Terms of Service

1. Provision of Services

1.1 Terms governing our services

These terms, together with your Order Form as updated from time to time, set out the basis on which the Vendor shall provide you with services. The most up‑to‑date terms will always be available on the Vendor’s website (https://binderr.com/terms-of-service). You agree to be bound by the terms available on the Vendor website.

In the event of a conflict between these terms and your Order Form (as updated from time to time), these terms shall prevail.

1.2 Effective date

These terms are effective as of the date you first click “I agree” (or a similar button or checkbox) or use or access the services. These terms do not need to be signed to be binding. You indicate your agreement by clicking “I agree” (or a similar button or checkbox) when you complete your Order Form.

2. Financial

2.1 Fees

You will compensate the Vendor for the services at the rates detailed in the Order Form.Fees are variable, and the Vendor will inform you of any changes from the initial fees documented in your Order Form.

2.2 Subscription term and renewals

The Vendor provides services on a subscription basis for a term or duration recorded in the Order Form.Except as otherwise specified in the Order Form, unless either party cancels in accordance with these terms prior to expiration of the subscription term, your term will automatically renew for another period equal to your initial term. As noted above, fees may increase and you will be informed of the new fees.

2.3 Invoices

Invoices are payable in the currency indicated in the Order Form within 30 days of the invoice date. We reserve the right to charge interest at the highest amount permitted by law (currently 8%) on amounts outstanding for more than 30 days.

We may stop providing services to you where an invoice is not paid within 30 days of the invoice date, without prejudice to our right to recover due amounts, however we will seek to discuss this with you before stopping provision of services.

Payment must only be made to the bank account printed on our invoice. Any communication received by you seeking to redirect such a payment is likely to be fraudulent. Please contact us immediately if you receive any such communication, and only using the telephone number on which you usually contact us (not any number contained in the suspect communication).

3. Confidentiality and Data

3.1 Your data

Your signed Order Form and these terms constitute your instruction to the Vendor to process your customer data in connection with the services. Data processing shall be regulated in accordance with the Data Processing Agreement (the “DPA”) in the Appendix.

In addition to processing your customer data, you acknowledge and agree that we will also collect certain data and information about you and your End Users in connection with your use of the services and otherwise in connection with these terms.

Strictly anonymised data may be used to develop and improve our services. We use analytics techniques to better understand how our services are used.

3.2 Data ownership and access rights

All data uploaded, stored, or processed within the Binderr platform, whether personal or business, remains your sole property. Binderr acts solely as a data processor and custodian.

Upon termination of services, you retain the right to export, retrieve, or request deletion of all data stored within your account.
Binderr does not access, reuse, or disclose your business data for any purpose other than providing the contracted services.
All data is securely deleted from Binderr’s systems within 30 days of account closure, unless retention is required by law or explicitly requested by you for extended access.
You retain all right, title and interest in and to your data in the form submitted to the services. Subject to these terms, and solely to the extent necessary to provide the services to you, you grant us a worldwide, limited‑term license to access, use, process, copy, distribute, perform, export, and display your data. To the extent that reformatting your data for display constitutes a modification or derivative work, the foregoing license also includes the right to make such modifications and derivative works. We may also access your accounts, End User accounts, and your services with End User permission to respond to support requests.

3.3 Your data obligations

You and your use of the services (including by your End Users) must comply at all times with these terms and all laws. You represent and warrant that:

You have obtained all necessary rights, releases and permissions to submit all your data to the Vendor and to grant the rights granted in these terms; and
Your data and its submission and use as authorised in these terms will not violate (1) any laws, (2) any third‑party intellectual property, privacy, publicity or other rights, or (3) any of your or third‑party policies or terms governing your data. Other than our express obligations under Section 3 (our security and data privacy policies), we assume no responsibility or liability for your data, and you are solely responsible for your data and the consequences of submitting and using it with the services.You will defend, indemnify and hold harmless us (and our affiliates, officers, directors, agents and employees) from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable legal fees and costs) resulting from any claim arising from or related to:

A. Your breach of the agreed terms regarding End User consent or any claims or disputes brought by your End Users arising out of their use of the services; and

B. Your breach (or alleged breach) of your data obligations.

3.4 Your personal information

We are committed to protecting and respecting your privacy and we will only use your information in accordance with:

Regulation (EU) 2016/679 (GDPR);
Chapter 586 of the Laws of Malta (Data Protection Act);
The UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003; and
all other applicable data protection and privacy laws as may apply in the EU from time to time, each as amended or superseded.

Our Privacy Notice explains the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read it carefully to understand our practices regarding your personal data and how we will treat it. A copy is in the Appendix. You will be notified of any significant updates.

3.5 Confidentiality

Confidentiality of your services will be maintained except:

where we are compelled by law or regulation to disclose information
where we are subject to a duty to the public to disclose;
where our interests reasonably require disclosure;
where we use third‑party IT providers to deliver our services (in each case under appropriate confidentiality arrangements and/or, where practicable, anonymised);
where disclosure is made with your consent or at your request, including to third‑party providers acting as your agents; and/or
within the Vendor Group.

In all such cases, we shall reveal only such information as is considered necessary and you consent to the disclosure.

3.6 Data loss

Where you ask us to use particular communication apps or social media, hosting, data processing and document storage/sharing technology of your choice rather than ours, you will be liable for any consequences of such use, including fines, financial loss, data loss or breach of confidentiality undertakings you may have given to another party.

