HybridHero UK SAAS Terms and Conditions

These T&Cs (Terms and Conditions) are a legally binding contract between you (the Customer, you and your) and HybridHero Limited (a company registered in England and Wales with company number 12356013) (HybridHero, we, us and our).

If you are agreeing to these Terms and Conditions not as an individual but on behalf of an entity or organisation, then “you” means that entity or organisation, and you acknowledge that you are binding that entity or organisation to these Terms and Conditions.

Please read these Terms and Conditions carefully. By Executing the Order Form or using or accessing the Products, Goods and Services, you acknowledge that you have read, understand and agree to follow and be bound by these Terms and Conditions.These Terms and Conditions incorporate the Data Security and Privacy Addendum attached to this Agreement.

1 Contract structure


(a) The terms of engagement for the provision of the Products, Goods and Services to the Customer will be set out in:

(i) an Executed order form (Order Form);

(ii) any subsequent Executed order forms that amend the Order Form (Supplementary Order Form). Upon Execution, the Order Form (as amended by any Supplementary Order Forms) will incorporate these Terms and Conditions and the HybridHero Documentation (as updated from time to time and
available on the HybridHero Website and HybridHero App or otherwise attached to the Order Form or Supplementary Order Forms) and take effect as a binding agreement (Agreement).

(b) Any new features, tools or Software which are added to the Products, Goods and Services (including any Updates under clause 6) will also be subject to the Agreement.

(c) Each party must perform its obligations under the Order Form in accordance with these Terms and
Conditions and the terms of the Order Form. The parties must comply with any special conditions set
out in the Order Form as may be amended by any Supplementary Order Forms (Special Conditions).

(d) In the event of any inconsistency between these Terms and Conditions, the Order Form and any
Supplementary Order Forms, the provisions will prevail in the following descending order:

(i) the Special Conditions (if any) in the most recent Supplementary Order Form followed by any other Supplementary Order Forms in descending date order, which must explicitly state which terms
they replace in order to be valid; (ii) the Special Conditions (if any) in any Order Form, which must explicitly state which terms they replace in order to be valid;
(iii) the remaining provisions of the most recent Supplementary Order Form followed by any other Supplementary Order Forms in descending date order;
(iv) the remaining provisions of the Order Form;
(v) these Terms and Conditions; and
(vi) the HybridHero Documentation

2 Term
(a) The Agreement commences on the Commencement Date and continues for the Initial Term, unless
terminated earlier in accordance with clause 14.


(b) At the end of the Initial Term, the Agreement will be automatically extended for successive Renewal
Terms unless:

(i) either party provides written notice of its intention to cancel such automatic renewal:

(A) no less than 90 days’ prior to the commencement of the relevant Renewal Term;

(B) no less than 24 hours prior to the commencement of the relevant Renewal Term where the Initial
Term is also a Trial Period; or

(C) such other period as specified in the Order Form (or any amending Supplementary Order Form); or

(ii) the Trial Period is extended through Execution of a new Order Form. If this occurs the previous

Order Form will be taken to have been terminated on the day that the new Order Form is Executed; or

(iii) this Agreement is terminated earlier in accordance with clause 14.

3 Licence


(a) Subject to clause 4 and the Terms and Conditions of this Agreement, including the Customer’s payment of all, if any, relevant Fees and amounts under this Agreement, HybridHero grants to the Customer a non-exclusive, limited, non-sublicensable, nontransferable, revocable licence to access and use, and make available to its Personnel to use, in the Jurisdictions, the Products, Goods and Services
during the Term in accordance with this Agreement. The Customer is liable for any access or use of the
Products, Goods or Services outside the Jurisdictions in breach of this clause 3(a).


(b) The licence set out in clause 3(a) vests in the Customer on the Commencement Date and endures
for the duration of this Agreement except as otherwise specified in this Agreement.


(c) HybridHero will:

(i) assist with delivering or otherwise providing access to, and initial configuration and customisation (as applicable) of, the relevant Products, Goods and Services as required for the Customer to exercise its rights under clause 3(a) and as required pursuant to the Order Form, including by providing
encryption keys, where applicable; and

(ii) provide the Customer with any HybridHero Documentation reasonably required to use the Products, Goods and Services, including installation instructions in respect of the Goods.

(d) HybridHero may engage a third party service provider to assist in the delivery, installation,
customisation or support of the Products, Goods and Services, as applicable.

4 Use of Products, Goods and Services

(a) The Customer must promptly provide all information required by HybridHero to set up the HybridHero App and the Customer’s Operating Environment.

(b) The Customer must use, and must ensure that its Personnel use:

(i) the Products, Goods and Services in accordance with the End User Licence Agreement for the Products, Goods and Services; and

(ii) the Goods in accordance with any instructions provided by HybridHero, when the Customer and/or its Personnel register to use the Products, Goods and Services.

(c) All use by the Customer’s Personnel and any other third party of the Products, Goods, and Services will be deemed to be use by the Customer for which the Customer remains liable.

