Master Subscription Agreement

THIS MASTER SUBSCRIPTION AGREEMENT (“AGREEMENT”) GOVERNS YOUR ACCESS TO AND USE OF THE PAYLOOP APPLICATION AND/OR RELATED SOFTWARE-AS-A-SERVICE (SaaS) SERVICES. THIS AGREEMENT ALSO GOVERNS YOUR PURCHASE AND ACQUISITION OF SUCH SUBSCRIPTIONS AND/OR RELATED SERVICES AND YOUR ONGOING USE OF THOSE SUBSCRIPTIONS AND THE SaaS SERVICES.

 

BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, EXECUTING THIS AGREEMENT, AND/OR BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, YOU AGREE TO THE TERMS OF THIS AGREEMENT.  

IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES.  IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT ACCESS OR USE THE SERVICES.

UNLESS OTHERWISE AGREED IN AN ORDER FORM, IF THE COMPANY OR OTHER LEGAL ENTITY ON BEHALF OF WHICH YOU ARE ENTERING INTO THIS AGREEMENT IS INCORPORATED OR FORMED UNDER THE LAWS OF THE UNITED STATES OF AMERICA.

 

You may not access the Services if You are Our direct competitor, except with Our prior written consent.  In addition, You may not access the Services for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.

 

This Agreement was last updated on October 9, 2025. It is effective between You and Us as of the date You accept this Agreement as described above.

 

1.  DEFINITIONS

"Affiliate" means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity.  "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

 

“Agreement” means this Master Subscription Agreement, and if applicable its Exhibit 1 or Exhibit 2, each Order Form, the Support policies, the Data Processing Addendum, and the Documentation, together with their appendices and amendments.

 

“Beta Services” means services or functionality that may be made available to You to try at Your option at no additional charge and are clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description.

“Documentation” means Our online help and training materials for the Services accessible via https://community.Payloop.com/ as updated from time to time.  

 

"Europe" or "European" means any member state of the European Union along with Iceland, Liechtenstein, Norway, and Switzerland to the exclusion of the UK.

“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.

 

"Order Form" means the ordering documents for purchases hereunder, including addenda thereto, that are entered into between You and Us from time to time. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.  Order Forms shall be deemed incorporated herein by reference.

 

"Services" means the online, Web-based applications and platform provided by or through Us via www.trypayloop.com and/or other designated websites as described in the Documentation, subscriptions to which are purchased by You or Your Affiliates under an Order Form, including any associated offline components but excluding Third-Party Applications.

 

“Subscription Term” means the period of time from the start date to the end date specified in each Order Form for each subscription purchased thereunder.  Each renewal of a subscription, whether automatic or in writing, shall constitute a new Subscription Term.

“Support” means the service to restore Services or correct Services anomalies. The current version of the Support policies can be found at https://www.payloop.com/hubfs/support-policies.pdf.

 

"Third-Party Applications" means online, Web-based applications and offline software products that are provided by third parties pursuant to an agreement between You (and/or Your Affiliate) and said third parties, but may be configured to interoperate with the Services, including but not limited to those listed on the AppExchange.

 

"Users" means individuals who are authorized by You to use the Services, pursuant to the subscriptions to the Services that You have purchased under one or more Order Forms, and who have been supplied user identifications and passwords by You.  Users may include but are not limited to Your employees, consultants, contractors, and agents, or third parties with which You transact business.

 

"We", "Us", or "Our" means Payloop, Inc. and Affiliates of Payloop, Inc.

 

"You" or "Your" means the company or other legal entity for which You are accepting this Agreement, and Affiliates of that company or entity.  

 

“Your Content” means electronic data and information submitted by or for You to the Services (excluding Third-Party Applications) or collected and processed by or for You using the Services (excluding Third-Party Applications). Your Content is and remains Your property at all times and includes especially the data You provide and the 2D and 3D models created by or for You through the Services.

 

2.  SERVICES

 

2.1. Provision of Services.  We shall make the Services available to You pursuant to this Agreement and the relevant Order Forms during each Subscription Term and Your timely payment of all applicable fees.  You agree that Your purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Us regarding future functionality or features.

 

2.2. Subscriptions and Usage Limits.  Except to the extent otherwise specified in the applicable Order Form, (a) subscriptions to the Services are limited to the quantities specified in each Order Form, (b) additional subscriptions may be purchased during the Subscription Term by signing an additional Order Form and paying the additional fees for such additional subscriptions, prorated for the portion of that Subscription Term remaining at the time the subscriptions are added, and (c) the added subscriptions shall terminate on the same date as the underlying subscriptions.  If You exceed a contractual usage limit, We may work with You to seek to reduce Your usage so that it conforms to that limit.  If, notwithstanding Our efforts, You are unable or unwilling to abide by a contractual usage limit, You will execute an Order Form for additional quantities of the applicable Services promptly upon Our request, and/or pay any invoice for excess usage in accordance with Section 4.2 (Invoicing and Payment). 


2.3. User Rights. Users access the Services using credentials (id and password) each time they log into the Services. You can manage and update all User credentials from the first User subscription, which has admin privileges over Your other User subscriptions, under Your sole liability.  These credentials are personal, confidential, used by Users under Your sole liability, and may not be shared with any other individual, but may be reassigned to a new individual replacing one who no longer requires ongoing use of the Services. 


3.  USE OF THE SERVICES

 

3.1. Our Responsibilities.  In addition to providing the Services as described in Section 2, We shall provide You with standard Support, in accordance with Our then-current support policy for the Services, during the applicable Subscription Term and at no additional charge. 

 

3.2. Your Responsibilities.  You shall (a) be responsible for any action or omission of Your Users as well as for Your Users’ compliance with this Agreement, the Documentation, and each of the Order Forms, (b) be solely responsible for the accuracy, quality, integrity, and legality of Your Content and of the means by which You acquired and/or created Your Content and Your use of Your Content with Our Services, (c) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Us promptly of any such unauthorized access or use (or any loss or theft of credentials), and (d) use the Services only in accordance with their purposes, this Agreement, the Documentation, each of the Order Forms, and applicable laws and government regulations. 

 

3.3. Usage Restrictions. You will not, directly or through any Affiliate, agent or third party, except to the extent applicable law permits: (a) make any Services available to, or use any Services for the benefit of, anyone other than You, Your Affiliates, or Users, (b) reproduce, sell, resell, license, sublicense, distribute, rent or lease any part of the Services, or include any Services in a service bureau or outsourcing offering, (c) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use the Services to store or transmit Malicious Code, (e) interfere with or disrupt the integrity or performance of any Services or third-party data or content contained therein, (f) attempt to gain unauthorized access to any part of the Services or their related systems or networks or defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any software protection mechanisms in the Services, including without limitation any mechanism used to restrict or control the functionality of the Services, (g) permit direct or indirect access to or use of any part of the Services in a way that circumvents a contractual usage limit, (h) copy, adapt, modify, or create derivative works of the Services or any part, feature, function, or user interface thereof, (i) frame, interface, integrate, or mirror any part of the Services, other than framing on Your own intranets or otherwise for Your own internal business purposes or as permitted in the Documentation, (j) access any part of the Services in order to build a competitive product or service, or (k) de-compile, disassemble, reverse engineer, or otherwise attempt to derive source code or underlying ideas, algorithms, structure, or organization of any part of the Services (to the extent such restriction is permitted by law).
Similarly, extraction or re-use of a qualitatively or quantitatively substantial part of the libraries linked to the Services is prohibited.  In the event of a violation of Section 2.2. (Subscriptions and Usage Limits), Section 2.3. (User Rights), and/or this Section 3.3. (Usage Restrictions), We reserve the right (i) to delete Your Content allegedly infringing in the event of an emergency or threat to the technical infrastructure of the Services, (ii) to suspend access to the Services immediately and without notice, and/or (iii) to terminate the relevant subscription(s) or Order Form(s).  During such suspension under (i), You will remain liable for any amount normally due under this Agreement and each Order Form.  Suspension of Services due to Your misuse is not deemed an availability issue. Likewise, termination under (ii) will not give rise to any compensation whatsoever, without prejudice to any damages that We may claim as a result of Your actions or those of Your Users.  

 

3.4. Your Content.  We will make commercially reasonable efforts to maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Your Content.  You expressly grant Us (and Our hosting service provider, if applicable) a personal, non-assignable, and non-transferable right to reproduce Your Content on the technical infrastructure of the Services for the purposes of providing the Services, to anonymize or aggregate Your Content to prepare reports, studies, analyses, enhancements, and other work product (provided, however, that under no circumstances shall We distribute or otherwise make available data or information that is identifiable as Your Content to any third party other than Us, Our Affiliates, You, Your Users, or any third party approved by You in writing), and to perform this Agreement, to the exclusion of any other use or purpose, for each Subscription Term and worldwide.  The Services do not include any monitoring or cleaning of Your Content, which integrity, lawfulness, and use remain under Your sole liability.  We make no use or reproduction of Your Content that is not strictly necessary for the provision of the Services and as otherwise specified herein.  We will not access Your Content except: (a) at Your request, to provide technical support or to assist in the implementation or configuration of the Services; (b) as expressly provided herein; or (c) as compelled by law in accordance with Section 6.3 (Compelled Disclosure).  You and We agree to comply with the Data Processing Addendum, by and between You and Us and attached hereto as Exhibit 3, to the extent Your Content includes any Personal Data (as defined in the Data Processing Addendum).  For the purposes of applicable laws and regulations, You are deemed the data controller and We are the data processor.  
As a result, You are responsible for the processing of Personal Data during the Subscription Term, whereas We are responsible for the security and confidentiality of Personal Data when used in connection with the Services.


4.  FEES AND PAYMENT

 

4.1. Fees.  You shall pay all fees specified in all Order Forms hereunder.  Fees are indicated without taxes, in U.S. dollars, net and excluding discounts.  Except as otherwise specified herein or in an Order Form, (a) fees are based on subscriptions purchased and not actual usage, (b) payment obligations are non-cancellable and fees paid are non-refundable, and (c) quantities purchased cannot be decreased during the relevant Subscription Term stated on the Order Form.  Subscription fees are based on annual periods that begin on the subscription start date and each year anniversary thereof; fees for subscriptions added in the middle of a yearly period will be prorated based on the month in which they are added and thereafter will be charged for the full yearly periods remaining in the Subscription Term.

 

4.2. Invoicing and Payment.  Fees will be invoiced annually in advance. Unless otherwise stated in the Order Form, fees are due net 30 days from the invoice date.  You are responsible for providing complete and accurate billing and contact information to Us and notifying Us of any changes to such information as well as for payment of any fees or charges associated with Your payment, other than those charged by Our bank.

 

4.3. Overdue Charges.  If any invoiced amount is not received by Us by the due date, then without limiting Our rights or remedies and at Our discretion, (a) those amounts may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid and/or (b) We may condition future subscriptions on payment terms shorter than those specified in Section 4.2 (Invoicing and Payment).

 

4.4. Suspension of Services and Acceleration.  If any amount owing by You under this or any other agreement for Our services is 30 or more days overdue, We may, without limiting Our other rights and remedies, accelerate Your unpaid fee obligations under this Agreement and/or such other agreements so that all such obligations become immediately due and payable, and suspend access to the Services and/or Our other services to You until such amounts are paid in full.  We will give You at least 10 days’ prior notice that Your account is overdue, in accordance with Section 11.1 (Notices), before suspending Your access to the Services and/or any other services to You.  Suspension for late payment is not deemed an availability issue of the Services.  During suspension, You remain liable for any amount normally due under this Agreement.

