TERMS OF SERVICE (UPDATED AS OF 25TH MAY 2018)


BETWEEN:

(1) Zymplify Limited a company registered in Northern Ireland under number NI068866 whose registered office is at 27/28 The Promenade, Portstewart, BT557AE (“the Service Provider”) and

(2) You the customer

If you agree to the terms of this service agreement; please indicate this by checking the box beside “I AGREE TO THE TERMS & CONDITIONS”. If this box is not checked the registration process will end and you will not gain access to the service. Note for existing customers continued use of the service constitutes acceptance of these terms of service.


WHEREAS:


(1) The Service Provider hosts and provides access to the Applications described herein in its capacity as an Application Service Provider.

(2) The Customer wishes to access the Applications described herein as hosted by the Service Provider under a non-exclusive Licence, from a remote location, in return for the payment of a monthly fee and subject to the terms and conditions of this Agreement.

IT IS AGREED

as follows:

1. Definitions and Interpretation

1.1 In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:

“Applications” means the selected software applications provided by the ASP which shall be available to the Customer, as set out in Schedule 2 of this Agreement;

“ASP Infrastructure” means the Service Provider’s computer hardware, firmware, software and communications infrastructure which is used to facilitate access to the Applications by the Customer;

“Business Day” means any day other than Saturday or Sunday that is not a bank or public holiday;

“Business Hour” means any time between 09:00 and 17:00 on a Business Day, during which the Service Provider is open for business;

“Commencement Date” means the 25th May 2018 or the date of accepting these terms whichever is later;

“Confidential Information” means all business, technical, financial or other information created or exchanged between the Parties throughout the Term of this Agreement;

“Customer Computer Systems” means the Customer’s computer hardware, firmware, software and communications infrastructure through and on which the Applications are to be used;

“Customer Data” means any data belonging to the Customer or to third parties and used by the Customer under licence which is created using the Applications or otherwise stored in the ASP Infrastructure;

“Fees” means the sums payable by the Customer in return for access to the Applications, the ASP Infrastructure and support services provided by the Service Provider in accordance with Clauses 4 and 12 and Schedule 1 of this Agreement;

“Intellectual Property Rights” means all vested contingent and future intellectual property rights including but not limited to copyright, trade marks, service marks, design rights (whether registered or unregistered), patents, know-how, trade secrets, inventions, get-up and database rights;

“Non-Customer User” means a non-employee of the Customer who may not use the Service in the absence of written consent from the Service Provider as per sub-Clause 10.4;

“Service” means, collectively, the Applications, ASP Infrastructure and support services provided by the Service Provider to the Customer;

“Training Fees” means the sums payable by the Customer in return for training provided by the Service Provider in accordance with Clause 6 of this Agreement, specified in Schedule 3; and

“Users” means an employee of the Customer who shall, from time to time, access the Applications through the ASP Infrastructure.

1.2 Unless the context otherwise requires, each reference in this Agreement to:

2.a.1 “writing”, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;

2.a.2 a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;

2.a.3 “this Agreement” is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;

2.a.4 a Schedule is a schedule to this Agreement; and

2.a.5 a Clause, sub-Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.

1.3 The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.

1.4 Words imparting the singular number shall include the plural and vice versa.

1.5 References to any gender shall include the other gender.

2. The Service

1.1 The Service Provider shall, with effect from the Commencement Date, provide the Service to the Customer on a non-exclusive basis for the duration of the Term of this Agreement and in accordance with the terms and conditions of this Agreement.

1.2 The Service Provider shall provide access to the Applications through the ASP Infrastructure and shall use its best and reasonable endeavours to ensure that such access is available, without interruption, 24 hours a day, 7 days a week, 365 days a year. This undertaking shall be subject to the exceptions contained in Clauses 4, 12, 18 and 19 of this Agreement.

3. Term

1.1 The Service will be provided by the Service Provider during the term of this agreement (the “Term"), which shall commence on the Commencement Date and will continue until terminated in accordance with Clause 19 of this Agreement.

4. Fees and Payment

1.1 The Fees due for the Service are specified in Schedule 1 to this Agreement.

1.2 The Customer shall pay to the Service Provider all Fees due within 30 days of receipt of an invoice from the Service Provider for the same or by advanced purchase with a credit or debit card.

