Binderr Services Agreement

This Binderr Services Agreement (the "BSA") is between Binderr Operations Limited, a limited liability company registered in Malta with company registration number C-107515 with main office situated at C1, Midland Micro Enterprise Park, Triq Burmarrad, Naxxar, NXR 6345, Malta (“Binderr”) and the organisation agreeing to these terms ("Customer"). Binderr and the Customer are each referred to as a “Party” and collectively as the “Parties.” This BSA governs access to and use of the Services and any Beta Services. This BSA, any Service-Specific Terms, each applicable Order Sheet, and the Data Processing Agreement are collectively referred to as the "Agreement."

By clicking "I agree," signing your Order Sheet for the Services, or using the Services, you agree to the Agreement as a Customer. If you are agreeing to this Agreement for use of the Services by an organisation, you are representing and agreeing on behalf of that organisation. You must have the appropriate authority to bind that organization to these terms, otherwise you must not sign up for the Services. These Services will only be provided to a corporate entity.

  1. Definitions.

    "Account Data" means the account and contact information submitted to the Services by Customer or End Users.

    "Ad-hocs" means an additional feature, component, service, or functionality for use with certain Services.

    "Admin" means any Customer-designated technical End User who administers the Services to End Users on Customer's behalf.

    "Admin Account" means an administrative account provided to Customer by Binderr for the purpose of administering the Services.

    "Admin Console" means the online tool provided by Binderr to Customer for use in administering the Services.

    "Affiliate" means any entity that controls, is controlled by or is under common control with a Party, where "control" means the ability to direct the management and policies of an entity.

    "Agreement" means, collectively, this BSA, each applicable Order Sheet, the Data Processing Agreement and any Service-Specific Terms and Addendum entered into by the Parties.

    "Audit Reports" means the audit reports for the applicable Services that are set out in the Service-Specific Terms.

    "Claim" means a claim by a third party, including a regulatory penalty.

    "Confidential Information" means information disclosed by one Party to the other Party that is identified as confidential at the time of disclosure or should be reasonably known by the Receiving Party to be Confidential Information due to the nature of the information disclosed and the circumstances surrounding the disclosure. Any performance information relating to the Service and the terms and conditions of this Agreement shall be deemed Confidential Information of Binderr without any marking or further designation.

    “Binderr Platform” means the online platform made available by Binderr on a Software As A Service (SaaS) model which aggregates the availability of Services as developed and improved by Binderr from time to time.

    "Customer Data" means Stored Data, Account Data, and messages, comments, structured data, images, and other content submitted to or generated by the Services by Customer or its End Users.

    "Data Processing Agreement" means the data processing agreement set out in Annex 3 of this Agreement.

    "Disclosing Party" means the Party disclosing Confidential Information to the other Party.

    "EEA" means European Economic Area.

    "Effective Date" means the date this BSA is entered into by the Parties, either by acceptance online or by the signing of the Order Sheet.

    "End Users" means users of Customer’s Services account. End Users may include Customer’s and its Affiliate’s employees, consultants, agents, representatives, students or any other person authorized by Customer to use the Services through Customer’s account.

    "End User Account" means a Binderr hosted account provisioned by Customer through the Services for an End User which can include an Admin Account or a Member Account.

    "End User License" means a user license purchased by Customer which enables Customer to provision an End User Account.

    "Data Protection Laws" consists in particular of the GDPR (Regulation 2016/679 – General Data Protection Regulation) and the Data Protection Act, Chapter 586 of the Laws of Malta and any other relevant data protection and privacy legislation which is applicable during the term of this Agreement, in so far as the same relates to the provisions and obligations of this Agreement.

    "Feedback" means any feedback, comments, or suggestions on the Services or Beta Services that Customer or End Users may send Binderr or post in Binderr’s forums. Feedback may include oral or written comments, suggestions, error reports, and analysis.

    "Fees" means the amounts invoiced to Customer by Binderr.

    "Intellectual Property Rights" means current and future worldwide rights under patent, copyright, trade secret, trademark, moral rights, and other similar rights.

    “Member” means any customer-designated End User who may have permission restrictions in the Binderr Platform applied by an Admin on behalf of the Customer.

    “Member Account” means a customer-designated End User Account which may have functional restrictions in the Binderr Platform applied by an Admin on behalf of the Customer.

    "Order Sheet" means an ordering document, order page, or user interface through which Customer purchases a subscription to the Services or enables access to the Services.

    “Payment Terms” means an arrangement for the amount and schedule for the payment of fees under this Agreement which may be set out in the Order Sheet or otherwise agreed to by the Parties.

    "Personal Data," "Process," and "Processing" have the meaning given to those terms in the Data Protection Laws.

    "Receiving Party" means the Party receiving Confidential Information from the other Party.

    "Security Measures" means the technical and organizational security measures implemented by Binderr for the applicable Services, as may be further described in the Service-Specific Terms.

    "Services" means the services ordered by Customer on the Order Sheet, excluding any third-party Ad-hoc (as indicated at the time of purchase or enablement).

    "Service-Specific Terms" means additional terms that apply to certain Services or Ad-hocs as set forth in or otherwise attached to the Agreement.

    "Service Limits" means rate, storage, End User or other limits on Customer's use of the Services as described in the applicable Order Sheet or product description page.

    "Software" means the client software provided as part of the Services, either directly by Binderr or through third party distribution channels such as app stores.

    "Stored Data" means the files uploaded to the Services by Customer or End Users.

    "Subcontractor" means an entity to whom Binderr subcontracts any of its obligations under the Agreement.

    "Taxes" means any sales, use, value added, goods and services, consumption, excise, local stamp, or other tax, (including but not limited to ISS, CIDE, PIS, CONFINS), duty or other charge of any kind or nature excluding tax that is based on Binderr's net income, associated with the Services or Software, including any related penalties or interest.

    "Term" means the duration of the Agreement, which will begin on the Effective Date and continue until the earlier of: (i) the end of the agreed duration; or (ii) the Agreement is terminated as set forth herein.

    "Third-Party Request" means a request from a third-party for records relating to an End User's use of the Services including information in or from an End User Account, or from Customer's Services account. Third-Party Requests may include valid search warrants, court orders, or subpoenas, or any other request for which there is written consent from End Users, or an End User's authorized representative, permitting a disclosure.

    "Withholding Taxes" mean any income taxes that are imposed on Binderr or Customer's reseller in which Customer is required by law to withhold or deduct on the payment to Binderr or Customer's reseller.

  2. Services.

    1. Provision. The Agreement governs access to, and use of the Services, and any associated Software. Customer may access and use the Services in accordance with the Agreement.

    2. Service-Specific Terms. Certain Services, or portions thereof, may be subject to additional terms, including third party terms and conditions, that are specific to the particular Services and are set forth in the Service-Specific Terms. By accessing or using Services covered by any Service-Specific Terms, you agree to the applicable Service-Specific Terms. If there is a conflict between these Terms and the Service-Specific Terms, the Service-Specific Terms will control with respect to the applicable Services or portions thereof.

    3. Modifications. Binderr may update the Services from time to time. If Binderr changes the Services in a manner that materially reduces their functionality it will notify the Customer and Customer may provide notice within 15 days of the change to terminate the Agreement. Binderr may add additional features to enhance the user experience of the Services which were not available on the Effective Date at no additional charge; however, these free features which were not available on the Effective Date may be withdrawn without further notice.