 

4.5. Payment Disputes.  We shall not exercise Our rights under Section 4.3 (Overdue Charges) or 4.4 (Suspension of Services and Acceleration) if the applicable fees are under reasonable and good-faith dispute and You are cooperating diligently to resolve the dispute. 

 

4.6. Taxes.  Unless otherwise stated, Our fees do not include any taxes, levies, duties, or similar governmental assessments of any nature, including but not limited to so-called Value-Added Tax (VAT), sales, use, or withholding taxes, assessable by any local, state, provincial, federal, or foreign jurisdiction (individually and collectively, "Taxes").  You are responsible for paying all Taxes associated with the Services provided to You hereunder.  If We have the legal obligation to pay or collect Taxes for which You are responsible under this Section 4.6, the appropriate amount shall be invoiced to and paid by You, unless You provide Us with a valid tax exemption certificate authorized by the appropriate taxing authority.  For clarity, We are solely responsible for taxes assessable against Us based on Our income, property and employees.

 

5. PROPRIETARY RIGHTS

 

5.1. Reservation of Rights.  Subject to the limited rights expressly granted hereunder, We and Our licensors reserve all of Our/their right, title, and interest in and to the Services, including all of Our/their related intellectual property rights.  No rights are granted to You hereunder other than as expressly set forth herein. You agree not to, and not to permit Your Affiliate(s) or User(s), to remove any proprietary notices on or related to the Services, including, without limitation, any statements that the Services or displays generated therefrom are “powered by” Us or the Payloop platform.

 

5.2. Ownership of Your Content.  As between Us and You, You exclusively own all rights, title, and interest in and to all of Your Content.

 

5.3. Suggestions.  We shall have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into the Services any suggestions, enhancement requests, recommendations, corrections, or other feedback provided by You, including Users, relating to the functionality and/or operation of the Services.

  

6. CONFIDENTIALITY

 

6.1. Definition of Confidential Information.  As used herein, "Confidential Information" means all confidential information disclosed by a party ("Disclosing Party") to the other party ("Receiving Party"), whether electronically, orally or in writing, that (i) if disclosed in tangible form, is conspicuously marked as “Confidential”, and (ii) if disclosed in non-tangible form, is identified as confidential at the time of disclosure and summarized in tangible form conspicuously marked “Confidential” within 30 days of the original disclosure.  In addition, Your Confidential Information shall include Your Content; Our Confidential Information shall include the Services; and Confidential Information of each party shall include the terms and conditions of this Agreement and all Order Forms (including pricing), as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party  (provided that either party may disclose the terms and conditions of this Agreement and any Order Forms to potential investors and acquirers in connection with bona fide financing or acquisition due diligence).  However, Confidential Information shall not include any information that (a) is or becomes generally known to the public without breach of any obligation of confidentiality owed to the Disclosing Party, (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation of confidentiality owed to the Disclosing Party, (c) is received from a third party without breach of any obligation of confidentiality owed to the Disclosing Party, or (d) was independently developed by the Receiving Party.

 

6.2. Protection of Confidential Information. Except as otherwise permitted in writing by the Disclosing Party, (a) the Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party in the Receiving Party’s possession for any purpose outside the scope of this Agreement and (b) the Receiving Party shall only disclose Confidential Information of the Disclosing Party to those of its employees, contractors, and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. Neither party will disclose the terms of this Agreement or any Order Form to any third party other than as permitted in Section 6.1 or to its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or accountant’s compliance with this Section 6.2. For clarity, You acknowledge and agree that We have no control over (or responsibility for) any information that You may provide to, store on, or otherwise process using any Third-Party Applications.

 

6.3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.  If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.


7. WARRANTIES AND DISCLAIMERS

 

7.1. Our Warranties.  We warrant that (a) the Services shall perform materially in accordance with the Documentation and (b) subject to Section 7.4 (Third-Party Applications), the functionality of the Services will not be materially decreased during a Subscription Term.  For any breach of either such warranty, Your exclusive remedy shall be as provided in Section 10.3 (Termination for Cause) and Section 10.4 (Refund or Payment upon Termination) below.

 

7.2. Mutual Warranties.  Each party represents and warrants that (a) it has the legal power to enter into this Agreement and (b) it will not transmit to the other party any Malicious Code (except for Malicious Code first transmitted to the warranting party by the other party).

 

7.3. Disclaimer.  EXCEPT AS EXPRESSLY PROVIDED HEREIN OR TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND EACH PARTY AND THEIR LICENSORS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, UNINTERRUPTED OR ERROR-FREE SERVICE, ERROR CORRECTION, AVAILABILITY, ACCURACY, AND ANY AND ALL IMPLIED WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE.  BETA SERVICES ARE PROVIDED “AS IS”, EXCLUSIVE OF ANY WARRANTY WHATSOEVER.  EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS.

 

7.4. Third-Party Applications.  Your use of Third-Party Applications is governed entirely by the terms of Your agreement with the relevant third party.  Nothing in this Agreement creates any rights or obligations on Our part with respect to such Third-Party Applications nor should this Agreement be construed as creating any rights or obligations on the part of any third party providing Third-Party Applications with respect to Our Services. We decline any and all liability if an issue of the Services or affecting Your Content is due to Third-Party Applications.

 

8. MUTUAL INDEMNIFICATION

 

8.1. Indemnification by Us.  We will defend You against any claim, demand, suit, or proceeding made or brought against You by a third party alleging that the use of the Services in accordance with this Agreement infringes or misappropriates such third party’s intellectual property rights (a “Claim Against You”), and will indemnify You from any damages, attorney fees, and costs finally awarded against You as a result of, or for amounts paid by You under a court-approved settlement of, a Claim Against You, provided You (a) promptly give Us written notice of the Claim Against You, (b) give Us sole control of the defense and settlement of the Claim Against You (except that We may not settle any Claim Against You unless it unconditionally releases You of all liability), and (c) give Us all reasonable assistance, at Our expense. If We receive information about an infringement or misappropriation claim related to the Services, We may in Our discretion and at no cost to You (i) modify the Services so that they are no longer claimed to infringe or misappropriate, without breaching Our warranties under Section 7.1 (Our Warranties), (ii) obtain a license for Your continued use of the Services in accordance with this Agreement, or (iii) terminate Your subscriptions for the Services or impacted portion of the Services upon 30 days’ written notice and refund You any prepaid fees covering the remainder of the term of the terminated subscriptions.
The above defense and indemnification obligations do not apply to the extent (A) the allegation does not state with specificity that Our Services are the basis of the Claim Against You; (B) a Claim Against You arises from the use or combination of Our Services or any part thereof with software, hardware, content, data, or processes not provided by Us, if Our Services or use thereof would not infringe without such combination; and/or (C) a Claim Against You arises from Third-Party Applications or Your breach of this Agreement, the Documentation, or applicable Order Forms.

 

8.2. Indemnification by You.  You will defend Us and Our Affiliates against any claim, demand, suit, or proceeding made or brought against Us by a third party alleging that Your Content, or Your use of the Services in breach of this Agreement, infringes or misappropriates such third party’s intellectual property rights or violates applicable law (a “Claim Against Us”), and will indemnify Us from any damages, attorney fees, and costs finally awarded against Us as a result of, or for any amounts paid by Us under a court-approved settlement of, a Claim Against Us, provided We (a) promptly give You written notice of the Claim Against Us, (b) give You sole control of the defense and settlement of the Claim Against Us (except that You may not settle any Claim Against Us unless it unconditionally releases Us of all liability), and (c) give You all reasonable assistance, at Your expense.

 

8.3. Beta Services.  You understand that a Claim Against You which arises from Services under an Order Form for which there is no charge will result in termination of Your subscriptions to the exclusion of any other remedy.


8.4. Exclusive Remedy.  This Section 8 (Mutual Indemnification) states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section 8.


9. LIMITATION OF LIABILITY

 

9.1. Limitation of Liability.  EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8 (MUTUAL INDEMNIFICATION), IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY, TOGETHER WITH ALL OF ITS AFFILIATES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE TOTAL AMOUNT PAID BY YOU HEREUNDER OR, WITH RESPECT TO ANY SINGLE INCIDENT THE AMOUNT PAID BY YOU HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT. THE FOREGOING SHALL NOT LIMIT YOUR PAYMENT OBLIGATIONS UNDER SECTION 4 (FEES AND PAYMENT). 

 

9.2. Exclusion of Consequential and Related Damages.  IN NO EVENT SHALL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, CLIENTELE, GOODWILL OR IMAGE, ANY COST OF SUBSTITUTION, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, RELIANCE, COVER, BUSINESS INTERRUPTION, OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE.  THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW. FOR CLARITY, THE FOREGOING DISCLAIMER DOES NOT LIMIT EITHER PARTY’S INDEMNIFICATION OBLIGATIONS WITH RESPECT TO THIRD-PARTY CLAIMS UNDER SECTION 8 (MUTUAL INDEMNIFICATION).


10. TERM AND TERMINATION

 

10.1. Term of Agreement.  This Agreement commences on the date You accept it and continues until all subscriptions granted in accordance with this Agreement have expired or been terminated.  


10.2. Term of Subscriptions.  The term of each subscription to the Services shall be as specified in the applicable Order Form.  Except as otherwise specified in an Order Form, subscriptions to the Services will automatically renew for additional successive time periods equal to the expiring Subscription Term, unless either party gives the other notice of non-renewal at least 30 days before the end of the relevant Subscription Term. 

The per-unit pricing during any Subscription Term after an automatic renewal will be the same as that during the immediately prior Subscription Term unless We have given You written notice of a pricing increase at least 60 days before the end of that prior Subscription Term, in which case the pricing increase will be effective upon renewal and thereafter.  Except as expressly provided in the applicable Order Form, renewal of promotional or one-time priced subscriptions will be at Our applicable list price in effect at the time of the applicable renewal.  Notwithstanding anything to the contrary, any renewal in which subscription volume for any Services has decreased from the prior term will result in re-pricing at the applicable list price upon renewal without regard to the prior term’s per-unit pricing. 

 

10.3. Termination for Cause.  A party may terminate this Agreement for cause: (a) upon 30 days’ written notice to the other party of a material breach if such breach remains uncured at the expiration of such period or (b) immediately upon written notice if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

 

10.4. Refund or Payment upon Termination. Upon any termination for cause by You, We shall refund You any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination.  Upon any termination for cause by Us, You shall pay any unpaid fees covering the remainder of the term of all Order Forms after the effective date of termination.  In no event shall any termination relieve You of the obligation to pay any fees payable to Us for the period prior to the effective date of termination.

 

10.5. Surviving Provisions. Section 4 (Fees and Payment), 5 (Proprietary Rights), 6 (Confidentiality), 7.3 (Disclaimer), 8 (Mutual Indemnification), 9 (Limitation of Liability), 10 (Term and Termination), and 11 (General Provisions) shall survive any termination or expiration of this Agreement.

 

11. GENERAL PROVISIONS

 

11.1. Notices.  Except as otherwise specified in this Agreement, all notices, permissions, and approvals hereunder shall be in writing and shall be deemed to have been given upon: (a) personal delivery, (b) the second business day after mailing, (c) the second business day after sending by confirmed facsimile, or (d) the first business day after sending by email (provided email shall not be sufficient for notices of termination or an indemnification claim).  Notices to You shall be addressed to the system administrator designated by You for Your relevant Services account, and in the case of billing-related notices, to the relevant billing contact designated by You.