(d) In the event any Goods are considered to be faulty and require replacement, the Customer will send the Goods to the address supplied by HybridHero (at the Customer’s initial expense):

(i) if the Goods are found to be faulty, HybridHero will provide the Customer with replacement Goods and reimburse any reasonable delivery costs; or

(ii) if the Goods are not determined by HybridHero to be faulty or they have been damaged (otherwise through fair wear and tear), then to the extent allowed by law, the Customer will be required to pay the Replacement Fee and the cost of delivery replacement Goods.

(e) The Customer must not, without HybridHero’s prior written approval:

(i) use the Products, Goods and Services for a purpose other than the Authorised Purpose and in accordance with the Terms and Conditions of this Agreement;

(ii) copy or replicate, or directly or indirectly allow or cause a third party to copy or replicate, the whole or any part of the Products, Goods and Services;

(iii) use the Products, Goods and Services to assist in the conduct of the business of any third party;

(iv) modify, adapt or amend the Products, Goods and Services, or permit any third party to modify, adapt or amend the Products, Goods and Services;

(v) disassemble, decompile, or reverse engineer (or permit any other person to do so) all or any parts of the computer programs or source code which form any part of the Products, Goods and Services (or attempt to do so) or take any other action intended to render any of the programs more amenable to human understanding or render the programs operational as to any other user who has
not been authorised by HybridHero;

(vi) publicly disseminate information regarding the performance of the Products, Goods and Services; or

(vii) sub-license, rent, sell, lease, distribute or otherwise transfer the Products, Goods
and Services or any part of them except as permitted under this Agreement.

(f) The Customer is responsible for maintaining control over and access to its instance of, or account for, the Products, Goods and Services. the Customer must keep accurate, up-to-date records of each of the Customer’s Personnel who access the Customer’s instance of, or account for, the Products, Goods and Services.

(g) The Customer must maintain the confidentiality of all login information and must not allow or authorise any person other than the Customer’s Personnel to use the login information. The Customer must immediately notify HybridHero of any suspected or actual unauthorised access to or use of the login information.

(h) The Customer must ensure there is only one end user per HybridHero Account. The Customer is
responsible for any and all activities that occur on the Customer’s instance of, or account for, the
Products, Goods and Services, whether or not authorised by the Customer.

(i) The Customer must not, and must ensure its Personnel do not, use the Products, Goods and Services (including through the upload of any Customer Material) in any way that:

(i) involves anything which is false, defamatory, harassing or obscene;

(ii) involves unsolicited electronic messages;

(iii) would involve the contravention of any person’s rights (including Intellectual Property Rights);

(iv) may contravene any Laws;

(v) could damage, disable or impair any part of the Products, Goods and Services;

(vi) may otherwise be regarded by HybridHero, on reasonable grounds, to be unacceptable (HybridHero may from time to time notify the Customer of the circumstances which it regards as
unacceptable);

(vii) involves any fraudulent activity;

(viii) involves any dealing with Personal Data in contravention of applicable Privacy Laws; or

(ix) involves the sale or promotion of any illegal business activities or prohibited products, goods or services.

(j) The Customer must comply at all times with the terms of any Third Party Licences.

5 Fees, payment and VAT

5.1 Fees and payment

(a) Except as provided for in clause 5.1(b), the Customer must pay the Fees set out in each invoice, without set-off, abatement or deduction, in accordance with this clause 5 and in accordance
with any specific invoicing arrangements specified in the Order Form. The Fees payable will be calculated by the methods specified in the Order Form.

(b) If the Customer has been granted a Trial by HybridHero, the Customer:

(i) is not required to pay any Fees; and

(ii) will not be issued invoices for the duration of the Trial Period.

(c) During the Initial Term and/or no later than 30 days prior to any Renewal Term, HybridHero may notify the Customer in writing of revisions to the Fees to take effect from the start of the next Renewal Term.

(d) Except as provided for in clause 5.1(b) and unless expressly stated otherwise in the Order Form:

(i) if the Customer did not undertake a Trial, invoices for Up-front Fees and Set-up Fees set out in the Order Form will be invoiced on the Commencement Date and the Customer must pay all such invoices
immediately on receipt;

(ii) if the Customer did undertake a Trial, invoices for Up-front Fees and Set-up Fees set out in the Order Form will be invoiced on the first day of the first Renewal Term immediately following the Trial Period and will not be invoiced for subsequent Renewal Terms and the Customer must pay all such invoices
immediately on receipt;

(e) Except as provided for in clause 5.1(b) and unless expressly stated otherwise in the Order Form, if the Customer is on a Monthly Billing Cycle, invoices for any volume-based and/or other Fees as set out in the Order Form will be submitted monthly in advance and the Customer must pay all such invoices
immediately on receipt.

(f) Except as provided for in clause 5.1(b) and unless expressly stated otherwise in the Order Form, if the Customer is on a Quarterly Billing Cycle, invoices for any volume-based and/or other Fees as set out in the Order Form will be submitted:

(i) quarterly in advance for the Quarterly Billing set out in section 10 of the Order Form; and

(ii) monthly in arrears for the Monthly Adjustment and the Customer must pay all such invoices immediately on receipt.