    4. Ad-hocs. Customer may purchase Ad-hocs that may be subject to additional Service-Specific Terms. Binderr reserves the right to change the pricing and the provider of any Ad-hocs at any time without any prior notice.

  3. Subscriptions.

    1. Services Term. The Services are sold on a subscription basis. Binderr will deliver the Services throughout the Term.

    2. Usage-based Subscriptions. If Customer elects to purchase any Services based on usage, Customer acknowledges that Binderr will charge Customer the Fees for the Services as set forth in the Order Sheet or Service-Specific Terms based on the usage calculated by Binderr.

  4. Customer Obligations

    1. Provisioning. Customer has to register for an End User Account to place orders or to access or use the Services. Account information must be accurate, current, and complete, and Customer agrees to keep this information up-to-date.

    2. Responsibility. Customer is responsible for maintaining the confidentiality of passwords, accounts, and access to accounts. Binderr’s responsibilities do not extend to the internal management or administration of the Services for Customer including any End User Accounts.

    3. Restrictions. Customer will not:

      1. sell, resell, or lease the Services, Software, or End User Licenses; reverse engineer the Services or Software, or attempt or assist anyone else to do so, unless this restriction is prohibited by law;

      2. reverse engineer the Services or Software, or attempt or assist anyone else to do so;

      3. violate or circumvent any Service Limits of the Services or otherwise configure the Services to avoid Service Limits;

      4. access the Services for the purpose of building a competitive product or service or copying its features or user interface;

      5. use the Services for evaluation, benchmarking, or other comparative analysis intended for publication without prior written consent;

      6. remove or obscure any proprietary or other notices contained in the Services, including in any reports or output obtained from the Services;

      7. use or permit the Services to be used for any illegal or misleading purpose;

    4. Compliance. Customer will comply with laws and regulations applicable to Customer's use of the Services. Customer will not take any action that would cause Binderr to violate EU Data Protection Laws, or any other applicable data protection, anti-bribery, anti-corruption, or anti-money laundering law. Customer must satisfy itself that:

      1. The Services are appropriate for its purposes, taking into account the nature of the Customer Data; and
      2. the technical and organizational requirements applicable to Binderr under EU Data Protection Laws or other data protection laws, if applicable, are satisfied by the Security Measures and the Agreement. Customer further declares and accepts that it has all the necessary rights, permissions, and clearances to make use of the Services provided by Binderr.

    5. Third-Party Apps and Integrations. Some parts of the Services depend on third-party APIs. Binderr does not guarantee the uptime or availability of such APIs. If the Customer uses any third-party service or applications, such as a service that uses an API, with the Services:

      1. Binderr will not be responsible for any act or omission of the third-party, including the third-party’s access to or use of Customer Data; and

      2. Binderr does not warrant or support any service provided by the third-party. Customer will comply with any API limits associated with the Services plan purchased by Customer.

  5. Customer Data.

    1. Customer Data Use. This Agreement constitutes Customer’s instructions to Binderr to process Customer Data. Binderr, Binderr personnel and its Subcontractors will only process, access, use, store, and transfer Customer Data as Customer instructs in order to deliver the Services and to fulfill Binderr’s obligations in the Agreement. If Customer accesses or uses multiple Services, Customer acknowledges and agrees that Binderr may transfer Customer Data between those Services. The processing of by Binderr in the provision of Services under this Agreement shall be regulated in accordance with the terms of the Data Processing Agreement.

    2. Security Measures. Binderr is built with multiple layers of advanced security to protect your data which is stored on AWS Cloud and their industry-leading servers, ensuring maximum security and durability. We also secure our system-to-system communication using TLS, a cryptographic security protocol designed for privacy and data security. Binderr’s web application is secured with HTTPS, which uses TLS and certificates to ensure that your data is encrypted when transmitted between our services.

    3. Audit Reports. In accordance with regulatory compliance and to maintain a robust record-keeping environment, all system audit reports within the Binderr Platform are duly logged and maintained in our Activity Log. This log serves as a comprehensive repository capturing various system interactions and is designed for the purpose of auditability, transparency, and accountability. By using our services, you acknowledge and consent to such logging practices as a condition of your continued use of the Binderr Platform.

    4. Aggregate/Anonymous Data. Customer agrees that Binderr will have the right to generate aggregate and anonymous data based on End Users’ use of the Services and this data is owned by Binderr. Binderr may use this data for its business purposes during or after the term of this Agreement (including without limitation to develop and improve Binderr’s products and services and to create and distribute reports and other materials). For clarity, Binderr will not disclose any aggregate or anonymous data externally in a manner that could reasonably identify Customer or its End Users.

  6. Confidentiality

    1. Use and Non-Disclosure. Except as expressly authorized herein, the Receiving Party will hold in confidence and not use or disclose any Confidential Information. Each Party, as the Receiving Party, will: (i) take reasonable measures to protect the Disclosing Party’s Confidential Information including at least those measures it takes to protect its own confidential information of a similar nature; and (ii) not disclose Confidential Information to any third parties. A Party may disclose Confidential Information to its employees, advisors and consultants who have a need to know the Confidential Information, if that employee, advisor or consultant is bound to restrictions at least as protective of the other Party’s Confidential Information as those set forth in this Agreement.

    2. Exceptions. Confidential Information does not include information that: (i) is or becomes generally known or available to the public, through no act or omission of the Receiving Party; (ii) was known, without restriction, prior to receiving it from the Disclosing Party; (iii) is rightfully acquired from a third party who has the right to disclose it and who provides it without restriction as to use or disclosure; or (iv) is independently developed without access to any Confidential Information of the Disclosing Party. Binderr reserves the right to disclose any information including Customer Data or Confidential Information to competent public authorities upon request.

  7. Payment.

    1. Fees. Customer will pay Binderr all applicable Fees, in the currency and pursuant to the Payment Terms indicated in the Order Sheet. Customer authorizes Binderr to charge Customer for all applicable Fees using Customer's selected payment method, and Customer will issue the required purchasing documentation. Fees are non-refundable except as otherwise specifically permitted in the Agreement.

    2. Payment. Customer will pay Binderr invoices on the payment interval set forth in the Order Sheet. Binderr may suspend or terminate the Services if Fees are past due. Customer will provide complete and accurate billing and contact information to Binderr or to Customer's reseller.

    3. Automatic-Renewal. If the Customer has already provided a payment method for Payment of Fees, and the Customer has not cancelled the Agreement as set forth in Clause 9.3, Binderr will automatically charge the Fees at the agreed interval according to any Payment Terms agreed.

  8. Suspension and deletion.

    1. Of End User Accounts and Customer Data. If an End User: (a) violates the Agreement; (b) uses the Services in a manner that Binderr reasonably believes will cause it liability, or in an illegal manner, then Binderr may suspend, delete or terminate the applicable End User Account including any aspect of the Services and Customer Data.

    2. Of the Services. Binderr may suspend Customer’s access to the Services if: (i) Customer’s account is overdue; or (ii) Customer has exceeded any Service Limits. Binderr may also suspend Customer’s access to the Services or remove Customer Data if it determines that: (a) Customer has breached any portion of this Agreement. Binderr will have no liability for taking action as permitted above. For the avoidance of doubt, Customer will remain responsible for payment of fees during any suspension period under this Section 7.2. However, unless this Agreement has been terminated, Binderr will co-operate with Customer to promptly restore access to the Services once it verifies that Customer has resolved the condition requiring suspension.