1.3 In the event that the Customer does not pay all Fees due within the time period specified in sub-Clause 4.2 above, the Service Provider shall suspend the Customer’s use of the Service by whatever means it deems appropriate, subject to the requirement that such shall not disrupt any other of the Customer’s operations.

1.4 In the event that the Customer fails to pay under sub-Clause 4.3 then, without prejudice to sub-Clause 4.3, that amount shall bear interest from the due date until payment is made in full, both before and after any judgment, at 3% per annum over the Bank of England base rate obtaining at the time.

1.5 The Service Provider reserves the right to vary the Fees from time to time as it may deem appropriate. The Customer shall receive 30 days’ written notice of any such variation. Such variations shall take effect upon expiry of such notice.

5. The Applications

1.1 The Applications to which the Customer shall have access are detailed in Schedule 2 to this Agreement.

1.2 The Customer is free during the term of this Agreement to either add to or remove from the selection of Applications, subject to availability of required applications from the Service Provider.The Fees shall be amended accordingly in the event of such modification.

6. Training/Onboarding

1.1 The Service Provider shall provide training in accordance with the programme specified in Schedule 3 to all Users that require it.

1.2 The cost of all training materials including, but not limited to, guides, video tutorials and interactive resources which may be required shall be included in the Training Fees.

1.3 Prior to the Commencement Date, the Customer shall determine the number of Users requiring training and shall inform the Service Provider.

1.4 All Training Fees, as specified in Schedule 3, shall be paid by the Customer at the same time as the first instalment of Fees payable under Clause 4. In the event that subsequent training of new Users is required, additional Training Fees shall be charged on an ad-hoc basis with payment due prior to the commencement of such training.

1.5 Further training may be required in the event of significant alterations or upgrades to the Applications and the ASP Infrastructure. The Service Provider shall inform the Customer of such recommended training in advance and shall supply details of all required Training Fees.

1.6 Notwithstanding the provisions of this Clause 6, the Customer is not bound to utilise the Service Provider’s training services and is free to procure training from alternative sources.

7. Security

1.1 The Service Provider shall ensure that at all times the ASP Infrastructure includes adequate security measures.

1.2 The Service Provider shall make daily backups of all data on the ASP server.

8. Maintenance

1.1 The Service Provider shall be responsible for all maintenance and upgrades to the ASP Infrastructure which may from time to time be required.

1.2 Subject to the provisions of Clause 12, the Customer shall be responsible for all maintenance and upgrades to the Customer Computer Systems which may from time to time be required.

1.3 Whenever possible, the Service Provider shall use its best and reasonable endeavours to undertake maintenance work outside of the Customer’s business hours.

1.4 Whenever possible, the Service Provider shall provide a workaround solution to the Customer to enable the Customer’s continued use of the Service or to enable use that is as close to normal as is possible under the prevailing circumstances.

9. Software Licences

1.1 The Customer shall use all Applications under a non-exclusive, non-transferrable licence, as set out in this Agreement.

1.2 All Applications provided by the Service Provider are the property of the Service Provider unless otherwise stated and shall be covered by the terms of the licence included in this Agreement.

10. Applications and ASP Infrastructure Terms of Use

1.1 Users’ access to the Applications and the ASP Infrastructure shall be controlled by means of username and password.

1.2 Should the Customer require an increased number of Users, such an increase shall be permitted at the exclusive discretion of the Service Provider. The Service Provider reserves the right to increase Fees proportionately, in accordance with Schedule 1, in the event of an increase in the number of Users.

1.3 Use by Non-Customer Users is not permitted under this Agreement in the absence of express written consent from the Service Provider, such consent not to be unreasonably withheld. The Service Provider may require such details as the reason that access to the Applications and ASP Infrastructure is required by the Non-Customer User, details of the Non-Customer User and other information which may be specified from time to time.

1.4 The Customer shall use the Service exclusively for the purposes of carrying on its marketing activites.

1.5 The Service Provider shall monitor the Customer’s use of the Applications and ASP Infrastructure from time to time to ensure compliance with the terms and conditions of this Agreement.