(g) Except as provided for in clause 5.1(b) and unless expressly stated otherwise in the Order Form, if the billing cycle is annually, invoices for any volumebased and/or other Fees as set out in the Order Form will be submitted

(i) annually in advance for the Annual Billing set out in section 10 of the Order Form; and

(ii) monthly in arrears for the Monthly Adjustment.

(h) and the Customer must pay all such invoices immediately on receipt.

(i) Any portion of the payments not paid by the Customer on or before the date that it is due shall accrue interest at a rate equal to the Bank of England base rate plus 4% per annum, from the date such amount is due until payment is received in full by HybridHero.

(j) The Customer will pay the Fees through one of the payment methods specified in the Order Form, including by electing to authorise us to automatically deduct any Fees payable under clause 5.1(a) from a bank account, credit card or debit card nominated by the Customer on the date such amounts are due
under clauses 5.1(d) – 5.1(h). If you authorise us to make such deductions, we will do so each month until you tell us to stop by removing this as your preferred payment method in accordance with the
notification process in clause 21. You are responsible for ensuring that sufficient funds are available on the relevant due date so that the appropriate deduction can be made. For the avoidance of doubt, if an attempted deduction is unsuccessful, the relevant amount will be considered to be unpaid and clause 5.1(k) will be enlivened if it is not otherwise paid using a different payment method.

(k) If the Customer fails to make payment to HybridHero in respect of any Fees when due under clauses 5.1(d) – 5.1(h), the Customer acknowledges that HybridHero may suspend the provision of
services, including access to the Products, Goods and Services, until such time as payment is made in full as per the invoice.

5.2 VAT

(a) If VAT is payable on a supply made under or in connection with this Agreement, the party providing the consideration for that supply must pay as additional consideration an amount equal to the amount of VAT payable on that supply.

(b) Unless otherwise stated, all amounts referred to in this Agreement, including the Fees, are stated on a VAT exclusive basis.

(c) In providing an invoice, a party shall provide proper tax invoices if VAT is applicable to the Fees.

(d) Terms which have a defined meaning in the Value Added Tax Act 1994 (UK) shall have that meaning in this.

6 Updates

(a) From time to time, HybridHero may introduce Updates to the Products, Goods and Services.

(b) HybridHero will provide the Customer with reasonable prior notice in advance of any Update which would, in the reasonable opinion of HybridHero, have a material detrimental impact on the Products, Goods and Services, unless security, legal, system performance or Third Party Licence considerations or obligations require an expedited Update.

7 Support Services
HybridHero shall provide any Support Services as specified in the Order Form.

8 Intellectual Property Rights

8.1 Ownership

(a) The Customer acknowledges and agrees that HybridHero owns or licenses:

(i) all Intellectual Property Rights in the Products, Goods and Services; and

(ii) any Developed Intellectual Property, and nothing in this Agreement is intended to transfer
ownership of or interest in any Intellectual Property Rights of HybridHero or any third party.

(b) To the extent that the Customer acquires ownership of any Intellectual Property Rights in the Developed Intellectual Property:

(i) the Customer assigns, and shall procure that its Personnel assign, such Intellectual Property Rights to HybridHero;

(ii) the Customer must, upon request by HybridHero, execute (and procure that its Personnel execute) any assignment or other document reasonably required to evidence or perfect HybridHero’s ownership of such Intellectual Property Rights; and

(iii) the Customer must provide all reasonable assistance requested by HybridHero to protect, defend and assert HybridHero’s interests in such Intellectual Property Rights.

(c) the Customer must notify HybridHero immediately if it becomes aware of any:

(i) unauthorised access to or use of the Products, Goods and Services;

(ii) other breach of any of HybridHero’s Intellectual Property Rights; or

(iii) claim by any third party relating to Intellectual Property Rights in the Products, Goods and Services.

(d) HybridHero indemnifies the Customer against any liability (including liability for reasonable legal costs) under an injunction or final judgment against the Customer, based on a claim that its use of the
Products and Services in accordance with this Agreement is an infringement of the Intellectual
Property Rights of any third person (Claim), except to the extent any such infringement is caused by an
act or omission of the Customer, and only if:

(i) the Customer notifies HybridHero immediately after it becomes aware of the Claim;

(ii) HybridHero has sole control over defence of the Claim (even in the Customer’s name) and any negotiations to settle the Claim;

(iii) the Customer allows its name to be used in any proceedings arising out of the Claim; and

(iv) the Customer provides HybridHero all other assistance reasonably requested (and paid for) by HybridHero to defend or settle the Claim.

(e) If a Claim is made, HybridHero may:

(i) procure for the Customer the right to continue using the Products and Services free of the Claim;

(ii) replace or modify the Products and Services to remove any infringing (or allegedly infringing) component; or

(iii) immediately terminate this Agreement and the Customer must immediately cease using the Products and Services.

8.2 Customer Material

(a) The Customer agrees and acknowledges that it is solely responsible for any Customer Material.