3.7 Security and certifications

We implement and maintain physical, technical and administrative security measures designed to protect your data from unauthorised access, destruction, use, modification, or disclosure. These measures include, without limitation, encryption of data at rest and in transit, regular security audits, access controls, and employee training. We also maintain a compliance program that includes independent third‑party audits and certifications.

4. Our Services - Administration

4.1 Administrators

You may be able to specify certain End Users as Administrators, who will have important rights and controls over your use of the services and End User accounts, including taking actions that may incur additional fees; creating, de‑provisioning, monitoring or modifying End User accounts; setting End User permissions; and managing access to your data. You are responsible for whom you allow to become Administrators and any actions they take. Our responsibilities do not extend to the internal management or administration of your access to the services.

4.2 End User consent

You are responsible for providing all required disclosures to, and obtaining and maintaining all required consents from, End Users to allow:

Administrators to have the access described in these terms; and,
The Vendor’s provision of services to your chosen Administrators and End Users. You will provide evidence of such consents upon reasonable request.

4.3 End User responsibility

Our services have various user onboarding flows. Some require users to be designated by Administrators; some allow users to sign up for individual accounts which can later become associated with teams or organisations; some may allow users to invite other users. You are responsible for understanding the settings and controls for each service you use and for controlling who may become an End User.

If payment is required for End Users to use or access the services, we are only required to provide the services to those End Users for whom you have paid the applicable fees, and only such End Users may access and use the services.

Some services may allow you to designate different End User types (e.g., with different access levels). Pricing and functionality may vary by End User type. You are responsible for compliance with these terms by all End Users, including any payment obligations.

You are responsible for the activities of all End Users, including all additional fees and how End Users use your data, even if those End Users are not from your organisation or domain.

4.4 End User security

You must require that all End Users keep their user IDs and passwords strictly confidential and do not share them with any unauthorised person. User IDs are granted to individual, named persons and may not be shared. You are responsible for any actions taken using End User accounts and passwords and agree to immediately notify us of any unauthorised use of which you become aware.

5. Our Services - General

5.1 Access

Subject to these terms and during the applicable term specified in your Order Form (as updated from time to time), you may access and use the services for your own business purposes in accordance with these terms, the applicable Order Form and, where applicable, Vendor documentation.

5.2 Support

During the service term specified in your Order Form, we will provide support for the services.

5.3 Restrictions

Except as otherwise expressly permitted, you will not:

reproduce, modify, adapt or create derivative works of the services;
rent, lease, distribute, sell, sublicense, transfer or provide access to the services to a third party or anyone not specified in the Order Form;
use the services for the benefit of any third party;
incorporate any of the services into a product or service you provide to a third party;
interfere with or circumvent mechanisms in the services intended to limit use;
reverse engineer, disassemble, decompile, translate or otherwise seek to obtain or derive source code, underlying ideas, algorithms, file formats or non‑public APIs to any of the services, except to the extent expressly permitted by law (and then only upon advance notice to us);
remove or obscure any proprietary or other notices;
use the services for competitive analysis or to build competitive products; or
encourage or assist any third party to do any of the foregoing.

5.4 Warranty disclaimer

The services, software and tools are provided “as is,” without warranties of any kind, whether express, implied or statutory, including without limitation any implied warranties of merchantability or fitness for a particular purpose. The Vendor does not warrant that the functions of the services or tools will meet your requirements or that the services will be error‑free or uninterrupted.

5.5 Reliance

The Vendor makes no warranties for services or information accessed by you through use of the services. Binderr provides tools to access information provided by third parties which may assist you in fulfilling your compliance obligations; however, the Vendor is not responsible for the reliability of any information provided by third parties and you are solely responsible for conclusions you reach through the use of the services. Information you access through the services is not updated in real time and, as such, accuracy may be affected. This is outside the Vendor’s control and responsibility.

6. Additional Services

Subject to these terms, you may purchase additional services that we will provide pursuant to the applicable Order. Additional services may be subject to additional policies and terms (including fees) as specified by us.

7. Raising Queries or Concerns

Please discuss any concerns about any aspect of our services with your Relationship Manager. We shall try to resolve any problem quickly through our internal complaints procedure, a copy of which is available on request.

8. Electronic Communication

Unless you instruct us otherwise, you expressly consent to our communicating with you by email.

8.1 General risks

There are inherent risks associated with communication by internet‑based systems (e.g., email, SMS and mobile apps). We deploy various means to prevent such cyber threats and regularly review them; however we assume no responsibility or liability for damages or costs incurred by you due to such occurrences.

Please ensure you have proper means of checking for viruses and other malware in any emails and attachments, especially those received from third parties. We will be entitled to regard any email address you provide as secure and to assume you consent to the associated risks.

8.2 Our emails to you

We cannot accept responsibility for the accuracy or completeness of the content of emails or any attachments once they have left our server (including any corruption or alteration that may occur after sending).

Most businesses have experienced a situation where a client or third‑party email account has been hacked, and a scam email is sent seeking to redirect a payment to a new account.

8.3 Unintended consequences

We may use software intended to filter unsolicited or undesirable emails and this may inadvertently reject legitimate emails from you. We cannot accept liability where emails do not reach their intended recipient because of such software.

9. Liability

You agree to bring any claim (including negligence) in connection with the services provided by the Vendor only against the company and not against any individuals or other Vendor Group entities. In the event that you pursue any officer or employee of the Vendor or of any Vendor Group entity, they will be entitled to rely on these terms.