 

11.2. Compliance. During the term of this Agreement and for a period of one (1) year following its termination or expiration, We reserve the right, during Your normal business hours, to audit Your use of the Services to verify compliance with this Agreement.  You shall maintain and make available to Us records sufficient to permit Us or an independent auditor retained by Us to verify, upon ten (10) days' written notice, Your compliance with the terms and requirements of this Agreement.  In the event that any audit reveals any non-compliance, including but not limited to underpayment of fees, You shall promptly cure the non-compliance, pay Us any shortfall, and, if such shortfall exceeds 10% in any one-year period, shall pay such shortfall at Our then-current list price and reimburse Us the reasonable costs of such audit, provided, however, that the obligations under this Section 11.2 do not constitute a waiver of Our termination rights or any other rights hereunder.

 

11.3. Governing Law and Jurisdiction; Waiver of Jury Trial. This Agreement shall be governed exclusively by the substantive and procedural laws of the State of Texas, without regard to its conflicts of laws rules.  The state and federal courts located in Austin, Texas shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement.  Each party hereby consents to the exclusive jurisdiction and venue of such courts.  The Uniform Computer Information Transactions Act and the United Nations Convention on the International Sale of Goods do not apply to this Agreement or to orders placed under it.  Each party also hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.


11.4. Export Compliance.  Each party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Services.  Without limiting the foregoing, (a) each party represents that it is not named on any government list of persons or entities prohibited from receiving exports and (b) You shall not permit Users to access or use the Services in violation of any export embargo, prohibition, or export restriction under the applicable laws and regulations.

 

11.5. Relationship of the Parties.  The parties are independent contractors.  This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. 

 

11.6. No Third-Party Beneficiaries.  There are no third-party beneficiaries to this Agreement.

 

11.7. Waiver and Cumulative Remedies.  No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right.  Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.

 

11.8. Severability.  If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to laws or regulations, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.  If the court fails to do so, the parties undertake that in such circumstances, they will negotiate in good faith replacement provisions consistent with the original intent of the provision.

 

11.9. Assignment.  Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld).  Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party.  A party’s sole remedy for any purported assignment by the other party in breach of this paragraph shall be, at the non-assigning party’s election, termination of this Agreement upon written notice to the assigning party.  In the event of such a termination, We shall refund to You any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination.  Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties and their respective successors and permitted assigns.

 

11.10. Force Majeure.  Excluding payment obligations hereunder, neither party shall be liable to the other party for failure or delay in performing its obligations hereunder if such failure or delay is due to circumstances beyond its reasonable control including, without limitation, acts of any governmental body, war, insurrection, sabotage, embargo, pandemic, fire, flood, strike or other labor disturbance, interruption of or delay in transportation, unavailability of or interruption or delay in telecommunications or third-party services, failure of third-party software or inability to obtain raw materials, supplies or power.

11.11. Entire Agreement and Order of Precedence. This Agreement is the entire agreement between You and Us regarding Your use of the Services and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.  Some parts of the Services may be subject to additional terms and conditions which will be referred to in the Order Forms.  No modification, amendment, or waiver of any provision of this Agreement will be effective unless in writing and signed by the party against whom the modification, amendment, or waiver is to be asserted.  The parties agree that any term or condition stated in Your purchase order or in any other of Your order documentation (excluding Order Forms) is void.  Likewise, the terms and conditions of Third-Party Applications are excluded from this Agreement.  In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable Order Form, (2) Exhibit 1 when its conditions are met or Exhibit 2 when its conditions are met, (3) this Master Subscription Agreement, and (4) the Support policies and the Documentation.  The Data Processing Addendum shall prevail over all other contractual documents insofar as it relates to the processing of personal data.

11.12. Customer Attribution. You agree that We may use and display Your name and logo: (a) on Our customer list; and (b) with Your prior written approval, not to be unreasonably withheld or delayed, in other marketing materials of Us.


Exhibit 1: Data Processing Addendum

This Data Processing Addendum, including the Standard Contractual Clauses referenced herein, (collectively, “DPA”) amends and supplements any existing and currently valid Main Agreement (defined below) either previously or concurrently made between:

Payloop, Inc., a company incorporated under the laws of the State of Delaware, USA, having its principal place of business at 1515 E Cesar Chaves St., Ste 100, Austin, TX  78702 (USA) (the “Data Processor”)


and


The other party to the Main Agreement, as defined below, (the “Data Controller”).


Data Processor and Data Controller are also individually referred to herein as a “Party” and collectively as the “Parties”.  Defined terms used in this DPA but not otherwise defined herein shall have the meanings ascribed to them in the Main Agreement.


RECITALS

  1. Data Processor and Data Controller agreed to the Main Agreement (as defined below).

  2. Pursuant to the Main Agreement, Data Processor may Process Personal Data in connection with the Services (as defined below) on behalf of Data Controller.

  3. The Parties agree to comply with the following provisions with respect to any Personal Data transferred to Data Processor in connection with Data Processor’s provision of the Services to Data Controller.


NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:


  1. Definitions

“Affiliate” has the meaning ascribed to it in the Main Agreement.

“CCPA” means the California Consumer Privacy Act.

“Data Controller” means the Party that determines the purposes and means of the Processing of Personal Data, namely, the other Party to the Main Agreement, as noted above.

“Data Processor” means the Party who Processes Personal Data on behalf of Data Controller, namely, Payloop, Inc., as noted above.

“Data Protection Law(s)” means all applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, guidance, formal directives, applicable regulations, and codes of practice issued by the applicable Supervisory Authority, and including, without limitation to the extent applicable: (i) CCPA; (ii) GDPR; (iii) UK GDPR; and (iv) FADP.  Data Protection Law(s) exclude, without limitation, consent decrees.

“Data Subject” means the person to whom the Personal Data relates.

“Effective Date” means March 21, 2022, or, if later, the date on which the Main Agreement between the Parties became effective.

“European Economic Area” means a Member State of the European Union, together with Norway, Iceland, and Liechtenstein, (jointly referred to as “EEA”).

“EU Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of a Member State of the EEA.

“EU SCC” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses, Module II, for the transfer of personal data to third countries pursuant to GDPR, where GDPR applies.

“FADP” means the Swiss Federal Act on Data Protection as updated on 25 September 2020.

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

“Main Agreement” means the Professional Services Agreement, its contractual documents including Statement(s) of Work thereto, as well as any exhibits or amendments or add-on Statement(s) of Work, and/or the Master Subscription Agreement, its contractual documents including Order Form(s) thereto, as well as any exhibits or amendments or add-on Order Form(s), as entered into between Data Controller and Data Processor.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person that Data Processor has received from Data Controller on or after the Effective Date for Processing pursuant to the Main Agreement when such data is protected as “personal data” or “personally identifiable information” or a similar term under applicable Data Protection Laws. Personal Data processed pursuant to the Main Agreement explicitly excludes Prohibited Data.

“Personal Data Breach” means any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under applicable Data Protection Law(s) governing the particular circumstances.

“Process” or “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.

“Prohibited Data” has the meaning ascribed to it in Section 3.5.

“Services” has the meaning ascribed to “Professional Services” and/or “Services” in the Main Agreement.

“Standard Contractual Clauses” means the EU SCC or the UK SCC together as means to safeguard the transfer of personal data outside of, respectively, the EU, the UK, or Switzerland.

“Sub-processor” means any processor engaged by Data Processor or by any other Sub-processor of Data Processor who receives Personal Data exclusively intended for Processing activities to be carried out on behalf of Data Controller in connection with the Services.

“Supervisory Authority” has the meaning set forth under the applicable Data Protection Laws. When the EU Personal Data are involved, the Supervisory Authority is the French CNIL.

“Swiss Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of Switzerland. Swiss Personal Data shall encompass, in addition to data relating to identified or identifiable individuals, data relating to identified and identifiable legal entities if and as long as such data is considered personal data under the FADP.

“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of the United Kingdom.

“UK SCC” means the UK International Data Transfer Addendum to the EU SCC issued by the UK ICO, where the UK GDPR applies.

  2. Scope of the DPA

2.1. The Personal Data to be transferred or collected for Processing pursuant to the Main Agreement may consist of the following categories of data:

First and last name, email address, title, phone number, business address, employer’s company name, localization data, and/or information related to selections made through the Services, including online orders placed thereby

2.2. The categories of Data Subjects whose Personal Data may be Processed are:

Data Controller’s or its Affiliate’s employees or contractors involved in Data Controller’s and/or its Affiliate’s receipt of the Services, Data Controller’s or its Affiliate’s authorized users of the Services, and/or the employees or contractors of Data Controller’s or its Affiliate’s customers and/or prospective customers


2.3. The nature and purpose of Processing activities to be undertaken by Data Processor are: Providing the Services to Data Controller.


  3. Obligations of Data Controller

3.1. In accordance with the applicable Data Protection Law(s), Data Controller remains responsible for ensuring the rights of the concerned Data Subjects, including but not limited to, (i) access to their data, (ii) rectification of inaccurate or incomplete data, (iii) erasure of their data, (iv) when applicable, limitation of the use of their data, (v) when data is processed in an automated way, right to transfer their data to a third party under a standard interoperable format (right to portability), (vi) when applicable, opposition to the data processing, or (vii) consent withdrawal. A Data Subject may lodge a complaint with the applicable Supervisory Authority at any time. If the applicable law of the Main Agreement is French law, a Data Subject also has the right to set up directives relating to the use of their data after their death.


3.2. Data Controller will inform its Data Subjects (i) about its use of Data Processor to Process their Personal Data as required by applicable Data Protection Law(s) and (ii) that their Personal Data will be Processed outside of the European Economic Area, the United Kingdom, Switzerland, as required by applicable Data Protection Law(s).


3.3. Data Controller shall without undue delay notify Data Processor in writing (email insufficient) at the address specified above when it discovers errors or irregularities in the Processing of Personal Data in accordance with applicable Data Protection Law(s).


3.4. Data Controller shall respond in a reasonable time to enquiries from any Supervisory Authority regarding the processing of relevant Personal Data by Data Controller. If any Party is required under applicable Data Protection Law(s) to issue information to any Supervisory Authority regarding the collection, processing, or use of Personal Data, the other Party may support the responding Party in its efforts to provide such information.


3.5. Data Controller hereby acknowledges that the Services are intended only to generate 3D and 2D images on websites and platforms, including those of Data Controller and/or third parties with whom Data Controller contracts, and are not intended for storage or use of any data not related to such purpose, including, without limitation, social security numbers, financial account numbers, health information, driver’s license numbers or information, passport or visa numbers, credit card information, or any special categories of personal data (“Prohibited Data”). Data Controller agrees that it will not, and will not permit its Affiliate or any user, to input any Prohibited Data into the Services.

  4. Obligations of Data Processor

4.1. In providing the Services, Data Processor shall comply with the instructions of Data Controller for the Processing of Personal Data and Process the Personal Data exclusively in connection with the provision of the Services. The provisions of this DPA are the main source of instructions issued by Data Controller. Any amendments to the Processing requirements shall be agreed between the Parties and documented in writing.


4.2. Data Processor shall assist Data Controller:

  1. in responding to requests by Data Subjects to exercise their rights; and

  2. in complying with its obligations in relation to security of Personal Data under applicable Data Protection Law(s), including but not limited to, as applicable, data protection impact assessment and prior consultation, taking into account the nature of the Services and the information available to Data Processor.

  3. carrying out a request from Data Controller to amend, transfer, or delete any of the Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller under applicable Data Protection Law(s).