  9. Intellectual Property Rights.

    1. Reservation of Rights. Except as expressly set forth herein, the Agreement does not grant: (a) Binderr any Intellectual Property Rights in Customer Data; or (b) Customer any Intellectual Property Rights in the Services or Binderr trademarks and brand features. Customer acknowledges that it is obtaining only a limited right to use the Services and that irrespective of any use of the words “purchase”, “sale” or similar terms, no ownership rights are transferred to Customer (or its End Users) under this Agreement.

    2. Limited Permission. Customer grants Binderr only the limited rights that are reasonably necessary for Binderr to deliver the Services. This limited permission also extends to Subcontractors or Sub-processors.

    3. Feedback. Binderr may use, modify, and incorporate into its products and services, license and sublicense, any Feedback that Customer or End Users may provide without any obligation to Customer. Customer agrees to: (i) and hereby does, assign to Binderr all right, title, and interest in any Feedback; and (ii) provide Binderr any reasonable assistance necessary to document and maintain Binderr’s rights in the Feedback.

  10. Term, Termination and Cancellation.

    1. Agreement Term. The Agreement will remain in effect for the Term which may be automatically-renewed for a successive Term of the same duration and shall be charged according to Clause 6.3.

    2. Termination. Binderr may terminate the Agreement, if: (i) the other Party is in material breach of the Agreement and fails to cure that breach within thirty days after receipt of written notice; or (ii) the other Party ceases its business operations or becomes subject to insolvency proceedings and the proceedings are not dismissed within ninety days. Binderr may terminate this Agreement and suspend Customer's access to the Services if required to do so by law or for an egregious violation by Customer.

    3. The Customer may request to cancel the Services subject to any conditions set out in the Order Sheet by giving 30 days notice before the lapse of a Payment Term. If the request to cancel the Services is received before an upcoming Auto-Renewal date, the Services will be offered until the end of the Term.

    4. Effects of Termination. If the Agreement terminates:

      1. except as set forth in this Section, the rights and licenses granted by Binderr to Customer will cease immediately;

      2. Binderr will delete any End User Accounts and Stored Data in Customer’s account.

  11. Indemnification.

    1. By Customer. Customer will indemnify, defend and hold Binderr harmless from and against all liabilities, damages, and costs (including settlement costs and reasonable lawyer fees) arising out of any Claim against Binderr and its Affiliates regarding:

      1. Customer Data;

      2. Customer’s or Customer’s End Users’ use of the Services in violation of the Agreement.

  12. Disclaimers and Limitations.

    1. General. THE SERVICES, SOFTWARE, AND ANY RELATED DOCUMENTATION ARE PROVIDED “AS IS” AND ON AN “AS AVAILABLE” BASIS. TO THE FULLEST EXTENT PERMITTED BY LAW, EXCEPT AS EXPRESSLY STATED IN THE AGREEMENT, BINDERR AND ITS AFFILIATES, SUPPLIERS, AND DISTRIBUTORS MAKE NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR USE, OR NON-INFRINGEMENT. BINDERR MAKES NO REPRESENTATION, WARRANTY OR GUARANTEE THAT SERVICES WILL MEET CUSTOMER’S REQUIREMENTS OR EXPECTATIONS, THAT CUSTOMER DATA WILL BE ACCURATE, COMPLETE, OR PRESERVED WITHOUT LOSS, OR THAT THE SERVICES WILL BE TIMELY, UNINTERRUPTED OR ERROR-FREE. BINDERR WILL NOT BE RESPONSIBLE OR LIABLE IN ANY MANNER FOR ANY CUSTOMER PROPERTIES, CUSTOMER DATA, THIRD-PARTY PRODUCTS, THIRD-PARTY CONTENT, OR NON-BINDERR SERVICES (INCLUDING FOR ANY DELAYS, INTERRUPTIONS, TRANSMISSION ERRORS, SECURITY FAILURES, AND OTHER PROBLEMS CAUSED BY THESE ITEMS). CUSTOMER IS RESPONSIBLE FOR USING THE SERVICES OR SOFTWARE IN ACCORDANCE WITH THE TERMS SET FORTH HEREIN AND BACKING UP ANY STORED DATA ON THE SERVICES.

    2. Limitation of Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, BINDERR AND ITS AFFILIATES, SUPPLIERS, AND DISTRIBUTORS WILL NOT BE LIABLE UNDER THE AGREEMENT FOR (I) INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR (II) LOSS OF USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. TO THE FULLEST EXTENT PERMITTED BY LAW, BINDERR’S AGGREGATE LIABILITY UNDER THE AGREEMENT WILL NOT EXCEED THE AMOUNT PAID BY CUSTOMER TO BINDERR HEREUNDER DURING THE SIX MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.

  13. Miscellaneous.

    1. Governing Law. This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of Malta.

    2. Jurisdiction. Any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or invalidity thereof, shall be settled by arbitration in accordance with Part IV (Domestic Arbitration) of the Malta Arbitration Act, 1996 and the Arbitration Rules of the Malta Arbitration Centre as at present in force. The number of arbitrators shall be one.

    3. Severability. If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this Agreement.

    4. Notices. Any notice or other communication given to a party under or in connection with this Agreement or its Schedules shall be in writing. Writing includes email.

    5. Electronic Signature. This Agreement may be electronically signed.

    6. Assignment. Customer may not assign or transfer the Agreement or any rights or obligations under the Agreement except that Customer may assign the Agreement to the surviving entity in connection with a merger, acquisition, or sale of all or substantially all of its assets by providing written notice to Binderr.

    7. No Agency relationship. Binderr and Customer are independent contractors.

    8. Subcontracting. Customer consents to Binderr's appointment of Subcontractors, including Sub-processors, to perform the Services. Binderr will remain liable for all acts or omissions of its Subcontractors or Sub-processors, and for any subcontracted obligations.

    9. Force Majeure. Except for payment obligations, neither Binderr nor Customer will be liable for inadequate performance to the extent caused by a condition that was beyond the Party's reasonable control (for example, natural disaster, act of war or terrorism, riot, labor condition, governmental action, and Internet disturbance).

Appendix 1 - Service-Specific Terms.

  1. Automations. An “Automation” is the combination of tasks initiated by the End User to create a form that is to be completed by the End User or by other End Users or external recipients and executed via Qualified Electronic Signature. Binderr does not warrant that an Automation is fit for any specific purpose and will not be held liable for any claims that such an Automation did not comply with any mandated purpose including any purpose that may be mandated by any authority or entity other than Binderr itself. Automations are all additionally subject to the Third-Party Terms identified below.

  2. Limits. Ad-hocs are subject to Third-Party Terms referenced below which include usage limits.

  3. Electronic signature responsibilities. Customer acknowledges and agrees that:

    1. as between Binderr and Customer, Customer has exclusive control and responsibility for the content of all Customer Data, including any documents used with the Services;

    2. certain types of documents, agreements, or contracts may be excluded from general electronic signature laws (such as wills, trusts, court orders, or family law matters), or may have specific regulations that are applicable to them;

    3. Customer is solely responsible for ensuring that the documents, agreements or contracts it uses with the Services are appropriate for electronic signatures, and Binderr is not responsible or liable for any such determination or use; and

    4. consumer protection laws or regulations may impose specific requirements for electronic transactions involving consumers. Customer is solely responsible for ensuring it complies with all such laws/regulations and Binderr has no obligations to make such determination or assist with fulfilling any requirements therein.