(b) While HybridHero will seek to ensure that the Products, Goods and Services are as accurate as
possible, the Customer acknowledges and agrees that:

(i) HybridHero is not responsible for any Customer Material or other information input into the Products, Goods and Services by the Customer and/or its Personnel;

(ii) it must ensure that all Customer Material that is input into the Products, Goods and Services is accurate, complete and up-to-date;

(iii) it has sufficient rights to all Customer Material, to hold the Customer Material and input it to the Products, Goods and Services; and

(iv) it has obtained from all individuals and third parties any required Consents and have provided all required notices with respect to the collection, retention, disclosure and use of the Customer
Material as contemplated for the purposes of this Agreement that are required under applicable laws.

(c) The Customer, in the event that it discovers that any Customer Material input by it into the Products,
Goods and Services is not accurate, complete or upto-date, will promptly notify HybridHero and update the Customer Material.

(d) HybridHero reserves the right to modify, update, edit or delete Customer Material where it deems such Customer Material is a risk to the security, accuracy or integrity of the Products, Goods and Services, and may do so without prior written notice to the Customer, but will use reasonable endeavours to notify the Customer as soon as reasonably practical in the event of such deletion

(e) The Customer must ensure that Customer Material, and its collection, use, processing, disclosure and dissemination via the Products, Goods and Services:

(i) will not infringe any Intellectual Property Rights of any person; and

(ii) complies with all applicable Laws (including Privacy Laws, where applicable).

(f) Notwithstanding any other clause in this Agreement, the Customer agrees that HybridHero will have the right to access, use, adapt, modify, reproduce, reformat, transform, and process Customer Material for the purpose of:

(i) providing the Customer with the Products, Goods and Services;

(ii) internal training; and

(iii) testing, improving and developing new features for the Products, Goods and Services, and grants HybridHero a perpetual, royalty-free, worldwide, transferable, non-exclusive licence to do so, including the right to sub-license.

9 Variation

(a) HybridHero may unilaterally amend these Terms and Conditions from time to time to reflect additions to the Products, Goods and Services offered, changes in market conditions, changes in technology used to provide the Products, Goods and Services under this Agreement, changes in payment methods, changes in relevant laws and regulatory requirements and changes in the capabilities of HybridHero’s system.

(b) HybridHero will provide the Customer with reasonable prior notice of any amendment to these Terms and Conditions in writing. 10 Confidentiality and publicity 10.1 Confidentiality (a) Each party

(i) except as permitted under clause 10.1, must keep confidential all Confidential Information of the other party; and;

(ii) may use Confidential Information of the other party solely for the purposes of exercising its rights and performing its obligations under this Agreement and otherwise for the purposes of this Agreement;

(iii) may only disclose Confidential Information of the other party

(A) to persons which Control, or are Controlled by, the party, and the employees, legal advisors or consultants of such persons, in each case under corresponding obligations of confidence as imposed by this clause and only where such persons, employees, legal advisors or consultants of such persons have a need to know such information in connection with this Agreement;

(B) in enforcing this Agreement or in a proceeding arising out of or in connection with this Agreement; or

(C) to the extent required by Law or pursuant to a binding order of a government agency or court.

(b) HybridHero may disclose Confidential Information of the Customer to the extent necessary in connection with a capital raising, financing, or transfer or divestiture of all or a portion of its business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or part of HybridHero’s business, but will use reasonable efforts to minimise the scope of such disclosure.

10.2 Publicity

(a) Subject to clause 10.2(b) the Customer acknowledges and agrees the parties will not make any public announcement in relation to this Agreement without the prior written approval of the other party.

(b) The Customer acknowledges and agrees that HybridHero may:

(i) disclose to third parties the fact that the Customer has entered into this Agreement with HybridHero, including by way of the use of the Customer’s company logo; and

(ii) use de-identified information about the Customer, in any marketing or other material used by HybridHero, including case studies regarding the Customer’s involvement with HybridHero

(c) The Customer grants to HybridHero a royalty-free, non-exclusive licence to use and display the Customer’s logo on the HybridHero Website or in HybridHero’s marketing materials for the purpose of clause 10.2(b). The licence granted in this clause10.2(c) survives termination of the Agreement for whatever reason.

11 Third Party Content

(a) The Customer acknowledges that the Products, Goods and Services may incorporate Third Party Content including open source software and that HybridHero is not responsible for the accuracy, quality, integrity or reliability of the same.

(b) To the extent permitted by Law (including the Consumer Law, if applicable), HybridHero does not give any representation or warranty as to the reliability, accuracy or completeness of any Third Party Content, including open source software, and HybridHero will have no responsibility or liability to the Customer or any other person arising from or in connection with any error, defect or inaccuracy in any Third Party Content.

12 Operating Environment

(a) The Customer acknowledges that, except to the extent otherwise provided in this Agreement, it is solely responsible for establishing, providing or procuring, maintaining and supporting any Third Party Licences and any operating environment, facilities, equipment and telecommunications and internet connections necessary to use and obtain the benefit of the Products, Goods and Services (Operating Environment).

(b) The Customer must ensure that the Operating Environment has the necessary specifications, features and third party software required to ensure compatibility with relevant parts of the Products, Goods and Services, as may be notified by HybridHero from time to time.

