Common use of Customer Data Clause in Contracts

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 (5.1) The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier (5.2) Avari Solutions Ltd shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeData. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier Avari Solutions Ltd to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier Avari Solutions Ltd. Avari Solutions Ltd shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Avari Solutions Ltd to perform services related to Customer Data maintenance and back-back- up). 5.3 The Supplier (5.3) Avari Solutions Ltd shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇www.Avari Solutions ▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Avari Solutions Ltd in its sole discretion. The client will be notified 30 days before any amends. 5.4 (5.4) If the Supplier Avari Solutions Ltd processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier Avari Solutions Ltd shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s Avari Solutions Ltd other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Avari Solutions Ltd so that the Supplier Avari Solutions Ltd may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (ed) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Sisense processes Customer shall own all rightsData, title and interest in and including personal data about any natural person (“Personal Data”, which may also be referred to all as “personally identifiable information” or “personal information” by applicable laws), as a “data processor” acting on behalf of the Customer Data and shall have sole responsibility for (who will be the legality, reliability, integrity, accuracy and quality “data controller” of the Customer Datasuch data). 5.2 The Supplier 4.1.1. Sisense shall follow its archiving procedures for Customer process such Personal Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described Data Processing Addendum in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure effect at the time of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data this Agreement available at ▇▇▇▇▇://▇▇▇▇▇.▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as ▇/rs/601-OXE-081/images/Data-Processing-Addendum.pdf (the “DPA”). Sisense may be notified to update the Customer from time to time, as such document may be amended DPA from time to time in its reasonable discretion, provided there is no material degradation to the overall protections set forth in the DPA. In the event of any conflict between the terms and conditions of this Agreement and the DPA, the terms and conditions of the DPA will govern. 4.1.2. Customer represents and warrants that: (a) it and its Users have all the necessary rights, licenses, consents, waivers and permissions to allow Sisense: (i) to store, process and deliver the Customer Data and otherwise provide the Services and operate the Product on behalf of Customer; (ii) to use any Customer Data provided to or collected by the Supplier Product according to Customer’s instructions; and (iii) to receive, transfer and process any Customer Data from or to any third party according to Customer’s instructions, whether by application program interface (“API”), file transfer protocol or other data transfer method; (b) neither Customer nor its Users, nor any of their respective users, will use the applicable Product or any of the Services in a way or for any purpose that infringes or misappropriates any third party’s intellectual property rights or other proprietary rights; and (c) if Sisense considers, in its sole discretion. The client will be notified 30 days before , that any amends. 5.4 If Customer Data breaches any of the Supplier processes any personal data on the Customer’s behalf when performing its obligations under requirements set forth in this agreementSection, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data or may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order subject Sisense to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed ofmaterial adverse risks, and have given their consent toSisense requests that such Customer Data be removed or amended, then Customer will withdraw such use, processing, and transfer as required by all Customer Data from the applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Product or amend such Customer from time Data to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damageSisense’s satisfaction.

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 6.2 Where the Customer stores the Customer Data on its own systems, the Customer shall follow its archiving own back-up procedures for such Customer Data and Protean shall have no responsibility for any loss, destruction, alteration or disclosure of Customer Data that is held on the Customer’s own systems. 6.3 Where Protean is hosting the Customer Data, Protean shall follow its back-up procedures for Customer Data (details of which are available on request from Protean) or such other website address as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 may be notified to the Customer from time to time, as such document procedures may be amended by the Supplier Protean in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier Protean to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier Protean in accordance with the archiving back-up procedure described in its Back-Up Policyabove. The Supplier Protean shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Protean to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier 6.4 Protean shall, in providing supplying the Services, Software to the Customer comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or on request to the Customer and on such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Protean in its sole discretion. The client will be notified 30 days before any amends. 5.4 6.5 If the Supplier Protean processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier Protean shall be a data processor and in any such case: (a) 6.5.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services Cloud Service and the Supplier▇▇▇▇▇▇▇’s other obligations under this agreement; (b) 6.5.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Protean so that the Supplier Protean may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) 6.5.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier 6.5.4 Protean shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 6.5.5 each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 6.6 Without prejudice to clause 4.2, the Customer acknowledges and agrees that: 6.6.1 Protean is reliant upon third party providers in order to supply the Cloud Service; and 6.6.2 Protean shall have no liability to the Customer for any loss (including any loss arising from the loss or misuse of Customer Data) to the Customer which is caused by an act or omission of such third party providers. 6.7 The Customer acknowledges and agrees that when using the Software: 6.7.1 it is able to integrate with third party software (such as accounting software) in order to submit and exchange Customer Data; and 6.7.2 it shall indemnify Protean for any claim against Protean by such third party software suppliers arising from the Customer’s submission and exchange of Customer Data pursuant to clause 6.7.1. 6.8 The Customer hereby gives consent to Protean to allow Protean to collate and use its Customer Data for Protean’s own marketing and other commercial purposes, provided that such Customer Data is anonymised by Protean prior to its use, and such use is subject to Protean’s obligations of confidentiality under clause 11.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. The customer being a contractor of DSA Airport, the customer shall not own the rights, title and interest in and to the Data which belongs to DSA Airport. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Back- Up Policy available at ▇▇▇.▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted subcontracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Back- Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as Policy; such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted subcontracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as Data; such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 6.2 iplicit shall follow its archiving procedures for Customer Data as set out in its Back-Up Backup Policy available at (▇▇▇▇://.▇▇▇▇▇▇▇.▇▇/GDPR▇/security-and-data- protection/servers-security#a174 ▇▇▇▇▇) or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier iplicit in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier iplicit to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier iplicit in accordance with the archiving procedure described in its Back-Up Backup Policy. The Supplier iplicit shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 The Supplier 6.3 Iplicit shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇.▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/▇▇▇▇▇ and the Data Protection Addendum attached to these terms or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Iplicit in its sole discretion. The client will be notified 30 days before any amends. 5.4 6.4 If the Supplier iplicit processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier iplicit shall be a data processor and in any such case: (a) : Unless agreed otherwise in writing by the Company, the Customer acknowledges and agrees that the personal data may not be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplieriplicit’s other obligations under this agreement; (b) ; the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier iplicit so that the Supplier iplicit may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) ; the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier ; iplicit shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) and each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer as such document may be amended by the Supplier in its sole discretion from time to timetime the current version of which is set out at Schedule 3 of this Agreement. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (dc) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (ed) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 5.5 The Supplier and the Customer shall comply with their respective obligations as set out in Schedule 4 of this Agreement

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legalitylegality , reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out described in its Back-Up the relevant Service Level Agreement or the Supplier’s Hosting Policy available at ▇▇▇▇://▇▇▇▇▇▇▇(as applicable). The Supplier may, without obligation to the Customer, make such additional backup or archiving arrangements as it sees fit.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. 5.3 In the event of any loss or damage to Customer DataData during the Licence Term, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. the relevant Service Level Agreement or the Supplier’s Hosting Policy (as applicable). 5.4 The Supplier shall not be responsible for any lossrequired to maintain, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up), protect or retrieve any Customer Data after the expiry of the Licence Term. 5.3 5.5 If the Customer utilises the customer service icon provided within the Software, the Customer acknowledges that any Customer Data uploaded via such service will be subject to the relevant third-party supplier’s security policy. The Supplier shall, in providing currently utilises the Services, comply with its Privacy and Fresh Desk application. For a copy of the Fresh Desk Security Policy relating to the privacy and security of the Customer Data available at ▇see ▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/security. The Supplier accepts no liability for any Customer Data transferred through the customer service icon provided within the Software. 5.6 The Supplier shall not be responsible for any loss suffered by the Customer as a result of or such other website address as may be notified arising from the destruction, alteration, or disclosure of any Customer Data caused by any third party (including any third-party providing customer service functionality in connection with the Software), except and to the Customer from time to time, as such document may be amended from time to time by extent that the Supplier in its sole discretion. The client will be notified 30 days before any amendsis entitled to recover and has so recovered an amount (net of the costs of recovery) equal to such loss from the relevant third party. 5.4 5.7 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreementthese Terms and Conditions of Use, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that undertakes to comply with all the requirements of the Data Protection ▇▇▇ ▇▇▇▇ in connection with any personal data may be transferred or stored temporarily outside processed by the EEA or Supplier on the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other Customer's behalf when performing its obligations under this agreementthese Terms and Conditions of Use; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement these Terms and Conditions of Use on the Customer's behalf; (c) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under these Terms and Conditions of Use; (d) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, processing and transfer as required by all applicable data protection legislation; (de) the Supplier shall process the personal data only in accordance with the terms these Terms and Conditions of this agreement Use and any lawful instructions reasonably given by the Customer from time to time; and; (ef) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage; and (g) the Customer shall make and maintain all necessary registration applications within all appropriate categories under the DPA as are required in relation to any personal data processed by the Supplier on the Customer's behalf when performing its obligations under these Terms and Conditions of Use. 5.8 The Customer shall indemnify and keep indemnified the Supplier against all actions, proceedings , costs, claims, demands , liabilities , losses and expenses whatsoever arising out of or in connection with the Supplier 's processing of personal data on the Customer's behalf when performing its obligations under these Terms and Conditions of Use, save to the extent that the same is caused by or arises from the Supplier’s (or its directors, employees or sub-contractors’) negligence or breach of its obligations under these Terms and Conditions of Use.