1.6 The Customer may only access the Applications detailed in Schedule 2 to this Agreement. No access to other parts of the ASP Infrastructure shall be permitted in the absence of express written permission from the Service Provider.

1.7 The Customer is exclusively responsible for it’s use of the Service, including the conduct of individual Users (Users to include any authorised Non-Customer Users) and must ensure that all use is in accordance with this Agreement. The Customer shall notify the Service Provider immediately of any breaches of this Agreement by any Users or Non-Customer Users.

1.8 Access to the Applications is only permitted through www.zymplify.com, via the ASP Infrastructure. Under no circumstances may the Customer download, store, reproduce or redistribute the Applications or any other part of the ASP Infrastructure, without first obtaining the express written permission of the Service Provider.

1.9 The Customer’s use of the Applications and ASP Infrastructure may, from time to time, be governed by statutory or regulatory rules and requirements external to the terms and conditions of this Agreement. It shall be the Customer’s exclusive responsibility to ensure that their use of the Service is in compliance with any such laws.

1.10 The Customer’s use of the Service shall be subject to the following limitations, any of which may be waived by the Service Provider giving their express written consent:

10.a.1 The Customer may not use or redistribute the Applications or the ASP Infrastructure for the purpose of conducting the business of an Application Service Provider;

10.a.2 The Customer may not redistribute or reproduce the Applications or the ASP Infrastructure through any network; and

10.a.3 The Customer may not allow any unauthorised third party to access the Applications or the ASP Infrastructure.

1.11 Neither the Customer, nor anyone on their behalf may, in the absence of written consent from the Service Provider:

11.a.1 Make changes of any kind to the Applications or the ASP Infrastructure; or

11.a.2 Attempt to correct any fault or perceived fault in the Applications or the ASP Infrastructure.

11. Customer Computer Systems

1.1 Prior to commencement of the Service the Service Provider shall conduct a full inspection and inventory of the Customer Computer Systems to ensure compatibility with the Applications and ASP Infrastructure. Where appropriate, the Service Provider may offer recommendations for upgrades and other alterations. Any such recommendations shall be presented in a written report to the Customer.

1.2 The Service Provider may from time to time require physical access to the Customer Computer Systems for the purposes of inspecting, testing and upgrading the Customer Computer Systems to ensure their compatibility with the Applications and ASP Infrastructure. Such access shall be granted by the Customer only upon receipt of reasonable notice from the Service Provider.

1.3 The Service Provider shall be entitled at all times during the term of this Agreement to access the Customer Computer Systems remotely for the purposes of inspecting, testing and upgrading the Customer Computer Systems to ensure their compatibility with the Applications and ASP Infrastructure.

1.4 Where, in the opinion of the Service Provider, Customer Computer Systems are likely to cause disruption to the ASP Infrastructure, the Service Provider may request that the Customer disconnects from the ASP Infrastructure until advised that reconnection is possible. The Service Provider may require changes such as upgrades or equipment replacement to be made to the Customer Computer Systems prior to reconnection.

1.5 In the event of any unauthorised access by the Customer of Applications or the ASP Infrastructure, in breach of sub-Clause 10.3 or otherwise the Service Provider shall be entitled to terminate access indefinitely or temporarily as it deems appropriate and to terminate this Agreement in accordance with Clause 19 below.

1.6 The Customer shall ensure that no Customer Computer Systems are connected to a third party ASP system or other service, communications system or network in such a way that the Service may be accessed by unauthorised third parties.

12. Support

1.1 The Service Provider shall provide, email and live online support services during their normal business hours, such business hours to exclude public holidays. The support provided by the Service Provider shall relate only to the Applications and ASP Infrastructure. Any problems which are related to Customer Computer Systems must be resolved by the Customer’s own support staff.

1.2 When seeking support the Customer shall use its best and reasonable endeavours to provide the fullest information possible to aid the Service Provider in diagnosing any faults in either the Applications or the ASP Infrastructure.

1.3 Whenever possible, the Service Provider shall provide a workaround solution to the Customer to enable the Customer’s continued use of the Service or to enable use that is as close to normal as is possible under the prevailing circumstances.