Any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or invalidity thereof, shall be settled by arbitration, in accordance with Part IV (Domestic Arbitration) or Part V (International Arbitration) of the Malta Arbitration Act and the Arbitration Rules of the Malta Arbitration Centre as in force at the time of the claim. In other jurisdictions this will be under similar jurisdictional laws as applicable.

Our liability to you in relation to our services is subject to a limit of three (3) months’ fees applicable pursuant to your Order Form. That limit applies to any liabilities, losses, damages or costs.

Unless otherwise agreed in writing, we shall only ever be liable to you in relation to our services and not to any third party and no such third party will be entitled to enforce the terms of this agreement. We assume no liability for any act or omission attributable to another party.

We shall not be liable to you if we are unable to perform our services due to a cause beyond our reasonable control. In the event of any such occurrence affecting us, we shall notify you as soon as reasonably practicable.

10. Variation and Termination

No amendment, variation, rescission or termination of this agreement will require the consent of any person who is not a party to it.

You agree to enter into this Agreement for the Minimum Service Term which is always 12 months, and hence to pay the applicable minimum fees for that period, irrespective of early termination. Without prejudice and subject to the payment of the minimum fees, both you and the Vendor may terminate the provision of services at any time by written communication giving 30 days’ notice.

We may cease to provide services if you are in breach of our terms, there is a breakdown in our relationship, if continuing to act would cause us an issue in relation to any other services we may provide or have provided, or if you do not pay any invoice in accordance with these terms.

If our relationship is terminated, you will pay our fees incurred up to the date of termination. If you fail to pay our fees we will be entitled to charge interest at the judgment debt rate. Where we obtain a court order to compel payment of our fees together with interest, we will also be entitled to recover the costs of obtaining and enforcing such order.

In the event of termination for any reason, the terms of our agreement will remain in force regarding payments, confidentiality, data protection, liability and files/documents.

11. General

11.1 Applicable law and jurisdiction

These terms (including this paragraph) and our Order Form and any dispute or claim concerning them shall be governed by Maltese law excluding conflict of laws principles. By your agreement to these terms by clicking “I agree” (or similar) at the time you complete your Order Form, both we and you submit to the non‑exclusive jurisdiction of the Maltese Courts.

11.2 Elective arbitration

Notwithstanding clause 11.1, we may, at our sole option, elect in writing to have any dispute determined by arbitration. Any arbitration commenced in accordance with this clause will be subject to Part IV (Domestic Arbitration) of the Malta Arbitration Act, 1996 and the Arbitration Rules of the Malta Arbitration Centre in force at that time. The number of arbitrators shall be one.

11.3 Entire agreement

These terms and our Order Form constitute the entire agreement between the parties in relation to the services we provide. It replaces any earlier terms, representations or discussions.

11.4 Vendor Group

The following companies are wholly owned subsidiaries of Binderr Limited: Binderr Operations Limited and Binderr Mena Electronic Brokerage LLC.

12. Interpretation

If any provision of the agreement is held to be void, then that provision will be deemed not to form part of the agreement and the remaining provisions will continue in force.

In these terms, the following words and expressions have the meanings given below:

Administrator – the personnel of the specific entity specified in the Order Form designated by you who administer the Vendor’s services access to End Users on your behalf.
End User – an individual employed by the specific entity specified in the Order Form whom you permit or invite to use the Vendor’s services. You will control End User access by your appointed Administrator(s).
Minimum Service Term – the initial period of 12 months for which you agree to pay for the Vendor’s services.
Order Form – the Vendor form (as updated from time to time) signed by you recording the services you wish the Vendor to supply.
Vendor, we, us or our – the relevant Binderr entity as applicable by reference to the Order Form:

Binderr Limited, a company incorporated in Malta (number C‑96125), registered office: C1, Midland Micro Enterprise Park, Triq Burmarrad, Naxxar, NXR 6345, Malta.

Binderr Operations Limited, a company incorporated in Malta (number C‑107515), registered office: Ortigia, Tal Ferha, Limit ta’ Gharghur, GHR 1821, Malta.

Binderr Mena Electronic Brokerage LLC, a company incorporated in the UAE (number 2351664), registered office: The H Dubai Office Tower, Level 17, Sheikh Zayed Road, Dubai, United Arab Emirates.

Vendor Group – Binderr Limited and any of its affiliated entities or subsidiary undertakings from time to time.
You, your – the party or parties to these terms and the Order Form (excluding us).

Appendix 1 – Privacy Notice

1. The type of personal information we collect

name, address and date of birth;
passport and other identification documentation;
contact numbers and email addresses;
financial account details and asset ownership;
education and employment details;
family details including the names and ages of children;
communications (e.g., letters, emails and app exchanges);
open data and public records.

2. How we get the personal information and why we have it

Most personal information we process is provided by you in connection with our services under these terms. We also receive personal information indirectly, from companies and individuals that you introduce to us, or where you have requested they use the Vendor’s services.

We use the information to provide our services to you, including assisting you to fulfil your own policy requirements when onboarding clients.

all locations of the Vendor Group companies where appropriate;
authorities (e.g., central and local government, tax authorities, regulators including HM Revenue & Customs);
outside companies we work with to provide services to you (including those that store data required for AML/KYC identity verification);
outside companies we work with to run our business (agents, suppliers, sub‑contractors, advisers, credit reference agencies, fraud prevention agencies, etc.).