Customer Data. 5.1 10.1 The Customer shall own all rights, title grant to the Supplier access to any and interest in and to all of its data as set out in the Commercial Summary that is in the custody of any third party. Customer shall ensure that that third party provides access to or the Supplier to that data in a timely manner. Any delays in authorizations and/or access to the Customer Data and shall have in the custody of third parties is the sole responsibility of the Customer. 10.2 The Customer shall not use Infringing Data on the SaaS. 10.3 The Customer shall not provide any data, information, materials, and/or documents that are infringing Intellectual Property Rights. 10.4 The Customer grants a royalty-free, non-transferable, non-exclusive, non-revocable and worldwide licence and necessary permissions for the term of this Agreement, to the Supplier to use the Customer Data to the extent necessary to perform the SaaS and provide the Supplier Professional Services Deliverables. 10.5 Customer is responsible for the accuracy, quality, integrity, legality, reliability, integrityand appropriateness of all electronic data or information and Customer Data submitted by Customer to Supplier. Customer is solely responsible for the preparation, accuracy content, accuracy, quality and quality review of any documents, data, or output prepared or resulting from the use of the SaaS and/or any deliverable pursuant to a Statement of Work. The Customer acknowledges that the Supplier has no control over any Customer Data hosted as part of the provision of the SaaS and does not actively monitor the content of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event the Supplier is required, on behalf of Customer, to reload or amend any erroneous Customer Data submitted by the Customer to the Supplier, the Supplier shall be entitled to charge the Customer for such services. 10.6 The Supplier shall notify the Customer immediately if it becomes aware of any loss or damage to allegation that any Customer Data, the Customer's sole Data may be Infringing Data and exclusive remedy shall be for the Supplier shall have the right to use reasonable commercial endeavours to restore the lost or damaged remove Customer Data from the latest back-up of such SaaS without the need to consult the Customer. 10.7 The Customer Data maintained by shall indemnify the Supplier, its Affiliates and each officers, directors, agent, employees, and subcontractors from and against all loss caused to the Supplier as a result of the Customer’s use of Infringing Data on the SaaS and/or the provision to the Supplier of any data, information, materials, and/or documents that are infringing Intellectual Property Rights. 10.8 The Supplier acknowledges that, as between the parties, all Intellectual Property Rights in accordance with the archiving procedure described in its Back-Up PolicyCustomer materials are owned by Customer or licensors to Customer. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services may collect and use information related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security Customer’s use of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or SaaS and any Submissions on the Supplier’s products and services, for the purposes of the administration of this Agreement and, as long as such other website address as may be notified information is not identifiable to the Customer from time or any individual User, to timetest, as develop, improve and enhance its products and services and to create and own derivative works based on such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amendsSubmission. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 5.1. The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 5.2. The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Back- Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 such website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Back- Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 5.4. If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) 5.4.1. the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) 5.4.2. the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 5.4.3. the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 5.4.4. each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 6.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timePolicy. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-upup for which it shall remain fully liable under clause 6.9). 5.3 6.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf .▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If 6.4 Both parties will follow all applicable requirements of the Data Protection Legislation. This clause 6 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation. 6.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be is the data controller and the Supplier shall be a is the data processor for the purposes of the Data Protection Legislation (where Data Controller and Data Processor have the meanings as defined in any such case:the Data Protection Legislation). (ab) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement;. If personal data is transferred or stored outside the UK, appropriate safeguards in accordance with UK GDPR, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), will be implemented to ensure compliance with UK data protection laws. (b) 6.6 Without prejudice to the generality of clause 6.1, the Customer shall will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data Personal Data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the personal data Personal Data in accordance with this agreement on the Customer's behalf. 6.7 Without prejudice to the generality of clause 6.1, the Supplier shall, in relation to any Personal Data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) Process that Personal Data only on the written instructions of the Customer, unless the Supplier is required by the laws of the United Kingdom, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, or any applicable international laws to process Personal Data (Applicable Laws). In instances where the Supplier's data processing activities are subject to the laws of a member of the European Union due to cross-border operations or data transfers, and where such laws necessitate processing actions divergent from the Customer's instructions, the Supplier shall promptly notify the Customer of this requirement before commencing the processing required by the Applicable Laws, unless prohibited by those laws from providing such notification; (b) Not transfer any Personal Data outside of the United Kingdom or to any country not deemed to have adequate data protection laws by the UK Information Commissioner's Office (ICO), unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer such as Standard Contractual Clauses (SCCs) specifically adapted for the data transfer requirements under the UK GDPR, or any future UK adequacy decisions. When transferring personal data outside the UK, the Supplier will ensure the use of Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO), or ensure that the destination country has been deemed to provide an adequate level of protection for personal data by the UK government; (ii) the data subject has enforceable rights and effective legal remedies in accordance with the UK GDPR and the Data Protection Act 2018; (iii) the Supplier ensures compliance with the UK Data Protection Legislation by providing an adequate level of protection to any Personal Data transferred, including adhering to any additional requirements set forth by the UK Information Commissioner's Office (ICO); and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the Personal Data; (c) assist the Customer shall ensure that Customer, at the relevant third parties have been informed ofCustomer's cost, in responding to any request from a Data Subject and have given their consent toin ensuring compliance with its obligations under the Data Protection Legislation with respect to security, such usebreach notifications, processing, impact assessments and transfer as required by all applicable data protection legislationconsultations with supervisory authorities or regulators; (d) notify the Supplier shall process ICO within 72 hours of becoming aware of a data breach. Where the personal breach is likely to result in a high risk to the rights and freedoms of natural persons, notify the affected data only in accordance with subjects without undue delay.; (e) at the terms written direction of this agreement the Customer, delete or return Personal Data and any lawful instructions reasonably given by copies thereof to the Customer from time on termination of the agreement unless required by Applicable Law to timestore the Personal Data; and (ef) each maintain complete and accurate records and information to demonstrate its compliance with this clause 6. 6.8 Each party shall take ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the personal data harm that might result from the unauthorised or its unlawful processing or accidental loss, destruction or damagedamage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymisation and encr ypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 6.9 The Supplier will ensure that any sub-contractors appointed to process personal data on behalf of the Customer are subject to written agreements that require them to process such data only on documented instructions from the Customer and in full compliance with the requirements of the UK GDPR, particularly Article 28. The Supplier confirms that it has entered or (as the case may be) will enter with the third- party processor into a written agreement substantially on that third party's standard terms of business. As between the Customer and the Supplier, the Supplier shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 6. Full details of all third parties providing such services to the Supplier and who are processing Personal data under this agreement are available upon request. 6.10 The Supplier will update its Privacy Policy to reflect any changes in sub-processors or the addition of new sub-processors. It is the responsibility of the Customer to regularly review the Privacy Policy to stay informed of such changes. 6.11 The Customer acknowledges and agrees that the Supplier relies on third-party services for the hosting and processing of Customer Data pursuant to this agreement. Specifically, Amazon Web Services (AWS) is utilised as the primary infrastructure provider due to its robust data security measures and adherence to data protection legislation relevant to our operations. For comprehensive details regarding the use of AWS, including the location of data centres and the specific security and compliance measures in place, refer to Schedule 2 of this agreement. This schedule outlines how data storage and processing activities through AWS are conducted in strict conformity with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, ensuring the highest standards of data protection and security are maintained. 6.12 The Supplier will ensure that any use of Customer Data in aggregated and anonymised form is done in a manner that fully ensures such data cannot be re-identified, adhering to the standards of anonymisation defined under the UK GDPR. 6.13 The supplier will assist the customer in ensuring compliance with the data subject rights under the Data Protection Legislation, including but not limited to rights of access, correction, deletion, and data portability. 6.14 The customer shall have the right to conduct an audit of the supplier's data processing activities related to this agreement once per year to ensure compliance with Data Protection Legislation and the terms of this agreement. Such audit shall be conducted at the customers expense, with reasonable prior notice, and shall not unreasonably interfere with the supplier's business operations 6.15 Any revisions to this clause related to data protection will be made in compliance with the latest data protection legislation and best practices, ensuring the protection of data subjects' rights. The Customer will be notified at least 30 days in advance of any such changes, which will only be implemented with the Customer's consent if they materially alter the data protection obligations of the parties.

Customer Data. 5.1 4.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 4.2 Siemens shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy Data Management Principles for Stratos document available as a pdf at ▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇/GDPR▇/Footer/security-and-data- protection/servers-security#a174 Legalor such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier Siemens in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier Siemens to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier Siemens in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible Data Management Principles for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)Stratos document. 5.3 The Supplier 4.3 Siemens shall, in providing the Services, comply with its Privacy and Security Policy Principles for Stratos document relating to the privacy and security of the Customer Data available as a pdf at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/Footer/Legal or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Siemens in its sole discretion. The client will be notified 30 days before any amends. 5.4 4.4 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (dc) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (ed) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 4.5 Siemens shall own the Siemens Data. During the Subscription Term, the Customer shall have access to the Siemens Data. At the end of the Subscription Term the Customer shall return to Siemens all the Siemens Data.

Customer Data. 5.1 4.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by notified to the Supplier in its sole discretion Customer from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the such archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 4.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Data Protection Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 4.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySupplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Customer acknowledges and agrees that its Customer Data (non-confidential Authorised User answers and Authorised User progress) may be utilised by the Supplier shallfor the proper performance of, in providing and improvement of, the Services, comply with its Privacy including analysis and Security Policy relating to research, general metrics and analytics and general promotional uses. 5.4 To the privacy and security of extent that the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If comprises Personal Data and the Supplier processes any personal data such Personal Data on the Customer’s behalf when performing its obligations under this agreementagreement (Customer Personal Data), the parties record their intention that the Customer shall be the data controller Controller and the Supplier shall be a data processor the Processor of such Customer Personal Data and in any such casethe following provisions apply: (a) both parties shall comply with the Customer acknowledges and agrees that Data Protection Laws in the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under performance of this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data Customer Personal Data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer customer from time to time; andtime (unless the Supplier is required by the Data Protection Laws or any other applicable laws to otherwise process the Customer Personal Data, in which case the Supplier shall promptly notify the Customer of this before performing the processing unless those Applicable Laws prohibit the Supplier from doing so; (c) unless otherwise agreed, the Customer Personal Data shall not be transferred outside of the European Economic Area (EEA); (d) the Customer shall be responsible for ensuring that it is lawfully entitled to transfer the Customer Personal Data to the Supplier, including by giving all necessary notices and/ or obtaining necessary consents, so that the Supplier may use, process and transfer it in accordance with this agreement; (e) taking into account the state of technical development and the nature of processing, each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data Customer Personal Data or its accidental loss, alteration, disclosure, destruction or damage; (f) the Supplier shall ensure that all persons acting for it with access to Customer Personal Data are informed of the confidential nature of the Customer Personal Data and are subject to a suitable binding obligation to keep the same confidential; (g) the Customer acknowledges and agrees that the Supplier may use third party sub-Processors for the purposes of providing the Services, provided that the Supplier shall remain fully responsible for the acts and omissions of such third parties. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of sub- Processors involved the processing of Customer Personal Data, thereby giving the Customer the opportunity to object to such changes; (h) the Supplier shall assist the Customer in providing Data Subject access and allowing Data Subjects to exercise their rights under the GDPR; (i) the Supplier shall notify the Customer without delay and in any case within seventy-two (72) hours on becoming aware of any breach of Customer Personal Data; (j) the Supplier must assist the Customer in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments; and (k) the Supplier shall maintain complete and accurate records to demonstrate its compliance with this clause 5.4 and allow for audits by the Customer to verify the Supplier’s compliance with this clause 5.4. 5.5 All Customer Data will be handled in accordance with the privacy notice referred to in Schedule 1.

Customer Data. 5.1 4.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 4.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf the website assigned to the Customer by the Supplier, or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 4.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country state where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational organizational measures against unauthorised unAuthorized or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 9.1. The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The 9.2. In relation to Services which involve the Supplier shall follow its archiving procedures for storing Customer Data as set out and in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore ensure that the lost or damaged Customer Data from is secure and backed up and that the latest back-up of such Customer has electronic access to the Customer Data maintained stored by the Supplier to retrieve or manipulate at any time. If the Customer has no access to the Customer Data electronically, the Supplier shall, upon the Customer’s request grant such access necessary to retrieve/manipulate Customer Data within 7 working days from the request. In the event that the Customer requires Customer Data on physical media, the Customer can raise a request and the Supplier will apply reasonable endeavours to assist the Customer with the physical retrieval of Customer Data. 9.3. On the billing anniversary following the termination date of a Service which involves the storing or hosting of Customer Data by the Supplier, all Customer Data held within the Service shall cease to be available to the Customer to access. Any Customer Data will be retained in accordance with to the archiving procedure described extent set out in its Back-Up Policythe applicable Service Option and can be retrieved by the Supplier (and then provided to the Customer in the format reasonably required) through the submission of a request to the Supplier by email. 9.4. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 9.5. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to available on the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf InsightCloud Website or such other website address as may be notified to the Customer from time to time, as time and such document policy may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 9.6. If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) 9.6.1. the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreementAgreement; (b) 9.6.2. the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (c) 9.6.3. the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 9.6.4. the Supplier shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party 9.6.5. the Supplier shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The . Subject to clause Error: Reference source not found, the Supplier shall follow its archiving procedures for ensure that the Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeis backed up each Business Day. In the event of any loss of or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore retrieve the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by from the Supplier in accordance with the archiving procedure described in its Back-Up Policyprevious Business Day. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, unless otherwise agreed by the parties record their intention that parties, the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) : the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside of the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) Agreement; the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (c) ; the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) transfer; the Supplier shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) and each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.. For the purposes of this clause 4, the terms "data processor", "data controller", "personal data" and "process" shall have the meaning given to them in the Data Protection ▇▇▇ ▇▇▇▇. The Customer acknowledges that the Services may enable or assist it to access the website content of third parties via third-party websites and that it does so solely at its own risk. The Supplier makes no representation or commitment and shall have no liability or obligation whatsoever in relation to the content or use of, or correspondence with, any such third-party website, or any transactions completed, and any contract entered into by the Customer, with any such third party. Any contract entered into and any transaction completed via any third-party website is between the Customer and the relevant third party, and not the Supplier. The Supplier recommends that the Customer refers to the third party’s website terms and conditions and privacy policy prior to using the relevant third-party website. The Supplier does not endorse or approve any third-party website nor the content of any of the third-party website made available via the Services. The Customer shall and shall procure that all Authorised Users shall: provide the Supplier with all necessary access to such information as may be required by the Supplier in connection with the Services, including but not limited to Customer Data and security access information; comply with all applicable laws and regulations with respect to its activities under this Agreement; carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer’s provision of such assistance as agreed by the parties, the Supplier may adjust any agreed timetable or delivery schedule as reasonably necessary; ensure that the Authorised Users use the Services in accordance with the terms and conditions of this Agreement and shall be responsible for any Authorised User’s breach of this Agreement; obtain and maintain all necessary licences, consents and permissions necessary for the Supplier, its Suppliers and agents to perform their obligations under this Agreement, including without limitation the Services; use as its web browser Microsoft Internet Explorer version 6 (or such other web browser as the Supplier from time to time recommends to the Customer) and comply with any request to upgrade its web browser made by the Supplier within 60 days of receiving such request; be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to the Supplier’s data centres, and for all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer's network connections or telecommunications links or caused by the internet; and ensure that its network and systems comply in all other respects with such specifications as the Supplier shall provide from time to time. The Customer shall use all reasonable endeavours to not, and shall ensure any Authorised User uses all reasonable endeavours to not: access, store, distribute or transmit any Viruses, or any material during the course of its use of the Services that: is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; facilitates illegal activity; depicts sexually explicit images; promotes unlawful violence; is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activity; or causes damage or injury to any person or property, and the Supplier reserves the right, without liability to the Customer, to disable the Customer’s access to any material that breaches the provisions of this clause; The Customer shall not, and shall not allow any Authorised User to:

Customer Data. 5.1 5.1. The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time5.2. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇.▇▇/staffwise_privacy.pdf /privacy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amendsExpressions defined in the Privacy and Security policy and used in this agreement shall have the meaning set out in the Privacy and Security policy. 5.4 5.3. If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) 5.3.1. the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside of the EEA or the country where the Customer and the Authorised Users are located UK in order to those recipients set out in clause 10 of the Suppliers Privacy and Security Policy (“Recipient Processor”) carry out the Services and the Supplier’s other obligations under this agreement; (b) 5.3.2. the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) 5.3.3. the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 5.3.4. the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 5.3.5. each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 4.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://grants to ▇▇▇▇▇▇▇! a royalty-free, non-exclusive, non-transferable licence to process Customer Data in accordance with the terms of this Agreement for the purpose of fulfilling its obligations under this Agreement. 4.3 ▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in ▇▇▇▇▇! shall follow its sole discretion from time to timestandard archiving procedures for Customer Data. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier ▇▇▇▇▇▇▇! to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier ▇▇▇▇▇▇▇! in accordance with the its standard archiving procedure described in its Back-Up Policyprocedures. The Supplier ▇▇▇▇▇▇▇! shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier party. 4.4 The Customer is able to perform services related to download or export its Customer Data maintenance and back-up)at any time. Instructions on how to do so are available on the Platform. 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://4.5 If ▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier ! processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier ▇▇▇▇▇▇▇! shall be a data processor and in any such case: : (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier ▇▇▇▇▇▇▇! so that the Supplier ▇▇▇▇▇▇▇! may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's ’s behalf; ; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier ▇▇▇▇▇▇▇! shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and and (ec) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage; and (d) any user shall ensure that when setting up workflows or making any other use of the Services that they possess the relevant consent or lawful permission to use, process and share End User Data and that they comply with all relevant data protection laws in all relevant jurisdiction(s) in relation to the data processed through the ▇▇▇▇▇▇▇! Platform.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf the website assigned to the Customer by the Supplier, or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country state where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational organizational measures against unauthorised unAuthorized or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeService Definition. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policythe Service Definition. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services specifically related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy at Schedule 5 relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to timeData, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amendsagreement with the accreditor of the RMADS referred to in Schedule 5. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may only be transferred or stored temporarily outside in the EEA or UK without prejudice to the country where the Customer and ability of the Authorised Users are located to access such data from anywhere in order to carry out the Services and the Supplier’s other obligations under this agreementworld; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-back- up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreementAgreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 (a) The Customer agrees to promptly provide all information (“Customer Data”) reasonably required by the Service Provider to provide the Services. The Customer shall own ensure that all rightsCustomer Data is provided to the Service Provider in the correct format. (b) The Customer designates the following employee, title officer or director as its contact person and interest in and authorizes the Service Provider to all rely on any instructions and/or information provided to the Service Provider by such contact person on behalf of the Customer: Name of contact person: Email Address: Phone Number: _ (c) The Customer shall deliver the Customer Data and shall have sole responsibility for to the legality, reliability, integrity, accuracy and quality of Service Provider through the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available Service Provider’s secure client portal at ▇▇▇▇://.▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time ▇ unless otherwise requested by the Supplier Service Provider in its sole discretion. The client will be notified 30 days before any amendswriting. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) In the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by event the Customer fails to provide the Customer Data to the Service Provider in the correct format, the Customer agrees to pay the Service Provider $175/hour in addition to the Fee for the Service Provider to reformat the Customer Data into the correct format. The Customer agrees that it shall also be responsible for paying any penalties and/or fees incurred for any late filing of information returns which resulted from time to time; andthe Customer providing the Customer Data in an incorrect format. (e) each party All Customer Data is and shall take appropriate technical remain the sole and organisational measures against unauthorised or unlawful processing exclusive property of the personal Customer. The Service Provider agrees to use the Customer Data for the sole purpose of providing the Services. (f) Upon completion of the Services, the Service Provider shall retain a copy of the Customer Data for 60 days or until receiving the Customer’s request in writing to delete the data, whichever comes first. At this time, the Service Provider shall: (i) Provide the Customer with an archive containing all: Customer Data; System Database(s); Preview & Final Report(s); XML File(s) and XML Submission Confirmation(s) (ii) Delete all Customer Data from its servers (iii) Delete the data archive from its servers on Customer confirmation of receipt or its accidental lossby May 31st of the current season, destruction or damage.whichever comes first (iv) Return to the Customer all physical copies of the Customer Data, if any (v) Retain for their records: (A) Copies of the System Database(s) purged of all Recipient Data and all Customer Data other than: Business Number(s); Mailing Address; Certification and/or Contact Name(s) and XML Submission History (B) Copies of the XML Submission Confirmation(s)

Customer Data. 5.1 4.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its standard archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the its standard archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 4.3 The Customer acknowledges that the Supplier does not, as part of its operations in providing the Services, collect personal data for its own purposes. All data collected as a result of the use of the Services is stored anonymously by the Supplier. However, the Supplier shall, in providing the Services, comply with its Privacy legal and Security Policy statutory obligations relating to the privacy and security of any personal data provided by the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as Customer’s service users. Anonymised data may be notified to the Customer from time to time, as such document may be amended from time to time used by the Supplier in to improve its sole discretion. The client will be notified 30 days before any amendsservices or for general dissemination of anonymised analysis to the relevant industry and to Customers. 5.4 4.4 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreementobligations, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreementobligations; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement these terms on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with these terms, the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 9.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The 9.2 In relation to Services which involve the Supplier shall follow its archiving procedures for storing Customer Data as set out and in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore ensure that the lost or damaged Customer Data from is secure and backed up and that the latest back-up of such Customer has electronic access to the Customer Data maintained stored by the Supplier to retrieve or manipulate at any time. If the Customer has no access to the Customer Data electronically, the Supplier shall, upon the Customer’s request grant such access necessary to retrieve/manipulate Customer Data within 7 working days from the request. In the event that the Customer requires Customer Data on physical media, the Customer can raise a request and the Supplier will apply reasonable endeavours to assist the Customer with the physical retrieval of Customer Data. 9.3 On the billing anniversary following the termination date of a Service which involves the storing or hosting of Customer Data by the Supplier, all Customer Data held within the Service shall cease to be available to the Customer to access. Any Customer Data will be retained in accordance with to the archiving procedure described extent set out in its Back-Up Policy. the applicable Service Option and can be retrieved by the Supplier (and then provided to the Customer in the format reasonably required) through the submission of a request to the Supplier by email. 9.4 The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 9.5 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to available on the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf smartCLOUD Website or such other website address as may be notified to the Customer from time to time, as time and such document policy may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 9.6 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) 9.6.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreementAgreement; (b) 9.6.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (c) 9.6.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 9.6.4 the Supplier shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party 9.6.5 the Supplier shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 8.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The 8.2 Where a Customer has ordered Recording Services from the Supplier, the Supplier shall follow its the recording and archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeOrder Form (where applicable). In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-back- up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policythe Order Form. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). For the avoidance of doubt, where the Order Form provides that the Customer is responsible for backing-up Customer Data, the Supplier shall not be responsible for any loss or damage suffered by the Customer resulting from the Customer’s failure to back-up/archive or failure to ensure sufficient frequency or length of retention of such back-ups/archives. 5.3 8.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating Services use reasonable endeavours to the privacy and security of keep the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier confidential in its sole discretion. The client will be notified 30 days before any amendsaccordance with Clause 11. 5.4 8.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties Parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer Supplier acknowledges and agrees that the personal data may not be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement;EEA (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party Party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 8.5 The Customer shall pay all reasonable expenses incurred by the Supplier where the Customer requests the Supplier’s assistance in complying with the Customer’s statutory obligations in relation to any Customer Data being held by the Supplier which is outside the scope of the Services.

Customer Data. 5.1 ‌ 5.1. The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 5.2. The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy (available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 such website address as may be notified to the Customer from time to time), as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyabove. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-back- up). 5.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy privacy policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf [INSERT WEB ADDRESS] or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 5.4. If the Supplier processes Processes any personal data Personal Data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller Data Controller and the Supplier shall be a data processor Data Processor and in any such case:case:‌ (a) 5.4.1. the Customer acknowledges and agrees that Supplier shall not transfer any Personal Data outside of the personal data may be transferred or stored temporarily outside United Kingdom without the EEA or prior written consent of the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreementCustomer; (b) 5.4.2. the Customer shall ensure that the Customer is entitled to transfer the relevant personal data Personal Data to the Supplier so that the Supplier may lawfully use, process Process and transfer the personal data Personal Data in accordance with this agreement on the Customer's behalf; (c) 5.4.3. the Customer shall ensure that the relevant third parties have been informed of, and where appropriate have given their consent to, such use, processingProcessing, and transfer as required by all applicable data protection legislationData Protection Legislation; (d) 5.4.4. the Supplier shall process Process the personal data Personal Data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and; (e) 5.4.5. each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing Processing of the personal data Personal Data or its accidental loss, destruction or damage; 5.4.6. the Supplier shall ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; 5.4.7. the Supplier shall ensure at all times it has in place appropriate technical and organisational measures to guard against unauthorised or unlawful Processing of the Personal Data and/or accidental loss, destruction or damage to the Personal Data and to enable the Customer to comply with its obligations under Article 32 of the GDPR; 5.4.8. the Supplier shall not engage another sub Data Processor to undertake any Processing of any Personal Data without the prior written authorisation of the Customer. Where such authorisation is granted by the Customer, the Supplier shall ensure that it enters into a contract with that sub Data Processor on the same or equivalent terms as are set out in this clause 5.4; 5.4.9. the Supplier shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to Subject Access Requests, as well as providing all assistance and cooperation as the Customer may require to investigate or deal with any such Subject Access Requests; 5.4.10. insofar as this is possible given the nature of Processing and the information available to the Supplier, the Supplier shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR; 5.4.11. the Supplier shall notify the Customer of any Personal Data Breach within 24 hours of its occurrence, along with all supporting facts and information sufficient to allow the Customer to make any required report(s) to any relevant Data Subjects, the Information Commissioner or other regulatory or governmental body or bodies to which it is subject; 5.4.12. at the choice of the Customer, the Supplier shall delete or return all the Personal Data to the Customer after the end of the provision of Services, and delete existing copies, unless the Supplier has a statutory duty to retain that Personal Data; and 5.4.13. the Supplier shall make available to the Customer, following a request for such, all information necessary to demonstrate compliance with the obligations laid down in the Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. 5.5. The provisions of this clause 5 shall apply during the continuance of the agreement and indefinitely after its termination.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for archive Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time daily between 10:00 pm to 4:00 am UK time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. Supplier. 5.3 The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier retains primary responsibility for taking at least every twenty four hours and maintaining backups (for seven days) of the Customer Data and shall take regular backups to protect against data loss, corruption or other damage. 5.3 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 Privacy Policy, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Privacy Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The 5.4 On termination of this agreement, the Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security may destroy or otherwise dispose of any of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified in its possession unless the Supplier receives, no later than ten days after the effective date of the termination of this agreement, a written request for the delivery to the Customer from time of the then most recent archive of the Customer Data. The Supplier shall use reasonable commercial endeavours to deliver the archive to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, as such document may be amended paid all fees and charges outstanding at and resulting from time to time termination (whether or not due at the date of termination). The Customer shall pay all reasonable expenses incurred by the Supplier in its sole discretion. The client will be notified 30 days before any amendsreturning or disposing of Customer Data. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the 5.5 The Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data hereby grants to the Supplier so that a non-exclusive licence to use the Customer Data for the purposes of internal software improvements, including for the purpose of optimising the Services provided by the Supplier may lawfully use, process by way of comparisons across any and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) all Customer projects. The Supplier undertakes not to release details of the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, projects arising from such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damageimprovements.