13 Force Majeure

(a) Subject to the requirement to give notice under this clause, if the performance by any party (Affected Party) of all or any of its obligations under this Agreement is prevented or delayed (in whole or in part) due to any Force Majeure Event, this Agreement will continue and remain in effect but the Affected Party will not be in breach of this Agreement for that reason only, and the Affected Party will be granted a reasonable extension of time to complete performance of its affected obligations. This clause 13(a) shall not apply to payment obligations under clause 5.

(b) The Affected Party must promptly, after becoming aware of a Force Majeure Event, give written notice to the other party of the nature of the Force Majeure Event and the way and the extent to which its obligations are prevented or delayed and notify the other party of any material change in these matters and use its reasonable endeavours to limit the effects of the Force Majeure Event, and promptly carry out its obligations as soon as, and to the extent that, it is able to do so.

14 Termination

14.1 Termination

(a) Either party may terminate this Agreement with immediate effect by giving written notice to the other party at any time if:

(i) the other party experiences an Insolvency Event;

(ii) the other party breaches any material provision of this Agreement which is incapable of being remedied, or where the breach is capable of being remedied, fails to remedy the breach within 30 days after receiving written notice from the terminating party requiring it to do so; or

(iii) without limiting clause 14.1(a)(ii), the other party fails to comply with the obligations set out in clause 10 (Confidentiality and Publicity) or the Data Security and Privacy Addendum.

(b) HybridHero may terminate this Agreement:

(i) on 60 days’ written notice to the Customer for any reason;

(ii) immediately by written notice to the Customer in the event of any change (directly or indirectly) in a controlling interest or majority ownership of the Customer; or

(iii) immediately by written notice to the Customer if, subject to an invoice that has been disputed under clause 22, the Customer fails to pay any amount due under this Agreement, and does not pay within 14 days after receiving notice requiring the Customer to do so.

14.2 Consequences of termination

(a) On expiration or termination of this Agreement for any reason, including the expiration of any Trial Period, the Customer must immediately:

(i) stop using the Products, Goods and Services, and ensure that all of the Customer’s Personnel stop using the Products, Goods and Services;

(ii) return to HybridHero (or, at HybridHero’s direction, destroy) all copies of the HybridHero Documentation and any of HybridHero’s Confidential Information in the Customer’s possession or control;

(iii) return to HybridHero, at the Customer’s cost, all Goods in a useable condition or otherwise HybridHero may charge the Replacement Fee for any unreturned Goods or for Goods returned in an unusable condition; and

(iv) allow HybridHero or HybridHero’s nominee to access the Customer’s premises and systems to enable HybridHero to de-install and remove relevant parts of the Products, Goods and Services (if applicable).

(b) If HybridHero terminates this Agreement under clause 14.1(a)(ii) the Customer will pay HybridHero any unpaid Fees covering the remainder of the Term.

(c) If the Customer terminates this Agreement under clause 14.1(a)(ii) HybridHero will refund the Customer any pre-paid Fees covering the remainder of the Term after the date of termination on a prorata basis.

(d) Termination of this Agreement shall not relieve the parties of any accrued liability (including with respect to outstanding or accrued Fees).

15 Warranties

(a) The Customer warrants that:

(i) it has the authority to enter into and perform its obligations under this Agreement and that this Agreement has been duly executed and is a legal, valid and binding Agreement;

(ii) it will act in good faith towards HybridHero and any of HybridHero’s authorised representatives and provide such assistance and co-operation as is practicable on request by HybridHero; and

(iii) it will comply at all times with applicable Laws and regulations, and all reasonable directions HybridHero gives.

(b) The Customer will be solely responsible for any representations, warranties or guarantees made or published concerning the Products, Goods and Services by the Customer to the extent that such representations, warranties or guarantees are inconsistent with any warranties in this Agreement.

(c) HybridHero warrants that:

(i) it has the authority to enter into and perform its obligations under this Agreement and that this Agreement is a legal, valid and binding Agreement;

(ii) it has all rights necessary to grant access to the Products, Goods and Services;

(iii) it will comply at all times with applicable Laws; and

(iv) it will not do anything or make any statement that could be reasonably expected to harm the reputation of the Customer.

16 Disclaimer

(a) The Customer acknowledges and agrees that, to the extent permitted by Law (including the Consumer Law if applicable), the Products, Goods and Services are made available “as is” and HybridHero makes no representation, warranty or guarantee:

(i) as to the reliability, timeliness, quality, suitability, truth, availability, accuracy or completeness of any content contained in or generated by the Products, Goods and Services;

(ii) that the use of the Products, Goods and Services will be secure, timely, uninterrupted or error-free; (iii) that the Products, Goods and Services will operate in combination with any other hardware, software, platform, or Customer Material;

(iv) that the Products, Goods and Services will meet the Customer’s requirements or expectations;

(v) that any stored Customer Material will be accurate or reliable or that any stored Customer Material will not be lost or corrupted;

(vi) errors or defects will be corrected;

(vii) that the Products, Goods and Services, and information extracted from them, will be accurate, free from defects, bugs, errors or omissions, or that any Customer Material input into the Products, Goods and Services will not be lost or corrupted; or

(viii) in relation to non-infringement, title, fitness for a particular purpose, functionality, availability or merchantability.