13. Intellectual Property

1.1 Subject to sub-Clause 13.2 all Intellectual Property Rights subsisting in the Applications and the ASP Infrastructure, including any supporting software and documentation are the property of the Service Provider. For the purposes of this Clause 13, ‘Applications’ and ‘ASP Infrastructure’ along with supporting software and documentation are taken to include the manner in which all such material is compiled and presented.

1.2 Where expressly indicated, the Intellectual Property Rights subsisting in certain Applications including any supporting software and documentation may be the property of named third parties.

1.3 The Customer shall not either during the term or after the expiry of this Agreement permit or cause to occur any infringement of any Intellectual Property Rights covered by this Clause 13. Use by the Customer and its employees of the Service shall be only within the terms of this Agreement.

1.4 The Customer shall not, in the absence of the Service Provider’s written consent, reproduce, adapt, translate, reverse-engineer, or make available to any third party any of the Applications, any part of the ASP Infrastructure, or any other material associated with this Agreement where such activity goes beyond the scope of actions permitted by the terms and conditions of this Agreement.

1.5 Where the Customer either suspects or is aware of any breach of Intellectual Property Rights covered by this Clause 13 it shall be under a duty to inform the Service Provider of such breach immediately.

14. Customer Data

1.1 Subject to sub-Clause 14.2 all Intellectual Property Rights subsisting in Customer Data are and shall remain the property of the Customer.

1.2 Certain Customer Data may belong to third parties. In such cases, the Customer warrants that all such Customer Data is used with the consent of relevant third parties.

1.3 The Service Provider shall process personal data in accordance with the data processing agreement as set out in Schedule 4.

15. Confidentiality

1.1 During the Term of this Agreement and after the termination or expiration of this Agreement for any reason, the Service Provider shall use its best and reasonable endeavours to ensure that all Customer Data is kept secure and confidential. The Service Provider shall not, in the absence of express written consent from the Customer, disclose Customer Data to any third party unless such disclosure is required by law in which case the Customer shall be notified in writing of the disclosure.

1.2 During the Term of this Agreement the following obligations shall apply to the Party receiving Confidential Information (the “Receiving Party”) from the other Party (the “Disclosing Party”).

1.3 Subject to sub-Clause 15.4, the Receiving Party:

3.a.1 may not use any Confidential Information for any purpose other than the performance of their obligations under this Agreement;

3.a.2 may not disclose any Confidential Information to any third party except with the prior written consent of the Disclosing Party; and

3.a.3 shall make every effort to prevent the unauthorised use or disclosure of the Confidential Information.

1.4 The obligations of confidence referred to in this Clause 15 (excluding sub-Clause 15.1) shall not apply to any Confidential Information that:

4.a.1 is in the possession of and is at the free disposal of the Receiving Party or is published or is otherwise in the public domain prior to its receipt by the Receiving Party;

4.a.2 is or becomes publicly available on a non-confidential basis through no fault of the Receiving Party;

4.a.3 is required to be disclosed by any applicable law or regulation; or

4.a.4 is received in good faith by the Receiving Party from a third party who, on reasonable enquiry by the Receiving Party claims to have no obligations of confidence to the Disclosing Party in respect thereof and who imposes no obligations of confidence upon the Receiving Party.

1.5 Without prejudice to any other rights or remedies the Disclosing Party may have, the Receiving Party acknowledges and agrees that in the event of breach of this Clause the Disclosing Party shall, without proof of special damage, be entitled to an injunction or other equitable remedy for any threatened or actual breach of the provisions of this Clause in addition to any damages or other remedies to which they may be entitled.

1.6 The obligations of the Parties under all provisions of this Clause shall survive the expiry or the termination of this Agreement irrespective of the reason for such expiry or termination.

16. Liability

1.1 The Service Provider shall not be liable to the Customer for any indirect or consequential loss the Customer may suffer even if such loss is reasonably foreseeable or if the Service Provider has been advised of the possibility of the Customer incurring it.

1.2 The Service Provider’s entire liability to the Customer in respect of any breach of its contractual obligations, any breach of warranty, any representation, statement or tortious act or omission including negligence arising under or in connection with this Agreement shall be limited to 2 Year’s annual fee’s.