4.3. Notification of Non-Compliance with Data Protection Requirements:

Data Processor shall inform Data Controller without delay if it becomes aware:

  1. That Data Processor’s employees, subcontractors, and/or any third party engaged in the Processing fail to comply with any requirements regarding the protection of Personal Data or any provisions of this DPA; and/or

  2. Of any other irregularity in the Processing of Personal Data.


4.4. Storage and Erasure of Data

  1. Data Processor shall store the Personal Data as long as it is needed for the provision of the Services and in accordance with applicable Data Protection Law(s).

  2. Data Processor must store the Personal Data, together with any copies or reproductions made of such Personal Data, with reasonable care and securely so that it is not accessible to third parties.

  3. Any Personal Data that is no longer required will be deleted in accordance with applicable Data Protection Law(s).

  4. Upon request by Data Controller or upon termination or expiration of the Main Agreement, Data Processor shall at Data Controller’s choice (a) deliver to Data Controller all Personal Data (and any copies or derivative works of same) in its possession, and/or (b) destroy all Personal Data (and any copies or derivative works of same) in its possession, and certify to Data Controller that it has done so, unless otherwise required under operation of Data Protection Law(s), or as mutually agreed by the Parties, and/or (c) cease any Processing of Personal Data.


4.5. Data Access and Modification

  1. Data Processor shall permit Data Subjects access to their respective Personal Data. In particular, Data Subjects shall be permitted to correct, amend, or delete inaccurate Personal Data at no additional cost.

  2. Both Parties agree that, in the event of receiving a Data Subject complaint or access request that may involve the other Party, to notify the other Party without delay and to provide such cooperation and assistance as may be reasonably required to enable that Party to deal with any Data Subject complaint or access request in accordance with the provisions of the applicable Data Protection Law(s).

  3. To the extent that Data Controller does not have the ability to correct, amend, block, or delete already transferred Personal Data, Data Processor shall comply with any reasonable request by Data Controller to facilitate such actions as required by Data Protection Law(s).

  4. If Data Processor becomes aware of any errors or incorrectness of Personal Data, Data Processor shall notify Data Controller prior to correcting such data. Whenever a situation arises where this may be appropriate and in line with applicable Data Protection Law(s), consideration may be given to blocking data instead of erasing it.


4.6. Upon request by Data Controller with reasonable notice, Data Controller (or a duly qualified independent auditor selected by Data Controller and not unreasonably objected to by Data Processor) may audit Data Processor to ensure that Data Processor is in compliance with this DPA. Data Processor shall provide Data Controller access to the relevant Data Processor personnel and records. Data Processor shall notify Data Controller without delay if Data Processor becomes aware that an instruction for the Processing of Personal Data given by Data Controller violates any applicable Data Protection Law(s).

4.7. To the extent that Data Controller is a “business” as defined under the CCPA, it is the understanding of the Parties that Processor is a “service provider” as defined under CCPA with respect to the Personal Data. Except for usage of Personal Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under applicable Data Protection Law(s), Data Processor shall not retain, use, sell, or disclose the Personal Data (that is not de-identified) for any purpose, including other commercial purposes, outside of the direct business relationship with Data Controller.

  5. International Data Transfers


5.1. By the Effective Date, Data Controller acknowledges that it will carry out EU Personal Data, Swiss Personal Data, and UK Personal Data transfers to the following country/ies: United States of America.


5.2. Data Processor hereby agrees to comply with the obligations of a data importer as set out in the EU SCC, incorporated by reference in Exhibit 1 hereto, and acknowledges that Data Controller will be a data exporter under such clauses.


5.3. Data Processor also agrees to comply with the obligations of a data importer as set out in the UK SCC, incorporated by reference in Exhibit 2 hereto, and acknowledges that Data Controller will also be a data exporter under such clauses.


5.4. To the extent the FADP is applicable, the Parties agree that (i) the EU SCC will apply to the transfer of Swiss Personal Data between Data Processor as data importer and Data Controller as data exporter in Switzerland, provided that (i) where the EU SCC include references to the GDPR, such references shall be understood as references to the FADP and (ii) such EU SCC include the superseding changes mentioned in Exhibit 1 for the purpose of that transfer.


5.5. The Parties agree that they will provide additional information about the transfer and will co-operate, without delay, where this is required by a Supervisory Authority in any EEA Member State, the United Kingdom, and/or Switzerland. In the event that a Supervisory Authority revokes or adapts the decision that it made approving the EU SCC or the UK SCC, then Data Controller shall have the right forthwith to require Data Processor to cease to Process EU Personal Data outside the EEA or, if Data Processor is unable to do this, to terminate the Processing of EU Personal Data. 


5.6. With respect to the Processing of EU Personal Data, UK Personal Data, and Swiss Personal Data, Data Controller grants authorization to Data Processor to appoint as Sub-processors the entities set out in Annex III of the Appendix to Exhibit 1 hereto, and for the sub-processing activities described therein, as it may be updated from time to time. Data Processor shall provide Data Controller thirty (30) days’ notice (email or message through Company Services sufficient) of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Data Controller the opportunity to object to such changes. Data Processor shall be fully liable for the acts and omissions of its Sub-processors’ Processing of EU Personal Data to the same extent Data Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

  6. Security Measures


6.1. Data Processor shall implement and adhere to appropriate technical and organizational measures in order to protect Personal Data, in particular where the Processing involves the transmission of data over a network. These measures shall include the requirements established under applicable Data Protection Law(s).

Therefore, Data Processor agrees to undertake appropriate technical and organizational measures with the following purposes:

  1. protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure;

  2. ensure, to the extent within Data Processor’s control and not that of Data Controller, that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage and that it is possible to examine, control, and establish to which parties the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control); and

  3. ensure that it is possible to retrospectively examine, control, and establish whether and by whom Personal Data has been introduced into data processing systems, including any modifications or removal (input control).


6.2. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage, or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.

At a minimum, these measures should include, but not be limited to:

  1. encrypting sensitive and other Personal Data in transit (but solely to the extent such transit is initiated by Data Processor as opposed to Data Controller and it being understood and agreed by Data Controller that the scope of the Main Agreement does not require or address the Processing of any sensitive data, which Data Controller should not transmit to Data Processor without Data Processor’s express written consent);

  2. ensuring least privileged access rights on systems containing Data Controller’s Personal Data;

  3. regularly reviewing access permissions to Data Controller’s Personal Data;

  4. ensuring the use of complex passwords or two-factor authentication when used;

  5. ensuring proper physical access controls to all systems containing Data Controller’s Personal Data; and

  6. ensuring proper disposal of any Personal Data, in print or electronic media, properly patching systems containing Data Controller’s Personal Data, and ensuring an up-to-date antivirus application is installed on all systems Processing and/or containing Data Controller’s Personal Data.

  7. Data Breaches


7.1. Data Processor shall notify Data Controller promptly and in writing if it becomes aware of any actual Personal Data Breach on Data Processor’s equipment or in Data Processor’s facilities, or Sub-processors’, if any.

In particular, Data Processor must notify Data Controller immediately in writing in the event that the property of Data Controller or its Personal Data in the possession or control of Data Processor is endangered by measures undertaken by third parties.


7.2. Immediately after notification, Data Processor will:

  1. investigate the Personal Data Breach and provide Data Controller with a detailed description of the Personal Data Breach, the type of data and other Personal Data that was the subject of the Personal Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Data Controller may reasonably request relating to the Personal Data Breach);

  2. take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach; and

  3. provide its full assistance and support to Data Controller in the event that Data Controller determines that it is necessary to notify Data Subjects or any concerned Supervisory Authority of such Personal Data Breach.

  8. Sub-processors


8.1. Data Processor uses the third-party Sub-processors listed in Annex III of the Appendix to Exhibit 1. Any such Sub-processor will Process Personal Data only in connection with Data Processor’s provision of the Services and will be prohibited from using Personal Data for any other purpose.

8.2. Data Processor ensures the reliability and competence of its Sub-processors and shall agree with its Sub-processors to protect and Process the Personal Data under terms and conditions no less restrictive than those contained in this DPA.

  9. Term and Termination


9.1. This DPA shall enter into effect on the Effective Date and its term shall be coextensive with the term of the Main Agreement. The obligations under Section 4.4 shall survive any termination or expiration of the Main Agreement. Any other obligation, excepting those that reasonably or under any applicable laws have to survive a termination or expiration of the Main Agreement, shall terminate upon termination or expiration of the Main Agreement.


9.2. Data Controller shall deem any breach of this DPA as a breach of the Main Agreement and thus the same provisions for the termination of this DPA shall be applicable.

  10. Miscellaneous


10.1. This DPA is intended to ensure the adequate level of protection of Personal Data and does not otherwise affect the rights and obligations under any other agreements between the Parties, including, without limitation, the Main Agreement.


10.2. Nothing in this DPA shall be construed as an exclusion of Data Protection Laws or export regulations that may be applicable to the Services provided by Data Processor under the Main Agreement and that must be observed by the Parties.


10.3. If any term or provision of this DPA shall be held to be illegal or unenforceable in whole or in part, the validity of the remaining provisions of this DPA shall remain unaffected. The same shall apply in the event that this DPA is incomplete.

THIS MASTER SUBSCRIPTION AGREEMENT (“AGREEMENT”) GOVERNS YOUR ACCESS TO AND USE OF THE PAYLOOP APPLICATION AND/OR RELATED SOFTWARE-AS-A-SERVICE (SaaS) SERVICES. THIS AGREEMENT ALSO GOVERNS YOUR PURCHASE AND ACQUISITION OF SUCH SUBSCRIPTIONS AND/OR RELATED SERVICES AND YOUR ONGOING USE OF THOSE SUBSCRIPTIONS AND THE SaaS SERVICES.

 

BY ACCEPTING THIS AGREEMENT, EITHER BY CLICKING A BOX INDICATING YOUR ACCEPTANCE, EXECUTING THIS AGREEMENT, AND/OR BY EXECUTING AN ORDER FORM THAT REFERENCES THIS AGREEMENT, YOU AGREE TO THE TERMS OF THIS AGREEMENT.  

IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES.  IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS AGREEMENT AND MAY NOT ACCESS OR USE THE SERVICES.

UNLESS OTHERWISE AGREED IN AN ORDER FORM, IF THE COMPANY OR OTHER LEGAL ENTITY ON BEHALF OF WHICH YOU ARE ENTERING INTO THIS AGREEMENT IS INCORPORATED OR FORMED UNDER THE LAWS OF THE UNITED STATES OF AMERICA.

 

You may not access the Services if You are Our direct competitor, except with Our prior written consent.  In addition, You may not access the Services for purposes of monitoring their availability, performance or functionality, or for any other benchmarking or competitive purposes.

 

This Agreement was last updated on October 9, 2025. It is effective between You and Us as of the date You accept this Agreement as described above.

 

1.  DEFINITIONS

“Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with the subject entity.  "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

 

“Agreement” means this Master Subscription Agreement, and if applicable its Exhibit 1 or Exhibit 2, each Order Form, the Support policies, the Data Processing Addendum, and the Documentation, together with their appendices and amendments.

 

“Beta Services” means services or functionality that may be made available to You to try at Your option at no additional charge and are clearly designated as beta, pilot, limited release, developer preview, non-production, evaluation, or by a similar description.

“Documentation” means Our online help and training materials for the Services accessible via https://community.Payloop.com/ as updated from time to time.  

 

“Europe” or “European” means any member state of the European Union along with Iceland, Liechtenstein, Norway, and Switzerland to the exclusion of the UK.

“Malicious Code” means code, files, scripts, agents or programs intended to do harm, including, for example, viruses, worms, time bombs and Trojan horses.