4. The lawful bases we rely on for processing

1. your consent (which you can withdraw by contacting your Relationship Manager);
2. contractual obligation;
3. legal obligation;
4. public task;
5. legitimate interests.
  
  Where applicable, if we transfer your personal data to a third country, we will only do so in line with our obligations under Chapter V of the GDPR or UK GDPR. Where the transfer is to a recipient in a country without an adequacy decision, we will rely on standard contractual clauses (with supplementary measures where appropriate) or an appropriate derogation.

5. How we store your personal information

Your information is securely stored. We will keep your personal information for as long as you are a client. After you stop being a client, we may keep your data for a period to:

maintain records to comply with legal and regulatory obligations; and
respond to questions or complaints.

We regularly review retention periods to ensure data is not kept longer than necessary.

6. Your data protection rights

Under data protection law, you have rights including:

right of access
right to rectification;
right to erasure (in certain circumstances);
right to restrict processing (in certain circumstances);
right to object (in certain circumstances);
right to data portability (in certain circumstances).

There are exemptions and restrictions that may apply to some or all of these rights.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond. Please contact your Relationship Manager.

7. How to complain

If you have any concerns about our use of your personal information, you can complain to us at Binderr Limited, Ortigia, Tal Ferha, Limit ta’ Gharghur, GHR 1821, Malta or email privacy@binderr.com.

You can also raise concerns with the Office of the Information and Data Protection Commissioner: https://idpc.org.mt/contact/

Appendix 2.1 – Data Processing Agreement

IntroductionYour signed Order Form and these Terms of Service constitute your instruction to the Vendor to process your customer data in connection with the services. This Data Processing Agreement ("DPA") regulates that processing. You and the Vendor agree that this DPA sets forth obligations with respect to the Processing of

Personal Data.

1. Definitions

(Controller, Data Importer, Data Exporter, Data Protection Legislation, Data Subject, European Data Protection Legislation, GDPR, Non‑European Data Protection Legislation, Personal Data, Processing, Processor, Pseudonymisation, Standard Contractual Clauses, Sub‑Processor, Supervisory Authority, UK GDPR) — as set out in the original text, unchanged for legal accuracy.

2. Roles & scope

This DPA applies to the Processing of your Personal Data by the Vendor pursuant to the Terms of Service and your Order Form. You are the Controller (except where you act as a Processor or Sub‑Processor, in which case the Vendor acts as your Sub‑Processor). Nothing alters the Vendor’s role as a Processor with respect to you. This DPA does not limit any data protection commitments in the Terms of Service. You acknowledge the Vendor’s security practices provide a level of security appropriate to the risk.

3. Details of processing

3.1 Data Subjects — determined and controlled by you at your sole discretion; may include your representatives, end users, employees, contractors, collaborators, clients, prospects and customers, and their personnel.

3.2 Categories of Personal Data — determined by you; may include first and last name, employer, role, title, and contact information.

3.3 Special categories of Personal Data — will not be processed by the Vendor; you agree never to share such data with the Vendor.

3.4 Processing operations — the Vendor shall Process Personal Data only: (i) to provide the services in accordance with your documented instructions; and (ii) for business operations incidental to providing the services (e.g., delivering functional capabilities, preventing/detecting/repairing problems including Security Incidents, and providing support, planning, advice and guidance).

4. Obligations of Binderr

4.1 Processing Personal Data — the Vendor will: (i) process only on documented instructions (including transfers), unless required by law; (ii) inform you if an instruction infringes applicable law and may suspend processing; (iii) ensure persons authorised to process are bound by confidentiality; (iv) provide periodic privacy and security training; (v) implement appropriate technical and organisational measures (including pseudonymisation and encryption; ensuring confidentiality, integrity, availability and resilience).

4.2 Systems and services — restore availability and access to Personal Data in a timely manner; regularly test and evaluate measures; prevent unauthorised access or disclosure; and adhere to conditions for Sub‑Processors (see clauses 6 and 7).

Documented Instructions include the Terms of Service, this DPA and the Order Form. The Vendor shall not retain, use, disclose or otherwise Process Personal Data other than for the purposes set out herein and shall not sell Personal Data.

5. Security incident management

5.1 Notice — the Vendor shall notify you without undue delay (and in any event within 48 hours) after becoming aware of any Security Incident. Notification may be provided via email to your administrators. You are responsible for your own incident notification obligations. Vendor’s reporting is not an acknowledgement of fault.

The Vendor will investigate, provide information (which may be provided in phases), and take reasonable steps to mitigate effects. If the Security Incident was not due to the Vendor’s fault, reasonable cooperation costs and expenses shall be covered by you. The Vendor will make reasonable efforts to assist with notifications to Supervisory Authorities and Data Subjects. You shall promptly notify the Vendor of any possible misuse or potential security incident related to the services.

6. Sub‑Processors

The Vendor may engage subcontractors and Sub‑Processors. The Vendor will: (i) provide prior notice of additions or replacements, giving you the opportunity to object; (ii) ensure Sub‑Processors are bound by no‑less‑protective obligations; and (iii) remain fully liable for Sub‑Processor obligations.

Approved Sub‑Processors:

Amazon Web Services — data storage, database hosting, container hosting, logging, load balancers (Germany).
DocuSign — data required for e‑signature verification and certification (France/Germany/Netherlands).
Sum and Substance Ltd — data required for AML/KYC identity verification (Germany).
ComplyAdvantage — data required for AML screening and watchlists (Germany).