  4. Migration Assistance. Binderr offers data migration assistance upon request. This will be subject to a separate addendum.

  5. Third-Party Terms. The Third-Party Terms apply to all Automations and Ad-hocs. The Customer warrants to have read these Third-Party Terms and is bound by them in addition to this Agreement.

    1. DocuSign Terms: https://www.docusign.com/legal/terms-and-conditions

    2. AWS Terms: https://aws.amazon.com/service-terms

Appendix 2 - Data Processing Agreement

Agreement entered into on the Effective Date whose provisions come into effect fully on the date of the electronic signature by both Parties identified below, between:

PARTIES

Customer (hereinafter the “Data Controller”)

and

Binderr Operations Limited (hereinafter referred to as the “Data Processor” or “Processor”)

The Data Controller and the Data Processor are individually referred to as a “Party” and collectively referred to as the “Parties”.

BACKGROUND

Whereas:

  1. The Data Processor provides Services to the Data Controller as part of their contractual relationship regulated by the Binderr Services Agreement, (hereinafter referred to as the ‘BSA’) which currently governs their relationship including that related to the protection and management of data.

  2. In providing the Services, the Data Processor may collect, use or otherwise process Personal Data sourced from the Data Controller within the meaning of Data Protection Laws.

  3. The Parties are aware that Regulation (EU) 2016/679 of the European Parliament and of the Council of the 27th of April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation), hereinafter referred to as GDPR, is the new global bar for privacy rights, security and compliance, entering into force on May 25 2018.

  4. The Parties agree to enter into this Data Processing Agreement, hereinafter referred to as the DPA, which regulates the data protection obligations of the Parties when processing the Personal Data and governs the relationship between the Parties in respect of the processing of Personal Data, and this in order to ensure compliance with the GDPR and other applicable law.

  5. The conditions contained within this DPA supplement any BSA in respect of the aspects related to the processing of data and supersede any provisions of the Principal Agreement in the event of a conflict.

  6. Any terms not defined in this DPA shall have the meaning set forth in the BSA.

NOW THEREFORE BOTH PARTIES AGREE AS FOLLOWS:

  1. DEFINITIONS

    1. The following definitions and rules of interpretation apply within this agreement:

      1. Anonymous Data​ means Personal Data that has been processed in such a manner that it can no longer be attributed to an identified or identifiable natural person.

      2. Authorized Employees” means an Authorized Employee or contractor of either Party, regardless of where they are located worldwide, who has a need to know or otherwise access Personal Data to enable them to perform their obligations under this DPA or the BSA.

      3. The terms “ Data Controller”, “ Data Subject”, “ Personal Data Breach”, “ Data Processor”, “ Consent”, “ Third Party” shall, from the 25 th May 2018 onwards, have the same meaning given to these terms in the GDPR.

      4. Data Protection Officer” means theperson nominated from time to time tohold the responsibility within Data Processor related to the protection of data, where applicable.

      5. EEA” means, for the purposes of this DPA, the European Economic Area and Switzerland.

      6. Effective Date” means the effective date of this Data Processing Agreement shall be the date at which this Agreement has been accepted by both Parties, whichever is the earlier.

      7. Instruction​” means a direction or request for action, either in writing, in textual form (e.g. by e-mail) or by using a software or online tool, issued by the Data Controller to the Data Processor and directing the Data Processor to perform an action with regard to Personal Data, including but not limited to the correction, blocking and deletion of Personal Data, which instruction may thereafter be amended, supplemented or replaced by the Data Controller by separate written or text form instruction.

      8. “Legitimate Business Interest” means a reason that enables the Processing of Personal Data which is necessary for the performance of a contract or provision of an agreed Service.

      9. "Services" means any product or service provided by the Data Processor to the Data Controller pursuant to the BSA.

      10. “Special Categories of Personal Data” mean Personal Data which reveals:

        1. Racial or ethnic origin;

        2. Political opinions;

        3. Religious

        4. Philosophical beliefs

        5. Trade union membership;

        6. Genetic data;

        7. Biometric data;

        8. Data concerning Health;

        9. Data concerning Sex Life;

        10. Data concerning Sexual Orientation.

      11. “Standard Contractual Clauses” means the standard contractual clauses set forth in EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as may be amended or superseded from time to time;

      12. "Sub-processor" means any person (including any third party but excluding an employee of the Data Processor) engaged by the Data Processor to assist in fulfilling its obligations with respect to its obligations pursuant to this DPA.

      13. “Supervisory Authority” shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction in which the Personal Data subject to this DPA agreement is held.

      14. “Technical and Organisational Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, such measures being appropriate to the risks involved.

      15. “Third Party” means an individual or corporate entity other than the Parties.

    2. This DPA covers all Affiliates of the respective Party.

    3. References to clauses and schedules are to the clauses and schedules of this DPA; references to paragraphs are to paragraphs of the relevant schedule to this DPA.

    4. The headings given to any Clause, schedule or paragraph shall not affect the interpretation of this DPA.

    5. A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person's legal and personal representatives, successors or permitted assigns.

    6. A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

    7. Words in the singular shall include the plural and vice versa.

    8. A reference to one gender shall include a reference to the other genders.

    9. The word "include" shall be construed to mean include without limitation.

    10. A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment and includes any subordinate legislation for the time being in force made under it.

    11. A reference to writing or written shall be in the form of either a letter or e-mail.

    12. The language of this Agreement shall be the English language and for the purposes of interpretation, the provisions as they are stated in English shall be those which are considered binding.

  2. TERM

    1. This DPA shall commence on the Effective Date and shall continue throughout the entire duration of any applicable, valid agreement covering the provision of Services which is still in force between the Data Controller and the Data Processor.

    2. Except for the changes made by this DPA, the BSA remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

  3. TYPE AND PURPOSE OF USE OF DATA

    1. The Data Processor agrees to Process the Personal Data held by the Data Controller only on documented instructions of the Data Controller, as set out within the BSA, unless required to do so by European Union or Maltese law to which the Data Processor is subject. In this case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.

    2. The Data Processor shall immediately inform the Data Controller if, in the Data Processor’s opinion, instructions given by the Data Controller infringe applicable European Union or Maltese legal data protection provisions.