Customer Data. 5.1 6.1 The Customer shall own all rights, title and interest in and to all of the Customer Profile Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Profile Data. 5.2 6.2 The Supplier Service Provider shall follow its archiving procedures for Customer Data (Customer Profile Data and Customer Submitted Data) performing daily-automated back-ups of the entire member data as set out described in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeSchedule 3 below. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier Service Provider to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyService Provider. The Supplier Service Provider shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Service Provider to perform services related to Customer Data maintenance and back-up). 5.3 6.3 The Supplier Service Provider shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time required by the Supplier in its sole discretion. The client will be notified 30 days before any amends.all applicable General Data Protection Regulation (Regulation EU 2016/679 “GDPR”); 5.4 6.4 If the Supplier Service Provider processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier Service Provider shall be a data processor (as agreed and defined in the Data Protection Agreement signed between the two parties and included as Annex 1 to this main contract) and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Service Provider so that the Supplier Service Provider may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (c) the Service Provider agrees that the personal data may not be transferred or stored outside the client’s chosen data storage region in order to carry out the Services and the Service Provider’s other obligations under this Agreement; (d) the Supplier Service Provider shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. (f) Regardless of the Agreement documents’ application hierarchy, Appendix 1 (Data Protection Agreement annex) will always be primarily applied in matters concerning data protection. 6.5 The Service Provider undertakes that the Services will be performed both by it and its duly authorised contractors, assigns or agents in accordance with the Documentation and with reasonable skill and care.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legalitylegality , reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out described in its Back-Up the Service Level Agreement or the Supplier’s Hosting Policy available at ▇▇▇▇://▇▇▇▇▇▇▇(as applicable). The Supplier may, without obligation to the Customer, make such additional backup or archiving arrangements as it sees fit.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. 5.3 In the event of any loss or damage to Customer DataData during the Licence Term, the Customer's sole and exclusive remedy Supplier shall be for under no obligation to retrieve the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Customer’s Data from the latest any back-up taken by or on behalf of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. Supplier. 5.4 The Supplier shall not be responsible for any lossrequired to maintain, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up), protect or retrieve any Customer Data after the expiry of the Licence Term. 5.3 5.5 If the Customer utilises the customer service icon provided within the Software, the Customer acknowledges that any Customer Data uploaded via such service will be subject to the relevant third-party supplier’s security policy. The Supplier shall, in providing currently utilises a Fresh Desk application. For a copy of the Services, comply with its Privacy and Fresh Desk Security Policy relating to the privacy and security of the Customer Data available at ▇see ▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/security. The Supplier accepts no liability for any Customer Data transferred through the customer service icon provided within the Software. 5.6 The Supplier shall not be responsible for any loss suffered by the Customer as a result of or such other website address as may be notified arising from the destruction, alteration, or disclosure of any Customer Data caused by any third party (including any third-party providing customer service functionality in connection with the Software), except and to the Customer from time to time, as such document may be amended from time to time by extent that the Supplier in its sole discretion. The client will be notified 30 days before any amendsis entitled to recover and has so recovered an amount (net of the costs of recovery) equal to such loss from the relevant third party. 5.4 5.7 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreementthese Terms and Conditions of Use, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that undertakes to comply with all the requirements of the Data Protection ▇▇▇ ▇▇▇▇ in connection with any personal data may be transferred or stored temporarily outside processed by the EEA or Supplier on the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other Customer's behalf when performing its obligations under this agreementthese Terms and Conditions of Use; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement these Terms and Conditions of Use on the Customer's behalf; (c) the Customer acknowledges and agrees that the personal data may be transferred or stored outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier's other obligations under these Terms and Conditions of Use; (d) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, processing and transfer as required by all applicable data protection legislation; (de) the Supplier shall process the personal data only in accordance with the terms these Terms and Conditions of this agreement Use and any lawful instructions reasonably given by the Customer from time to time; and; (ef) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage; and (g) the Customer shall make and maintain all necessary registration applications within all appropriate categories under the DPA as are required in relation to any personal data processed by the Supplier on the Customer's behalf when performing its obligations under these Terms and Conditions of Use. 5.8 The Customer shall indemnify and keep indemnified the Supplier against all actions, proceedings , costs, claims, demands , liabilities , losses and expenses whatsoever arising out of or in connection with the Supplier 's processing of personal data on the Customer's behalf when performing its obligations under these Terms and Conditions of Use, save to the extent that the same is caused by or arises from the Supplier’s (or its directors, employees or sub-contractors’) negligence or breach of its obligations under these Terms and Conditions of Use.

Customer Data. 5.1 4.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all Customer Data. 5.2 4.2 The Supplier Customer acknowledges and agrees that the Customer Data shall follow its be transferred to and stored by the PaaS Supplier. 4.3 The archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may shall be amended notified to the Customer by the Supplier in its sole discretion from time to timeSupplier. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to require the PaaS Supplier to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the PaaS Supplier in accordance with the PaaS Supplier’s then current archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 4.4 The Supplier shall, in providing the Services, comply with its Privacy privacy and Security Policy IT and communications system policies relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document policies may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 4.5 If the Supplier and/or the PaaS Supplier processes any personal data on the Customer’s 's behalf when performing its the Supplier’s obligations under this agreementagreement (including the processing set out in Schedule 6), the parties record their intention that the Customer shall be the data controller and the Supplier and/or PaaS Supplier as appropriate shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA United Kingdom or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier and/or PaaS Supplier as appropriate for the duration and purposes of this agreement so that the Supplier and/or PaaS Supplier as appropriate may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf;; and (c) the Customer shall ensure that the all relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable Data Protection Legislation. 4.6 The Supplier shall, in relation to any personal data processed by it on the Customer’s behalf when performing its obligations under this agreement: (a) process that personal data only on the documented written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK) to process personal data (Applicable Laws). Where the Supplier is relying on Applicable Laws as the basis for processing personal data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) not transfer any personal data outside of the United Kingdom unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection legislationto any personal data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data; (c) assist the Customer, at the Customer's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (d) notify the Supplier shall process Customer without undue delay on becoming aware of a personal data breach; (e) at the written direction of the Customer take all reasonable steps to delete or return personal data to the Customer on termination of the agreement unless required by Applicable Law to store the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to timedata; and (ef) each maintain complete and accurate records and information to demonstrate its compliance with this clause 4 and immediately inform the Customer if an instruction infringes the Data Protection Legislation. 4.7 Each party shall take ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against accidental loss or its destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damagedamage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 4.8 The Customer consents to the Supplier appointing the PaaS Supplier as a third-party processor of personal data under this agreement. The Supplier confirms that it has entered into a written agreement on that third party's standard terms of business which reflect the requirements of the Data Protection Legislation. 4.9 Either party may, at any time on not less than 30 days' notice, revise this clause 4 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement). 4.10 Both parties will comply with all applicable requirements of the Data Protection Legislation and acknowledge that this obligation is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇-▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer as such document may be amended by the Supplier in its sole discretion from time to timetime the current version of which is set out at Schedule 3 of this Agreement. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (dc) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (ed) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 6.1 The Supplier shall follow its archiving and security procedures for Customer Data as Data, including those set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇clause 7 (Security) and as described in Schedule 2.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by 6.2 The Supplier shall promptly notify the Supplier Customer in its sole discretion from time writing of any actual or suspected loss or damage to timethe Customer Data. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-back- up). 5.3 The Supplier shall, in providing the Services, 6.3 Each party undertakes that it shall comply with its Privacy the DPA and Security Policy relating to all applicable changes in law, including any subsequent legislation that may amend and/or supersede the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to timeDPA, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the . The parties record their intention acknowledge that the European General Data Protection Regulation (GDPR) shall apply during the term of this agreement. The parties agree that they shall enter into such variation of this agreement and execute such additional documentation and make any required changes to the Services as is reasonably required to reflect their obligations under the GDPR and in order for the Supplier to provide the Services in a manner that would allow the Customer to be compliant with the GDPR, based on the Customer’s obligations as a Data Controller and the Supplier’s obligations as a Data Processor or each party’s obligations as a Data Controller, as applicable. 6.4 The Customer shall be the data controller Data Controller, and the parties acknowledge that the Supplier shall will be a acting as Data Processor in respect of all data processor and processing activities in any such caserelation to Customer Personal Data that the Supplier carries out under this agreement. 6.5 The Supplier undertakes to the Customer that: (a) it shall process the Customer acknowledges Personal Data, including updating, correcting and agrees that deleting such Customer Personal Data, only in accordance with this agreement and the personal data may be transferred or stored temporarily outside the EEA or the country where written instructions of the Customer and to the Authorised Users are located extent, and in order such a manner, as is reasonably necessary to carry out supply the Services in accordance with this agreement or as is required by any applicable law; (b) in respect of Customer Personal Data which is in the possession or under the control of the Supplier, it shall implement appropriate technical and organisational measures to protect this Customer Personal Data against unauthorised or unlawful processing and accidental loss, destruction, damage, alteration or disclosure; (c) it shall not publish, disclose or divulge any Customer Personal Data to any third party, nor allow any third party to process Customer Personal Data on the Supplier’s other obligations behalf, without the prior written consent of the Customer; (d) it shall not transfer Customer Personal Data outside the European Economic Area without the prior written consent of the Customer; (e) it shall take reasonable steps to ensure the reliability of any employee, agent or sub- contractor who has access to Customer Data, and ensure all employees, agents and sub- contractors undergo training on data protection and information security; (f) it shall use reasonable endeavours to assist the Customer at the Customer’s cost with any subject access request that the Customer receives relating to Customer Personal Data processed by the Supplier under this agreement; (bg) it shall use reasonable endeavours to assist the Customer shall ensure that the Customer is entitled in responding to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damageregulatory requirements.

Customer Data. 5.1 The As between Customer and Company, all data collected, stored, or generated through Customer’s use of the Services (including student and driver ridership data, route data, identification, and geolocation data) (the “Customer Data”) is owned by Customer and shall be held as confidential, subject to the rights granted to Company hereunder. Company will delete and destroy all copies of Customer Data once this MSA is terminated other than one copy kept solely for archival purposes or as otherwise permitted by the terms of this MSA; provided that all students’ personally identifiable information that must be permanently and irrecoverably deleted by applicable law shall be deleted by Customer. Customer may receive a backup copy of Customer Data prior to deletion upon request, subject to the same deletion requirements. Notwithstanding the foregoing, Customer hereby grants to Company an irrevocable, exclusive, perpetual, world-wide, and royalty-free right and license to reproduce, use and distribute, subject to § 99.33(a) of FERPA, all Customer Data (a) as necessary for Company to provide the Services; or (b) on an aggregated and de-identified basis, for statistical analysis about the performance and use of the Services including access times, benchmarking results, functionality use, and other statistical and performance data for any legal purpose including analysis and incorporation of the such data in databases, reports, comparative data sets, scores or scoring systems generated therefrom, and the creation and distribution of works and derivative works. Customer represents and warrants to Company that Customer is and shall be, at all times during the term of this MSA, in compliance with all applicable laws, including COPPA, FERPA, the Protection of Pupil rights Amendment (“PPRA”), and all other applicable data privacy laws. Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for obtaining any loss, destruction, alteration legally required parental or disclosure of student consents with respect to any Customer Data caused by any third party (except those third parties sub-contracted by the Supplier that is subject to perform services related to Customer Data maintenance COPPA, FERPA, PPRA, or other data privacy laws, and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer Data is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data maintained in accordance with this agreement on such laws. In the Customer's behalf; (c) the event that any use of Customer shall ensure that the relevant third parties have been informed ofData fails to comply with COPPA, and have given their consent toFERPA, PPRA, or other data privacy laws, or is deemed by Company to be pornographic, defamatory, or illegal in any manner, Company may immediately delete all such useCustomer Data from its systems, processing, and transfer as required by all subject to Company’s obligations under applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damagelaw.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier ODS shall follow its standard archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion force from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier ODS to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier ODS in accordance with the those archiving procedure described in its Back-Up Policyprocedures. The Supplier ODS shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by SAP or any other third party (except those third parties sub-contracted by the Supplier ODS to perform maintenance services related specifically to the Customer Data maintenance and back-upof the Customer). 5.3 The Supplier ODS shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf [INSERT WEB ADDRESS] or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier ODS in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier ODS processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier ODS shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s ODS's other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier ODS so that the Supplier ODS may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier ODS shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 5.5 To the extent that SAP processes any Customer Data, the Customer acknowledges and agrees that such processing is undertaken by SAP and its subcontractors in accordance with its SAP Personal Data Processing Agreement and that Customer shall be bound by and abide by the same.

