SECTION 1: GENERAL TERMS AND CONDITIONS

This Section 1 sets forth the terms and conditions applicable to Customer’s purchase and use of any of the Services. Capitalized terms used but not defined in the body of this Agreement are defined in Exhibit C.

1.1 Term and Termination.

1.1.1 Term.

Unless earlier terminated as provided in this Section 1 or specified in an Order Form, this Agreement shall be effective as of the Commencement Date and will continue until the expiration or termination of the Term specified in the Order Form ("Subscription Term"). If no term is specified in the Order for a Subscription, the Subscription Term for Subscription will be twelve (12) months.

1.1.2 Termination for Convenience. Account Cancellation.

Either party shall have the right to terminate this Agreement upon written notice in the event the other party fails to perform or observe any material term or condition of this Agreement and such default has not been cured no later than thirty (30) days after written notice of such default to the other party. If Customer elects to terminate an Order Form or Agreement, it is Customer’s responsibility to notify Webiny by sending a termination notice in an email to sales@webiny.com. Webiny may also terminate this Agreement immediately if the Customer: (a) terminates or suspends its business; (b) becomes subject to any bankruptcy or insolvency proceeding; (c) becomes insolvent or subject to direct control by a trustee, receiver or similar authority; or (d) is wound up or liquidated, voluntarily or otherwise.

1.1.3 Effect of Termination; Survival.

If this Agreement terminates or expires: (i) the Subscription Term for the Services will immediately end; (ii) any Subscription Licenses in the Order Form will automatically terminate, and Customer will no longer have the right to use the Services; (iii) if any Fees were owed prior to termination, Customer must pay those Fees immediately; and (iv) each Party will promptly return (or, if the other party requests it, destroy) all Confidential Information belonging to the other to the extent permitted by the Service. Any provisions which by their nature should reasonably survive will survive the termination or expiration of this Agreement or an Order Form.

1.2 Payment.

1.2.1 Fees.

Customer agrees to pay the Fees in full, without deduction or set-off of any kind, in the currency and on the dates (if any) specified in the Order Form. Customer must pay the Fees within thirty (30) days of the Webiny invoice date. Amounts payable under this Agreement are non-refundable. If Customer fails to pay any Fees on time, Webiny reserves the right, in addition to taking any other action at law or equity, to (i) charge interest on past due amounts at 1.0% per month or the highest interest rate allowed by law, whichever is less, and to charge all expenses of recovery, and (ii) terminate this Agreement and/or the applicable Order Form. Customer is solely responsible for all taxes, fees, duties, and governmental assessments (except for taxes based on Webiny’s net income) that are imposed or become due in connection with this Agreement.

1.2.2 Professional Services.

Upon Customer’s request for Professional Services, Webiny will provide an Order Form detailing such Professional Services. Webiny will perform the Professional Services described in each Order Form. Webiny will control the manner and means by which the Professional Services are performed and reserves the right to determine personnel assigned. Webiny may use third parties to perform the Professional Services, provided that Webiny remains responsible for their acts and omissions. Customer acknowledges and agrees that Webiny retains all right, title, and interest in and to anything used or developed in connection with performing the Professional Services, including software, tools, specifications, ideas, concepts, inventions, processes, techniques, and know-how. To the extent Webiny delivers anything to Customer while performing the Professional Services, Webiny grants to Customer a non-exclusive, non-transferable, worldwide, royalty-free, limited-term license to use those deliverables during the term of this Agreement, solely in conjunction with Customer’s use of the Software or Service.

1.2.3 Purchasing Additional Services.

Customer may obtain additional Services under this Agreement by submitting a request through Webiny’s sales team. If Customer purchases the additional Services, Customer must pay the then-currently applicable Fees for them.