    3. The Data Processor may process the following type of Personal Data for the following purposes:

      | Category of Data | Category of Data Subjects | Purpose |
      |---|---|---|
      | The contact data of the Data Controller’s employees including but not limited to contact names, work addresses, phone numbers, e-mail addresses, and billing details. | Data Controller’s Employees | To administer Data Processor’s relationship with the Data Client in the provision of the Services including administrative, financial, licensing, billing, consulting, communicating, marketing, including sign-up registration in pursuit of its contractual obligations in respect of its Legitimate Business Interests. This data will be stored for (X) |
      | The contact data of the Data Controller’s clients’ officers and shareholders, as per data found on business registries, including but not limited to contact names, work addresses, phone numbers, e-mail addresses, and billing details. | Data Controller’s Clients’ Officers | To be able to prepare the necessary corporate documentation as part of the Corporate Actions, and any other Services ordered by and provided to the Data Controller through the CSP Tool. |
      | General Personal Data (full name, gender, address, email address, personal identification code or number, date of birth, legal capacity, nationality and citizenship). | Individuals which Data Controller engages the Data Processor to screen. | AML and KYC screening in the performance of the obligations under the Agreement. |
      | ID document data (document type, issuing country, address, ID number, expiry date, information embedded into document such as barcodes or QR codes (may vary depending on the document)). | Individuals which Data Controller engages the Data Processor to screen. | AML and KYC screening in the performance of the obligations under the Agreement. |
      | Facial Image data (photos of face including selfie images and photo or scan of face on the ID document), Biometric data (numeric facial features). | Individuals which Data Controller engages the Data Processor to screen. | Source of Funds and Wealth Checks in the performance of the obligations under the Agreement. |
      | General Personal Data (full name, gender, personal identification code or number, date of birth, legal capacity, nationality and citizenship); Data extracted from documents provided as proof of source of funds/wealth | Individuals which Data Controller engages the Data Processor to screen. | AML and KYC screening in the performance of the obligations under the Agreement. |
      | Corporate [company] documents, containing information about name, position, share owning of a particular person considered as shareholder. | Individuals which Data Controller engages the Data Processor to screen. | Determination of ultimate beneficial ownership and shareholder AML and KYC screening in the performance of the obligations under the Agreement. |

    4. The Data Controller agrees that the Data Processor’s Authorised Employees shall be granted access by the Data Controller to such Personal Data in the course of the provision of the Services and, in so doing take on the role of persons acting under the authority of the Data Processor.

    5. Personal Data shall only be processed for the purposes listed in this DPA and shall not be further processed in a manner that is incompatible with those purposes.

  4. PROCESSING OF PERSONAL DATA

    1. The Data Controller is solely responsible for the accuracy, quality and legality of:

      1. the Personal Data provided to the Data Processor by or on behalf of the Data Controller,

      2. the means by which the Data Controller has acquired any such Personal Data, and

      3. the Instructions it provides to the Data Processor regarding the Processing of such Personal Data.

    2. The Data Controller shall not provide or make available to Processor any Personal Data in violation of the DPA or otherwise inappropriate for the nature of the Services, and shall indemnify Processor from all claims and losses in connection therewith.

  5. DATA RETENTION

    1. Personal Data will be retained by the Data Processor in accordance with the Data Retention Policy of the Data Processor applicable at the time, a copy of which can be made available to the Controller, upon request.

    2. The Data Processor shall hold the Controller’s Personal Data only as long as is necessary to provide the Services, including administration, accounting, marketing and reporting in the context of a Legitimate Business Interest, and subject to:

      1. the rights of a Data Subject in terms of the Data Protection Law, such as requests for data access or deletion;

      2. any legal requirement for data retention as specified in any other law of the Republic of Malta;

      3. a request by an authorised Governmental or regulatory authority for an additional retention period.

  6. DATA CONTROLLER’S OBLIGATIONS & RIGHTS

    1. The Data Controller shall be responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The Data Controller shall ensure in its area of responsibility that the necessary legal requirements are met so that the Processor can provide the agreed services in a way that does not violate any legal regulations.

    2. In case the Data Controller intends to conduct (or mandate a third party to conduct) an audit at Processor’s working premises, the Data Controller shall give reasonable notice of at least two (2) working days to Processor. The time and duration of the audit shall be agreed to by both Parties. The results of the audit shall be recorded by both Parties in writing.

  7. DATA PROCESSOR’S OBLIGATIONS

    1. In fulfilling its obligations, the Data Processor shall:

      1. Ensure that persons authorised to Process the Personal Data (including but not limited to the Data Processor’s Authorised Employees) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that the said confidentiality obligations are effectively implemented and enforced;

      2. Not engage any Sub-Processors to perform any processing of Personal Data, except for the current Sub-Processors listed in the Schedule A to this DPA, without informing the Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Controller the opportunity to object and terminate their Service;

      3. Where the Data Processor engages a Sub-Processor for carrying out specific processing activities on behalf of the Controller, it shall do so by way of a contract which imposes on the Sub-Processor the same data protection obligations set out in this DPA;

      4. Where that Sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that Sub-processor's obligations and for any breach of this DPA, and shall notify the Data Controller of any failure by the Sub-Processor to fulfil its contractual obligations;

      5. Assist the Data Controller, by way of appropriate Technical and Organisational Measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR, taking into account the nature of the processing;

      6. Inform the Data Controller of any Personal Data Breach (including any suspected Personal Data Breach) that the Data Processor becomes aware of, irrespective of whether or not the Personal Data Breach was caused directly or indirectly by the Data Processor;

      7. At the choice of the Data Controller, delete or return all the Personal Data to the Controller after the end of the provision of services relating to processing in terms of the DPA, and delete existing copies unless EU or Maltese law requires storage of the Personal Data;

      8. Make available to the Data Controller all reasonable information necessary to demonstrate compliance with the obligations laid down in this DPA;

      9. Carry out regular tests and self-audits ensuring that the processing of the Data Controller’s Personal Data conforms with the provisions of this DPA;

      10. Allow for and contribute to reasonable audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller for the purpose of and to the extent required for verifying whether the Data Processor complies with Data Protection Laws and the contractually agreed measures in this DPA;

      11. Inform the Data Controller, as soon as possible, in text form (including by e-mail) of any requests from any third parties (including the concerned Data Subjects or from a Supervisory Authority) in any way relating to the Data Controller’s Personal Data. In case the Data Processor receives any Data Subject access requests and/or any other claims on the basis of any rights under Data Protection Law in connection with the Personal Data covered by this DPA, the Data Processor shall refer the concerned data subject directly to the Controller.

  8. SUB-PROCESSORS

    1. The Data Controller acknowledges, agrees and is hereby providing a general written authorisation allowing the Processor to engage Sub-Processors to access and Process Personal Data in connection with the Services and solely on the instructions of the Data Processor in line with Article 28 GDPR.

    2. A list of the Data Processor’s current Sub-Processors is listed in Schedule A of this DPA.

    3. In line with the same Article 28, GDPR, at least ten (10) days before instructing any Third Party, other than the current Sub-Processors, to access or participate in the Processing of Personal Data as Sub-Processors, the Data Processor will notify the Data Controller of such a change and:

      1. Should the Data Controller object, Data Processor warrants to allow the Controller to terminate its use of the Services without loss as long as this is done within ten (10) days of receipt by Controller of the aforementioned notice;

      2. Termination shall not relieve Data Controller of any fees previously owed to Data Processor under the BSA or any other Agreement signed between the Parties.

      3. If the Data Controller does not object to the engagement of a Sub-Processor in accordance with this Section of the DPA within ten (10) days of notice by the Data Processor, such Third Party will be deemed a Sub-Processor for the purposes of this DPA.

    4. In any case, the objection by the Data Controller to the engagement of a potential Sub-Processor shall be based on reasonable grounds relating to data protection.

    5. The Data Processor shall, through implementation of a contract with the Sub-Processor, ensure that every Sub-Processor is subject to obligations regarding the Processing of Personal Data that are equal to, and no less onerous than, those to which the Data Processor is subject under this DPA.

    6. At the Data Controller’s request, the Data Processor shall provide a copy of the agreement in place with the Sub-Processor and any subsequent amendments to the Data Controller. To the extent necessary to protect business secrets or other confidential information, including personal data, the Data Processor may redact the text of the agreement prior to sharing the copy of the same.