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 6.2 iplicit shall follow its archiving procedures for Customer Data as set out in its Back-Up Backup Policy available at (▇▇▇▇://.▇▇▇▇▇▇▇.▇▇/GDPR▇/security-and-data- protection/servers-security#a174 ▇▇▇▇▇) or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier iplicit in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier iplicit to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier iplicit in accordance with the archiving procedure described in its Back-Up Backup Policy. The Supplier iplicit shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 The Supplier 6.3 iplicit shall, in providing the Services, comply with its Privacy and Security UK GDPR Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇.▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/▇▇▇▇▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier iplicit in its sole discretion. The client will be notified 30 days before any amends. 5.4 6.4 If the Supplier iplicit processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier iplicit shall be a data processor and in any such case: (a) : Unless agreed otherwise in writing by the Customer, the Customer acknowledges and agrees that the personal data may not be transferred or stored temporarily outside the EEA UK (or Ireland if Customer specifically requests in the country where the Customer and the Authorised Users are located Order Form in order to meet EU requirements) in order to carry out the Services and the Supplieriplicit’s other obligations under this agreement; (b) ; the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier iplicit so that the Supplier iplicit may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) ; the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier ; iplicit shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) and each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. iplicit may sub-contract and/or outsource any of its processing of personal data under this agreement to any other person or entity (“sub- processor”) provided that it informs the Customer immediately upon the Customer’s request for an updated list of sub-processors or, in any event, if requested in advance of the next Renewal Period following the appointment of one or more additional sub-processors, less those in place at signing of this Agreement. The Customer shall not unreasonably object to any new sub-processor (or any change to any sub-processor). If a sub- processor is appointed, iplicit shall enter into a written sub-processing agreement with such sub- processor and shall ensure that the sub-processor shall accept data protection obligations that are substantially the same as those undertaken by iplicit under this agreement. iplicit shall remain liable to the Customer for any acts and omissions of the sub-processor; iplicit shall give the Customer such assistance as it reasonably requests, and iplicit is reasonably able to provide, aimed at ensuring compliance with the Customer’s own personal data protection obligations under applicable law, including (where applicable) responding to data subject requests, security, personal data breach notifications, impact assessments, supervisory authority consultation obligations. Where requests from Customer to iplicit require significant resource time to meet Customer’s requirements, iplicit will be entitled to charge for the time to meet Customer’s requests; rates to be agreed prior to undertaking the work; iplicit shall ensure that persons authorised to process personal data on behalf of the customer have committed themselves to confidentiality or are under an appropriate obligation of confidentiality relating to the personal data; and iplicit shall, subject to any relevant and applicable confidentiality obligation, and solely at the expense of the Customer, covering any third party costs and resource costs incurred by iplicit to facilitate this request, provide the Customer with access to any Customer personal data and Customer information relating to the performance of the Services and assist with such audits, including inspections, where iplicit is contractually able to facilitate such audits and inspections, reasonably requested by (or on behalf of) the Customer to undertake the verification that iplicit complies with its obligations in relation to Customer personal data. This request may only be made once in any 12 month period.

Customer Data. 5.1 9.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 9.2 The Supplier shall follow its archiving the procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as applicable Service Option, and such document procedure may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest last available back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 9.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to available on the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf InsightCloud Website or such other website address as may be notified to the Customer from time to time, as time and such document policy may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 9.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) 9.4.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreementAgreement; (b) 9.4.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf; (c) 9.4.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 9.4.4 the Supplier shall process the personal data only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party 9.4.5 the Supplier shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 9.5 On termination of this Agreement, any Service Option or User Subscription (as the care may be) the Customer shall have 30 days to request a copy of the last back-up of the Customer Data. Thereafter, the Supplier shall be entitled to destroy the Customer Data at its discretion.

Customer Data. 5.1 The operation of the Platform and the provision of the Services require the Company to monitor, analyze and process data from the Customer’s online store platform and any other data provided or made accessible by the Customer (the “Customer Data”). Processing of Customer Data. Customer shall upload to the Platform the Customer Data, as to allow the Company to provide the Services. The Customer shall own agrees that the Company will collect, monitor, store, analyze, process and use the Customer Data, on the Customer's behalf, in order to provide the Services. As between Company and Customer, the Intellectual Property Rights (as such term is defined below) and all rightsother right, title and interest of any nature in and to all the Customer Data, which may be stored on the Company’s database, are and shall remain the exclusive property of Customer and its licensors. The Company shall be considered granted a non-revocable, non-exclusive, assignable, sub-licensable, royalty-free and fully paid up license to use the Customer Data, in order to provide the Services. For the avoidance of doubt, the Company shall not be responsible for any failure or delay that is attributable to Customer's late delivery of the Customer Data. Except as set forth herein, nothing in this Agreement shall be construed as transferring any right, title or interests in the Customer Data to the Company or any third party. To the extent that the Customer Data includes personally identifiable information (as such term is defined under applicable law), the Customer hereby instructs the Company (and authorizes Company to instruct its sub-processors) to: (i) process Customer Data as reasonably necessary for the provision of the Services; and (ii) transfer such Customer Data, at the Company's discretion, to jurisdictions other than those of the Customer's operations. With respect to the processing of the Customer Data, the Company shall: (i) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk involved in such processing; (ii) ensure that all individuals who engage in the processing of Customer Data on its behalf are subject to confidentiality undertakings; (iii) taking into account the nature of the processing, assist the Customer in exercising data subjects' rights under applicable data protection laws; (iv) inform Customer without undue delay of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Company on behalf of the Customer; and (iv) either delete, anonymize or return all Customer Data to Customer upon termination of the Order or this Agreement, unless applicable law requires storage of the personal data. Customer hereby authorizes Company to appoint sub-processors, as necessary for the Customer Data processing activities under this Agreement. The Customer shall have sole responsibility for the legalityaccuracy, reliability, integrity, accuracy quality and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security legality of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or and the means by which Customer acquired such other website address as may be notified personal data. Customer warrants and undertakes that Customer Data has been collected, processed and transferred to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data Company in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damagelaws.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 6.1 The Supplier shall follow its archiving procedures for Customer Data as set out in its [Back-Up Policy Policy] available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇/GDPR▇▇▇▇▇▇▇.▇▇▇/support/security-and-data- protection/servers-security#a174 home or such other website address as may be notified to the Customer from time to time], as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its [Back-Up Policy]. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 6.2 The Supplier shall, in providing the Services, comply with its [Privacy and Security Policy Policy] relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇▇▇▇▇▇▇.▇▇▇/support/home or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 6.3 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementFramework Agreement, the parties Parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the 6.3.1 The Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreementFramework Agreement; (b) the 6.3.2 The Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Framework Agreement on the Customer's ’s behalf; (c) 6.3.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 6.3.4 the Supplier shall process the personal data only in accordance with the terms of this agreement Framework Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 6.3.5 each party Party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyESC Cloud Database. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-upthe upkeep of the ESC Cloud Database). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy privacy policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf on the ESC Website or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 By agreeing to these Terms and Conditions the Customer agrees to the Suppliers Privacy Policy. 5.5 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) 5.5.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) 5.5.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) 5.5.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) 5.5.4 the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 5.5.5 each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy Customer’s information security, confidentiality and data protection policies, UKHSA operate in line with the Government Functional Standard for Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf 007 or such other website address as may be notified to by the Customer from time to time, as such document may be amended from time to time by the Supplier Customer in its sole discretion. The client will be notified 30 days before any amends. 5.3 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 5 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. In this Clause 5, Applicable Laws means the UK Data Protection Legislation and any other relevant law that applies in the UK.. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the The parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such caseacknowledge that: (a) The parties acknowledge that for the purposes of the Data Protection Legislation, the Customer acknowledges is the Controller, and agrees that the Provider is the Processor. Schedule 3 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of Personal Data and categories of Data Subject. (b) the personal data may not be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement;Agreement. (b) 5.5 Without prejudice to the generality of clause 5.3, the Customer shall will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data to the Supplier for the duration and purposes of this Agreement so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's ’s behalf. 5.6 Without prejudice to the generality of clause 5.3, the Supplier shall, in relation to any personal data processed in connection with the performance by the Supplier of its obligations under this Agreement: (a) process that personal data only on the documented written instructions of the Customer unless the Supplier is required by Applicable Laws to otherwise process that personal data. Where the Supplier is relying on Applicable Laws as the basis for processing personal data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) not transfer any personal data outside of the European Economic Area unless it has obtained the Customer’s prior written consent to do so and the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data; (c) assist the Customer shall ensure that Customer, at the relevant third parties have been informed ofCustomer’s cost, in responding to any request from a data subject and have given their consent toin ensuring compliance with its obligations under the Data Protection Legislation with respect to security, such usebreach notifications, processing, impact assessments and transfer as required by all applicable data protection legislationconsultations with supervisory authorities or regulators; (d) notify the Customer without undue delay and in any event within twenty-four (24) hours on becoming aware of a personal data breach; (e) at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the Agreement in accordance with clause 14.5 unless the Supplier shall process is required by Applicable Law to store the personal data only in accordance with (and for these purposes the terms of this agreement and any lawful instructions reasonably given by the Customer from time term “delete” shall mean to timeput such data beyond use); and (ef) each party maintain complete and accurate records and information to demonstrate its compliance with this Clause 5 and immediately inform the Company if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 5.7 The Supplier shall take ensure that it has in place appropriate technical and organisational measures measures, reviewed and approved by the other party, to protect against unauthorised or unlawful processing of the personal data and against accidental loss or its destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damagedamage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 5.8 The Customer does not consent to the Supplier appointing any third party processor of personal data under this Agreement. 5.9 The parties may, on written agreement between the parties, revise this Clause 5 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this Agreement).

Customer Data. 5.1 4.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its archiving procedures for Customer Data Data, which include but are not limited to: nightly backups to offsite servers as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/well as replicated copies to independent onsite servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 4.3 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country state where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational organizational measures against unauthorised unauthorized or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 5.1. The Customer shall own all rightsright, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its Back-Up Privacy and Security Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/GDPR//privacy- security-and-data- protection/servers-security#a174 policy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours endeavors to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-upup for which it shall remain fully liable under clause 5.9). 5.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 5.4. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 5.5. The client will be notified 30 days before any amends.parties acknowledge that: 5.4 If (a) if the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that Customer is the Customer shall be the data controller and the Supplier shall be a data is the processor and in any such case:for the purposes of the Data Protection Legislation. (ab) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Authorized Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement;. (b) 5.6. Without prejudice to the generality of clause 5.4, the Customer shall will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf. 5.7. Without prejudice to the generality of clause 5.4, the Supplier shall, in relation to any personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process that personal data only on the documented written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK) to process personal data (Applicable Laws). Where the Supplier is relying on Applicable Laws as the basis for processing personal data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data; (c) assist the Customer shall ensure that Customer, at the relevant third parties have been informed ofCustomer's cost, in responding to any request from a data subject and have given their consent toin ensuring compliance with its obligations under the Data Protection Legislation with respect to security, such usebreach notifications, processing, impact assessments and transfer as required by all applicable data protection legislationconsultations with supervisory authorities or regulators; (d) notify the Supplier shall process Customer without undue delay on becoming aware of a personal data breach; (e) in accordance with clause 14.1 (b), delete or return personal data on termination of the agreement unless required by Applicable Law to store the personal data only in accordance with (and for these purposes the terms of this agreement and any lawful instructions reasonably given by the Customer from time term "delete" shall mean to timeput such data beyond use); and (ef) each maintain complete and accurate records and information to demonstrate its compliance with this clause 5 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 5.8. Each party shall take ensure that it has in place appropriate technical and organisational organizational measures to protect against unauthorised unauthorized or unlawful processing of the personal data and against accidental loss or its destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damagedamage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it). 5.9. The Customer consents to the Supplier appointing or otherwise hosting its Software with