1.3 Confidentiality.

Neither Party will use the other Party’s Confidential Information, except as permitted under this Agreement. Each Party agrees to maintain in confidence and protect the other Party’s Confidential Information using at least the same degree of care as it uses for its own information of a similar nature, but in any event at least a reasonable degree of care. Each Party agrees to take all reasonable precautions to prevent any unauthorized disclosure of the other Party’s Confidential Information, including, without limitation, disclosing such Confidential Information only to its Representatives who (i) have a need to know such information, (ii) are parties to appropriate agreements sufficient to comply with this Section 1.3, and (iii) are informed of the restrictions on use and disclosure set forth in this Section 1.3. Each Party is responsible for all acts and omissions of its Representatives. The foregoing obligations will not restrict either Party from disclosing Confidential Information of the other Party pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the Party required to make such a disclosure gives reasonable notice to the other Party to enable such Party to contest such order or requirement, unless such notice is prohibited by law. The restrictions set forth in this Section 1.3 will survive the termination or expiration of this Agreement.

1.4 Defense of Claims.

The Parties will defend each other against third-party claims, as and to the extent set forth in this Section 1.4 and will pay the amount of any resulting adverse final judgment or approved settlement, but only if the defending Party is promptly notified in writing of the claim and has the right to control the defense and any settlement of it. The Party being defended must provide the defending Party with all requested assistance, information, and authority. The defending Party will reimburse the other Party for reasonable out-of-pocket expenses it incurs in providing assistance, and will not settle or make any admissions with respect to a third-party claim without the other Party’s prior written consent, not to be unreasonably withheld or delayed. This Section 1.4 describes the Parties’ sole remedies and entire liability for such claims.

1.4.1 Webiny.

Webiny will defend Customer against any claim brought by an unaffiliated third party to the extent it alleges Customer’s authorized use of the Services infringes a copyright, patent, or trademark or misappropriates a trade secret of an unaffiliated third party. If Webiny is unable to resolve any such claim under commercially reasonable terms, it may, at its option, either: (a) modify, repair, or replace the Service (as applicable); or (b) terminate Customer’s subscription and refund any prepaid, unused service fees.

Webiny will have no obligation under this Section 1.4.1 for any such claim arising from: (i) modification of the Services, or the combination, operation, or use of the Services with equipment, devices, software, systems, or data, other than as expressly authorized by this Agreement (including the Documentation); (ii) Customer’s failure to stop using the Services after receiving notice to do so; (iii) Customer’s obligations under Section 1.4.2; (iv) products or services (including use of the Software or Service) that are provided by Webiny free of charge; or (v) access or use of Beta Previews. For purposes of Webiny’s obligation under this Section 1.4.1, the Software and the Service include open source components incorporated by Webiny therein.

1.4.2 Customer.

Customer will defend Webiny against any claim brought by an unaffiliated third party arising from: (i) Customer Content that Customer uploads to the Software or the Service; (ii) Customer’s violation of this Agreement, including Customer’s breach of confidentiality or violation of Webiny’s acceptable use terms; (iii) Customer modifications to the Software; or (iv) any third party-branded equipment, devices, software, systems, or data that Customer combines, operates, or uses with the Software or Service.

1.5 Representations and Warranties; Disclaimer; Limitations of Liability.

1.5.1 General Warranty.

Each Party represents and warrants to the other that it has the legal power and authority to enter into this Agreement and that this Agreement and each Order Form is entered into by an employee or agent of such Party with all necessary authority to bind such Party to the terms and conditions of this Agreement.

1.5.2 Limited Warranties.

Professional Services. Webiny warrants to Customer that any Professional Services performed under this Agreement will be performed in a professional and workmanlike manner by appropriately qualified personnel. Webiny’s only obligation, and Customer’s only remedy, for a breach of this warranty will be, at Webiny’s option and expense, to either: (1) promptly re-perform any Professional Services that fail to meet this warranty or (2) if the breach cannot be cured, terminate the Agreement and/or Order Form and refund the unused, prepaid Fees.