    7. The Data Processor shall agree a third party beneficiary clause within the agreement with the Sub-Processor whereby – in the event that the Data Processor has factually disappeared, ceased to exist in law or has become insolvent – the Data Controller shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the Personal Data.

  9. RIGHTS OF DATA SUBJECTS

    1. The Parties recognize and acknowledge the rights of Data Subjects to their Personal Data as defined within Data Protection Law including rights of access, rectification, restriction of Processing, erasure, data portability, restriction or cessation of Processing, withdrawal of consent to Processing, and/or objection (such requests individually and collectively “Data Subject Request(s)”).

    2. The Data Processor shall, to the extent permitted by law, promptly notify the Controller upon receipt of a request by a Data Subject to exercise any of these Data Subject’s rights.

    3. The Data Processor shall, at the request of the Controller, and taking into account the nature of the Processing applicable to any Data Subject request, apply appropriate Technical and Organisational Measures to assist the Controller in complying with the Controller’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that:

      1. The Controller is itself unable to respond without the Data Processor’s assistance and

      2. The Data Processor is able to do so in accordance with all applicable laws, rules, and regulations.

  10. TRANSFERRING DATA OUTSIDE THE EEA

    1. The Data Processor is located within the European Economic Area (EEA), and shall endeavour to process the Data Controller’s Personal Data within the EEA. The Data Controller however authorises the storage of Personal Data to locations outside of the EEA. The relevant storage locations relevant to the data processing operation are set out within Schedule B to this DPA.

    2. Where the Personal Data is processed by the Data Processor and/or Sub-Processors in a manner which constitutes a transfer in accordance with the terms of the GDPR, the Data Processor shall ensure that such transfer of data to a third country or an international organisation shall be done only on the basis of documented instructions from the Data Controller or in order to fulfil a specific requirement under EU or Maltese law to which the Data Processor is subject.

    3. The Data Controller agrees that where the Data Processor engages a Sub-Processor in accordance with Clause 8, for carrying out specific processing activities on behalf of the Data Controller, and those processing activities involve a transfer of Personal Data outside of the EEA, the Data Processor and Sub-Processor shall ensure compliance with the provisions of the GDPR by using Standard Contractual Clauses, provided the conditions for the use of those Standard Contractual Clauses are met.

    4. Where the Data Processor effects a data transfer outside the EEA in accordance with Clause 10.2, the Data Processor binds itself that this Personal Data will be stored and processed in conformity with Data Protection Laws and that all appropriate Technical and Organisational Measures are taken by the Data Processor and its Sub-Processors, if any, to ensure that data protection obligations at least as onerous as those set out in this DPA shall be imposed on that Sub-Processor.

  11. THIRD PARTY REQUESTS FOR DISCLOSURE OF PERSONAL DATA

    1. Unless prohibited by applicable law, the Data Processor shall promptly notify the Data Controller of:

      1. Any request for the transfer of Personal Data covered by the DPA, by any governmental, regulatory or Supervisory Authority;

      2. Any request for access received directly from a Third Party;

      3. Any requirement by law, court order, warrant, subpoena, or other legal judicial process to disclose any Personal Data to any person or entity other than the Controller.

    2. The Data Processor shall provide all reasonable assistance to the Data Controller, to enable the Data Controller to respond, object or challenge any such demands, inquiries, communications, requests or complaints and to meet applicable statutory or regulatory deadlines.

  12. SECURITY

    1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate Technical and Organisational Measures to protect any Personal Data that may be processed on behalf of the Data Controller against accidental destruction or loss or unlawful forms of processing, which Measures are listed in Schedule C of this DPA.

    2. The Data Controller is responsible for reviewing the information made available by the Data Processor relating to data security and making an independent determination as to whether the Measures meet the Data Controller’s requirements and legal obligations under Data Protection Laws. The Data Controller acknowledges that the Technical and Organisational Measures are subject to technical progress and development and that the Data Processor may update or modify the Technical and Organisational Measures it has in place provided that such updates and modifications do not result in the degradation of the overall security of the Services.

    3. The Data Processor shall keep the Data Controller’s Personal Data logically separate to Personal Data Processed on behalf of any other Third Party or its own behalf.

  13. RELIABILITY OF PERSONNEL

    1. The Parties shall take all reasonable steps to ensure the reliability of any Authorized Employees and staff of Sub-Processors who may have access to the Data Controller’s Personal Data, ensuring in each case that access is limited to those individuals who need to know and to access the relevant Personal Data, as necessary for the purposes of the BSA.

    2. The Data Processor shall ensure that all Authorized Employees and Sub-Processors are made aware of the confidential nature of the Personal Data and have executed confidentiality agreements that prevent them from disclosing or otherwise Processing, both during and after their engagement with the Data Processor, any Personal Data except in accordance with their obligations in connection with the Services and as may be enforced by relevant laws.

  14. PERSONAL DATA BREACH AND NOTIFICATION

    1. In the event of a Personal Data Breach, the Data Processor shall cooperate with and assist the Data Controller for the Data Controller to comply with its obligations as arising under the GDPR.

    2. In the event of a Personal Data Breach concerning Personal Data processed by the Data Controller, the Data Controller shall agree to inform the Data Processor in writing upon it becoming aware of any Personal Data Breach within 72 hours, and the Data Processor shall assist the Data Controller in notifying the Personal Data Breach to the relevant Supervisory Authority.

    3. In the event of a Personal Data Breach concerning Personal Data processed by the Data Processor, the Data Processor shall without undue delay inform the Controller in writing upon it or any Sub-Processor becoming aware of any Personal Data Breach.

    4. The notification as considered in Clause 14.3 shall include:

      1. a detailed description of the Personal Data Breach;

      2. the type of data that was the subject of the Personal Data Breach;

      3. the identity of each affected person (or, where not possible, the approximate number of Data Subjects and of Personal Data records concerned);

      4. the name and contact details of the Data Processor’s Data Protection Officer, where applicable, or other point of contact where more information can be obtained;

      5. a description of the likely consequences of the Personal Data Breach;

      6. a description of the measures taken or proposed to be taken by the Data Processor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

    5. The Data Processor agrees to provide the Controller with any and all information reasonably necessary for the compliance with the Controller’s own obligations pursuant to the GDPR.

    6. The Data Processor agrees to co-operate with the Controller or their representatives and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

    7. The Parties shall not release or publish any filing, communication, notice, press release, or report concerning any Personal Data Breach without the other Party’s written approval.

  15. MODIFICATIONS & NOTICES

    1. Notices sent in pursuit of this DPA are to be effected in writing, sent to the official place of business of the Party concerned or to its then current registered office address, or via email addressed to the principal contact of record for the Controller.

    2. The Parties undertake to keep each other informed of any change in the contact details of the person to whom notices are to be sent.

  16. NON-COMPLIANCE & TERMINATION

    1. In the event that the Data Processor is in breach of its obligations under this DPA, the Data Controller may instruct the Data Processor to suspend the processing of the Personal Data until the latter complies with the Clauses of this DPA or the DPA is terminated. The Data Processor shall promptly inform the Data Controller in case it is unable to comply with the Clauses of this DPA, for whatever reason.