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier 6.2 Posturite shall, in providing the Products and Professional Services, comply with its Privacy Information Security and Security Data Protection Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to timeCustomer’s request, as such document may be amended from time to time by the Supplier Posturite in its sole discretion. The client will be notified 30 days before any amends. 5.4 If 6.3 The parties agree that, in respect of the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementCustomer Data, the parties record their intention that the Customer shall be the data controller Data Controller and the Supplier Posturite shall be a Data Processor and shall process the Customer Data in compliance with the obligations of Data Processors under Data Protection Laws. 6.4 The Customer warrants, represents and undertakes, that: 6.4.1 all data processor sourced by the Customer shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and 6.4.2 all instructions given by it to Posturite in respect of Personal Data shall at all times be in accordance with Data Protection Laws. 6.5 Posturite, as Data Processor, shall: 6.5.1 inform the Customer if Posturite becomes aware of any instruction that, in the Posturite’s opinion, infringes Data Protection Laws, provided that to the maximum extent permitted by mandatory law, Posturite shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information. 6.5.2 implement and maintain at its own cost and expense, technical and organisational measures, taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Customer Data; 6.5.3 refer all Data Subject Requests it receives to the Customer within five Business Days of receipt of the request; 6.5.4 maintain, in accordance with Data Protection Laws binding on Posturite, written records of all categories of processing activities carried out on behalf of the Customer; 6.5.5 subject to condition 6.6.1, ensure that all persons authorised by Posturite to process Customer Data are subject to a binding written contractual obligation to keep the Customer Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Posturite shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such caserequirement before such disclosure); 6.5.6 ensure that each Authorised Sub-Processor shall to the extent applicable, be subject to conditions substantially no less onerous to those conditions contained within this condition 6; in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Posturite’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer giving Posturite reasonable prior notice of such information request; 6.5.7 notify the Customer (for which email shall suffice) if Posturite adds or removes any Authorised Sub- Processors at least ten (10) days prior to any such change. The Customer acknowledges and agrees that Posturite may object in writing to an appointment of a new Authorised Sub-Processor within five (5) calendar days of such notice. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may suspend or terminate the Contract (without prejudice to any fees incurred by the Customer prior to suspension or termination); 6.5.8 in respect of any Personal Data Breach, Posturite shall, without undue delay: (a) notify the Customer acknowledges of any Customer Data Breach; and (b) provide the Customer with details of the Customer Data Breach; and 6.5.9 Posturite shall either delete or return all the Customer Data to the Customer in such form as the Customer reasonably requests within a reasonable time once processing by Posturite of any Customer Data is no longer required for the purpose of Posturite’s performance of its relevant obligations under the Contract. 6.6 The processing of Personal Data by Posturite to be carried out in accordance with the change control procedure in condition 5.9 and agrees shall comprise the information contained in the Contract Particulars, and may be updated from time to time in accordance with any change control procedure in condition 5.9. 6.7 Posturite shall not: 6.7.1 With the exception of the Authorised Sub-Processors, engage any other party (a ‘Sub-Processor’) for carrying out any processing activities in respect of the Customer Data without the Customer’s written authorisation authorising the appointment of that the specific Sub-Processor; or 6.7.2 transfer or store any personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Licensed Users are located in order to carry out the Products and Professional Services and the SupplierPosturite’s other obligations under this agreement;the Contract. (b) the 6.8 The Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Posturite so that the Supplier Posturite may lawfully use, process and transfer the personal data in accordance with this agreement the Contract on the Customer's behalf;. (c) the 6.9 The Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;Data Protection Laws. (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each 6.10 Each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the Customer Data or any personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 8.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. The Customer grants to Cardinus the non-exclusive, royalty-free right (which shall be capable of sub-licence) to store the Customer Data in the Production Environment for the purposes of providing the Hosting and Support Services and Software Services. 5.2 The Supplier 8.2 During the Hosting and Support Term Cardinus shall follow its standard back-up and archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. Appendix C. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier Cardinus to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier ▇▇▇▇▇▇▇▇ shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://other than ▇▇▇▇▇▇▇▇▇’s sub-contractors). 8.3 Unless agreed in any authorisation, it is the Customer’s sole responsibility to monitor data, including Customer Data, accumulated through the Customer’s use of the Software Services, including accessing and reviewing the results of Courses/Assessments performed by Authorised Users. Cardinus is not obliged to notify the Customer that any of its Authorised Users have completed any Courses/Assessments nor to collate or export such data for or to the Customer. 8.4 Upon termination of the Hosting and Support Services for any reason Cardinus will, to the extent Cardinus holds and/or controls any Customer Data on behalf of the Customer: 8.4.1 provide a copy of such Customer Data to the Customer in an industry standard format; and 8.4.2 cease to make such Customer Data accessible to the Customer through the Production Environment. 8.5 The provision by Cardinus of Customer Data under Section 8.4.1 shall be free of charge, provided that if the Customer requires any additional work (such as formatting or manipulation of the Customer Data) in order to make use of it, ▇▇/staffwise_privacy.pdf or ▇▇▇▇▇▇ may charge for any such other website address work as may be notified to agreed in the Customer from time to time, same manner as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations for Professional Services provided under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damageAgreement.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeData. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policyprocedure. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇-▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/privacy-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier Customer will not have any access to any Customer Data during a suspension or following termination of this agreement. 5.3 CHL shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇.▇://▇▇▇▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time, as such document procedure may be amended by the Supplier CHL in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier CHL to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyCHL. The Supplier CHL shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 The Supplier 5.4 CHL shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier CHL in its sole discretion. The client will be notified 30 days before any amends. 5.4 5.5 If the Supplier CHL processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier CHL shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the SupplierCHL’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier CHL so that the Supplier CHL may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier CHL shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySupplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf .▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 5.5 The Customer acknowledges that the Supplier and its Licensors collect and use anonymised aggregate data relating to its customers’ use of the Services.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving and security procedures and policies for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeaccordance with good industry practice. In the event of any loss or damage to Customer DataData within the reasonable control of the Supplier, the Customer's sole and exclusive remedy shall be for the Supplier to will use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the its archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)procedures. 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that unless the parties otherwise expressly agree in writing the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the all relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and; (e) each party the Supplier shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage; and (f) where required to do so by the Customer the Supplier shall enter into any model clauses under EU law and/or any other legal arrangements reasonably required by the Customer to enable the Customer to comply with data protection laws applicable to it from time to time in relation to the Supplier’s provision of the Services to it (Additional DP Requirements). Where the Supplier’s compliance with the Additional DP Requirements shall materially increase the Supplier’s costs in providing the Services the Supplier in consultation with the Customer shall be entitled to make a reasonable additional charge to cover such costs.

Customer Data. 5.1 3.1 The Customer Supplier shall own all rights, title and interest in and to all of promptly notify the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality in writing of any actual or suspected loss or damage to the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up backup of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyData. The Supplier shall not be responsible for any loss, destruction, alteration or unauthorised access to or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, 3.2 Each party undertakes that it shall comply with its Privacy the DPA and Security Policy relating to all applicable changes in law, including any subsequent legislation that may amend and/or supersede the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to timeDPA, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the . The parties record their intention acknowledge that the European General Data Protection Regulation (GDPR) shall apply during the term of this agreement. The parties agree that they shall enter into such variation of this agreement and execute such additional documentation and make any required changes to the Services as is reasonably required to reflect their obligations under the GDPR and in order for the Supplier to provide the Services in a manner that would allow the Customer to be compliant with the GDPR, based on the Customer’s obligations as a Data Controller and the Supplier’s obligations as a Data Processor or each party’s obligations as a Data Controller, as applicable. 3.3 The Customer shall be the data controller Data Controller, and the parties acknowledge that the Supplier shall will be a acting as Data Processor in respect of all data processor and processing activities in any such caserelation to Customer Personal Data that the Supplier carries out under this agreement. 3.4 The Supplier undertakes to the Customer that: (a) it shall process the Customer acknowledges Personal Data, including updating, correcting and agrees that deleting such Customer Personal Data, only in accordance with this agreement and the personal data may be transferred or stored temporarily outside the EEA or the country where written instructions of the Customer and to the Authorised Users are located extent, and in order such a manner, as is reasonably necessary to carry out supply the Services and the Supplier’s other obligations under in accordance with this agreementagreement or as is required by any applicable law; (b) in respect of Customer Personal Data which is in the possession or under the control of the Supplier, it shall implement appropriate technical and organisational measures to protect this Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully usePersonal Data against unauthorised or unlawful processing and accidental loss, process and transfer the personal data in accordance with this agreement on the Customer's behalfdestruction, damage, alteration or disclosure; (c) the Customer it shall not (and shall ensure that its Representatives do not) publish, disclose or divulge any Customer Personal Data to any third party, nor allow any third party to process Customer Personal Data on the relevant third parties have been informed ofSupplier's behalf, and have given their without the prior written consent to, such use, processing, and transfer as required by all applicable data protection legislationof the Customer; (d) it shall not transfer Customer Personal Data outside the European Economic Area without the prior written consent of the Customer; (e) it shall take reasonable steps to ensure the reliability of any employee, agent or sub-contractor who has access to Customer Data, and ensure all employees, agents and sub-contractors undergo training on data protection and information security; (f) it shall use reasonable endeavours to assist the Customer at the Customer's cost with any subject access request that the Customer receives relating to Customer Personal Data processed by the Supplier shall process the personal data only in accordance with the terms of under this agreement and any lawful instructions reasonably given by the Customer from time to timeagreement; and (eg) each party it shall take appropriate technical and organisational measures against unauthorised or unlawful processing of use reasonable endeavours to assist the personal data or its accidental loss, destruction or damageCustomer in responding to regulatory requirements.

Customer Data. 5.1 6.1 The Customer shall own all rights, title and interest in and to all of the Customer Profile Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Profile Data. 5.2 6.2 The Supplier Service Provider shall follow its archiving procedures for Customer Data (Customer Profile Data and Customer Submitted Data) performing daily-automated back-ups of the entire member data as set out described in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeSchedule 3 below. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier Service Provider to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicyService Provider. The Supplier Service Provider shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Service Provider to perform services related to Customer Data maintenance and back-up). 5.3 6.3 The Supplier Service Provider shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time required by the Supplier in its sole discretion. The client will be notified 30 days before any amends.all applicable General Data Protection Regulation (Regulation EU 2016/679 “GDPR”); 5.4 6.4 If the Supplier Service Provider processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier Service Provider shall be a data processor (as agreed and defined in the Data Protection Agreement signed between the two parties and included as Annex 1 to this main contract) and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Service Provider so that the Supplier Service Provider may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (c) the Service Provider agrees that the personal data may not be transferred or stored outside the client’s chosen data storage region in order to carry out the Services and the Service Provider’s other obligations under this agreement; (d) the Supplier Service Provider shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. (f) Regardless of the agreement documents’ application hierarchy, Appendix 1 (Data Protection Agreement annex) will always be primarily applied in matters concerning data protection. 6.5 The Service Provider undertakes that the Services will be performed in accordance with the Documentation and with reasonable skill and care. 6.6 The undertaking at clause 6.5 shall not apply to the extent of any non-conformance which is caused by use of the Services contrary to the Service Provider's instructions, or modification or alteration of the Services by any party other than the Service Provider or the Service Provider's duly authorised contractors or agents. If the Services do not conform with the foregoing undertaking, Service Provider will, at its expense, use all reasonable commercial endeavours to correct any such non-conformance promptly, or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution constitutes the Customer's sole and exclusive remedy for any breach of the undertaking set out in clause 6.5. Notwithstanding the foregoing, the Service Provider: (a) does not warrant that the Customer's use of the Services will be uninterrupted or error- free; nor that the Services, Documentation and/or the information obtained by the Customer through the Services will meet the Customer's requirements; and (b) is not responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services and Documentation may be subject to limitations, delays and other problems inherent in the use of such communications facilities. 6.7 This agreement shall not prevent the Service Provider from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this agreement. 6.8 The Service Provider warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this agreement.

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier 6.2 Posturite shall, in providing the Products and Professional Services, comply with its Privacy Information Security and Security Data Protection Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to [the Customer from time to timeCustomer’s request], as such document may be amended from time to time by the Supplier Posturite in its sole discretion. The client will be notified 30 days before any amends. 5.4 If 6.3 The parties agree that, in respect of the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementCustomer Data, the parties record their intention that the Customer shall be the data controller Data Controller and the Supplier Posturite shall be a Data Processor and shall process the Customer Data in compliance with the obligations of Data Processors under Data Protection Laws. 6.4 The Customer warrants, represents and undertakes, that: 6.4.1 all data processor sourced by the Customer shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and 6.4.2 all instructions given by it to Posturite in respect of Personal Data shall at all times be in accordance with Data Protection Laws. 6.5 Posturite, as Data Processor, shall: 6.5.1 inform the Customer if Posturite becomes aware of any instruction that, in the Posturite’s opinion, infringes Data Protection Laws, provided that to the maximum extent permitted by mandatory law, Posturite shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with the Customer's Processing Instructions following the Customer's receipt of that information. 6.5.2 implement and maintain at its own cost and expense, technical and organisational measures, taking into account the nature of the processing, to assist the Customer insofar as is possible in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Customer Data; 6.5.3 refer all Data Subject Requests it receives to the Customer within five Business Days of receipt of the request; 6.5.4 maintain, in accordance with Data Protection Laws binding on Posturite, written records of all categories of processing activities carried out on behalf of the Customer; 6.5.5 subject to condition 6.6.1, ensure that all persons authorised by Posturite to process Customer Data are subject to a binding written contractual obligation to keep the Customer Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Posturite shall, where practicable and not prohibited by Applicable Law, notify the Customer of any such caserequirement before such disclosure); 6.5.6 ensure that each Authorised Sub-Processor shall to the extent applicable, be subject to conditions substantially no less onerous to those conditions contained within this condition 6; in accordance with Data Protection Laws, make available to the Customer such information as is reasonably necessary to demonstrate Posturite’s compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Customer (or another auditor mandated by the Customer) for this purpose, subject to the Customer giving Posturite reasonable prior notice of such information request; 6.5.7 notify the Customer (for which email shall suffice) if Posturite adds or removes any Authorised Sub- Processors at least ten (10) days prior to any such change. The Customer acknowledges and agrees that Posturite may object in writing to an appointment of a new Authorised Sub-Processor within five (5) calendar days of such notice. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Customer may suspend or terminate the Contract (without prejudice to any fees incurred by the Customer prior to suspension or termination); 6.5.8 in respect of any Personal Data Breach, Posturite shall, without undue delay: (a) notify the Customer acknowledges of any Customer Data Breach; and (b) provide the Customer with details of the Customer Data Breach; and 6.5.9 Posturite shall either delete or return all the Customer Data to the Customer in such form as the Customer reasonably requests within a reasonable time once processing by Posturite of any Customer Data is no longer required for the purpose of Posturite’s performance of its relevant obligations under the Contract. 6.6 The processing of Personal Data by Posturite to be carried out in accordance with the change control procedure in condition 5.9 and agrees shall comprise the information contained in the Contract Particulars, and may be updated from time to time in accordance with any change control procedure in condition 5.9. 6.7 Posturite shall not: 6.7.1 With the exception of the Authorised Sub-Processors, engage any other party (a ‘Sub-Processor’) for carrying out any processing activities in respect of the Customer Data without the Customer’s written authorisation authorising the appointment of that the specific Sub-Processor; or 6.7.2 transfer or store any personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Licensed Users are located in order to carry out the Products and Professional Services and the SupplierPosturite’s other obligations under this agreement;the Contract. (b) the 6.8 The Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Posturite so that the Supplier Posturite may lawfully use, process and transfer the personal data in accordance with this agreement the Contract on the Customer's behalf;. (c) the 6.9 The Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation;Data Protection Laws. (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each 6.10 Each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the Customer Data or any personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 6.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier 6.2 Apposite shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Apposite to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier 6.3 Apposite shall, in providing the ServicesProducts, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address (as may be notified to identified in the Customer from time to time, as Table) (such document may be amended from time to time by the Supplier Apposite and/or its Technology Provider in its sole discretion. The client will be notified 30 days before any amends). 5.4 6.4 If the Supplier Apposite processes any personal data Personal Data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier Apposite shall be a data processor (as defined in the DPA) and in any such case: (a) the Customer acknowledges and agrees that the personal data Personal Data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out provide the Products. The Customer consents for Apposite to receive, share and transfer Personal Data arising from use of the Products and/or Hosted Services and with telecommunications or other providers used in conjunction with the Supplier’s other obligations under this agreementProducts and/or Hosted Services; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data Personal Data to the Supplier Apposite so that the Supplier they may lawfully use, process and transfer the personal data Personal Data in accordance with this agreement Agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislationunder the DPA; (d) the Supplier Personal Data shall process the personal data be processed only in accordance with the terms of this agreement Agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational organizational measures against unauthorised or unlawful processing of the personal data Personal Data or its accidental loss, destruction or damage.