(b) Without limiting any other provision of this Agreement, to the extent permitted by Law (including the Consumer Law if applicable), HybridHero does not make any representation, warranty or guarantee:

(i) that servers used to make a hosted component of the Products, Goods and Services available are free of viruses or other harmful components; or

(ii) in respect of the availability or uptime of any hosted component of the Products, Goods and Services due to scheduled or unexpected maintenance, system downtime or outages or other interruptions.

(c) HybridHero shall not be liable for delays, interruptions, service failures and other problems inherent in use of the internet and electronic communications or other platforms outside the reasonable control of HybridHero, including third party hosting providers.

(d) HybridHero disclaims all liability in respect of the results of any verification of identity performed using the Products, Goods and Services, including to the extent that such verification relies on the accuracy or completeness of any Customer Material.

17 Indemnities

Without limiting any other indemnities given by the Customer under this Agreement, the Customer shall defend, hold harmless and indemnify HybridHero and its Affiliates and Personnel (the HybridHero Indemnified Parties) from and against any Loss suffered or incurred by the HybridHero Indemnified Parties arising out of or in connection with:

(a) any breach by the Customer of clauses 3(a) (Licence), 4 (Use of the Products, Goods and Services), 8 (Intellectual Property Rights), 10 (Confidentiality and Publicity) or the Data Security and Privacy Addendum;

(b) the performance, or failure to perform, of the Products, Goods and Services associated with any deficiency or inadequacy of the Customer’s Operating Environment;

(c) any Customer Material (including Personal Data used or disclosed by the Customer, including any claim by any person that Customer Material infringes any Intellectual Property Right or other right (including privacy rights) of such person or any third party;

(d) the use of the Products, Goods and Services by the Customer and its Personnel;

(e) any fraud, wilful misconduct or negligence by the Customer or its Personnel; or

(f) any loss or damage to property arising out of or otherwise in connection with any wrongful act or omission of the Customer.

18 Limitation of Liability

(a) To the extent permitted by Law, (including the Consumer Law if applicable), and subject to clause 18(c), no liability is accepted in relation to a Trial of the Products, Goods and Services and in no event will the aggregate liability of HybridHero for any Loss, direct or otherwise, exceed an amount either that is equivalent to the Fees paid by the Customer to HybridHero in the Contract Year in which the event giving rise to the liability occurred, regardless of the cause or form of action. For the avoidance of doubt, the limitation of liability under this clause 18(a) is cumulative and not per incident and applies to the indemnity provided in clause 8.1(d).

(b) To the extent permitted by Law, (including the Consumer Law if applicable), under no circumstances will either party be liable for any Consequential Loss, except to the extent arising from a breach by the Customer of its obligations under clauses 8, 10 and the Data Security and Privacy Addendum.

(c) Clause 18(a) does not apply to, and shall not limit, any party’s liability:

(i) for death or personal injury caused by that party or its Personnel;

(ii) for fraud (including fraudulent misrepresentation); or

(iii) under any indemnity given in this Agreement, except for in clause 8.1(d).

19 Assignment

The Customer must not sub-license, assign or novate, directly or indirectly, or attempt to sub-licence, assign or novate, any of its rights or obligations under this Agreement without the prior written consent of HybridHero. HybridHero may assign or subcontract all or part of this Agreement to any other party.

20 Survival

Without limiting any other provision of this Agreement, clauses 5 (Fees, payment and VAT), 8 (Intellectual Property Rights), 10 (Confidentiality and publicity) and 18 (Limitation of liability), and the Data Security and Privacy Addendum and any other clauses which should by their nature survive termination of this Agreement, survive termination or expiry of this Agreement for any reason.

21 Notices

(a) Subject to clause 21(b), a party giving notice or notifying under this Agreement must do so in English and in writing:

(i) in the case of HybridHero, addressed to the CEO at 4 Prince Albert Road, London NW1 7SN or, in the case of the Customer, to the person and address supplied in the Order Form or as altered by any notice; and

(ii) hand delivered or sent by prepaid post to that address.

(b) For the purposes of service messages and notices about the Products, Goods and Services, including notices under clause 6, notice may consist of:

(i) an email from HybridHero to an email address associated with the Customer’s account; or

(ii) A pop-up notification to the Administrator Account in the HybridHero App,

even if HybridHero has other contact information. The Customer acknowledges and agrees that HybridHero shall have no liability associated with or arising from the Customer’s failure to maintain accurate contact or other information, including, but not limited to, the Customer’s failure to receive critical information about the Products, Goods and Services.

(c) A notice given in accordance with this clause is taken to be received:

(i) if hand delivered, on delivery;

(ii) if sent by prepaid post, three (3) days after the date of posting;

(iii) if sent by email under clause 21(b), at the time of sending the email.

22 Dispute resolution

(a) If a dispute arises out of or in relation to this Agreement, either party may notify the other in writing in which case a nominated representative of each affected party must promptly attempt in good faith to resolve the dispute. In the event that the parties are unable to resolve the dispute within 60 days of the written notification referred to in this clause, each party must promptly refer the dispute for resolution to one of the Managing Director, Chief Executive or Chief Operating Officer (Senior Executive) of that party.

