Common use of PROCESSOR CLAUSES Clause in Contracts

PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, and You are the controller of such personal data. The Product Fact Sheet sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 6, We may amend the Product Fact Sheet from time to time. 2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. Subject to clause 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data outside of the European Union or the UK (the “Approved Jurisdiction”) without the documented instruction. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 6 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation. 2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing. 2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality. 2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general security measures are set out in clause 4 to this Schedule 6, the Access Payment Product specific security measures are set out in the relevant Product Fact Sheet. 2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-party data centres). Any Sub Processors shall be outlined in the Product Fact Sheet. By You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, provided that We shall notify You of the appointment of a new Sub Processor and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall ensure that all Sub Processors are bound by contract with Us which include appropriate data processing terms and We shall remain liable for Sub Processors’ acts and omissions in connection with this Agreement. 2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall use reasonable commercial efforts to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) following written request from You provided that We may: (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or (b) charge You on a time and materials basis in the event that We consider, in Our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data. 2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with any notification to the applicable supervisory authority and data subjects, considering the nature of processing and the information available to Us. 2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing of Your personal data by Us. 2.11. Following the earlier of termination or expiry of the Agreement (the “End Date”), Your instruction is for Us to delete Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement. 2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses 2.3 to 2.11 inclusive, and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis. 2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the Data Protection Legislation and Our reasoning (where such reasoning is provided). We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-infringing or amend Your instructions to make them non- infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction. 2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement. 2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive). 2.16. Where You consider it necessary to amend this Schedule 6 as a result of any changes in law relating to the protection or treatment of personal data, You shall notify Us of the same. Thereafter the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 6 to ensure compliance with such law. 2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.

PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, and You are the controller of such personal data. The Product Fact Sheet sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 6, We may amend the Product Fact Sheet from time to time. 2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. Subject to clause 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data outside of the European Union or the UK (the “Approved Jurisdiction”) without the documented instruction. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 6 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation. 2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing. 2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality. 2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general security measures are set out in clause 4 to this Schedule 6, the Access Payment Product specific security measures are set out in the relevant Product Fact Sheet. 2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-party data centres). Any Sub Processors shall be outlined in the Product Fact Sheet. By You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, provided that We shall notify You of the appointment of a new Sub Processor and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall ensure that all Sub Processors are bound by contract with Us which include appropriate data processing terms and We shall remain liable for Sub Processors’ acts and omissions in connection with this Agreement. 2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall use reasonable commercial efforts to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) following written request from You provided that We may: (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or (b) charge You on a time and materials basis in the event that We consider, in Our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data. 2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with any notification to the applicable supervisory authority and data subjects, considering the nature of processing and the information available to Us. 2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing of Your personal data by Us. 2.11. Following the earlier of termination or expiry of the Agreement (the “End Date”), Your instruction is for Us to delete Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement. 2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses 2.3 to 2.11 inclusive, and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis. 2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the Data Protection Legislation and Our reasoning (where such reasoning is provided). We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-infringing or amend Your instructions to make them non- infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction. 2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement. 2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive). 2.16. Where You consider it necessary to amend this Schedule 6 as a result of any changes in law relating to the protection or treatment of personal data, You shall notify Us of the same. Thereafter the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 6 to ensure compliance with such law. 2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.