1.5.3 Disclaimer.

(i) Generally. Except as expressly provided in this Agreement, Webiny does not make any other warranties and representation of any kind, and hereby specifically disclaims any other warranties, whether express, implied, or statutory, including but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, or any warranties or conditions arising out of course of dealing or usage of trade. No advice or information, whether oral or written, provided by Webiny or anywhere else will create any warranty or condition not expressly stated in this Agreement.

(ii) Service. Webiny provides the Service "AS IS" and "AS AVAILABLE" without warranty of any kind. Without limiting this, Webiny expressly disclaims all warranties, whether express, implied, or statutory, regarding the Service including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy, and non-infringement. Webiny does not warrant that the Service will meet Customer’s requirements; that the Service will be uninterrupted, timely, secure, or error-free; that the information provided through the Service is accurate, reliable, or correct; that any defects or errors will be corrected; that the Service will be available at any particular time or location; or that the Service is free of viruses or other harmful components. Webiny will not be responsible for any risk of loss resulting from Customer’s downloading and/or use of files, information, Content, or other material obtained from the Service.

(iii) Beta Previews. Customer may choose to use Beta Previews at their sole discretion. Beta Previews may not be supported and may be changed at any time without notice. Beta Previews may not be as reliable or available as the Service. Beta Previews are not subject to the same security measures and auditing to which the Service has been and is subject. Webiny will have no liability arising out of or in connection with Beta Previews. Customer uses Beta Previews at its own risk.

1.5.4 Limitations of Liability.

(i) Indirect Damages. To the maximum extent permitted by applicable law, in no event will either party be liable to the other party or to any third party for any indirect, special, incidental, punitive, or consequential damages (including for loss of profits, revenue, or data) or for the cost of obtaining substitute products arising out of or in connection with this Agreement, however caused, whether such liability arises from any claim based upon contract, warranty, tort (including negligence), strict liability or otherwise, and whether or not a party has been advised of the possibility of such damages. \

**(ii) Limitation of Total Liability. **To the maximum extent permitted by applicable law, in no event will either party’s total cumulative liability under this Agreement from all causes of action and all theories of liability exceed the Fees Customer has actually paid to Webiny during the 12 months preceding the claim giving rise to such liability. For products and services (including use of the Products) that are provided free of charge and for Beta Previews, Webiny’s liability is limited to direct damages up to £5,000.

1.6 Intellectual Property Rights.

As between the Parties, Webiny owns all rights, title, and interest, including all intellectual property rights, in and to the Software, Services and Products. Webiny reserves all rights in and to the Software, Services and Products not expressly granted to Customer under this Agreement. Webiny may use, modify, and incorporate into its Software, Services and Products, any Feedback, comments, or suggestions that Customer may provide or post in forums without any obligation to Customer.

1.7 General Provisions.

1.7.1 Governing Law; Venue.

This Agreement will be governed by and construed in accordance with the laws of the State of Delaware, without giving effect to the principles of conflict of law. The Parties agree that any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in the State of Delaware, and the Parties hereby consent to personal jurisdiction and venue therein..

1.7.2 No Publicity without Permission.

Webiny may identify Customer as a customer to current and prospective customers. However, Webiny may not use Customer’s name or logo in any advertising or marketing materials without Customer’s permission.

1.7.3 Assignment.

Neither Party may assign or otherwise transfer this Agreement, in whole or in part, without the other Party’s prior written consent, such consent not to be unreasonably withheld, and any attempt to do so will be null and void, except that Webiny may assign this Agreement in its entirety, upon notice to the other party and without the other Party’s consent, in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of the assigning party’s business or assets.

1.7.4 Notices.

Unless otherwise stated herein, any notice, request, demand or other communication under this Agreement must be in writing (e-mail is acceptable) and will be deemed to be properly given: (i) upon receipt, if delivered personally; (ii) one (1) business day following confirmation of receipt by the intended recipient, if by email; (iii) five (5) business days after it is sent by registered or certified mail, with written confirmation of receipt and email; or (iv) three (3) business days after deposit with an internationally recognised express courier and email, with written confirmation of receipt. Notices can be sent to the address(es) set forth in this Agreement unless a Party notifies the other that those addresses have changed.