 

"Order Form" means the ordering documents for purchases hereunder, including addenda thereto, that are entered into between You and Us from time to time. By entering into an Order Form hereunder, an Affiliate agrees to be bound by the terms of this Agreement as if it were an original party hereto.  Order Forms shall be deemed incorporated herein by reference.

 

"Services" means the online, Web-based applications and platform provided by or through Us via www.trypayloop.com and/or other designated websites as described in the Documentation, subscriptions to which are purchased by You or Your Affiliates under an Order Form, including any associated offline components but excluding Third-Party Applications.

 

“Subscription Term” means the period of time from the start date to the end date specified in each Order Form for each subscription purchased thereunder.  Each renewal of a subscription, whether automatic or in writing, shall constitute a new Subscription Term.

“Support” means the service to restore Services or correct Services anomalies. The current version of the Support policies can be found at https://www.payloop.com/hubfs/support-policies.pdf.

 

"Third-Party Applications" means online, Web-based applications and offline software products that are provided by third parties pursuant to an agreement between You (and/or Your Affiliate) and said third parties, but may be configured to interoperate with the Services, including but not limited to those listed on the AppExchange.

 

"Users" means individuals who are authorized by You to use the Services, pursuant to the subscriptions to the Services that You have purchased under one or more Order Forms, and who have been supplied user identifications and passwords by You.  Users may include but are not limited to Your employees, consultants, contractors, and agents, or third parties with which You transact business.

 

"We", "Us", or "Our" means Payloop, Inc. and Affiliates of Payloop, Inc.

 

"You" or "Your" means the company or other legal entity for which You are accepting this Agreement, and Affiliates of that company or entity.  

 

“Your Content” means electronic data and information submitted by or for You to the Services (excluding Third-Party Applications) or collected and processed by or for You using the Services (excluding Third-Party Applications). Your Content is and remains Your property at all times and includes especially the data You provide and the 2D and 3D models created by or for You through the Services.

 

2.  SERVICES

 

2.1. Provision of Services.  We shall make the Services available to You pursuant to this Agreement and the relevant Order Forms during each Subscription Term and Your timely payment of all applicable fees.  You agree that Your purchases hereunder are neither contingent on the delivery of any future functionality or features nor dependent on any oral or written public comments made by Us regarding future functionality or features.

 

2.2. Subscriptions and Usage Limits.  Except to the extent otherwise specified in the applicable Order Form, (a) subscriptions to the Services are limited to the quantities specified in each Order Form, (b) additional subscriptions may be purchased during the Subscription Term by signing an additional Order Form and paying the additional fees for such additional subscriptions, prorated for the portion of that Subscription Term remaining at the time the subscriptions are added, and (c) the added subscriptions shall terminate on the same date as the underlying subscriptions.  If You exceed a contractual usage limit, We may work with You to seek to reduce Your usage so that it conforms to that limit.  If, notwithstanding Our efforts, You are unable or unwilling to abide by a contractual usage limit, You will execute an Order Form for additional quantities of the applicable Services promptly upon Our request, and/or pay any invoice for excess usage in accordance with Section 4.2 (Invoicing and Payment). 


2.3. User Rights. Users access the Services using credentials (id and password) each time they log into the Services. You can manage and update all User credentials from the first User subscription, which has admin privileges over Your other User subscriptions, under Your sole liability.  These credentials are personal, confidential, used by Users under Your sole liability, and may not be shared with any other individual, but may be reassigned to a new individual replacing one who no longer requires ongoing use of the Services. 


3.  USE OF THE SERVICES

 

3.1. Our Responsibilities.  In addition to providing the Services as described in Section 2, We shall provide You with standard Support, in accordance with Our then-current support policy for the Services, during the applicable Subscription Term and at no additional charge. 

 

3.2. Your Responsibilities.  You shall (a) be responsible for any action or omission of Your Users as well as for Your Users’ compliance with this Agreement, the Documentation, and each of the Order Forms, (b) be solely responsible for the accuracy, quality, integrity, and legality of Your Content and of the means by which You acquired and/or created Your Content and Your use of Your Content with Our Services, (c) use commercially reasonable efforts to prevent unauthorized access to or use of the Services, and notify Us promptly of any such unauthorized access or use (or any loss or theft of credentials), and (d) use the Services only in accordance with their purposes, this Agreement, the Documentation, each of the Order Forms, and applicable laws and government regulations. 

 

3.3. Usage Restrictions. You will not, directly or through any Affiliate, agent or third party, except to the extent applicable law permits: (a) make any Services available to, or use any Services for the benefit of, anyone other than You, Your Affiliates, or Users, (b) reproduce, sell, resell, license, sublicense, distribute, rent or lease any part of the Services, or include any Services in a service bureau or outsourcing offering, (c) use the Services to store or transmit infringing, libelous, or otherwise unlawful or tortious material, or to store or transmit material in violation of third-party privacy rights, (d) use the Services to store or transmit Malicious Code, (e) interfere with or disrupt the integrity or performance of any Services or third-party data or content contained therein, (f) attempt to gain unauthorized access to any part of the Services or their related systems or networks or defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any software protection mechanisms in the Services, including without limitation any mechanism used to restrict or control the functionality of the Services, (g) permit direct or indirect access to or use of any part of the Services in a way that circumvents a contractual usage limit, (h) copy, adapt, modify, or create derivative works of the Services or any part, feature, function, or user interface thereof, (i) frame, interface, integrate, or mirror any part of the Services, other than framing on Your own intranets or otherwise for Your own internal business purposes or as permitted in the Documentation, (j) access any part of the Services in order to build a competitive product or service, or (k) de-compile, disassemble, reverse engineer, or otherwise attempt to derive source code or underlying ideas, algorithms, structure, or organization of any part of the Services (to the extent such restriction is permitted by law).
Similarly, extraction or re-use of a qualitatively or quantitatively substantial part of the libraries linked to the Services is prohibited.  In the event of a violation of Section 2.2. (Subscriptions and Usage Limits), Section 2.3. (User Rights), and/or this Section 3.3. (Usage Restrictions), We reserve the right (i) to delete Your Content allegedly infringing in the event of an emergency or threat to the technical infrastructure of the Services, (ii) to suspend access to the Services immediately and without notice, and/or (iii) to terminate the relevant subscription(s) or Order Form(s).  During such suspension under (i), You will remain liable for any amount normally due under this Agreement and each Order Form.  Suspension of Services due to Your misuse is not deemed an availability issue. Likewise, termination under (ii) will not give rise to any compensation whatsoever, without prejudice to any damages that We may claim as a result of Your actions or those of Your Users.  

 

3.4. Your Content.  We will make commercially reasonable efforts to maintain administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of Your Content.  You expressly grant Us (and Our hosting service provider, if applicable) a personal, non-assignable, and non-transferable right to reproduce Your Content on the technical infrastructure of the Services for the purposes of providing the Services, to anonymize or aggregate Your Content to prepare reports, studies, analyses, enhancements, and other work product (provided, however, that under no circumstances shall We distribute or otherwise make available data or information that is identifiable as Your Content to any third party other than Us, Our Affiliates, You, Your Users, or any third party approved by You in writing), and to perform this Agreement, to the exclusion of any other use or purpose, for each Subscription Term and worldwide.  The Services do not include any monitoring or cleaning of Your Content, which integrity, lawfulness, and use remain under Your sole liability.  We make no use or reproduction of Your Content that is not strictly necessary for the provision of the Services and as otherwise specified herein.  We will not access Your Content except: (a) at Your request, to provide technical support or to assist in the implementation or configuration of the Services; (b) as expressly provided herein; or (c) as compelled by law in accordance with Section 6.3 (Compelled Disclosure).  You and We agree to comply with the Data Processing Addendum, by and between You and Us and attached hereto as Exhibit 3, to the extent Your Content includes any Personal Data (as defined in the Data Processing Addendum).  For the purposes of applicable laws and regulations, You are deemed the data controller and We are the data processor.  
As a result, You are responsible for the processing of Personal Data during the Subscription Term, whereas We are responsible for the security and confidentiality of Personal Data when used in connection with the Services.


4.  FEES AND PAYMENT

 

4.1. Fees.  You shall pay all fees specified in all Order Forms hereunder.  Fees are indicated without taxes, in U.S. dollars, net and excluding discounts.  Except as otherwise specified herein or in an Order Form, (a) fees are based on subscriptions purchased and not actual usage, (b) payment obligations are non-cancellable and fees paid are non-refundable, and (c) quantities purchased cannot be decreased during the relevant Subscription Term stated on the Order Form.  Subscription fees are based on annual periods that begin on the subscription start date and each year anniversary thereof; fees for subscriptions added in the middle of a yearly period will be prorated based on the month in which they are added and thereafter will be charged for the full yearly periods remaining in the Subscription Term.

 

4.2. Invoicing and Payment.  Fees will be invoiced annually in advance. Unless otherwise stated in the Order Form, fees are due net 30 days from the invoice date.  You are responsible for providing complete and accurate billing and contact information to Us and notifying Us of any changes to such information as well as for payment of any fees or charges associated with Your payment, other than those charged by Our bank.

 

4.3. Overdue Charges.  If any invoiced amount is not received by Us by the due date, then without limiting Our rights or remedies and at Our discretion, (a) those amounts may accrue late interest at the rate of 1.5% of the outstanding balance per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid and/or (b) We may condition future subscriptions on payment terms shorter than those specified in Section 4.2 (Invoicing and Payment).

 

4.4. Suspension of Services and Acceleration.  If any amount owing by You under this or any other agreement for Our services is 30 or more days overdue, We may, without limiting Our other rights and remedies, accelerate Your unpaid fee obligations under this Agreement and/or such other agreements so that all such obligations become immediately due and payable, and suspend access to the Services and/or Our other services to You until such amounts are paid in full.  We will give You at least 10 days’ prior notice that Your account is overdue, in accordance with Section 11.1 (Notices), before suspending Your access to the Services and/or any other services to You.  Suspension for late payment is not deemed an availability issue of the Services.  During suspension, You remain liable for any amount normally due under this Agreement.

 

4.5. Payment Disputes.  We shall not exercise Our rights under Section 4.3 (Overdue Charges) or 4.4 (Suspension of Services and Acceleration) if the applicable fees are under reasonable and good-faith dispute and You are cooperating diligently to resolve the dispute. 

 

4.6. Taxes.  Unless otherwise stated, Our fees do not include any taxes, levies, duties, or similar governmental assessments of any nature, including but not limited to so-called Value-Added Tax (VAT), sales, use, or withholding taxes, assessable by any local, state, provincial, federal, or foreign jurisdiction (individually and collectively, "Taxes").  You are responsible for paying all Taxes associated with the Services provided to You hereunder.  If We have the legal obligation to pay or collect Taxes for which You are responsible under this Section 4.6, the appropriate amount shall be invoiced to and paid by You, unless You provide Us with a valid tax exemption certificate authorized by the appropriate taxing authority.  For clarity, We are solely responsible for taxes assessable against Us based on Our income, property and employees.

 

5. PROPRIETARY RIGHTS

 

5.1. Reservation of Rights.  Subject to the limited rights expressly granted hereunder, We and Our licensors reserve all of Our/their right, title, and interest in and to the Services, including all of Our/their related intellectual property rights.  No rights are granted to You hereunder other than as expressly set forth herein. You agree not to, and not to permit Your Affiliate(s) or User(s), to remove any proprietary notices on or related to the Services, including, without limitation, any statements that the Services or displays generated therefrom are “powered by” Us or the Payloop platform.