    2. The Data Controller shall be entitled to terminate the DPA insofar as it concerns the processing of personal data in accordance with these Clauses if:

    3. The processing of Personal Data by the Data Processor has been suspended by the Data Controller pursuant to Clause 16.1. and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;

    4. The Data Processor is in substantial or persistent breach of these Clauses or its obligations under the GDPR;

    5. The Data Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or the GDPR.

    6. The Data Processor shall be entitled to terminate the DPA insofar as it concerns processing of personal data under these Clauses where, after having informed the Data Controller that its instructions infringe applicable legal requirements in accordance with Clause 3.2, the Data Controller insists on compliance with the instructions.

    7. On termination of the Services or termination of the DPA in accordance with Clause 16, the Data Processor shall:

      1. Upon the Data Controller’s request, furnish the Data Controller with all of the Data Controller’s Personal Data under its control in a format previously agreed by the Parties which is appropriate to facilitate its use by the Data Controller;

      2. Subject to the then applicable data retention policy, securely delete any of the Data Controller’s Personal Data in its possession.

  17. FORCE MAJEURE

    1. The Parties shall have no liability to each other under this DPA if they are prevented from or delayed in performing their obligations under this Agreement, or from carrying on their business, by acts, events, omissions or accidents beyond their reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes, failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, compliance with any law or governmental order, rule, regulation or direction, accident, breakdown of plant or machinery, fire, flood, storm or default of suppliers or subcontractors, provided that the other Party is notified of such an event and its expected duration.

  18. WAIVER

    1. A waiver of any right under this DPA is only effective if it is in writing and it applies only to the Party to whom the waiver is addressed and to the circumstances for which it is given.

    2. Unless specifically provided otherwise, rights arising under this DPA are cumulative and do not exclude rights provided by law.

  19. SEVERANCE

    1. If any provision (or part of a provision) of this DPA is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

    2. If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the Parties.

  20. GOVERNING LAW, JURISDICTION AND DISPUTE RESOLUTION

    1. This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the laws of the Republic of Malta.

    2. Both Parties agree that any dispute, controversy or claim arising out of or relating to this DPA, or the breach, termination or invalidity thereof, shall be settled by arbitration in accordance with the rules of the Malta Arbitration Centre in force at the time of the dispute. It is also agreed that:

      1. the appointing authority and administrator shall be the Malta Arbitration Centre;

      2. the number of arbitrators shall be one;

      3. the place of arbitration shall be Malta;

      4. the applicable substantive law shall be the laws of Malta.

SCHEDULE A

  1. SUB-PROCESSORS

    The table below defines a list of Sub-Processors and the location of the data related to these services.

Name

Contact Person & Address

Nature of Services Sub-Contracted

Location of Hosting

List of the Sub-Processor’s authorised Sub-Processors

Amazon Web Services

AMAZON WEB SERVICES EMEA SOCIÉTÉ À RESPONSABILITÉ LIMITÉE
38 AVENUE JOHN F. KENNEDY, L-1855 LUXEMBOURG

data storage, database hosting, container hosting, logging services, load balancers

Germany

https://aws.amazon.com/compliance/sub-processors/

N.B. The entities included in this list which are sub-processors in this Agreement are only those which are related to the location of hosting stipulated herein.

DocuSign

DocuSign, Inc.

251 LITTLE FALLS DRIVE, WILMINGTON, New Castle, DE, 19808

Receiving and storage of data required for e-Signature verification and certification

Germany, France and the Netherlands.

https://www.docusign.com/trust/privacy/subprocessors-list

AND

https://assets.ctfassets.net/3fcisxc3a6xz/6LQVYGx40gOd9myhgDcUqV/3ddbd0186f1aa6824b1825f4812d6d8b/DocuSign_Services_Subprocessor_List__current_2023.10.13__-_Google_Docs.pdf

Sum and Substance Ltd

30 St. Mary Axe, London, England, EC3A 8BF

Contact person: hello@sumsub.com

Receiving and storage of data required for AML/KYC identity verification purposes.

Germany.

IVXS UK Limited trading as ComplyAdvantage.

Comply

Advantage

IVXS Technology Romania SRL

34-36 Somesului Street
Cluj-Napoca
Romania
400145

Receiving and storage of data required for AML screening and watchlist.

Germany.

IVXS Technology Romania SRL

SCHEDULE B

STORAGE LOCATIONS OUTSIDE EEA

The table below defines a list of Categories of Personal Data and the location of the data related to these categories of Personal Data.

| Categories of Personal Data | Location of Storage |
|---|---|
| N/A | N/A |

SCHEDULE C

  1. TECHNICAL & ORGANISATIONAL MEASURES

The table below defines a list of Categories of Personal Data and the technical and organisational measures applied to that category of Personal Data.

Category of Personal Data

External - Identifying

Technical and Organisational Measures:

Measures of pseudonymisation and encryption of personal data

All of our data is encrypted in transit and when stored. Pseudonymisation is done if we need to store the client's data when they request us to delete their account. Since we don't really need their data at that point, we would delete it all. If there are traces left in logging systems, the data is pseudonymised. Logging has a retention time of a few months; after that, the pseudonymised data is deleted as well.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

We use a highly available, state-of-the-art system, Kubernetes, which guarantees high uptime. HTTPS/SSL guarantees that the Binderr server is secure and guarantees integrity.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

We use AWS RDS which creates and saves automated backups of your DB instance during the backup window of your DB instance. RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. If necessary, you can recover your database to any point in time during the backup retention period.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

We follow regular sprints, and every feature developed is peer-reviewed, tested automatically and tested by a manual tester.

Measures for user identification and authorisation

Users are free to create their account and invite their team members using the email address they provide. We use JSON Web Tokens, an open, industry-standard (RFC 7519) method for representing claims securely between two parties.

Measures for the protection of data during transmission

We use HTTPS for communication between the client and the server. Internal server-to-server data stays inside a private VPC.

Measures for the protection of data during storage

Amazon RDS encrypts your Amazon RDS DB instances. Data that is encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots.

Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts Amazon RDS DB instances.

Measures for ensuring physical security of locations at which personal data are processed

AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides us with services that we can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS compliance programs.

Measures for ensuring events logging

We use self-hosted internal logging to which only selected personnel have access.

Measures for ensuring system configuration, including default configuration

We use Terraform scripts to configure our system. Terraform configurations and state are encrypted at rest with uniquely derived encryption keys backed by Vault.

Measures for internal IT and IT security governance and management

Only a select few have access to the data, source code and system passwords.

Measures for certification/assurance of processes and products

Since we use AWS as our underlying structure, we are certified through them.

Measures for ensuring data minimisation

Database tables keep user personal data and other data in separate tables and can only be connected with a unique identifier.

Measures for ensuring data quality

Users are responsible for ensuring that the data they enter is correct. Data quality in the Binderr app is guaranteed by automated tests, manual tests and peer-reviewed code.

Measures for ensuring limited data retention

Our logging service has a set data retention time of 30 days. Data that is needed for the client is kept until the client deletes it or asks for it to be deleted.

Measures for ensuring accountability

AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

Binderr is responsible for ensuring that its development processes follow the industry standard and that only a select few have access to required components.

Measures for allowing data portability and ensuring erasure

When required, Binderr offers to export the user's data and delete the data.