1.7.5 Force Majeure.

Webiny will be excused from liability to the extent that it is unable to perform any obligation under this Agreement due to extraordinary causes beyond its reasonable control, including acts of God, natural disasters, strikes, lockouts, riots, acts of war, epidemics, or power, telecommunication or network failures.

1.7.6 Independent Contractors.

Each Party is an independent contractor with respect to the subject matter of this Agreement. Nothing contained in this Agreement will be deemed or construed in any manner to create a legal association, partnership, joint venture, employment, agency, fiduciary, or other similar relationship between the Parties, and neither Party can bind the other contractually.

1.7.7 Waiver.

A Party’s obligations under this Agreement may only be waived in writing signed by an authorized representative of the other Party. No failure or delay by a Party to this Agreement in exercising any right hereunder will operate as a waiver thereof, nor will any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any right hereunder at law or equity.

1.7.8 Entire Agreement.

This Agreement, together with the Exhibits and each Order Form, constitutes the entire agreement and understanding of the Parties with respect to its subject matter, and supersedes all prior or contemporaneous understandings and agreements, whether oral or written, between the Parties with respect for such subject matter. The terms of any Customer purchase order, written terms or conditions, or other documents that Customer submits to Webiny that contains terms that are different from or in addition to the terms of this Agreement or any Order Form will be void and of no effect.

1.7.9 Severability.

If any provision of this Agreement is deemed by a court of competent jurisdiction to be illegal, invalid, or unenforceable, the Parties will modify or reform this Agreement to give as much effect as possible to that provision. Any provision that cannot be modified or reformed in this way will be deemed deleted and the remaining provisions of this Agreement will continue in full force and effect.

EXHIBIT A: DEFINITIONS FOR SECTIONS 1

"Beta Previews" means software, services, or features identified as alpha, beta, preview, early access, or evaluation, or words or phrases with similar meanings.

"Confidential Information" means all non-public information disclosed by either Party to the others, whether in writing, orally or by other means, designated as confidential or that the receiving Party knows or reasonably should know, under the circumstances surrounding the disclosure and the nature of the information, is confidential to the disclosing Party.

"Content" means, without limitation, text, data, articles, images, photographs, graphics, software, applications, designs, features, and other materials that are featured, displayed, or otherwise made available through the Service. \

"Documentation" means any manuals, documentation, and other supporting materials relating to the Software or Service that Webiny provides or makes available to Customer. \

"Commencement Date" is the commencement date which is set out in the Order Form (or such other date as may be agreed between the parties). \

"Fees" means the fees Customer is required to pay Webiny to (i) use the Products during the applicable Subscription Term or (ii) receive Professional Services, as such fees are reflected on an Order Form. \

"Feedback" means any ideas, know-how, algorithms, code contributions, suggestions, enhancement requests, recommendations, or any other feedback on Webiny products or services.

"Order Form" means written or electronic documentation (including a quote) that the Parties use to order the Products.

"Professional Services" means training, technical consulting, or implementation services that Webiny provides pursuant to an agreed Order Form. Professional Services do not include Support.

"Representatives" means a Party’s employees, agents, independent contractors, consultants, and legal and financial advisors. \

"Software" means Webiny Enterprise software. Software includes any applicable Documentation, as well as any Updates to the Software that Webiny provides to Customer or that it can access under this Agreement. \

"Subscription Term" means one (1) year from the Commencement Date of an order or any fixed term otherwise stated in the Order Form, and includes any renewal of that Subscription Term.

**"Support" **means technical support for the Software or Service that Webiny may provide.

"Update" means a Software release that Webiny makes generally available to its customers, along with any corresponding changes to Documentation (if any).