7. Changes to Sub‑Processors

At least 60 days before authorising any new Sub‑Processor, the Vendor shall post notice at www.binderr.com. You may object on reasonable grounds within 30 days, and the Vendor may (at its discretion): cancel use; take corrective steps; or cease providing the particular aspect of the services, with a fee adjustment as mutually agreed. If none of these are reasonably available or agreed within 30 days, either party may terminate the affected services.

7.1 Emergency replacement — the Vendor may urgently replace a Sub‑Processor where necessary and beyond its control, with notice as soon as practicable; you retain the right to object.

8. Cooperation with requests from Data Subjects

The Vendor will reasonably assist with Data Subject requests consistent with the services’ functionality. You are responsible for costs beyond existing functionality. If the Vendor receives a request directly, it will instruct the Data Subject to contact you. Unless prevented by law, the Vendor will notify you without undue delay if a Supervisory Authority makes any inquiry or request for disclosure.

9. Other cooperation

Taking into account the nature of processing and information available, the Vendor shall provide reasonable assistance to ensure compliance with security, notifications, DPIAs, consultations with Supervisory Authorities, and audits (see clause 11).

10. Retention and deletion of Personal Data

10.1 Personal Data — the Vendor shall delete or return Personal Data in accordance with mutual agreement, save where retention is required by law (and then only for so long as required).

10.2 Services — you will have the ability to access, extract, and delete Personal Data during the term. The Vendor shall retain Personal Data for 90 days after expiration or termination so you may extract it. After 90 days, the Vendor will disable your account and delete all Personal Data within 30 days (and certify deletion where required), save where retention is required by law. Backups or other media created for disaster recovery/business continuity may be overwritten or remediated in the ordinary course and in any event not longer than 90 days after creation. The Vendor has no liability for deletion of any data as described in this clause.

11. Security reports, audits and records

Where your audit requirements cannot reasonably be satisfied through available reports and documentation, the Vendor shall, not more than once per calendar year, respond to audit requests subject to scope, timing, duration, control/evidence requirements and fees agreed in advance. Audits to be by an independent, accredited firm during business hours with at least 20 days’ notice and subject to confidentiality/security procedures. No access to other customers’ data or systems not involved in your services. You are responsible for all costs and Vendor time. Material findings will be promptly cured. Where SCCs apply, nothing here varies or modifies them. The Vendor shall maintain records of processing as required and make them available upon request.

12. Your obligations

12.1 Your acknowledgment — you shall comply with all applicable Data Protection Legislation; determine whether the services are appropriate for storage/processing of Personal Data; have the right to transfer or provide access to Personal Data to the Vendor and its Sub‑Processors; are solely responsible for third‑party notification obligations related to a Security Incident; and shall not violate any Data Subject rights.

12.2 Personal Data sharing — the services may enable authorised users to share Personal Data or invite third‑party users. Such third parties may access, view, download, and share Personal Data. Your (and/or your authorised users’) choice to share is solely your responsibility, and the Vendor cannot control third parties with whom you share Personal Data.

13. Modification, supplementation and term

The Vendor may modify or supplement this DPA with notice to you if required by a Supervisory Authority or law, to implement SCCs, or to adhere to an approved code of conduct/certification. If such changes render you non‑compliant with applicable law, you may terminate the Terms of Service and receive a pro‑rata refund for prepaid, undelivered services. This DPA is effective upon your use of the services and remains in force while the Vendor processes Personal Data on your behalf.

14. Transfer of Personal Data and location

You acknowledge the Vendor and its Sub‑Processors may process Personal Data outside the EEA and the UK (including where hosting is in the EEA/UK) if necessary to provide the services. The Vendor shall comply with applicable transfer requirements, including SCCs, adequacy decisions, or other appropriate safeguards.

14.1 Location of Personal Data — Personal Data processed by the Vendor shall be stored in the EEA. Sub‑Processors’ personnel in other regions may have access. The Vendor does not control or limit the regions from which you or authorised users may access or process Personal Data.

14.2 Miscellaneous — the Vendor has appointed a DPO, EU representative, and UK representative (as documented in the Privacy Policy at www.binderr.com). If there is a conflict between the Terms of Service and this DPA, the DPA prevails; if between this DPA and the SCCs, the SCCs prevail. Aggregate liability arising out of this DPA and/or the SCCs shall not exceed the limitations in the Terms of Service.

Appendix 2.2 – DPA Schedule 1 (SCCs and UK Addendum)

(Condensed summary; populated as in the original text for legal completeness.)

SCCs: Module 2 (Controller→Processor), Module 3 (Processor→Processor), Module 4 (Processor→Controller) apply as appropriate.
UK Addendum: Incorporated by reference; tables populated per Annexes and governed by England & Wales law; effective from the date you accept the Terms.
Supplementary clauses cover erasure/deletion, audit alignment with DPA clause 11, notifications routing, sub‑processor notifications, Data Subject rights handling, transfer impact assessment (countries may include Cyprus, Germany, UK, USA), and governing law/jurisdiction (Malta; England & Wales for the UK Addendum and Module 4).

Appendix 2.3 – DPA Annex 1

(Parties and description of transfer) — as in the original text, streamlined for readability without altering legal effect.

Appendix 2.4 – DPA Annex 2 – Security Measures

Security measures implemented by the Vendor (reorganised for clarity; substance unchanged).