(b) If the parties are unable to resolve the dispute within 14 days following referral to the Senior Executive of the relevant parties, then the parties must seek to mutually appoint an arbitrator. If the parties cannot agree on a single arbitrator, then there shall be three arbitrators: one selected by each party, and a third selected by the first two. Arbitration will take place in London (UK) unless all three arbitrators mutually agree on an alternative city. The arbitration rules will be the London Court of International Arbitration Rules.

(c) Nothing in this clause 22, shall prevent a party from seeking urgent injunctive relief before an appropriate court with respect to a violation of Intellectual Property Rights, confidentiality obligations or enforcement or recognition of any award or order in any appropriate jurisdiction.

23 General

(a) Each party agrees to do all things and execute all deeds, instruments, transfers or other documents as may be necessary or desirable to give full effect to the provisions of this Agreement.

(b) This Agreement contains the entire agreement between the parties with respect to its subject matter. Neither of the parties has relied on or is relying on any other representation in entering into this Agreement.

(c) Except where expressly stated otherwise, any express statement of a right of a party under this Agreement is without prejudice to any other rights of that party expressly stated in this Agreement or existing at Law.

(d) Nothing in this Agreement gives a party any right to bind the other party in contract or otherwise at Law, or hold itself out as a representative of the other party.

(e) Each party must take all steps as may be reasonably required by the other party to give effect to the Terms and Conditions of this Agreement and transactions contemplated by this Agreement.

(f) Subject to clause 9, this Agreement may be amended only by another written agreement executed by all the parties.

(g) The Customer will be fully responsible to HybridHero for any Loss suffered by HybridHero or its Personnel arising from or in connection with the acts or omissions of its sub-contractors, contractors, assigns and all their employees, as if they were the acts and omissions of the Customer.

(h) No failure to exercise or delay in exercising any right, power or remedy under this Agreement operates as a waiver. A single or partial exercise or waiver of the exercise of any right, power or remedy does not preclude any other or further exercise of that or any other right, power or remedy. A waiver is not valid or binding on the party granting that waiver unless made in writing.

(i) The rights, powers and remedies provided to a party in this Agreement are in addition to, and do not exclude or limit, any right, power or remedy provided by law or equity or any agreement.

(j) Any provision of this Agreement which is prohibited or unenforceable in any jurisdiction is ineffective as to that jurisdiction to the extent of the prohibition or unenforceability. That does not invalidate the remaining provisions of this Agreement nor affect the validity or enforceability of that provision in any other jurisdiction.

(k) Each party must bear its own costs arising out of the negotiation, preparation and Execution of this Agreement.

(l) This Agreement and, to the extent permitted by law, all related matters including non-contractual matters, is governed by the Laws of England and Wales. In relation to such matters, each party irrevocably accepts the non-exclusive jurisdiction of courts with jurisdiction there and waives any right to object to the venue on any ground.

(m) This Agreement may be Executed in any number of counterparts and by electronic means. All counterparts will be taken to constitute one agreement.

24 Third Party Beneficiaries

(a) Aside from Affiliates of HybridHero, there are no third-party beneficiaries under this Agreement. 25 Definitions and interpretation

25.1 Definitions

The following definitions apply unless the context requires otherwise.

Administrator Account means the account of the Customer’s chosen administrator, who is given oversight of the Customer’s platform and users.

Affiliate means an entity that has the ability either directly or indirectly to Control another entity, via ownership of more than fifty percent of the voting rights, or an entity that holds more than a fifty percent interest in a joint venture over which either party’s Control over the joint venture is set out in writing, for as long as such Control exists.

Annual Billing Cycle means where invoicing on an annual basis has been selected in the Order Form. Authorised Purpose means the Customer’s use of the Products, Goods and Services for the purpose of recording Personnel Data and using this Data:

• to determine office real estate needs;

• to allow booking of and/or checking in to available desks, office space and meeting rooms;

• to provide detailed management information around HybridHero processes, associated costs and employee activities including well-being;

• to locate and/or to check in to available desks using the Goods;

• for any other purpose set out in a schedule to this Agreement or in an attachment to the Order Form; or

• as the ordinary use of any additional features would permit provided as Updates to the Software by HybridHero from time to time.

Business Day means a day that is not a Saturday, Sunday or public holiday in the place of incorporation of HybridHero.

Commencement Date means the commencement date specified in the Order Form.

Confidential Information means all information of a confidential or proprietary nature, in any form whether tangible or not, disclosed or communicated by a party to the other, or learnt or accessed by, or to which the other party is exposed as a result of entering into this Agreement. Specifically, HybridHero’s Confidential Information includes the design, specification and content of the Products, Goods and Services, including its source code, HybridHero’s Personnel information, operational and other policies, project documentation, proposals, or other development documentation including any specifications, or business strategies, and the Terms and Conditions of this Agreement, including the Fees and information relating to HybridHero’s pricing and all reports generated by HybridHero. Confidential Information does not include information which:

(a) becomes public knowledge during this Agreement;

(b) is already known to the other party;

(c) is received by the other party from a third party not under a duty of confidence; or

(d) is independently developed by the other party in circumstances where there was no breach of any obligation of confidence.