\

EXHIBIT B: WEBINY DATA PROTECTION ADDENDUM

**1. Definitions and Interpretation. **Capitalized terms and expressions used in this Schedule shall have the following meaning:

"Client Personal Data" means any Personal Data Processed by a Subprocessor on behalf of Client pursuant to or in connection with this Agreement;

"EEA" means the European Economic Area;

"EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

"GDPR" means EU General Data Protection Regulation 2016/679;

"Data Transfer" means a transfer of Client Personal Data from the Client to a Subprocessor; or an onward transfer of Client Personal Data from a Subprocessor to a Sub-Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

"Services" means the services which the Supplier provides for Clients.

"Subprocessor" means any person appointed by or on behalf of the Supplier to process Personal Data in connection with the agreement.

"UK Data Protection Laws" means the Data Protection Act 2018 and any amendment or replacement of that Act.

"US Data Protection Laws" means The U.S. Department of Commerce and European Commission’s EU–U.S. Privacy Shield Framework ("Privacy Shield"), or any succeeding legislation, available at https://www.privacyshield.gov/, or any succeeding URL, as may be amended. The "Privacy Shield Principles" refer to the principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability;

The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Client Personal Data. Where the Supplier Processes Client Personal Data under the terms of the agreement, the Supplier shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data.

**3. The Supplier Personnel. **The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable laws in the context of that individual’s duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

**4. Security. **Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

**5. **In assessing the appropriate level of security, the Supplier shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

**6. Subprocessing. **The Supplier shall not appoint (or disclose any Client Personal Data to) any Subprocessor unless required or authorized to do so by the Client, or by the Customer, having received authorization from the Client.

**7. Data Subject Rights. **Taking into account the nature of the Processing, the Supplier shall implement appropriate technical and organizational measures, insofar as this is possible, to respond to any requests to exercise Data Subject rights under the Data Protection Laws.

8. The Supplier shall promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data.

**9. Personal Data Breach. **The Supplier shall notify Customer without undue delay upon the Supplier becoming aware of any Personal Data Breach affecting Client Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

**10. **The Supplier shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of any such Personal Data Breach.

**11. Data Protection Impact Assessment and Prior Consultation. **The Supplier shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably requires under article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to the Supplier.

12. Deletion or return of Client Personal Data. The Supplier shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Client Personal Data delete and procure the deletion of all copies of Client Personal Data. However, it is agreed that the Supplier may retain anonymized or aggregated data which cannot be used to identify individual Data Subjects.

**13. Audit rights. **The Supplier shall make available to the Client on request all information necessary to demonstrate compliance with this agreement, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by the Supplier or its Subprocessors.

14. Data Transfer. The Supplier may not transfer or authorize the transfer of Data to countries outside the US, the UK, the EU and/or the European Economic Area (EEA), other than under the EU-U.S. Privacy Shield Framework, without the prior written consent of the Customer, having received appropriate consent (where required) from the Client. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, or outside the EU-U.S. Privacy Shield Framework, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

EXHIBIT A: DEFINITIONS FOR SECTIONS 1

“Beta Previews” means software, services, or features identified as alpha, beta, preview, early access, or evaluation, or words or phrases with similar meanings.

“Confidential Information” means all non-public information disclosed by either Party to the others, whether in writing, orally or by other means, designated as confidential or that the receiving Party knows or reasonably should know, under the circumstances surrounding the disclosure and the nature of the information, is confidential to the disclosing Party.

“Content” means, without limitation, text, data, articles, images, photographs, graphics, software, applications, designs, features, and other materials that are featured, displayed, or otherwise made available through the Service. \

“Documentation” means any manuals, documentation, and other supporting materials relating to the Software or Service that Webiny provides or makes available to Customer. \

“Commencement Date” is the commencement date which is set out in the Order Form (or such other date as may be agreed between the parties). \

“Fees” means the fees Customer is required to pay Webiny to (i) use the Products during the applicable Subscription Term or (ii) receive Professional Services, as such fees are reflected on an Order Form. \

“Feedback” means any ideas, know-how, algorithms, code contributions, suggestions, enhancement requests, recommendations, or any other feedback on Webiny products or services.