PROCESSOR CLAUSES. 2.1. 2.1 In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, processor and You are the controller of such personal data. The Product Fact Sheet Annex 1 to this Addendum 1 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 6, We The parties may amend the Product Fact Sheet Annex 1 from time to timetime by written agreement. You warrant and undertake that You have reviewed Annex 1 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement You shall inform Us and You and We shall work together to correct Annex 1 and review Annex 2 as necessary. You shall defend, indemnify and hold Us harmless against claims, actions, proceedings, losses, damages, expenses and costs (including without limitation court costs and reasonable legal fees) arising out of or in connection with any errors, inaccuracies or omissions from time to time in Annex 1 (as amended in accordance with this paragraph 2.1). 2.2. 2.2 Each party shall comply with its obligations under applicable Data Protection Legislation, Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. 2.3 Subject to clause paragraph 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) Economic Area without the documented instructionYour consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 6 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects have enforceable subject access rights and effective legal remedies as required by the Data Protection LegislationAddendum 1. 2.4. 2.4 We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing. 2.5. 2.5 We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentialityconfidentiality in respect of such personal data. 2.6. 2.6 We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general The security measures are set out in clause 4 Annex 2 to this Schedule 6, the Access Payment Product specific Addendum and You warrant that You have reviewed such security measures are set out and consider them appropriate in the relevant Product Fact Sheetcontext of the processing of Your personal data as anticipated by the Agreement. 2.7. 2.7 We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-third party data centres). Any Sub Processors shall be outlined in the Product Fact Sheet. By You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, ) provided that We shall notify You of the appointment addition or replacement of a new such Sub Processor Processors and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 5 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall ensure that require all Sub Processors are bound by contract with Us which include appropriate data processing to enter into an agreement equivalent effect to the terms contained in paragraphs 2.3 to 2.6 inclusive and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreementomissions. 2.8. 2.8 In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and within 72 hours and shall use reasonable commercial efforts efforts, to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) days following written request from You provided that We may: may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or (b) charge You on a time and materials basis in the event that We we consider, in Our our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data. 2.9. 2.9 Upon discovering We have experienced a Personal Data Breach in respect of Your personal data Breach, We shall notify You without undue delay and within 72 hours and shall assist You to the extent reasonably necessary in connection with any notification to the applicable supervisory authority Supervisory Authority and data subjects, considering taking into account the nature of processing and the information available to Us. 2.10. 2.10 In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultationassessment. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are . 2.11 Unless otherwise required by Article 35 or 36 of the GDPRapplicable law, in each case solely in relation to the processing of Your personal data by Us. 2.11. Following the earlier of following termination or expiry of the Agreement (the “End Date”)We shall, at Your instruction is for Us to option, delete or return all Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us and all copies thereof to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirementYou. 2.12. 2.12 Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses paragraphs 2.3 to 2.11 inclusive, inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basiswritten notice. 2.13. 2.13 In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the assess your instructions and Data Protection Legislation and Our reasoning (where such reasoning is provided)Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-infringing or amend Your instructions to make them non- non-infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction. 2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for 2.14 We reserve the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement. 2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive). 2.16. Where You consider it necessary right to amend this Schedule 6 Addendum 1 on written notice to You if We consider it reasonably necessary as a result of any changes in law or practice relating to the protection or treatment of personal data, You shall notify Us of the same. Thereafter the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 6 to ensure compliance with such law. 2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.

PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, and You are the controller of such personal data. The Product Fact Sheet sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 62, We may amend the Product Fact Sheet from time to time. 2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. Subject to clause 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data outside of the European Union or the UK (the “Approved Jurisdiction”) without the documented instruction. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 6 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation. 2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing. 2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentiality. 2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general security measures are set out in clause 4 to this Schedule 62, the Access Payment Product specific security measures are set out in the relevant Product Fact Sheet. 2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-party data centres). Any Sub Processors shall be outlined in the Product Fact Sheet. By You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, provided that We shall notify You of the appointment of a new Sub Processor and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors, and, for the avoidance of doubt, We shall not share Your personal data with any Sub Processor You have objected to in accordance with this Agreement. We shall ensure that all Sub Processors are bound by contract with Us which include appropriate data processing terms and We shall remain liable for Sub Processors’ acts and omissions in connection with this Agreement. 2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall use reasonable commercial efforts to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) following written request from You provided that We may: (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or (b) charge You on a time and materials basis in the event that We consider, in Our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data. 2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with mitigation of the impact of the Personal Data Breach and any notification to the applicable supervisory authority and data subjects, considering the nature of processing and the information available to Us. 2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing of Your personal data by Us. 2.11. Following the earlier of termination or expiry of the Agreement (the “End Date”), Your instruction is for Us to delete Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement. 2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses 2.3 2.2 to 2.11 inclusive, and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis. 2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the Data Protection Legislation and Our reasoning (where such reasoning is provided). We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-infringing or amend Your instructions to make them non- infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction. 2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement. 2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive). 2.16. Where You consider it necessary to amend this Schedule 6 2 as a result of any changes in law relating to the protection or treatment of personal data, You shall notify Us of the same. Thereafter the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 6 2 to ensure compliance with such law. 2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.

PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, processor and You are the controller of such personal data. The Product Fact Sheet Paragraph 3 of this Schedule 2 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 6, We The parties may amend the Product Fact Sheet paragraph 3 from time to timetime by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessary. 2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. Subject to clause paragraph 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) without the documented instructionYour consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 6 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation. 2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal requirement before such processing. 2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentialityconfidentiality in respect of such personal data as set out in Clause 6 of the Agreement. 2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general The security measures are set out in clause paragraph 4 to this Schedule 6, the Access Payment Product specific 2 and You warrant that You have reviewed such security measures are set out and consider them appropriate in the relevant Product Fact Sheetcontext of the processing of Your personal data as anticipated by the Agreement. 2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-third party data centres). Any Sub Processors shall be outlined in the Product Fact Sheet. By You signing this Agreement, You are providing Us with general written authorisation to add a Sub Processor and/or replace or remove a Sub Processor where We deem necessary, ) provided that We shall notify You of the appointment addition or replacement of a new such Sub Processor Processors and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall ensure that require all Sub Processors are bound by contract with Us which include appropriate data processing to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreement. 2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and shall use reasonable commercial efforts efforts, to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) days following written request from You provided that We may: may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or Legislation)and/or (b) charge You on a time and materials basis in the event that We we consider, in Our our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data., 2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data the Customer Data, We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with any notification to the applicable supervisory authority Supervisory Authority and data subjects, considering taking into account the nature of processing and the information available to Us. 2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing Processing of Your personal data Customer Personal Data by UsUS. 2.11. Following the earlier of Unless otherwise required by applicable law, following termination or expiry of the Agreement (the “End Date”)We shall, at Your instruction is for Us to option, delete or return all Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned all copies thereof to You in accordance with the format specified in the Product Fact Sheet, the relevant Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement. 2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses paragraphs 2.3 to 2.11 inclusive, inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis. 2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the assess your instructions and Data Protection Legislation and Our reasoning (where such reasoning is provided)Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-non- infringing or amend Your instructions to make them non- non-infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction. 2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for In the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement. 2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive). 2.16. Where You consider event that either party considers it reasonably necessary to amend this Schedule 6 as a result of any changes in law relating to the protection or treatment of personal data, You such party shall notify Us of the same. Thereafter other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 6 to ensure compliance with such law. 2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.

PROCESSOR CLAUSES. 2.1. In the event that We process Your personal data under or in connection with the Agreement, the parties record their intention that We are the processor, processor and You are the controller of such personal data. The Product Fact Sheet Paragraph 3 of this Schedule 2 sets out the subject-matter and duration of the processing of Your personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects. Subject to clause 2.7 of this Schedule 6, We The parties may amend the Product Fact Sheet paragraph 3 from time to timetime by written agreement. You warrant and undertake that You have reviewed paragraph 3 and that it contains full and accurate details of “type of personal data” and “categories of data subject” to which the Agreement relates. In the event of any change during the term of the Agreement each party shall inform the other and You and We shall work together to correct paragraph 3 and review Paragraph 4as necessary. 2.2. Each party shall comply with its obligations under applicable Data Protection Legislation, Legislation and You warrant and undertake that You shall not instruct Us to process Your personal data where such processing would be unlawful. 2.3. Subject to clause paragraph 2.4 and 2.7 below, We shall process Your personal data only in accordance with Your documented instructions and shall not transfer Your personal data Personal Data outside of the European Union or the UK (the “Approved Jurisdiction”) without the documented instructionYour consent. For the avoidance of any doubt, any configuration of the service by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this Schedule 6 2 and in relation to any transfer as a result of such configuration, We shall have put in place appropriate safeguards to protect Your personal data and ensure that the relevant data subjects subject have enforceable subject access rights and effective legal remedies as required by the Data Protection Legislation. 2.4. We may process Your personal data other than in accordance with Your documented instructions where required to do so by applicable law provided that (unless prohibited by applicable law on important grounds of public interest) We shall notify You of such legal l egal requirement before such processing. 