 

5.2. Ownership of Your Content.  As between Us and You, You exclusively own all rights, title, and interest in and to all of Your Content.

 

5.3. Suggestions.  We shall have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into the Services any suggestions, enhancement requests, recommendations, correction, or other feedback provided by You, including Users, relating to the functionality and/or operation of the Services.

  

6. CONFIDENTIALITY

 

6.1. Definition of Confidential Information.  As used herein, "Confidential Information" means all confidential information disclosed by a party ("Disclosing Party") to the other party ("Receiving Party"), whether electronically, orally or in writing, that (i) if disclosed in tangible form, is conspicuously marked as “Confidential”, and (ii) if disclosed in non-tangible form, is identified as confidential at the time of disclosure and summarized in tangible form conspicuously marked “Confidential” within 30 days of the original disclosure.  In addition, Your Confidential Information shall include Your Content; Our Confidential Information shall include the Services; and Confidential Information of each party shall include the terms and conditions of this Agreement and all Order Forms (including pricing), as well as business and marketing plans, technology and technical information, product plans and designs, and business processes disclosed by such party  (provided that either party may disclose the terms and conditions of this Agreement and any Order Forms to potential investors and acquirers in connection with bona fide financing or acquisition due diligence).  However, Confidential Information shall not include any information that (a) is or becomes generally known to the public without breach of any obligation of confidentiality owed to the Disclosing Party, (b) was known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of any obligation of confidentiality owed to the Disclosing Party, (c) is received from a third party without breach of any obligation of confidentiality owed to the Disclosing Party, or (d) was independently developed by the Receiving Party.

 

6.2. Protection of Confidential Information. Except as otherwise permitted in writing by the Disclosing Party, (a) the Receiving Party shall use the same degree of care that it uses to protect the confidentiality of its own confidential information of like kind (but in no event less than reasonable care) not to disclose or use any Confidential Information of the Disclosing Party in the Receiving Party’s possession for any purpose outside the scope of this Agreement and (b) the Receiving Party shall only disclose Confidential Information of the Disclosing Party to those of its employees, contractors, and agents who need such access for purposes consistent with this Agreement and who have signed confidentiality agreements with the Receiving Party containing protections no less stringent than those herein. Neither party will disclose the terms of this Agreement or any Order Form to any third party other than as permitted in Section 6.1 or to its Affiliates, legal counsel and accountants without the other party’s prior written consent, provided that a party that makes any such disclosure to its Affiliate, legal counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or accountant’s compliance with this Section 6.2. For clarity, You acknowledge and agree that We have no control over (or responsibility for) any information that You may provide to, store on, or otherwise process using any Third-Party Applications.

 

6.3. Compelled Disclosure. The Receiving Party may disclose Confidential Information of the Disclosing Party if it is compelled by law to do so, provided the Receiving Party gives the Disclosing Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance, at the Disclosing Party's cost, if the Disclosing Party wishes to contest the disclosure.  If the Receiving Party is compelled by law to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure, the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling and providing secure access to such Confidential Information.


7. WARRANTIES AND DISCLAIMERS

 

7.1. Our Warranties.  We warrant that (a) the Services shall perform materially in accordance with the Documentation and (b) subject to Section 7.4 (Third-Party Applications), the functionality of the Services will not be materially decreased during a Subscription Term.  For any breach of either such warranty, Your exclusive remedy shall be as provided in Section 10.3 (Termination for Cause) and Section 10.4 (Refund or Payment upon Termination) below.

 

7.2. Mutual Warranties.  Each party represents and warrants that (a) it has the legal power to enter into this Agreement and (b) it will not transmit to the other party any Malicious Code (except for Malicious Code first transmitted to the warranting party by the other party).

 

7.3. Disclaimer.  EXCEPT AS EXPRESSLY PROVIDED HEREIN OR TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY MAKES ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND EACH PARTY AND THEIR LICENSORS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, UNINTERRUPTED OR ERROR-FREE SERVICE, ERROR CORRECTION, AVAILABILITY, ACCURACY, AND ANY AND ALL IMPLIED WARRANTIES ARISING FROM STATUTE, COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE.  BETA SERVICES ARE PROVIDED “AS IS”, EXCLUSIVE OF ANY WARRANTY WHATSOEVER.  EACH PARTY DISCLAIMS ALL LIABILITY AND INDEMNIFICATION FOR ANY HARM OR DAMAGES CAUSED BY ANY THIRD-PARTY HOSTING PROVIDERS.

 

7.4. Third-Party Applications.  Your use of Third-Party Applications is governed entirely by the terms of Your agreement with the relevant third party.  Nothing in this Agreement creates any rights or obligations on Our part with respect to such Third-Party Applications nor should this Agreement be construed as creating any rights or obligations on the part of any third party providing Third-Party Applications with respect to Our Services. We decline any and all liability if an issue of the Services or affecting Your Content is due to Third-Party Applications.

 

8. MUTUAL INDEMNIFICATION

 

8.1. Indemnification by Us.  We will defend You against any claim, demand, suit, or proceeding made or brought against You by a third party alleging that the use of the Services in accordance with this Agreement infringes or misappropriates such third party’s intellectual property rights (a “Claim Against You”), and will indemnify You from any damages, attorney fees, and costs finally awarded against You as a result of, or for amounts paid by You under a court-approved settlement of, a Claim Against You, provided You (a) promptly give Us written notice of the Claim Against You, (b) give Us sole control of the defense and settlement of the Claim Against You (except that We may not settle any Claim Against You unless it unconditionally releases You of all liability), and (c) give Us all reasonable assistance, at Our expense. If We receive information about an infringement or misappropriation claim related to the Services, We may in Our discretion and at no cost to You (i) modify the Services so that they are no longer claimed to infringe or misappropriate, without breaching Our warranties under Section 7.1 (Our Warranties), (ii) obtain a license for Your continued use of the Services in accordance with this Agreement, or (iii) terminate Your subscriptions for the Services or impacted portion of the Services upon 30 days’ written notice and refund You any prepaid fees covering the remainder of the term of the terminated subscriptions.
The above defense and indemnification obligations do not apply to the extent (A) the allegation does not state with specificity that Our Services are the basis of the Claim Against You; (B) a Claim Against You arises from the use or combination of Our Services or any part thereof with software, hardware, content, data, or processes not provided by Us, if Our Services or use thereof would not infringe without such combination; and/or (C) a Claim Against You arises from Third-Party Applications or Your breach of this Agreement, the Documentation, or applicable Order Forms.

 

8.2. Indemnification by You.  You will defend Us and Our Affiliates against any claim, demand, suit, or proceeding made or brought against Us by a third party alleging that Your Content, or Your use of the Services in breach of this Agreement, infringes or misappropriates such third party’s intellectual property rights or violates applicable law (a “Claim Against Us”), and will indemnify Us from any damages, attorney fees, and costs finally awarded against Us as a result of, or for any amounts paid by Us under a court-approved settlement of, a Claim Against Us, provided We (a) promptly give You written notice of the Claim Against Us, (b) give You sole control of the defense and settlement of the Claim Against Us (except that You may not settle any Claim Against Us unless it unconditionally releases Us of all liability), and (c) give You all reasonable assistance, at Your expense.

 

8.3. Beta Services.  You understand that a Claim Against You which arises from Services under an Order Form for which there is no charge will result in termination of Your subscriptions to the exclusion of any other remedy.


8.4. Exclusive Remedy.  This Section 8 (Mutual Indemnification) states the indemnifying party’s sole liability to, and the indemnified party’s exclusive remedy against, the other party for any type of claim described in this Section 8.


9. LIMITATION OF LIABILITY

 

9.1. Limitation of Liability.  EXCEPT FOR A PARTY’S INDEMNIFICATION OBLIGATIONS UNDER SECTION 8 (MUTUAL INDEMNIFICATION), IN NO EVENT SHALL THE AGGREGATE LIABILITY OF EITHER PARTY, TOGETHER WITH ALL OF ITS AFFILIATES, ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, EXCEED THE TOTAL AMOUNT PAID BY YOU HEREUNDER OR, WITH RESPECT TO ANY SINGLE INCIDENT THE AMOUNT PAID BY YOU HEREUNDER IN THE 12 MONTHS PRECEDING THE INCIDENT. THE FOREGOING SHALL NOT LIMIT YOUR PAYMENT OBLIGATIONS UNDER SECTION 4 (FEES AND PAYMENT). 

 

9.2. Exclusion of Consequential and Related Damages.  IN NO EVENT SHALL EITHER PARTY OR ITS AFFILIATES HAVE ANY LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT FOR ANY LOST PROFITS, REVENUES, CLIENTELE, GOODWILL OR IMAGE, ANY COST OF SUBSTITUTION, OR INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, RELIANCE, COVER, BUSINESS INTERRUPTION, OR PUNITIVE DAMAGES HOWEVER CAUSED, WHETHER IN CONTRACT, TORT, OR UNDER ANY OTHER THEORY OF LIABILITY, AND WHETHER OR NOT THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF A PARTY’S OR AFFILIATES’ REMEDY OTHERWISE FAILS OF ITS ESSENTIAL PURPOSE.  THE FOREGOING DISCLAIMER SHALL NOT APPLY TO THE EXTENT PROHIBITED BY APPLICABLE LAW. FOR CLARITY, THE FOREGOING DISCLAIMER DOES NOT LIMIT EITHER PARTY’S INDEMNIFICATION OBLIGATIONS WITH RESPECT TO THIRD-PARTY CLAIMS UNDER SECTION 8 (MUTUAL INDEMNIFICATION).


10. TERM AND TERMINATION

 

10.1. Term of Agreement.  This Agreement commences on the date You accept it and continues until all subscriptions granted in accordance with this Agreement have expired or been terminated.  


10.2. Term of Subscriptions.  The term of each subscription to the Services shall be as specified in the applicable Order Form.  Except as otherwise specified in an Order Form, subscriptions to the Services will automatically renew for additional successive time periods equal to the expiring Subscription Term, unless either party gives the other notice of non-renewal at least 30 days before the end of the relevant Subscription Term. 

The per-unit pricing during any Subscription Term after an automatic renewal will be the same as that during the immediately prior Subscription Term unless We have given You written notice of a pricing increase at least 60 days before the end of that prior Subscription Term, in which case the pricing increase will be effective upon renewal and thereafter.  Except as expressly provided in the applicable Order Form, renewal of promotional or one-time priced subscriptions will be at Our applicable list price in effect at the time of the applicable renewal.  Notwithstanding anything to the contrary, any renewal in which subscription volume for any Services has decreased from the prior term will result in re-pricing at the applicable list price upon renewal without regard to the prior term’s per-unit pricing. 

 

10.3. Termination for Cause.  A party may terminate this Agreement for cause: (a) upon 30 days’ written notice to the other party of a material breach if such breach remains uncured at the expiration of such period or (b) immediately upon written notice if the other party becomes the subject of a petition in bankruptcy or any other proceeding relating to insolvency, receivership, liquidation, or assignment for the benefit of creditors.

 

10.4. Refund or Payment upon Termination. Upon any termination for cause by You, We shall refund You any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination.  Upon any termination for cause by Us, You shall pay any unpaid fees covering the remainder of the term of all Order Forms after the effective date of termination.  In no event shall any termination relieve You of the obligation to pay any fees payable to Us for the period prior to the effective date of termination.

 

10.5. Surviving Provisions. Section 4 (Fees and Payment), 5 (Proprietary Rights), 6 (Confidentiality), 7.3 (Disclaimer), 8 (Mutual Indemnification), 9 (Limitation of Liability), 10 (Term and Termination), and 11 (General Provisions) shall survive any termination or expiration of this Agreement.