Binderr Platform KYC/AML Addendum

This Binderr Platform KYC/AML Addendum (the "Addendum") is between Binderr Operations Limited, a limited liability company registered in Malta with company registration number C-107515 with their main office situated at C1, Midland Micro Enterprise Park, Triq Burmarrad, Naxxar, NXR 6345, Malta (“Binderr”) and the organisation agreeing to these terms ("Customer"). Binderr and the Customer are each referred to as a “Party” and collectively as the “Parties.” This Addendum is an extension to the Services as defined and as provided under the BSA, the Binderr Services Agreement, which is considered as the master agreement in effect between the parties.

Service Description. Binderr Platform KYC/AML is a service offered by Binderr to allow you to purchase extra KYC and AML functions directly from within the Binderr Platform. The scope of the service covers various KYC and AML screening tools made available for purchase as listed in the Order Sheet which can be utilized within the Binderr Platform, hereinafter the “KYC/AML Services”.

In the event of inconsistencies between these terms and the BSA, these terms will prevail solely in relation to the performance of the KYC/AML Services.

  1. Binderr relies on a sub-contractor (hereinafter the “Service Provider”) to provide the KYC/AML Services to you.

  2. The Service Provider requires that any employee and/or other third party associated with Us who is performing any part of the KYC/AML Services does so only on the basis of a written contract which includes terms equivalent to those imposed by the Service Provider on Us.

  3. All capitalized terms used in these terms, unless otherwise defined herein, have the meaning as defined in the relevant Data Protection Laws.

  4. As regards any Personal Data which may be part of the KYC/AML Services, once associated, You are Data Controller of that Personal Data for Your own purposes and Binderr is a Data Processor based on its contractual relationship with You. The terms set-out in the BSA concerning Data Protection shall also apply here and the DPA set-out in the BSA also foresees the processing of Personal Data to provide the KYC/AML Services.

  5. The Service Provider shall be entitled to audit your usage of the KYC/AML Services. Should the Service Provider reasonably believe that such usage poses a threat to confidentiality, Intellectual Property Rights, data privacy and/or security, it reserves the right to suspend or terminate, at its own discretion, all access to the System/Software/Services and we shall in turn terminate your access to the KYC/AML Services, regardless of payment status or pending progress.

  6. Confidential Information

    1. If you are a Recipient of any Confidential Information you shall: (a) maintain all Confidential Information in strict and absolute confidence and refrain from any disclosure and/or publication and/or description and/or communication of Confidential Information, in whole or in part, to any third party whatsoever; (b) take all necessary precautions to keep Confidential Information confidential and apply the same security measures and degree of care to Confidential Information as the Recipient applies to its own confidential information; (c) inform the Discloser of any damage to or accidental loss of Confidential Information, including transfer to or use by unauthorized persons immediately; (d) not reverse engineer, de-compile or disassemble Confidential Information.

    2. The Recipient shall not: (a) use the Confidential Information in order to build a product or service which competes with the Services; (b) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of Confidential Information (as applicable) in any form or media or by any means to any individual or entity; or (c) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of Confidential Information. Any breach of this clause will be deemed to be a material breach.

    3. The Recipient shall not be prevented from disclosing Confidential Information to employees and/or professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep confidentiality no less restrictive than those contained herein. The Recipient will ensure that those people and entities: (a) use such Confidential Information only to exercise rights and fulfil obligations under this Addendum; and (b) keep such Confidential Information confidential. The Recipient shall remain liable for any act or omission by its employees and/or professional advisors.

    4. The Recipient may also disclose Confidential Information when required by law after giving reasonable notice to the Discloser, such notice to be sufficient to give the Discloser the opportunity to seek confidential treatment, a protective order or similar remedies or relief prior to disclosure.

    5. Confidential Information means information disclosed by (or on behalf of) one party (the “Discloser”) to the other party (the “Recipient”) in connection with or in anticipation of this Addendum (including the content of this Addendum and the KYC/AML Services itself) that is marked as confidential or, from its nature, content or the circumstances in which it is disclosed, might reasonably be supposed to be confidential. It does not include information (i) that the Recipient already knew, (ii) that becomes public through no fault of the Recipient, (iii) that was independently developed by the Recipient or (iv) that was lawfully given to the Recipient by a third party.

  7. If so requested by the Discloser at any time by written notice to the Recipient, the Recipient shall promptly: (a) destroy or return to the Discloser all documents and materials (and any copies thereof) containing, reflecting, incorporating or based on the Discloser's Confidential Information; (b) erase all Confidential Information from its own computer and communications systems, devices and other means of electronic storage; (c) erase all Confidential Information stored in electronic form in systems and data storage services owned by third parties; and (d) certify in writing to the Discloser that it has complied with the requirements of this clause.

  8. YOUR USE OF THE KYC/AML SERVICES IS ENTIRELY AT YOUR OWN RISK. EXCEPT AS DESCRIBED IN THESE TERMS, THE KYC/AML SERVICES ARE PROVIDED "AS IS." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, BINDERR, ITS AFFILIATES, AND ITS THIRD PARTY PROVIDERS, LICENSORS, DISTRIBUTORS OR SUPPLIERS (COLLECTIVELY, "SUPPLIERS") DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTY THAT THE SERVICES ARE FIT FOR A PARTICULAR PURPOSE, TITLE, MERCHANTABILITY, DATA LOSS, NON-INTERFERENCE WITH OR NON-INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHTS, OR THE ACCURACY, RELIABILITY, QUALITY OR CONTENT IN OR LINKED TO THE SERVICES. BINDERR AND ITS AFFILIATES AND SUPPLIERS DO NOT WARRANT THAT THE SERVICES ARE SECURE, FREE FROM BUGS, VIRUSES, INTERRUPTION, ERRORS, THEFT OR DESTRUCTION.

  9. BINDERR, ITS AFFILIATES AND SUPPLIERS DISCLAIM ANY REPRESENTATIONS OR WARRANTIES THAT THE RENDERING OF THE SERVICES TO YOU, OR THE RESULTS THEREFROM WILL SATISFY OR ENSURE COMPLIANCE WITH ANY LEGAL OBLIGATIONS OR LAWS OR REGULATIONS.

  10. Limitation of Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, BINDERR AND ITS AFFILIATES, SUPPLIERS, AND DISTRIBUTORS WILL NOT BE LIABLE UNDER THE ADDENDUM FOR (I) INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR (II) LOSS OF USE, DATA, BUSINESS, REVENUES, OR PROFITS (IN EACH CASE WHETHER DIRECT OR INDIRECT), EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND EVEN IF A REMEDY FAILS OF ITS ESSENTIAL PURPOSE. TO THE FULLEST EXTENT PERMITTED BY LAW, BINDERR’S AGGREGATE LIABILITY UNDER THE ADDENDUM WILL NOT EXCEED THE AMOUNT PAID BY CUSTOMER TO BINDERR HEREUNDER DURING THE THREE MONTHS PRIOR TO THE EVENT GIVING RISE TO LIABILITY.

  11. You will not own any intellectual property rights arising from or in connection with the KYC/AML Services.

    1. You acknowledge and agree that all Intellectual Property Rights in the KYC/AML Services are the property of the Service Provider or its service providers (as the case may be) and you shall have no rights in or to the KYC/AML Services other than the right to use them in accordance with the express terms of this Addendum.

    2. You also acknowledge and agree that to the extent you provide feedback or ideas to Binderr, you grant all rights in the feedback or ideas to Binderr.

  12. Any variation of the provisions of these Terms will only apply if this has been confirmed in writing by You and Binderr.