2.5. We shall ensure that individuals engaged in the processing of Your personal data under the Agreement are subject to written obligations of confidentialityconfidentiality in respect of such personal data as set out in Clause 6 of the Agreement. 2.6. We shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing Your personal data pursuant to the Agreement. We shall assist You by appropriate technical and organisational measures in fulfilling Your obligations as controller in relation to the security of processing Your personal data. Our general The security measures are set out in clause paragraph 4 to this Schedule 6, the Access Payment Product specific 2 and You warrant that You have reviewed such security measures are set out and consider them appropriate in the relevant Product Fact Sheetcontext of the processing of Your personal data as anticipated by the Agreement. 2.7. We may engage such other processors (“Sub Processors”) as We consider reasonably appropriate for the processing of Your personal data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-third party data centres). Any Sub Processors (save for replacement Sub Processors) shall be outlined in the Product Fact Sheet. By GDPR Portal pursuant to paragraph 3.1 to this Schedule 2, and by You signing this Agreement, You are providing Us with general written authorisation to add a replace that Sub Processor and/or replace or remove a Sub Processor (for the same processing activity) where We deem necessary, provided that We shall notify You of the appointment addition or replacement of a new such Sub Processor Processors and You may, on reasonable grounds, object to the appointment of a Sub Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub Processors. We shall ensure that require all Sub Processors are bound by contract with Us which include appropriate data processing to enter into an agreement equivalent in effect to the terms contained in this Data Processor Terms Schedule and We shall remain responsible and liable for Sub Processors’ acts and omissions in connection with this Agreement. 2.8. In the event that any data subject exercises its rights under applicable Data Protection Legislation against You, We shall respond without undue delay and shall use reasonable commercial efforts efforts, to assist You in fulfilling Your obligations as controller and provide You with a suitable response without undue delay (and in any event within 5 days) days following written request from You provided that We may: may (a) extend such time period (provided always that We shall use all reasonable endeavours to provide such assistance within a time period to enable You to comply with Your obligations under applicable Data Protection Legislation); and/or Legislation)and/or (b) charge You on a time and materials basis in the event that We we consider, in Our our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Your personal data. 2.9. Upon discovering We have experienced a Personal Data Breach in respect of Your personal data the Customer Data, We shall notify You without undue delay and shall assist You to the extent reasonably necessary in connection with any notification to the applicable supervisory authority and data subjects, considering taking into account the nature of processing and the information available to Us. 2.10. In the event that You consider that the processing of personal data performed pursuant to the Agreement requires a privacy impact assessment or prior consultation with a supervisory authority authority, to be undertaken, following written request from You, We shall use reasonable commercial endeavours to provide relevant information and assistance to You to facilitate such privacy impact assessment or prior consultation. We may charge You for such assistance on a time and materials basis. We shall provide you with a data protection impact assessment upon request, and prior consultations with supervisory authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to the processing Processing of Your personal data Customer Personal Data by Us. 2.11. Following the earlier of Unless otherwise required by applicable law, following termination or expiry of the Agreement (the “End Date”)We shall, at Your instruction is for Us to option, delete or return all Your personal data held by Us. Before deleting Your personal data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Your personal data returned all copies thereof to You in accordance with the format specified in the Product Fact Sheet, the relevant Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some of Your personal data, We shall notify You of this lawful requirement. 2.12. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses paragraphs 2.3 to 2.11 inclusive, inclusive and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Working Hours. You will ensure that your representatives make all reasonable endeavours to minimise any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis. 2.13. In the event that We consider that Your instructions relating to processing of Your personal data under the Agreement infringes Data Protection Legislation We shall inform You immediately and You shall reconsider Your instruction considering the assess your instructions and Data Protection Legislation and Our reasoning (where such reasoning is provided)Legislation. We shall not be obliged to process any of Your personal data in relation to such instructions until You notify Us that Your instructions are non-non- infringing or amend Your instructions to make them non- non-infringing and notify Us accordingly. Further, where We request the same, You shall sign a waiver provided by Us which will absolve Us of any liability associated with Us following Your processing instruction. 2.14. Without prejudice to any other provision in this Agreement which may apply, You shall for In the Licence Term have in place and maintain any and all appropriate consents from the relevant data subjects and or an appropriate lawful basis for processing the personal data of the data subjects affected by this Agreement. 2.15. We shall for the Licence Term use reasonable endeavours to assist You in meeting Your obligations under Articles 32 to 36 (inclusive). 2.16. Where You consider event that either party considers it reasonably necessary to amend this Schedule 6 as a result of any changes in law relating to the protection or treatment of personal data, You such party shall notify Us of the same. Thereafter other party in writing and the parties shall act reasonably and in good faith in agreeing appropriate amendments to this Schedule 6 to ensure compliance with such lawsuchlaw. 2.17. Nothing in these Terms and Conditions is intended to govern the processing of personal data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our privacy policy made available on Our website.