 above, the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

7. Attorney fees

You will pay on demand all of Our reasonable attorney fees and other costs incurred by Us to collect any fees or charges due to Us under the Contract following Your breach of Section J (Fees and payment for services).

8. Data Privacy and Protection

Our Services include processing of personal data on behalf of and in accordance with Your instructions. Your Data is processed in accordance with the EU General Data Protection Regulation 2016/679 and other applicable laws.

By signing the Service Agreement You are agreeing and providing consent for Us to process Your Data and those of Your clients in accordance with the Data Processing Agreement included under Appendix 1 herein for the purposes of providing the Services.

You also confirm that You have obtained the necessary consent from Your clients, the data subjects to share their personal data with Us for the purposes of procuring the Services for which you have engaged Us.

Appendix 1: Data Processing Agreement

Background

(A) This Data Processing Agreement (“DPA”) forms part of the Contract, namely the Service Agreement and its Terms of Service (“the Contract”) made between the Customer and Oradian (“Provider”).
(B) This DPA sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Contract. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

Operative Provisions

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

1.1 Definitions:
Authorised Persons: the Data Protection Officers as defined in the Service Agreement;
Business Purposes: the services to be provided by the Provider to the Customer as described in the Contract.
Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018);
Controller, Processor, Data Subject, Personal Data, Personal Data Breach and Processing: have the meanings given to them in the Data Protection Legislation;
Data Protection Legislation:
(a) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of personal data.
(b) To the extent applicable any other data protection legislation that the Customer or Provider is subject to.
EU GDPR: the General Data Protection Regulation ((EU) 2017/679);
EEA: the European Economic Area;
Records: has the meaning given to it in Clause 12.
DPA Term: this Agreement’s term as defined in Clause 10.1.
UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.
1.2 This Agreement is subject to the terms of the Contract and is incorporated into the Contract. Interpretations and defined terms set forth in the Contract apply to the interpretation of this Agreement.
1.3 A reference to writing or written includes faxes and email.

1. Personal data types and processing purposes

1.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:
(a) the Customer is the Controller and the Provider is the Processor.
(b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.

2. Provider’s obligations

2.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation.
2.2 The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.
2.3 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.
2.4 The Provider will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.
2.5 The Provider must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider’s performance of the Contract or this Agreement.

3. Provider’s employees

3.1 The Provider will ensure that all of its employees:
(a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
(b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
(c) are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

4. Security

4.1 The Provider must at all times implement reasonable appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data.
4.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
(d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

5. Personal data breach

5.1 The Provider will within 48 (forty-eight) hours and in any event without undue delay notify the Customer in writing if it becomes aware of:
(a) the loss, unintended destruction or damage, corruption, or non-usability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible.
(b) any accidental, unauthorised or unlawful processing of the Personal Data; or
(c) any Personal Data Breach.
5.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information:
(a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
(b) the likely consequences; and
(c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.
5.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the Parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer’s handling of the matter, including but not limited to:
(a) assisting with any investigation;
(b) providing the Customer with physical access to any facilities and operations affected;
(c) facilitating interviews with the Provider’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
(d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
(e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.
5.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic or EU law.
5.5 The Provider agrees that the Customer has the sole right to determine:
(a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
(b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
5.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under clause 6.1 to clause 6.3 unless the matter arose from the Customer’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.
5.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in clause 6.5.

6. Cross-border transfers of personal data

6.1 The Provider (and any subcontractor) may only transfer, process or permit the processing of Personal Data outside the UK or the EEA if the transfer and/or processing complies with at least one of the following conditions:
(a) the Provider is processing the Personal Data in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals. The Provider has identified in Annex A the territory that is subject to such adequacy regulations;
(b) the Provider participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Provider (and, where appropriate, the Customer) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and/or EU GDPR. The Provider has identified in Annex A the transfer mechanism that enables the parties to comply with these cross-border data transfer provisions and the Provider must immediately inform the Customer of any change to that status; or
(c) the transfer otherwise complies with the Data Protection Legislation for the reasons set out in Annex A.