1.3 Notwithstanding any other provision in this Agreement, the Service Provider’s liability to the Customer for death or injury resulting from the Service Provider’s own negligence or that of their employees, agents or sub-contractors shall not be limited.

17. Indemnity

1.1 The Customer will fully indemnify the Service Provider against all costs, expenses, liabilities, losses, damages and judgments that the Service Provider may incur or be subject to as a result of any of the following:

1.a.1 The Customer’s misuse of the Applications, ASP Infrastructure or any other element of the Service;

1.a.2 The Customer’s breach of this Agreement; or

1.a.3 The Customer’s negligence or other act of default.

1.2 The Service Provider shall be under no obligation to indemnify the Customer against any costs, expenses, liabilities, losses, damages and judgments that the Customer may incur or be subject to arising out of any matter covered by this Agreement.

18. Force Majeure

1.1 Neither the Service Provider nor the Customer shall be liable for breaching this Agreement where that breach results from Force Majeure.

1.2 Force Majeure refers to any event that is beyond the reasonable control of the parties and includes, but is not limited to: power failure, internet service provider failure, industrial action, civil unrest, theft, fire, flood, storms, earthquakes, acts of terrorism, acts of war, governmental action or any other event that is beyond the control of the Party in question.

19. Termination

1.1 The Service Provider reserves the right to terminate this Agreement or to suspend the Service in the following circumstances:

1.a.1 If the Customer fails to pay Fees due under Clause 4 of this Agreement;

1.a.2 If the Customer is in breach of the terms of this Agreement;

1.a.3 If the Customer becomes the subject of a voluntary arrangement under Section 1 of the Insolvency Act 1986;

1.a.4 If the Customer is unable to pay its debts within the definition of Section 123 of the Insolvency Act 1986; or

1.a.5 If the Customer has a receiver, manager, administrator or administrative receiver appointed over all or a substantial part of its undertakings, assets, or income; has passed a resolution for its winding up; or is the subject of a petition presented to a court for its winding up or for an administration order.

1.2 The Customer reserves the right to terminate this Agreement in the following circumstances:

2.a.1 If the Service Provider is in breach of the terms of this Agreement;

2.a.2 If the Service Provider becomes the subject of a voluntary arrangement under Section 1 of the Insolvency Act 1986;

2.a.3 If the Service Provider is unable to pay its debts within the definition of Section 123 of the Insolvency Act 1986; or

2.a.4 If the Service Provider has a receiver, manager, administrator or administrative receiver appointed over all or a substantial part of its undertakings, assets, or income; has passed a resolution for its winding up; or is the subject of a petition presented to a court for its winding up or for an administration order.

2.a.5 By providing 30 days’ notice of termination of the agreement after any fixed initial period as agreed at the commencement of the agreement.

20. Notices

1.1 All notices under this Agreement shall be in writing.

1.2 Notices shall be deemed to have been duly given:

2.a.1 when delivered, if delivered by courier or other messenger (including registered mail) during normal business hours of the recipient; or

2.a.2 when sent, if transmitted by fax or e-mail and a successful transmission report or return receipt is generated; or

2.a.3 on the fifth business day following mailing, if mailed by national ordinary mail, postage prepaid; or

2.a.4 on the tenth business day following mailing, if mailed by airmail, postage prepaid.

1.3 In each case notices should be addressed to the most recent address, e-mail address, or facsimile number notified to the other Party.

21. Relationship of Parties

Nothing in this Agreement shall create, or be deemed to create, a partnership, the relationship of principal and agent, or of employer and employee between the Service Provider and the Customer.

22. Assignment

Neither Party shall assign, transfer, sub-contract, or in any other manner make over to any third party the benefit and/or burden of this Agreement without the prior written consent of the other, such consent not to be unreasonably withheld.

23. Severance

The Parties agree that, in the event that one or more of the provisions of this Agreement is found to be unlawful, invalid or otherwise unenforceable, that / those provisions shall be deemed severed from the remainder of this Agreement. The remainder of this Agreement shall be valid and enforceable.

24. Entire Agreement

1.1 This Agreement embodies and sets forth the entire agreement and understanding between the Parties and supersedes all prior oral or written agreements, understandings or arrangements relating to the subject matter of this Agreement. Neither Party shall be entitled to rely on any agreement, understanding or arrangement not expressly set forth in this Agreement, save for any representation made fraudulently.