1. Pseudonymisation and encryption

Hosting in AWS (Germany).
Data encrypted at rest and in transit; key management via platform functionality.
External systems encrypt data in transit/at rest; transfers outside the EEA only with appropriate safeguards.
Pseudonymisation applied to residual logs upon account deletion.
Logging retention: XXXX days (after which pseudonymised data is deleted).

2. Data protection controls

Email: encrypted by default where supported by the recipient.
Secure file exchange: encrypted in transit and at rest; dedicated repository per external party; least‑privilege access.

3. Ongoing confidentiality, integrity, availability, and resilience

Standards — commercially reasonable safeguards protect confidentiality, availability and integrity of Personal Data.

Confidentiality — personnel authorised to access Personal Data are bound by confidentiality or statute.

Training — personnel with access to Personal Data receive annual training.

Backups — 24/7 managed backups; at least daily; retained 90 days in primary and 90 days in secondary site.

Disaster recovery — capabilities designed to minimise disruption; incident management; recovery procedures; periodic testing.

4. Regular testing and evaluation

Annual independent penetration testing of IT infrastructure.

5. IT security controls

Authentication — complex passwords (minimum XXXX characters) and MFA.

Infrastructure security — hardened builds; host firewalls; anti‑virus; minimal end‑user device software; application allow‑listing; no local admin rights; secure email gateway scanning inbound/outbound/internal mail; URL filtering with category blocks; managed XDR with SIEM integration (incl. AWS, firewalls, email gateway); single sign‑on where supported.

Network controls — network managed by IT; firewalls implemented; minimal on‑prem infrastructure; guest Wi‑Fi segregated; personal devices cannot connect to corporate Wi‑Fi; extensive network access controls in AWS; segregated test and production.

Backup & resilience — encryption at rest/in transit; mix of daily/weekly/monthly backups, 30‑minute snapshots and log shipping; immutable backups off‑site; cloud availability zones; cloud‑native backups; automated failure alerts; documented restore processes; periodic restore testing.

Access control — role‑based access on least‑privilege basis; administrative access limited to IT.Patching & vulnerability management — policy‑driven patching by severity; daily/weekly scans; vendor advisories monitored; XDR threat intel; staged testing; systems management tooling for deployment.

Third‑party access — rare, for support; time‑bound and disabled when no longer needed; confirmation obtained.

6. Protection of Personal Data during transmission and storage

Transmission — HTTPS and/or VPN for data in transit.Storage — encryption at rest using ciphers at least as strong as AES‑256 (or equivalent).Backups — backups encrypted and stored in a secondary data centre.

7. Physical security

Safeguards — physical access only by formal authorisation; access reviewed periodically.Facilities — Tier 3 (or higher) data centres; protections against power failure, fire and other hazards; limited access to authorised individuals.

8. Event logging

Network security — enterprise‑class SIEM; firewalls and additional controls to ensure appropriate network access.Logging — access and use of information systems containing Personal Data are logged.

9. System configuration

Malicious software — anti‑malware controls to mitigate accidental/unlawful destruction, loss, alteration, unauthorised disclosure or access.
Asset inventory — maintained for computing equipment and media; access restricted to authorised personnel.

10. Governance and management

1. Information security & data protection — security and privacy embedded across technical, procedural and governance processes; controls configured robustly.
2. Data Protection Officer ensures cyber and privacy risks are addressed (operations, projects, suppliers, regulatory)
3. Monthly updates on cyber/privacy to senior management.
4. Policies — security policies and Information Governance Framework reviewed at least annually; country‑specific supplements where necessary.
5. Risk management — assessments at project start, major upgrades, supplier due diligence and ongoing; residual risks tracked; monthly reporting of significant risks to senior management.
6. Security Working Group — monthly meetings (IT, business units, Compliance, security) to raise and address issues.
7. Incident management — detailed process with lessons‑learned and remedial actions; customer communications where data may be affected; scenario‑based tests.
8. Vendor personnel — written policies and procedures define roles/responsibilities for those with access to Personal Data.

11. Certification of processes

Standards — Binderr Ltd holds the following ISO certification:

1. 1. ISO9001:2015 (Certificate Number: BIND4443Q2402; Obtained: 25/11/24; Expiry: 24/11/27).
  2. ISO27001:2015 (Certificate Number: BIND4443A2401; Obtained: 25/11/24; Expiry: 24/11/27).

AWS data centres used by Binderr have numerous certifications (see provider Trust Portals).Independent assessments — annual independent security assessment.

Business continuity — plan maintained and compliant with ISO 22301.

12. Security Measure: Training of Personnel

Practices: Security Awareness Training

The Vendor uses an externally provided security training and awareness platform, which also includes an email phishing simulation component.

Security training courses are delivered frequently throughout the year, with completion monitored and followed up where necessary.
Phishing simulations are sent to staff periodically. If a user fails a phishing test, feedback is provided highlighting the “red flags” they should have noticed. Repeated phishing test failures are followed up by the security team.
Security and awareness-related information is shared via staff bulletins, internal emails, and the company intranet.
All staff are required to sign an Acceptable Use Policy.
Mandatory annual training covers employee responsibilities relating to data protection and GDPR.
All new starters undergo an induction session that includes security and privacy training, policy acceptance, and completion of core security modules.
Training content and frequency are consistent for all employees, regardless of their work location (office or remote), and include best practices for secure remote work.