 

11. GENERAL PROVISIONS

 

11.1. Notices.  Except as otherwise specified in this Agreement, all notices, permissions, and approvals hereunder shall be in writing and shall be deemed to have been given upon: (a) personal delivery, (b) the second business day after mailing, (c) the second business day after sending by confirmed facsimile, or (d) the first business day after sending by email (provided email shall not be sufficient for notices of termination or an indemnification claim).  Notices to You shall be addressed to the system administrator designated by You for Your relevant Services account, and in the case of billing-related notices, to the relevant billing contact designated by You.

 

11.2. Compliance. During the term of this Agreement and for a period of one (1) year following its termination or expiration, We reserve the right, during Your normal business hours, to audit Your use of the Services to verify compliance with this Agreement.  You shall maintain and make available to Us records sufficient to permit Us or an independent auditor retained by Us to verify, upon ten (10) days' written notice, Your compliance with the terms and requirements of this Agreement.  In the event that any audit reveals any non-compliance, including but not limited to underpayment of fees, You shall promptly cure the non-compliance, pay Us any shortfall, and, if such shortfall exceeds 10% in any one-year period, shall pay such shortfall at Our then-current list price and reimburse Us the reasonable costs of such audit, provided, however, that the obligations under this Section 11.2 do not constitute a waiver of Our termination rights or any other rights hereunder.

 

11.3. Governing Law and Jurisdiction; Waiver of Jury Trial. This Agreement shall be governed exclusively by the substantive and procedural laws of the State of Texas, without regard to its conflicts of laws rules.  The state and federal courts located in Austin, Texas shall have exclusive jurisdiction to adjudicate any dispute arising out of or relating to this Agreement.  Each party hereby consents to the exclusive jurisdiction and venue of such courts.  The Uniform Computer Information Transactions Act and the United Nations Convention on the International Sale of Goods do not apply to this Agreement or to orders placed under it.  Each party also hereby waives any right to jury trial in connection with any action or litigation in any way arising out of or related to this Agreement.


11.4. Export Compliance.  Each party shall comply with the export laws and regulations of the United States and other applicable jurisdictions in providing and using the Services.  Without limiting the foregoing, (a) each party represents that it is not named on any government list of persons or entities prohibited from receiving exports and (b) You shall not permit Users to access or use the Services in violation of any export embargo, prohibition, or export restriction under the applicable laws and regulations.

 

11.5. Relationship of the Parties.  The parties are independent contractors.  This Agreement does not create a partnership, franchise, joint venture, agency, fiduciary, or employment relationship between the parties. 

 

11.6. No Third-Party Beneficiaries.  There are no third-party beneficiaries to this Agreement.

 

11.7. Waiver and Cumulative Remedies.  No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right.  Other than as expressly stated herein, the remedies provided herein are in addition to, and not exclusive of, any other remedies of a party at law or in equity.

 

11.8. Severability.  If any provision of this Agreement is held by a court of competent jurisdiction to be contrary to laws or regulations, the provision shall be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law, and the remaining provisions of this Agreement shall remain in effect.  If the court fails to do so, the parties undertake that in such circumstances, they will negotiate in good faith replacement provisions consistent with the original intent of the provision.

 

11.9. Assignment.  Neither party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the prior written consent of the other party (not to be unreasonably withheld).  Notwithstanding the foregoing, either party may assign this Agreement in its entirety (including all Order Forms), without consent of the other party, to its Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets not involving a direct competitor of the other party.  A party’s sole remedy for any purported assignment by the other party in breach of this paragraph shall be, at the non-assigning party’s election, termination of this Agreement upon written notice to the assigning party.  In the event of such a termination, We shall refund to You any prepaid fees covering the remainder of the term of all subscriptions after the effective date of termination.  Subject to the foregoing, this Agreement shall bind and inure to the benefit of the parties and their respective successors and permitted assigns.

 

11.10. Force Majeure.  Excluding payment obligations hereunder, neither party shall be liable to the other party for failure or delay in performing its obligations hereunder if such failure or delay is due to circumstances beyond its reasonable control including, without limitation, acts of any governmental body, war, insurrection, sabotage, embargo, pandemic, fire, flood, strike or other labor disturbance, interruption of or delay in transportation, unavailability of or interruption or delay in telecommunications or third-party services, failure of third-party software or inability to obtain raw materials, supplies or power.

11.11. Entire Agreement and Order of Precedence. This Agreement is the entire agreement between You and Us regarding Your use of the Services and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning its subject matter.  Some parts of the Services may be subject to additional terms and conditions which will be referred to in the Order Forms.  No modification, amendment, or waiver of any provision of this Agreement will be effective unless in writing and signed by the party against whom the modification, amendment, or waiver is to be asserted.  The parties agree that any term or condition stated in Your purchase order or in any other of Your order documentation (excluding Order Forms) is void.  Likewise, the terms and conditions of Third-Party Applications are excluded from this Agreement.  In the event of any conflict or inconsistency among the following documents, the order of precedence shall be: (1) the applicable Order Form, (2) Exhibit 1 when its conditions are met or Exhibit 2 when its conditions are met, (3) this Master Subscription Agreement, and (4) the Support policies and the Documentation.  The Data Processing Addendum shall prevail over all other contractual documents insofar as it relates to the processing of personal data.

11.12. Customer Attribution. You agree that We may use and display Your name and logo: (a) on Our customer list; and (b) with Your prior written approval, not to be unreasonably withheld or delayed, in other marketing materials of Us.


Exhibit 1: Data Processing Addendum

This Data Processing Addendum, including the Standard Contractual Clauses referenced herein, (collectively, “DPA”) amends and supplements any existing and currently valid Main Agreement (defined below) either previously or concurrently made between:

Payloop, Inc., a company incorporated under the laws of the State of Delaware, USA, having its principal place of business at 1515 E Cesar Chaves St., Ste 100, Austin, TX  78702 (USA) (the “Data Processor”)


and


The other party to the Main Agreement, as defined below, (the “Data Controller”).


Data Processor and Data Controller are also individually referred to herein as a “Party” and collectively as the “Parties”.  Defined terms used in this DPA but not otherwise defined herein shall have the meanings ascribed to them in the Main Agreement.


RECITALS

  1. Data Processor and Data Controller agreed to the Main Agreement (as defined below).

  2. Pursuant to the Main Agreement, Data Processor may Process Personal Data in connection with the Services (as defined below) on behalf of Data Controller.

  3. The Parties agree to comply with the following provisions with respect to any Personal Data transferred to Data Processor in connection with Data Processor’s provision of the Services to Data Controller.


NOW, THEREFORE, THE PARTIES AGREE AS FOLLOWS:


  1. Definitions

“Affiliate” has the meaning ascribed to it in the Main Agreement.

“CCPA” means the California Consumer Privacy Act.

“Data Controller” means the Party that determines the purposes and means of the Processing of Personal Data, namely, the other Party to the Main Agreement, as noted above.

“Data Processor” means the Party who Processes Personal Data on behalf of Data Controller, namely, Payloop, Inc., as noted above.

“Data Protection Law(s)” means all applicable laws relating to the Processing of Personal Data and privacy that may exist in any relevant jurisdiction, including, where applicable, guidance, formal directives, applicable regulations, and codes of practice issued by the applicable Supervisory Authority, and including, without limitation to the extent applicable: (i) CCPA; (ii) GDPR; (iii) UK GDPR; and (iv) FADP.  Data Protection Law(s) exclude, without limitation, consent decrees.

“Data Subject” means the person to whom the Personal Data relates.

“Effective Date” means March 21, 2022, or, if later, the date on which the Main Agreement between the Parties became effective.

“European Economic Area” means a Member State of the European Union, together with Norway, Iceland, and Liechtenstein, (jointly referred to as “EEA”).

“EU Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of a Member State of the EEA.

“EU SCC” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses, Module II, for the transfer of personal data to third countries pursuant to GDPR, where GDPR applies.

“FADP” means the Swiss Federal Act on Data Protection as updated on 25 September 2020.

“GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).

“Main Agreement” means the Professional Services Agreement, its contractual documents including Statement(s) of Work thereto, as well as any exhibits or amendments or add-on Statement(s) of Work, and/or the Master Subscription Agreement, its contractual documents including Order Form(s) thereto, as well as any exhibits or amendments or add-on Order Form(s), as entered into between Data Controller and Data Processor.

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person that Data Processor has received from Data Controller on or after the Effective Date for Processing pursuant to the Main Agreement when such data is protected as “personal data” or “personally identifiable information” or a similar term under applicable Data Protection Laws. Personal Data processed pursuant to the Main Agreement explicitly excludes Prohibited Data.

“Personal Data Breach” means any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to Personal Data where such compromise of the Personal Data meets the definitions of both “personal data” (or like term) and “security breach” (or like term) under applicable Data Protection Law(s) governing the particular circumstances.

“Process” or “Processing” or “Processed” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.

“Prohibited Data” has the meaning ascribed to it in Section 3.5.

“Services” has the meaning ascribed to “Professional Services” and/or “Services” in the Main Agreement.

“Standard Contractual Clauses” means the EU SCC or the UK SCC together as means to safeguard the transfer of personal data outside of, respectively, the EU, the UK, or Switzerland.

“Sub-processor” means any processor engaged by Data Processor or by any other Sub-processor of Data Processor who receives Personal Data exclusively intended for Processing activities to be carried out on behalf of Data Controller in connection with the Services.

“Supervisory Authority” has the meaning set forth under the applicable Data Protection Laws. When the EU Personal Data are involved, the Supervisory Authority is the French CNIL.

“Swiss Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of Switzerland. Swiss Personal Data shall encompass, in addition to data relating to identified or identifiable individuals, data relating to identified and identifiable legal entities if and as long as such data is considered personal data under the FADP.

“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

“UK Personal Data” means Personal Data which is, or has been, subject to the Data Protection Laws of the United Kingdom.

“UK SCC” means the UK International Data Transfer Addendum to the EU SCC issued by the UK ICO, where the UK GDPR applies.

  2. Scope of the DPA

2.1. The Personal Data to be transferred or collected for Processing pursuant to the Main Agreement may consist of the following categories of data:

First and last name, email address, title, phone number, business address, employer’s company name, localization data, and/or information related to selections made through the Services, including online orders placed thereby

2.2. The categories of Data Subjects whose Personal Data may be Processed are:

Data Controller’s or its Affiliate’s employees or contractors involved in Data Controller’s and/or its Affiliate’s receipt of the Services, Data Controller’s or its Affiliate’s authorized users of the Services, and/or the employees or contractors of Data Controller’s or its Affiliate’s customers and/or prospective customers


2.3. The nature and purpose of Processing activities to be undertaken by Data Processor are: Providing the Services to Data Controller.


  3. Obligations of Data Controller

3.1. In accordance with the applicable Data Protection Law(s), Data Controller remains responsible for ensuring the rights of the concerned Data Subjects, including but not limited to, (i) access to their data, (ii) rectification of inaccurate or incomplete data, (iii) erasure of their data, (iv) when applicable, limitation of the use of their data, (v) when data is processed in an automated way, right to transfer their data to a third party under a standard interoperable format (right to portability), (vi) when applicable, opposition to the data processing, or (vii) consent withdrawal. A Data Subject may lodge a complaint with the applicable Supervisory Authority at any time. If the applicable law of the Main Agreement is French law, a Data Subject also has the right to set up directives relating to the use of their data after their death.