1.2 Unless otherwise expressly provided elsewhere in this Agreement, this Agreement may be varied only by a document signed by both of the Parties.

25. No Waiver

The Parties agree that no failure by either Party to enforce the performance of any provision in this Agreement shall constitute a waiver of the right to subsequently enforce that provision or any other provision of this Agreement. Such failure shall not be deemed to be a waiver of any preceding or subsequent breach and shall not constitute a continuing waiver.

26. Non-Exclusivity

The relationship between the Parties under this Agreement is and shall remain non-exclusive. Both parties are free to enter into similar relationships with other parties.

27. Law and Jurisdiction

1.1 This Agreement shall be governed by the laws of Northern Ireland.

1.2 Any dispute between the Parties relating to this Agreement shall fall within the jurisdiction of the courts of Northern Ireland.

This Agreement has been duly executed the day and year first before written

SCHEDULE 1



Fees

1. Service Fees

Depending on the package of services agreed with the customer in advance.

2. Licence Fees

Depending on the bundle selected by the customer

3. Fee Increases

Fees may be adjusted from time to time as the software evolves and in line with other factors affecting the business. Any fee increases will be notified to the customer with 30 days notice.

4. Additional Costs

Email Overage – as itemised on the customers invoice Lookups Overage – as itemised on the customers invoice SMS Costs - £0.05 per SMS

SCHEDULE 2



Applications

The Zymplify Marketing Automation Platform

SCHEDULE 3



Training/Onboarding

A programme of training or onboarding may be offered to assist the customer in setting up their account and training their staff on the use of the software.

Training Fees

As agreed in advance with the customer.

SCHEDULE 4



Data Processing Agreement

1. Definitions

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Law” means all applicable legislation relating to data protection and privacy including without limitation the EU Data Protection Directive 95/46/EC and all local laws and regulations which amend or replace any of them, including the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time. The terms “process”, “processes” and “processed” will be construed accordingly.

“Data Subject” means the individual to whom Personal Data relates.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

2. Details of the Processing

a. Categories of Data Subjects. Controller’s Contacts and other end users including Controller’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Controller’s end users.

b. Types of Personal Data. Contact Information, the extent of which is determined and controlled by the Customer in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Subscription Service.

c. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Personal Data by Processor is the provision of the services to the Controller that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in the Agreement and an Order.

d. Purpose of the Processing. Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in the Agreement and any applicable Order.

e. Duration of the Processing. Personal Data will be Processed for the duration of the Agreement, subject to Section 4 of this DPA.

3. Customer Responsibility

Within the scope of the Agreement and in its use of the services, Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Processor and the Processing of Personal Data. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with the Data Protection Law. This DPA is Customer’s complete and final instruction to Zymplify in relation to Personal Data and that additional instructions outside the scope of DPA would require prior written agreement between the parties. Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Controller in separate written instructions (as individual instructions).

Controller shall inform Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.

4. Obligations of Processor

a. Compliance with Instructions. The parties acknowledge and agree that Customer is the Controller of Personal Data and Zymplify is the Processor of that data. Processor shall collect, process and use Personal Data only within the scope of Controller’s Instructions. If the Processor believes that an Instruction of the Controller infringes the Data Protection Law, it shall immediately inform the Controller without delay. If Processor cannot process Personal Data in accordance with the Instructions due to a legal requirement under any applicable European Union or Member State law, Processor will (i) promptly notify the Controller of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Law; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Controller issues new instructions with which Processor is able to comply. If this provision is invoked, Processor will not be liable to the Controller under the Agreement for any failure to perform the applicable services until such time as the Controller issues new instructions in regard to the Processing.

b. Security. Processor shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, described under Appendix 2 to the Standard Contractual Clauses. Such measures include, but are not be limited to:

i. the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),

ii. the prevention of Personal Data Processing systems from being used without authorization (logical access control),

iii. ensuring that persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),

iv. ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),

v. ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),

vi. ensuring that Personal Data is Processed solely in accordance with the Instructions (control of instructions),

vii. ensuring that Personal Data is protected against accidental destruction or loss (availability control).