“Order Form” means written or electronic documentation (including a quote) that the Parties use to order the Products.

“Professional Services” means training, technical consulting, or implementation services that Webiny provides pursuant to an agreed Order Form. Professional Services do not include Support.

“Representatives” means a Party’s employees, agents, independent contractors, consultants, and legal and financial advisors. \

“Software” means Webiny Enterprise software. Software includes any applicable Documentation, as well as any Updates to the Software that Webiny provides to Customer or that it can access under this Agreement. \

“Subscription Term” means one (1) year from the Commencement Date of an order or any fixed term otherwise stated in the Order Form, and includes any renewal of that Subscription Term.

**“Support” **means technical support for the Software or Service that Webiny may provide.

“Update” means a Software release that Webiny makes generally available to its customers, along with any corresponding changes to Documentation (if any).

EXHIBIT B: WEBINY DATA PROTECTION ADDENDUM

**1. Definitions and Interpretation. **Capitalized terms and expressions used in this Schedule shall have the following meaning:

“Client Personal Data” means any Personal Data Processed by a Subprocessor on behalf of Client pursuant to or in connection with this Agreement;

“EEA” means the European Economic Area;

“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

“GDPR” means EU General Data Protection Regulation 2016/679;

“Data Transfer” means a transfer of Client Personal Data from the Client to a Subprocessor; or an onward transfer of Client Personal Data from a Subprocessor to a Sub-Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

“Services” means the services which the Supplier provides for Clients.

“Subprocessor” means any person appointed by or on behalf of the Supplier to process Personal Data in connection with the agreement.

“UK Data Protection Laws” means the Data Protection Act 2018 and any amendment or replacement of that Act.

“US Data Protection Laws” means The U.S. Department of Commerce and European Commission’s EU–U.S. Privacy Shield Framework (“Privacy Shield”), or any succeeding legislation, available at https://www.privacyshield.gov/, or any succeeding URL, as may be amended. The “Privacy Shield Principles” refer to the principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability;

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Client Personal Data. Where the Supplier Processes Client Personal Data under the terms of the agreement, the Supplier shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data.

**3. The Supplier Personnel. **The Supplier shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with applicable laws in the context of that individual’s duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

**4. Security. **Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier shall in relation to the Client Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

**5. **In assessing the appropriate level of security, the Supplier shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

**6. Subprocessing. **The Supplier shall not appoint (or disclose any Client Personal Data to) any Subprocessor unless required or authorized to do so by the Client, or by the Customer, having received authorization from the Client.

**7. Data Subject Rights. **Taking into account the nature of the Processing, the Supplier shall implement appropriate technical and organizational measures, insofar as this is possible, to respond to any requests to exercise Data Subject rights under the Data Protection Laws.

8. The Supplier shall promptly notify the Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data.

**9. Personal Data Breach. **The Supplier shall notify Customer without undue delay upon the Supplier becoming aware of any Personal Data Breach affecting Client Personal Data, providing the Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

**10. **The Supplier shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation and remediation of any such Personal Data Breach.

**11. Data Protection Impact Assessment and Prior Consultation. **The Supplier shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably requires under article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to the Supplier.

12. Deletion or return of Client Personal Data. The Supplier shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Client Personal Data delete and procure the deletion of all copies of Client Personal Data. However, it is agreed that the Supplier may retain anonymized or aggregated data which cannot be used to identify individual Data Subjects.

**13. Audit rights. **The Supplier shall make available to the Client on request all information necessary to demonstrate compliance with this agreement, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by the Supplier or its Subprocessors.

14. Data Transfer. The Supplier may not transfer or authorize the transfer of Data to countries outside the US, the UK, the EU and/or the European Economic Area (EEA), other than under the EU-U.S. Privacy Shield Framework, without the prior written consent of the Customer, having received appropriate consent (where required) from the Client. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, or outside the EU-U.S. Privacy Shield Framework, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.