Customer Data. 5.1 5.1. The Customer shall own all rightsright, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its Back-Up Metadata Maintenance Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/GDPR/security/metadata-andmaintenance-data- protection/servers-security#a174 policy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-upup for which it shall remain fully liable under clause 5.9). 5.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 5.4. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 5.5. The client will be notified 30 days before any amends.parties acknowledge that: 5.4 If (a) if the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that Customer is the Customer shall be the data controller and the Supplier shall be a data is the processor and in any such case:for the purposes of the Data Protection Legislation. (ab) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement;. (b) 5.6. Without prejudice to the generality of clause 5.4, the Customer shall will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf. 5.7. Without prejudice to the generality of clause 5.4, the Supplier shall, in relation to any personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process that personal data only on the documented written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK) to process personal data (Applicable Laws). Where the Supplier is relying on Applicable Laws as the basis for processing personal data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: i. the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; ii. the data subject has enforceable rights and effective legal remedies; iii. the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and iv. the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data; (c) assist the Customer shall ensure that Customer, at the relevant third parties have been informed ofCustomer's cost, in responding to any request from a data subject and have given their consent toin ensuring compliance with its obligations under the Data Protection Legislation with respect to security, such usebreach notifications, processing, impact assessments and transfer as required by all applicable data protection legislationconsultations with supervisory authorities or regulators; (d) notify the Supplier shall process Customer without undue delay on becoming aware of a personal data breach; (e) at the written direction of the Customer, delete or return personal data it can reasonably identify and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the personal data only in accordance with (and for these purposes the terms of this agreement and any lawful instructions reasonably given by the Customer from time term "delete" shall mean to timeput such data beyond use); and (ef) each maintain complete and accurate records and information to demonstrate its compliance with this clause 5 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 5.8. Each party shall take ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against accidental loss or its destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damagedamage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 5.9. The Customer consents to the Supplier appointing or otherwise hosting its Software with (i) Amazon Web Services EMEA SARL or any other member of the Amazon Web Services Group; and (ii) any other third party processor the Supplier considers appropriate to the provision of the Services; as a third-party processor of personal data under this agreement. The Supplier confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party's standard terms of business including terms related to the requirements of the Data Protection Legislation. As between the Customer and the Supplier, the Supplier shall use commercially reasonable efforts to enforce the terms of any third-party processor.

Customer Data. 5.1 10.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 10.2 The Supplier shall follow its use reasonable industry accepted archiving procedures for the storage and back up of Customer Data as set out in Data, and shall use its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by reasonable commercial endeavours to secure the Supplier in its sole discretion from time to timeprivacy and security of the Customer Data. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySupplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 10.3 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) 10.3.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement; (b) 10.3.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) 10.3.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 10.4 each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 3.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 3.2 Orpheus shall follow its archiving procedures for Customer Data and the Analytical Data as set out in its Back-Up Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇-▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier ▇▇▇▇▇▇▇ in its sole discretion from time to time. In the event of any loss or damage to Customer Data or Analytical Data, the Customer's sole and exclusive remedy shall be for the Supplier Orpheus to use reasonable commercial endeavours to restore the lost or damaged Customer Data or Analytical Data from the latest back-up of such Customer Data or Analytical Data maintained by the Supplier Orpheus in accordance with the archiving procedure described in its Back-Up Policy. The Supplier Orpheus shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier Orpheus to perform services related to Customer Data maintenance and back-back- up). 5.3 The Supplier 3.3 Orpheus shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇-▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier ▇▇▇▇▇▇▇ in its sole discretion. The client will be notified 30 days before any amends. 5.4 3.4 If the Supplier Orpheus processes any personal data Personal Data on the Customer’s 's behalf when performing its obligations under this agreement▇▇▇▇, the parties record their intention that the Customer shall be the data controller and the Supplier Orpheus shall be a data processor and processor. 3.5 Orpheus shall comply with all Data Protection Laws (which apply to it in any such case: (aits capacity as a data processor) in connection with the Customer acknowledges and agrees that processing of Personal Data in respect of the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out delivery of the Services and the Supplier’s other exercise and performance of its rights and obligations under this agreement;Agreement. (b) the 3.6 The Customer shall ensure that comply with all Data Protection Laws (which apply to it in its capacity as a data controller) in connection with the Customer is entitled processing of Personal Data in respect of the exercise and performance of its rights and obligations under this Agreement, and to transfer enable Orpheus to deliver the relevant personal data to the Supplier so that the Supplier may lawfully use, process Services. 3.7 Instructions and transfer the personal data in accordance with this agreement details of processing - Insofar as Orpheus processes Personal Data on behalf of the Customer's behalf;: 3.7.1 unless required to do otherwise by applicable laws, Orpheus shall (c) the Customer and shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (deach person acting under its authority shall) the Supplier shall process the personal data Personal Data only on and in accordance with the terms of Customer’s documented instructions as set out in this agreement clause 3 and any lawful instructions reasonably given by the Customer Schedule 2 (Data Processing Details), and as updated from time to timetime by the written agreement of the parties (Processing Instructions); and 3.7.2 if any applicable laws require it to process Personal Data other than in accordance with the Processing Instructions, Orpheus shall notify the Customer of any such requirement before processing the Personal Data (eunless any of the applicable laws prohibit such information on important grounds of public interest). 3.8 Technical and organisational measures - Orpheus shall implement and maintain, at its cost and expense (taking into account those factors which it is entitled to take into account pursuant to the Data Protection Laws) each party shall take appropriate technical and organisational measures against unauthorised in relation to the processing of Personal Data by ▇▇▇▇▇▇▇: 3.8.1 so as to ensure a level of security in respect of the Personal Data processed by it is appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed; and 3.8.2 without prejudice to clause 3.11, insofar as is possible, to assist the Customer in the fulfilment of the Customer’s obligations to respond to Data Subject Requests relating to Personal Data. 3.9 Using staff and other processors - Orpheus shall not engage another Data Processor for carrying out any processing activities in respect of the Personal Data without the Customer’s prior written consent. The Customer consents to the processing of Personal Data by the personal data Authorised Reseller in accordance with the Data Processing Instructions. 3.10 Orpheus shall ensure that all Orpheus personnel processing Personal Data: 3.10.1 are subject to obligations of confidentiality which apply, generally or specifically, to the Personal Data; and 3.10.2 are reliable and have received appropriate training on compliance with the Data Protection Laws. 3.11 Assistance with Customer’s Compliance with Data Subject Rights - Orpheus shall: 3.11.1 record and then refer all Data Subject Requests it receives to the Customer, without undue delay; 3.11.2 provide such assistance to the Customer as the Customer reasonably requests in relation to a Data Subject Request; and 3.11.3 not respond to any Data Subject Request or Complaint without the Customer’s prior written approval. 3.12 Without prejudice to clause 3.11 Orpheus shall, at its accidental losscost and expense, destruction or damageprovide such assistance to the Customer as the Customer reasonably requires (taking into account the nature of processing and 3.12.1 security of processing; 3.12.2 Data Protection Impact Assessments (as such term is defined in the Data Protection Laws); 3.12.3 prior consultation with a Supervisory Authority regarding high risk processing.

Customer Data. 5.1 4.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and Authorised users shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer their Data. 5.2 4.2 The supplier and customer shall fulfil its obligations of GDPR compliance as a ‘controllers’ and ‘processors’ of data which includes ( but not limited to) • Data protection impact assessments • Data protection officers • The right to be informed • The right to erasure • The right to rectification • The right to restrict processing 4.3 The Supplier shall follow its archiving procedures for Customer Data as set out described in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeSchedule 4. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySchedule 4. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 4.4 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating will need to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any process Authorised users personal data on the Customer’s their behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer users shall ensure that the Customer is they are entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (db) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (ec) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 4.5 The Supplier will ensure that all Health Companion Ltd Staff are aware of their responsibilities to fully comply with the provisions of the Data Protection Act (2018), including related Caldicott Guardian principles and the Computer Misuse Act and GDPR compliance. The Supplier may, at times, be required to access patient identifiable data in order to investigate and resolve system errors or data quality issues. It is the responsibility of the Supplier to ensure that its staff can: • fully justify the purpose of access, • do not access patient identifiable information unless it is absolutely necessary • access or use the minimum necessary patient identifiable information. Details of the Supplier’s Information Governance Policy can be obtained from the Operations Director at Health Companion Ltd. The Customers Security Principles should be provided to the Supplier at the Project Initiation meeting. The Supplier will be responsible for ensuring these are followed. The Customer will confirm whether explicit permissions will be required to access any patient identifiable information in order to carry out appropriate changes or investigations. The supplier will ensure that its processes enable the patient to actually consent to their data being extracted from clinical systems to populate their patient portal.

Customer Data. 5.1 5.1. The Customer shall own all rightsright, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 5.2. The Supplier shall follow its archiving procedures for maintenance of metadata related to Customer Data as set out in its Back-Up Metadata Maintenance Policy available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/GDPR/security/metadata-andmaintenance-data- protection/servers-security#a174 policy or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to provide the Customer with available Customer comprehensible metadata to restore the lost or damaged Customer Data from the latest back-up version of such metadata related to Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Metadata Maintenance Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-sub- contracted by the Supplier to perform services related to Customer Data maintenance and back-upup for which it shall remain fully liable under clause 5.9). 5.3 5.3. The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf /privacy-security-policy or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. 5.4. Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 5 is in addition to, and does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 5.5. The client will be notified 30 days before any amends.parties acknowledge that: 5.4 If (a) if the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that Customer is the Customer shall be the data controller and the Supplier shall be a data is the processor and in any such case:for the purposes of the Data Protection Legislation. (ab) Schedule 2 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject. (c) the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement;. (b) 5.6. Without prejudice to the generality of clause 5.4, the Customer shall will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf. 5.7. Without prejudice to the generality of clause 5.4, the Supplier shall, in relation to any personal data processed in connection with the performance by the Supplier of its obligations under this agreement: (a) process that personal data only on the documented written instructions of the Customer unless the Supplier is required by the laws of any member of the European Union or by the laws of the European Union applicable to the Supplier and/or Domestic UK Law (where Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK) to process personal data (Applicable Laws). Where the Supplier is relying on Applicable Laws as the basis for processing personal data, the Supplier shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit the Supplier from so notifying the Customer; (b) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled: (i) the Customer or the Supplier has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (iv) the Supplier complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data; (c) assist the Customer shall ensure that Customer, at the relevant third parties have been informed ofCustomer's cost, in responding to any request from a data subject and have given their consent toin ensuring compliance with its obligations under the Data Protection Legislation with respect to security, such usebreach notifications, processing, impact assessments and transfer as required by all applicable data protection legislationconsultations with supervisory authorities or regulators; (d) notify the Supplier shall process Customer without undue delay on becoming aware of a personal data breach; (e) at the written direction of the Customer, delete or return personal data it can reasonably identify and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the personal data only in accordance with (and for these purposes the terms of this agreement and any lawful instructions reasonably given by the Customer from time term "delete" shall mean to timeput such data beyond use); and (ef) each maintain complete and accurate records and information to demonstrate its compliance with this clause 5 and immediately inform the Customer if, in the opinion of the Supplier, an instruction infringes the Data Protection Legislation. 5.8. Each party shall take ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of the personal data and against accidental loss or its destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damagedamage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it). 5.9. The Customer consents to the Supplier appointing or otherwise hosting its Software with