7. Subcontractors

7.1 The Provider may not authorise any third party or subcontractor to process the Personal Data.
7.2 The Provider may only authorise a third-party (subcontractor) to process the Personal Data if:
(a) the Customer is provided with an opportunity to object to the appointment of each subcontractor within 3 (three) working days after the Provider supplies the Customer with full details in writing regarding such subcontractor;
(b) the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer’s written request, provides the Customer with copies of the relevant excerpts from such contracts;
(c) the Provider maintains control over all of the Personal Data it entrusts to the subcontractor; and
(d) the subcontractor’s contract terminates automatically on termination of this Agreement for any reason.
7.3 Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this Agreement, the Provider remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.
7.4 The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors.
8.Complaints, data subject requests and third-party rights

8.1 The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:
(a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
(b) information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.
8.2 The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
8.3 The Provider must notify the Customer within 5 (five) days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.
8.4 The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
8.5 The Provider must not disclose the Personal Data to any Data Subject or to a third party other than in accordance with the Customer’s written instructions, or as required by domestic or EU law.

9. Term and termination

9.1 This Agreement will remain in full force and effect so long as the Contract remains in effect.
9.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Contract in order to protect the Personal Data will remain in full force and effect.
9.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Contract obligations, the Parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the Parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 (thirty) days, either party may terminate the Contract on not less than 30 (thirty) working days’ written notice to the other Party.

10. Data return and destruction

10.1 At the Customer’s request, the Provider will give the Customer, or a third party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
10.2 If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11. Records

11.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in clause 5.1 (“Records”).
11.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Agreement and the Data Protection Legislation and the Provider will provide the Customer with copies of the Records upon request.

12. Audit

12.1 On the Customer’s written request, the Provider will make all of the relevant audit reports available to the Customer for review, including, as applicable, Statement on Standards for Attestation Engagements No. 16 audit reports for Reporting on Controls at a Service Organisation and reports relating to its ISO/IEC 27001 certification. The Customer will treat such audit reports as the Provider’s confidential information under the Contract.
12.2 The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

13. Warranties

The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

ANNEX A

ORADIAN APPOINTED SUB-PROCESSORS

(A) CORE SUBSCRIPTION SERVICES

Personal Data Processing Purposes and Details

• Subject matter of processing: Oradian provides software as a service.
• Duration of Processing: for the duration of the customer subscription agreement.
• Nature of Processing: data hosting and processing of personal data and financial data.
• Business Purposes: delivery of software subscription services in accordance with customer subscription agreements.
• Personal Data Categories: names, bank account number, loan, and loan deposit details. The precise Personal Data is determined and controlled by the Customer.
• Data Subject Types: Customers and their end-clients.
• Authorised Persons: Customer Support Team for the legitimate purpose of providing customer support services as stipulated in the customer service agreement.

Cloud Service Providers (Sub-processors) for Customers located in Africa:

Amazon Web Services Private Limited

Amazon Web Services EMEA SARL

38 Avenue John F. Kennedy,

L-1855, Luxembourg

Special Categories of Personal Data

The Provider does not intentionally collect or process any special categories of Personal Data unless the Customer includes such types of data that are uploaded or submitted to the Provider while using the services.

(B) ORADIAN NOTIFIER SERVICES

Personal Data Processing Purposes and Details

• Subject matter of processing: Oradian provides software as a service.
• Duration of Processing: for the duration of the customer subscription agreement.
• Nature of Processing: processing of personal data and financial data for the purposes of providing messaging/bank notification services.
• Business Purposes: delivery of messaging services in accordance with customer subscription agreements.
• Personal Data Categories: Receiver/Sender contact data (MSISDN, land phone number, e-mail address), and communications content (e.g. message text, voice, files or other media content).
• The precise Personal Data is determined and controlled by the Customer.
• Authorised Persons: Customer Support Team for the legitimate purpose of providing customer support services as stipulated in the customer service agreement.

Messaging service provider (sub-processor) details for Customers located in Africa:

Infobip Nigeria Limited

Close Off Ahmadu Bello Way

Victoria Island

Lagos

Nigeria

Special Categories of Personal Data

The Provider does not intentionally collect or process any special categories of Personal Data unless the Customer includes such types of data that are uploaded or submitted to the Provider while using the services.