13. Security Measure: Accountability

Practices: Accountability

The Vendor defines accountability as holding individuals responsible for internal control obligations.Control Activities
An employee sanction procedure is documented, stating that employees may be terminated for noncompliance with policies and procedures.
Annual performance reviews evaluate each employee’s performance, conduct, and adherence to internal control responsibilities.

14. Security Measure: Data Minimisation and Data Quality

Practices: Data Minimisation

The Vendor makes reasonable efforts to ensure only the minimum necessary Personal Data is collected, used, and retained to provide the services.

Practices: Data Quality

Throughout the term of the agreement, clients may amend Personal Data to maintain accuracy and fulfil their data quality obligations.

15. Security Measure: Data Retention

Practices: Data Retention

The Vendor retains Personal Data in its systems for ninety (90) days after expiration or termination of this agreement, allowing clients to extract their data.

After this 90-day period, the Vendor disables the client account and deletes all Personal Data within thirty (30) days. Where required by law, the Vendor will certify deletion. Data may be retained longer only where legally mandated.

16. Security Measure: Portability and Erasure

Practices: Portability

During the agreement, clients have the ability to access, extract, and delete their Personal Data within the Vendor’s service.

Practices: Erasure

Upon disposal or removal of storage media, the Vendor destroys, deletes, or otherwise makes Personal Data irrecoverable.

Client data is logically separated from all other Vendor customer data to ensure confidentiality and integrity.

1. Provision of Services

1.1 Terms governing our services

In the event of a conflict between these terms and your Order Form (as updated from time to time), these terms shall prevail.

1.2 Effective date

2. Financial

2.1 Fees

2.2 Subscription term and renewals

2.3 Invoices

3. Confidentiality and Data

3.1 Your data

Strictly anonymised data may be used to develop and improve our services. We use analytics techniques to better understand how our services are used.

3.2 Data ownership and access rights

All data uploaded, stored, or processed within the Binderr platform, whether personal or business, remains your sole property. Binderr acts solely as a data processor and custodian.

Upon termination of services, you retain the right to export, retrieve, or request deletion of all data stored within your account.
Binderr does not access, reuse, or disclose your business data for any purpose other than providing the contracted services.
All data is securely deleted from Binderr’s systems within 30 days of account closure, unless retention is required by law or explicitly requested by you for extended access.
You retain all right, title and interest in and to your data in the form submitted to the services. Subject to these terms, and solely to the extent necessary to provide the services to you, you grant us a worldwide, limited‑term license to access, use, process, copy, distribute, perform, export, and display your data. To the extent that reformatting your data for display constitutes a modification or derivative work, the foregoing license also includes the right to make such modifications and derivative works. We may also access your accounts, End User accounts, and your services with End User permission to respond to support requests.

3.3 Your data obligations

You and your use of the services (including by your End Users) must comply at all times with these terms and all laws. You represent and warrant that:

You have obtained all necessary rights, releases and permissions to submit all your data to the Vendor and to grant the rights granted in these terms; and
Your data and its submission and use as authorised in these terms will not violate (1) any laws, (2) any third‑party intellectual property, privacy, publicity or other rights, or (3) any of your or third‑party policies or terms governing your data. Other than our express obligations under Section 3 (our security and data privacy policies), we assume no responsibility or liability for your data, and you are solely responsible for your data and the consequences of submitting and using it with the services.You will defend, indemnify and hold harmless us (and our affiliates, officers, directors, agents and employees) from and against any and all claims, costs, damages, losses, liabilities and expenses (including reasonable legal fees and costs) resulting from any claim arising from or related to:

A. Your breach of the agreed terms regarding End User consent or any claims or disputes brought by your End Users arising out of their use of the services; and

B. Your breach (or alleged breach) of your data obligations.

3.4 Your personal information

We are committed to protecting and respecting your privacy and we will only use your information in accordance with:

Regulation (EU) 2016/679 (GDPR);
Chapter 586 of the Laws of Malta (Data Protection Act);
The UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003; and
all other applicable data protection and privacy laws as may apply in the EU from time to time, each as amended or superseded.

3.5 Confidentiality

Confidentiality of your services will be maintained except:

where we are compelled by law or regulation to disclose information
where we are subject to a duty to the public to disclose;
where our interests reasonably require disclosure;
where we use third‑party IT providers to deliver our services (in each case under appropriate confidentiality arrangements and/or, where practicable, anonymised);
where disclosure is made with your consent or at your request, including to third‑party providers acting as your agents; and/or
within the Vendor Group.

In all such cases, we shall reveal only such information as is considered necessary and you consent to the disclosure.

3.6 Data loss

3.7 Security and certifications

4. Our Services - Administration

4.1 Administrators

4.2 End User consent

You are responsible for providing all required disclosures to, and obtaining and maintaining all required consents from, End Users to allow:

Administrators to have the access described in these terms; and,
The Vendor’s provision of services to your chosen Administrators and End Users. You will provide evidence of such consents upon reasonable request.

4.3 End User responsibility

4.4 End User security

5. Our Services - General

5.1 Access

5.2 Support

During the service term specified in your Order Form, we will provide support for the services.