3.2. Data Controller will inform its Data Subjects (i) about its use of Data Processor to Process their Personal Data as required by applicable Data Protection Law(s) and (ii) that their Personal Data will be Processed outside of the European Economic Area, the United Kingdom, Switzerland, as required by applicable Data Protection Law(s).


3.3. Data Controller shall without undue delay notify Data Processor in writing (email insufficient) at the address specified above when it discovers errors or irregularities in the Processing of Personal Data in accordance with applicable Data Protection Law(s).


3.4. Data Controller shall respond in a reasonable time to enquiries from any Supervisory Authority regarding the processing of relevant Personal Data by Data Controller. If any Party is required under applicable Data Protection Law(s) to issue information to any Supervisory Authority regarding the collection, processing, or use of Personal Data, the other Party may support the responding Party in its efforts to provide such information.


3.5. Data Controller hereby acknowledges that the Services are intended only to generate 3D and 2D images on websites and platforms, including those of Data Controller and/or third parties with whom Data Controller contracts, and are not intended for storage or use of any data not related to such purpose, including, without limitation, social security numbers, financial account numbers, health information, driver’s license numbers or information, passport or visa numbers, credit card information, or any special categories of personal data (“Prohibited Data”). Data Controller agrees that it will not, and will not permit its Affiliate or any user, to input any Prohibited Data into the Services.

  4. Obligations of Data Processor

4.1. In providing the Services, Data Processor shall comply with the instructions of Data Controller for the Processing of Personal Data and Process the Personal Data exclusively in connection with the provision of the Services. The provisions of this DPA are the main source of instructions issued by Data Controller. Any amendments to the Processing requirements shall be agreed between the Parties and documented in writing.


4.2. Data Processor shall assist Data Controller:

  1. in responding to requests by Data Subjects to exercise their rights; and

  2. in complying with its obligations in relation to security of Personal Data under applicable Data Protection Law(s), including but not limited to, as applicable, data protection impact assessment and prior consultation, taking into account the nature of the Services and the information available to Data Processor.

  3. carrying out a request from Data Controller to amend, transfer, or delete any of the Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller under applicable Data Protection Law(s).


4.3. Notification of Non-Compliance with Data Protection Requirements:

Data Processor shall inform Data Controller without delay if it becomes aware:

  1. That Data Processor’s employees, subcontractors, and/or any third party engaged in the Processing fail to comply with any requirements regarding the protection of Personal Data or any provisions of this DPA; and/or

  2. Of any other irregularity in the Processing of Personal Data.


4.4. Storage and Erasure of Data

  1. Data Processor shall store the Personal Data as long as it is needed for the provision of the Services and in accordance with applicable Data Protection Law(s).

  2. Data Processor must store the Personal Data, together with any copies or reproductions made of such Personal Data, with reasonable care and securely so that it is not accessible to third parties.

  3. Any Personal Data that is no longer required will be deleted in accordance with applicable Data Protection Law(s).

  4. Upon request by Data Controller or upon termination or expiration of the Main Agreement, Data Processor shall at Data Controller’s choice (a) deliver to Data Controller all Personal Data (and any copies or derivative works of same) in its possession, and/or (b) destroy all Personal Data (and any copies or derivative works of same) in its possession, and certify to Data Controller that it has done so, unless otherwise required under operation of Data Protection Law(s), or as mutually agreed by the Parties, and/or (c) cease any Processing of Personal Data.


4.5. Data Access and Modification

  1. Data Processor shall permit Data Subjects access to their respective Personal Data. In particular, Data Subjects shall be permitted to correct, amend, or delete inaccurate Personal Data at no additional cost.

  2. Both Parties agree that, in the event of receiving a Data Subject complaint or access request that may involve the other Party, to notify the other Party without delay and to provide such cooperation and assistance as may be reasonably required to enable that Party to deal with any Data Subject complaint or access request in accordance with the provisions of the applicable Data Protection Law(s).

  3. To the extent that Data Controller does not have the ability to correct, amend, block, or delete already transferred Personal Data, Data Processor shall comply with any reasonable request by Data Controller to facilitate such actions as required by Data Protection Law(s).

  4. If Data Processor becomes aware of any errors or incorrectness of Personal Data, Data Processor shall notify Data Controller prior to correcting such data. Whenever a situation arises where this may be appropriate and in line with applicable Data Protection Law(s), consideration may be given to blocking data instead of erasing it.


4.6. Upon request by Data Controller with reasonable notice, Data Controller (or a duly qualified independent auditor selected by Data Controller and not unreasonably objected to by Data Processor) may audit Data Processor to ensure that Data Processor is in compliance with this DPA. Data Processor shall provide Data Controller access to the relevant Data Processor personnel and records. Data Processor shall notify Data Controller without delay if Data Processor becomes aware that an instruction for the Processing of Personal Data given by Data Controller violates any applicable Data Protection Law(s).

4.7. To the extent that Data Controller is a “business” as defined under the CCPA, it is the understanding of the Parties that Processor is a “service provider” as defined under CCPA with respect to the Personal Data. Except for usage of Personal Data as necessary to bring and defend claims, to comply with requirements of the legal process, to cooperate with regulatory authorities, and to exercise other similar permissible uses as expressly provided under applicable Data Protection Law(s), Data Processor shall not retain, use, sell, or disclose the Personal Data (that is not de-identified) for any purpose, including other commercial purposes, outside of the direct business relationship with Data Controller.

  5. International Data Transfers


5.1. By the Effective Date, Data Controller acknowledges that it will carry out EU Personal Data, Swiss Personal Data, and UK Personal Data transfers to the following country/ies: United States of America.


5.2. Data Processor hereby agrees to comply with the obligations of a data importer as set out in the EU SCC, incorporated by reference in Exhibit 1 hereto, and acknowledges that Data Controller will be a data exporter under such clauses.


5.3. Data Processor also agrees to comply with the obligations of a data importer as set out in the UK SCC, incorporated by reference in Exhibit 2 hereto, and acknowledges that Data Controller will also be a data exporter under such clauses.


5.4. To the extent the FADP is applicable, the Parties agree that (i) the EU SCC will apply to the transfer of Swiss Personal Data between Data Processor as data importer and Data Controller as data exporter in Switzerland, provided that (i) where the EU SCC include references to the GDPR, such references shall be understood as references to the FADP and (ii) such EU SCC include the superseding changes mentioned in Exhibit 1 for the purpose of that transfer.


5.5. The Parties agree that they will provide additional information about the transfer and will co-operate, without delay, where this is required by a Supervisory Authority in any EEA Member State, the United Kingdom, and/or Switzerland. In the event that a Supervisory Authority revokes or adapts the decision that it made approving the EU SCC or the UK SCC, then Data Controller shall have the right forthwith to require Data Processor to cease to Process EU Personal Data outside the EEA or, if Data Processor is unable to do this, to terminate the Processing of EU Personal Data. 


5.6. With respect to the Processing of EU Personal Data, UK Personal Data, and Swiss Personal Data, Data Controller grants authorization to Data Processor to appoint as Sub-processors the entities set out in Annex III of the Appendix to Exhibit 1 hereto, and for the sub-processing activities described therein, as it may be updated from time to time. Data Processor shall provide Data Controller thirty (30) days’ notice (email or message through Company Services sufficient) of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Data Controller the opportunity to object to such changes. Data Processor shall be fully liable for the acts and omissions of its Sub-processors’ Processing of EU Personal Data to the same extent Data Processor would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

  6. Security Measures


6.1. Data Processor shall implement and adhere to appropriate technical and organizational measures in order to protect Personal Data, in particular where the Processing involves the transmission of data over a network. These measures shall include the requirements established under applicable Data Protection Law(s).

Therefore, Data Processor agrees to undertake appropriate technical and organizational measures with the following purposes:

  1. protect the Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, theft, alteration, or disclosure;

  2. ensure, to the extent within Data Processor’s control and not that of Data Controller, that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage and that it is possible to examine, control, and establish to which parties the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control); and

  3. ensure that it is possible to retrospectively examine, control, and establish whether and by whom Personal Data has been introduced into data processing systems, including any modifications or removal (input control).


6.2. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage, or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected.

At a minimum, these measures should include, but not be limited to:

  1. encrypting sensitive and other Personal Data in transit (but solely to the extent such transit is initiated by Data Processor as opposed to Data Controller and it being understood and agreed by Data Controller that the scope of the Main Agreement does not require or address the Processing of any sensitive data, which Data Controller should not transmit to Data Processor without Data Processor’s express written consent);

  2. ensuring least privileged access rights on systems containing Data Controller’s Personal Data;

  3. regularly reviewing access permissions to Data Controller’s Personal Data;

  4. ensuring the use of complex passwords or two-factor authentication when used;

  5. ensuring proper physical access controls to all systems containing Data Controller’s Personal Data; and

  6. ensuring proper disposal of any Personal Data, in print or electronic media, properly patching systems containing Data Controller’s Personal Data, and ensuring an up-to-date antivirus application is installed on all systems Processing and/or containing Data Controller’s Personal Data.

  7. Data Breaches


7.1. Data Processor shall notify Data Controller promptly and in writing if it becomes aware of any actual Personal Data Breach on Data Processor’s equipment or in Data Processor’s facilities, or Sub-processors’, if any.

In particular, Data Processor must notify Data Controller immediately in writing in the event that the property of Data Controller or its Personal Data in the possession or control of Data Processor is endangered by measures undertaken by third parties.


7.2. Immediately after notification, Data Processor will:

  1. investigate the Personal Data Breach and provide Data Controller with a detailed description of the Personal Data Breach, the type of data and other Personal Data that was the subject of the Personal Data Breach and the identity of each affected person, as soon as such information can be collected or otherwise becomes available (as well as periodic updates to this information and any other information Data Controller may reasonably request relating to the Personal Data Breach);

  2. take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach; and

  3. provide its full assistance and support to Data Controller in the event that Data Controller determines that it is necessary to notify Data Subjects or any concerned Supervisory Authority of such Personal Data Breach.

  8. Sub-processors


8.1. Data Processor uses the third-party Sub-processors listed in Annex III of the Appendix to Exhibit 1. Any such Sub-processor will Process Personal Data only in connection with Data Processor’s provision of the Services and will be prohibited from using Personal Data for any other purpose.

8.2. Data Processor ensures the reliability and competence of its Sub-processors and shall agree with its Sub-processors to protect and Process the Personal Data under terms and conditions no less restrictive than those contained in this DPA.

  9. Term and Termination


9.1. This DPA shall enter into effect on the Effective Date and its term shall be coextensive with the term of the Main Agreement. The obligations under Section 4.4 shall survive any termination or expiration of the Main Agreement. Any other obligation, excepting those that reasonably or under any applicable laws have to survive a termination or expiration of the Main Agreement, shall terminate upon termination or expiration of the Main Agreement.


9.2. Data Controller shall deem any breach of this DPA as a breach of the Main Agreement and thus the same provisions for the termination of this DPA shall be applicable.

  10. Miscellaneous


10.1. This DPA is intended to ensure the adequate level of protection of Personal Data and does not otherwise affect the rights and obligations under any other agreements between the Parties, including, without limitation, the Main Agreement.


10.2. Nothing in this DPA shall be construed as an exclusion of Data Protection Laws or export regulations that may be applicable to the Services provided by Data Processor under the Main Agreement and that must be observed by the Parties.


10.3. If any term or provision of this DPA shall be held to be illegal or unenforceable in whole or in part, the validity of the remaining provisions of this DPA shall remain unaffected. The same shall apply in the event that this DPA is incomplete.

Built in LA & Austin – © Payloop 2025