Customer Data. 5.1 4.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and Authorised users shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer their Data. 5.2 4.2 The supplier and customer shall fulfil its obligations of GDPR compliance as a ‘controllers’ and ‘processors’ of data which includes ( but not limited to) • Data protection impact assessments • Data protection officers • The right to be informed • The right to erasure • The right to rectification • The right to restrict processing 4.3 The Supplier shall follow its archiving procedures for Customer Data as set out described in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to timeSchedule 4. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySchedule 4. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 4.4 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating will need to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any process Authorised users personal data on the Customer’s their behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer users shall ensure that the Customer is they are entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (db) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (ec) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage. 4.5 The Supplier will ensure that all Health Companion Ltd Staff are aware of their responsibilities to fully comply with the provisions of the Data Protection Act (1998), including related Caldicott Guardian principles and the Computer Misuse Act (1990) and GDPR compliance. The Supplier may, at times, be required to access patient identifiable data in order to investigate and resolve system errors or data quality issues. It is the responsibility of the Supplier to ensure that its staff can: • fully justify the purpose of access, • do not access patient identifiable information unless it is absolutely necessary • access or use the minimum necessary patient identifiable information. Details of the Supplier’s Information Governance Policy can be obtained from the Operations Director at Health Companion Ltd. The Customers Security Principles should be provided to the Supplier at the Project Initiation meeting. The Supplier will be responsible for ensuring these are followed. The Customer will confirm whether explicit permissions will be required to access any patient identifiable information in order to carry out appropriate changes or investigations. The supplier will ensure that its processes enable the patient to actually consent to their data being extracted from clinical systems to populate their patient portal.

Customer Data. 5.1 6.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 6.2 Iplicit shall follow its archiving procedures for Customer Data as set out in its Back-Back- Up Policy available at ▇▇▇▇://.▇▇▇▇▇▇▇.▇▇/GDPR▇/security-and-data- protection/servers-security#a174 ▇▇▇▇▇▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier Iplicit in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier Iplicit to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier Iplicit in accordance with the archiving procedure described in its Back-Up Policy. The Supplier Iplicit shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up)party. 5.3 The Supplier 6.3 Iplicit shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇.▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/▇▇▇▇▇▇▇▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Iplicit in its sole discretion. The client will be notified 30 days before any amends. 5.4 6.4 If the Supplier Iplicit processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier Iplicit shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the SupplierIplicit’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Iplicit so that the Supplier Iplicit may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier Iplicit shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 4.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 on request in writing as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-back- up). 5.3 4.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 4.4 If the Supplier processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s 's other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 Each Party shall comply with its respective obligations and may exercise its respective rights and remedies, under the Data Processing Agreement in Schedule 5. 5.2 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier in its sole discretion from time to time. 5.3 In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up PolicySupplier. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those any third parties sub-contracted by the Supplier to perform Software services related to Customer Data maintenance and back-up). 5.3 5.4 The Supplier shall, in providing the Software Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇.▇▇▇.▇▇/staffwise_privacy.pdf /en/privacynotice or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If 5.5 Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 5 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. 5.6 The parties acknowledge that: a) if the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that Customer is the Customer shall be the data controller Data Controller and the Supplier shall be a is the Data Processor for the purposes of the Data Protection Legislation and; b) Schedule 5 sets out the scope, nature and purpose of processing by the Supplier as the Data Processor, the duration of the processing, the types of personal data processor and in any such case:categories of data subject. (a) 5.7 Without prejudice to the generality of Clause 5.5, the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data to the Supplier for the duration and purposes of this Agreement so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 4.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 4.2 The Supplier shall follow its archiving procedures for Customer acknowledges that IMImobile will use Customer Data solely to the extent necessary for the performance of the Service and will obtain no rights in such data by virtue of its use under this Agreement. 4.3 The Customer acknowledges that, except as set out agreed between the parties in its Back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document writing, IMImobile may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to periodically delete Customer Data, . 4.4 IMImobile will process User Data on the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Agreement. The Customer shall be the data controller and the Supplier IMImobile shall be a data processor and in any such caseand: (a) the Customer acknowledges and agrees that the personal data User Data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services Service and the SupplierIMImobile’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data User Data to the Supplier IMImobile so that the Supplier IMImobile may lawfully use, process and transfer the personal data User Data in accordance with this agreement Agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data User Data or its accidental loss, destruction or damage; and (e) the parties agree to enter in to and abide by the terms of the data processing agreement attached at Appendix A to this Agreement. 4.5 The Customer acknowledges and consents that IMImobile may be required to disclose User Data to Regulatory Bodies, the police or Channels (who in turn may disclose such User Data to Regulatory Bodies or the police). The Customer also acknowledges and consents that IMImobile may disclose User Data to Channels for Channels’ own use. The Customer hereby confirms that it, and its Licensees, have the necessary permissions in order to grant such consent under this clause 4.5.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data (or have an appropriate licence to use such rights where the Customer relates to an End User) and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier Causeway shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇/ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier ▇▇▇▇▇▇▇▇ in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier Causeway to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier Causeway in accordance with the archiving procedure described in its Back-Up Policy. The Supplier Causeway shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Causeway to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier Causeway shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇/ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Causeway in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier Causeway processes any personal data on the Customer’s 's (or an End User’s) behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier Causeway shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data that is not personal data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the all such Customer Data. 5.2 The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇.▇://▇▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy against the Supplier shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-upup for which it shall remain fully liable under Clause 5.9). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If Both parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 5 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under the Data Protection Legislation. 5.5 The parties acknowledge that: (a) if the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that Customer is the Customer shall be the data controller and the Supplier shall be a data is the processor and in any such case:for the purposes of the Data Protection Legislation. (ab) [Schedule 4 sets out the Customer acknowledges scope, nature and agrees that purpose of processing by the Supplier, the duration of the processing and the types of personal data and categories of data subject.] (c) the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement;. (b) 5.6 Without prejudice to the generality of Clause 5.4, the Customer shall will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Customer is entitled to transfer the relevant personal data to the Supplier for the duration and purposes of this agreement so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's ’s behalf; (c) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 . The Supplier shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time], as such document may be amended by the Supplier in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours endeavors to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 . The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier processes any personal data on the Customer’s behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier shall be a data processor and in any such case: : (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other obligations under this agreement; (b) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier so that the Supplier may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; ; (cb) the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; ; (de) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 The Customer shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier Yotta shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy available at ▇▇▇.▇://▇▇▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier Yotta in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier Yotta to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier Yotta in accordance with the archiving procedure described in its Back-Up Policy. The Supplier ▇▇▇▇▇ shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier Yotta to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier Yotta shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier Yotta in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier Yotta processes any personal data on the Customer’s 's behalf when performing its obligations under this agreement, the parties record their intention that the Customer shall be the data controller and the Supplier Yotta shall be a data processor and in any such case: (a) 5.4.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside within the EEA or the country where the Customer and the Authorised Users are located in order inorder to carry out the Services and the Supplier’s Yotta's other obligations under this agreement; (b) 5.4.2 the Customer shall ensure that the Customer it complies with its obligations under applicable Data Protection Legislation and that it is entitled to transfer the relevant personal data to the Supplier Yotta so that the Supplier ▇▇▇▇▇ may lawfully use, process and transfer the personal data in accordance with this agreement on the Customer's behalf; (c) 5.4.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislationData Protection Legislation; (d) the Supplier 5.4.4 Yotta shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to timeprovisions of applicable Data Protection Legislation; and (e) 5.4.5 each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.

Customer Data. 5.1 15.1 The Customer shall own all rights, title and interest in and to all of the Customer Data and shall (except as otherwise expressly stated in this clause 15) have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier 15.2 Target shall follow its archiving procedures for back up the Customer Data as set out stored on Target’s systems in its Backaccordance with Target’s standard back-Up Policy available at ▇▇▇▇://▇▇▇▇▇▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 as such document may be amended by the Supplier up procedures in its sole discretion place from time to time. In the event of any loss or damage to Customer Data, the Customer's sole and exclusive remedy shall be for the Supplier to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier in accordance with the archiving procedure described in its Back-Up Policy. The Supplier shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier shall, in providing the Services, comply with its Privacy and Security Policy relating to the privacy and security of the Customer Data available at ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇/staffwise_privacy.pdf or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier in its sole discretion. The client will be notified 30 days before any amends. 5.4 15.3 If the Supplier Target processes any personal data on the Customer’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier Target shall be a data processor and in any such case: (a) the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the Supplier’s other each party shall comply with its obligations under this agreementthe Data Protection Act 1998 (Act); (b) Target shall process the Customer’s personal data only in accordance with the terms of this Agreement and any lawful instructions reasonably given by the Customer from time to time; (c) Target shall not transfer or store the Customer’s personal data outside the EEA without the prior written consent of the Customer; (d) Target shall not transfer the Customer’s personal data to any third party (including any sub-contractor or sub-processor) without the prior written consent of the Customer, provided that the Customer consents to the transfer and subsequent processing of personal data to the Approved Third Parties for the purposes listed in schedule 8; (e) Target shall, and shall procure that the Approved Third Parties shall, when processing personal data, take the technical and organisational measures described in schedule 10, insofar as applicable to the Services; and (f) the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier Target (including by obtaining all necessary consents) so that the Supplier Target may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's behalf;. (c) 15.4 For the Customer shall ensure that the relevant third parties have been informed ofpurposes of clause 15.3, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement “data controller”, “data processor” and any lawful instructions reasonably “personal data” shall have the meanings given by to them in the Customer from time to time; and (e) each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damageAct.

Customer Data. 5.1 The Customer Customer’s Group shall own all rightsright, title and interest in and to all of the Customer Data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data. 5.2 The Supplier SDS shall follow its archiving procedures for Customer Data as set out in its Backback-Up Policy up policy available at ▇▇▇.▇://-▇-▇▇▇▇.▇▇.▇▇/GDPR/security-and-data- protection/servers-security#a174 ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended by the Supplier SDS in its sole discretion from time to time. In the event of any loss or damage to Customer Data, the Customer's ’s sole and exclusive remedy shall be for the Supplier SDS to use reasonable commercial endeavours to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by the Supplier SDS in accordance with the archiving procedure described in its Backback-Up Policyup policy. The Supplier SDS shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party (except those third parties sub-contracted by the Supplier SDS to perform services related to Customer Data maintenance and back-up). 5.3 The Supplier SDS shall, in providing the Services, comply with its Privacy privacy and Security Policy security policy relating to the privacy and security of the Customer Data available at ▇▇▇.▇-▇://-▇▇▇▇▇▇▇.▇▇.▇▇/staffwise_privacy.pdf ▇ or such other website address as may be notified to the Customer from time to time, as such document may be amended from time to time by the Supplier SDS in its sole discretion. The client will be notified 30 days before any amends. 5.4 If the Supplier SDS processes any personal data on the Customer’s Group’s behalf when performing its obligations under this agreementAgreement, the parties record their intention that the Customer shall be the data controller and the Supplier SDS shall be a data processor and in any such case: (a) 5.4.1 the Customer acknowledges and agrees that the personal data may be transferred or stored temporarily outside the EEA or the country where the Customer and the Authorised Users are located in order to carry out the Services and the SupplierSDS’s other obligations under this agreementAgreement. SDS will choose a UK data centre as its preferred data storage location. Should any transfer be required this will always be done subject to the implementation of the same or better legal protection as the UK; (b) 5.4.2 the Customer shall ensure that the Customer is entitled to transfer the relevant personal data to the Supplier SDS so that the Supplier SDS may lawfully use, process and transfer the personal data in accordance with this agreement Agreement on the Customer's ’s behalf; (c) 5.4.3 the Customer shall ensure that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection legislation; (d) the Supplier shall process the personal data only in accordance with the terms of this agreement and any lawful instructions reasonably given by the Customer from time to time; and (e) 5.4.4 each party shall take appropriate technical and organisational measures against unauthorised or unlawful processing of the personal data or its accidental loss, destruction or damage.