5.3 Restrictions

Except as otherwise expressly permitted, you will not:

reproduce, modify, adapt or create derivative works of the services;
rent, lease, distribute, sell, sublicense, transfer or provide access to the services to a third party or anyone not specified in the Order Form;
use the services for the benefit of any third party;
incorporate any of the services into a product or service you provide to a third party;
interfere with or circumvent mechanisms in the services intended to limit use;
reverse engineer, disassemble, decompile, translate or otherwise seek to obtain or derive source code, underlying ideas, algorithms, file formats or non‑public APIs to any of the services, except to the extent expressly permitted by law (and then only upon advance notice to us);
remove or obscure any proprietary or other notices;
use the services for competitive analysis or to build competitive products; or
encourage or assist any third party to do any of the foregoing.

5.4 Warranty disclaimer

5.5 Reliance

6. Additional Services

7. Raising Queries or Concerns

8. Electronic Communication

Unless you instruct us otherwise, you expressly consent to our communicating with you by email.

8.1 General risks

8.2 Our emails to you

Most businesses have experienced a situation where a client or third‑party email account has been hacked, and a scam email is sent seeking to redirect a payment to a new account.

8.3 Unintended consequences

9. Liability

10. Variation and Termination

No amendment, variation, rescission or termination of this agreement will require the consent of any person who is not a party to it.

In the event of termination for any reason, the terms of our agreement will remain in force regarding payments, confidentiality, data protection, liability and files/documents.

11. General

11.1 Applicable law and jurisdiction

11.2 Elective arbitration

11.3 Entire agreement

These terms and our Order Form constitute the entire agreement between the parties in relation to the services we provide. It replaces any earlier terms, representations or discussions.

11.4 Vendor Group

The following companies are wholly owned subsidiaries of Binderr Limited: Binderr Operations Limited and Binderr Mena Electronic Brokerage LLC.

12. Interpretation

If any provision of the agreement is held to be void, then that provision will be deemed not to form part of the agreement and the remaining provisions will continue in force.

In these terms, the following words and expressions have the meanings given below:

Administrator – the personnel of the specific entity specified in the Order Form designated by you who administer the Vendor’s services access to End Users on your behalf.
End User – an individual employed by the specific entity specified in the Order Form whom you permit or invite to use the Vendor’s services. You will control End User access by your appointed Administrator(s).
Minimum Service Term – the initial period of 12 months for which you agree to pay for the Vendor’s services.
Order Form – the Vendor form (as updated from time to time) signed by you recording the services you wish the Vendor to supply.
Vendor, we, us or our – the relevant Binderr entity as applicable by reference to the Order Form:

Binderr Limited, a company incorporated in Malta (number C‑96125), registered office: C1, Midland Micro Enterprise Park, Triq Burmarrad, Naxxar, NXR 6345, Malta.

Binderr Operations Limited, a company incorporated in Malta (number C‑107515), registered office: Ortigia, Tal Ferha, Limit ta’ Gharghur, GHR 1821, Malta.

Binderr Mena Electronic Brokerage LLC, a company incorporated in the UAE (number 2351664), registered office: The H Dubai Office Tower, Level 17, Sheikh Zayed Road, Dubai, United Arab Emirates.

Vendor Group – Binderr Limited and any of its affiliated entities or subsidiary undertakings from time to time.
You, your – the party or parties to these terms and the Order Form (excluding us).

Terms of Service

1. Provision of Services

2. Financial

3. Confidentiality and Data

4. Our Services - Administration

5. Our Services - General

6. Additional Services

7. Raising Queries or Concerns

8. Electronic Communication

9. Liability

10. Variation and Termination

11. General

12. Interpretation

Appendix 1 – Privacy Notice

1. The type of personal information we collect

2. How we get the personal information and why we have it

3. Who we may share this information with

4. The lawful bases we rely on for processing

5. How we store your personal information

6. Your data protection rights

7. How to complain

Appendix 2.1 – Data Processing Agreement

1. Definitions

2. Roles & scope

3. Details of processing

4. Obligations of Binderr

5. Security incident management

6. Sub‑Processors

7. Changes to Sub‑Processors

8. Cooperation with requests from Data Subjects

9. Other cooperation

10. Retention and deletion of Personal Data

11. Security reports, audits and records

12. Your obligations

13. Modification, supplementation and term

14. Transfer of Personal Data and location

Appendix 2.2 – DPA Schedule 1 (SCCs and UK Addendum)

Appendix 2.3 – DPA Annex 1

Appendix 2.4 – DPA Annex 2 – Security Measures

1. Pseudonymisation and encryption

2. Data protection controls

3. Ongoing confidentiality, integrity, availability, and resilience

4. Regular testing and evaluation

5. IT security controls

6. Protection of Personal Data during transmission and storage

7. Physical security

8. Event logging

9. System configuration

10. Governance and management

11. Certification of processes

12. Security Measure: Training of Personnel

13. Security Measure: Accountability

14. Security Measure: Data Minimisation and Data Quality

15. Security Measure: Data Retention

16. Security Measure: Portability and Erasure

Terms of Service

1. Provision of Services

2. Financial

3. Confidentiality and Data

4. Our Services - Administration

5. Our Services - General

6. Additional Services

7. Raising Queries or Concerns

8. Electronic Communication

9. Liability

10. Variation and Termination

11. General

12. Interpretation

Appendix 1 – Privacy Notice

1. The type of personal information we collect

2. How we get the personal information and why we have it

3. Who we may share this information with

4. The lawful bases we rely on for processing

5. How we store your personal information

6. Your data protection rights

7. How to complain

Appendix 2.1 – Data Processing Agreement

1. Definitions

2. Roles & scope

3. Details of processing