Upon Controller’s request, Processor shall provide a current Personal Data protection and security programme relating to the Processing hereunder.

Processor will facilitate Controller’s compliance with the Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR), by (i) implementing and maintaining the security measures described under Appendix 2, (ii) complying with the terms of Section 4.4 (Personal Data Breaches); and (iii) providing the Controller with information in relation to the Processing in accordance with Section 5 (Audits).

c. Confidentiality. Processor shall ensure that any personnel whom Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities.

d. Personal Data Breaches. Processor will notify the Controller as soon as practicable after it becomes aware of any of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Processor will promptly provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law.

e. Data Subject Requests. Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Processor, Processor will promptly inform Controller and will advise Data Subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any Data Subjects’ requests. Controller shall reimburse Processor for the costs arising from this assistance.

f. Sub-Processors. Processor shall be entitled to engage sub-Processors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as sub-Processors of Processor’s affiliated companies and the third parties listed in Schedule 5. For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the sub-Processing by Processor for purposes of Clause 11 of the Standard Contractual Clauses.

If the Processor intends to instruct sub-Processors other than the companies listed in Schedule 5, the Processor will notify the Controller thereof in writing (email to the email address(es) on record in Processor’s account information for Controller is sufficient) and will give the Controller the opportunity to object to the engagement of the new sub-Processors within 30 days after being notified. The objection must be based on reasonable grounds (e.g. if the Controller proves that significant risks for the protection of its Personal Data exist at the sub-Processor). If the Processor and Controller are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.

Where Processor engages sub-Processors, Processor will enter into a contract with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Processor under this DPA. Where the sub-Processor fails to fulfil its data protection obligations, Processor will remain liable to the Controller for the performance of such sub-Processors obligations.

Where a sub-Processor is engaged, the Controller must be granted the right to monitor and inspect the sub-Processor’s activities in accordance with this DPA and the Data Protection Law, including to obtain information from the Processor, upon written request, on the substance of the contract and the implementation of the data protection obligations under the sub-Processing contract, where necessary by inspecting the relevant contract documents.

The provisions of this Section 4.6 shall mutually apply if the Processor engages a sub-Processor in a country outside the European Economic Area (“EEA”) not recognized by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this DPA, Zymplify transfers any Personal Data to a sub-processor located outside of the EEA, Zymplify shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

Zymplify has an API to YouTube allowing users to access data from users YouTube accounts. The use of the Zymplify platform and acceptance of these terms indicates that the user agrees to be bound by the YouTube Terms of Service details of which can be found here: https://www.youtube.com/t/terms

g. Deletion or Retrieval of Personal Data. Other than to the extent required to comply with Data Protection Law, following termination or expiry of the Agreement, Processor will delete all Personal Data (including copies thereof) processed pursuant to this DPA. If Processor is unable to delete Personal Data for technical or other reasons, Processor will apply measures to ensure that Personal Data is blocked from any further Processing.

Controller shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period of time set by Processor, the reasonable measures to return data or to delete stored data. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of the Agreement shall be borne by Controller.

5. Audits

Controller may, prior to the commencement of Processing, and at regular intervals thereafter, audit the technical and organizational measures taken by Processor.

For such purpose, Controller may, e.g.,

obtain information from the Processor,

request Processor to submit to Controller an existing attestation or certificate by an independent professional expert, or

upon reasonable and timely advance agreement, during regular business hours and without interrupting Processor’s business operations, conduct an on-site inspection of Processor’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Processor.

Processor shall, upon Controller’s written request and within a reasonable period of time, provide Controller with all information necessary for such audit, to the extent that such information is within Processor’s control and Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

6. General Provisions

In case of any conflict, this DPA shall take precedence over the regulations of the main Agreement. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.

Effective 25 May 2018 Zymplify will process Personal Data in accordance with the GDPR requirements contained herein which are directly applicable to Zymplify's provision of the Subscription Services.

SCHEDULE 5



List of Sub-processors

Amazon Web Services

Google, Inc

Instagiv Limited

SendGrid, Inc

Full Contact, Inc

Sparkpost, Inc

CONTACT DETAILS:

Zymplify Ltd
27/28 The Promenade
Portstewart
Co. Londonderry
BT55 7AE