Consent means any licences, clearances, permissions, authorisations, waivers, approvals or consents. Consequential Loss means any indirect or consequential loss (not being loss which arises naturally as a result of a breach of this Agreement or other event the subject of the relevant claim), including loss of profits, loss of income or revenue, loss of Data, loss of or damage to reputation, loss of or damage to goodwill, loss of business opportunities (including opportunities to enter into or complete arrangements with third parties), loss of management time, damage to credit rating, or loss of business.

Consumer Law means the Consumer Protection Act 1987 (UK) as amended and replaced from time to time, as applicable.

Contract Year means a 12 month period commencing on the Effective Date or any anniversary of the Effective Date.

Control means, with respect to any entity, the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entities, whether through ownership of voting securities, as trustee or executor, as general partner or managing member, by contract or otherwise.

Customer Material means any and all Data or other material input, entered into or added or uploaded to the Products, Goods and Services, or otherwise provided or made available to HybridHero, by, on behalf of, or at the request of, the Customer or its Personnel.

Data means any data, information or Personal Data accessible to HybridHero (or any third parties who have access to such Data through HybridHero) under or in connection with this Agreement and which relates in any way to the Customer or its related entities (including their operatives, suppliers, customers and Personnel).

DPA means the Data Protection Act 2018 (UK).

Developed Intellectual Property means any Intellectual Property Rights arising from any work done by or for HybridHero on behalf of the Customer in connection with the Products, Goods and Services, including the development of any portals used by the Customer to access the Products, Goods and Services and any feedback (including suggestions, ideas, information, comments, process descriptions or other information) provided by the Customer to HybridHero.

Effective Date means the start date of this Agreement, or if no such date is set out, the date of HybridHero’s first invoice to the Customer.

End User Licence Agreement means the end user terms and conditions of use for the particular Products, Goods and Services available on the HybridHero Website and HybridHero App, which end users must accept as part of the registration process for a HybridHero Account.

Execution means either:

(a) when the Customer indicates their acceptance of the Agreement, and any amendment to the Agreement, by checking the tick-box in an Order Form and any Supplementary Order Form, issued by HybridHero; or

(b) when the parties digitally sign the Agreement, and any amendment to the Agreement (including by Supplementary Order Form), in accordance with the process administered by a third party provider such as DocuSign.

Fees means the fees and expenses set out in the Order Form.

Force Majeure Event affecting a party means a circumstance beyond the reasonable control of that party causing that party to be unable to observe or perform on time an obligation under this Agreement, including acts of God, lightning strikes, earthquakes, floods, storms, explosions, fires and any natural disaster, acts of public enemies, terrorism, riots, civil commotion, malicious damage, sabotage, revolution and acts of war and war, general strikes (other than of its own staff), embargo, or power, water and other utility shortage.

GDPR means the General Data Protection Regulation (EU) 2016/679.

Goods means the goods specified in the Order Form and described on the HybridHero Website (as updated from time to time) including the Bluetooth sensors, which can be mounted either on the wall, ceiling or underneath/on top of desks in order to facilitate the following functions:

(a) automatic check-in based on previously booked desks;

(b) automatic check-in based on time spent near a free desk;

(c) way-finding to available desks in the Customer’s premises (future capability to be announced when available).

Government Agency means any government or any governmental, semi-governmental or judicial entity or authority. It also includes any self-regulatory organisation established under statute or any stock exchange.

HybridHero Account means the account for each end user to enable use of the Products, Goods and Services which is activated following registration and acceptance of the End User Licence Agreement. HybridHero App / App means the application downloaded by end users to a mobile device. HybridHero Documentation means the API documentation, sample code, reference manual, user instructions, technical literature and all other related materials supplied to the Customer in any format by HybridHero for aiding the installation, use and application of the Products, Goods and Services (including the Software), and will include all revised documentation supplied as part of an Update

HybridHero Website / Website means

https://app.hybridhero.com/

Initial Term means the initial term set out in the Order Form, such period commencing on and from the Commencement Date and which may be preceded by a Trial Period if a Trial Period is specified in the Order Form. An Insolvency Event occurs in respect of a person where:

(a) a party ceases, suspends or threatens to cease or suspend the conduct of all or a substantial part of its business or disposes of or threatens to dispose of a substantial part of its assets;

(b) a party becomes unable to pay its debts when they fall due, or stops or suspends or threatens to stop or suspend payment of all or a class of its debts;

(c) a party becomes or is (including under legislation) deemed or presumed to be insolvent;

(d) a party has a receiver, manager, administrator, administrative receiver or similar officer appointed in respect of it or the whole or any part of its assets or business;

(e) any composition or arrangement is made with any one or more classes of its creditors;

(f) except for the purpose of solvent amalgamation or reconstruction, an order, application or resolution is made, proposed or passed for its winding up, dissolution, administration or liquidation;

(g) a party enters into liquidation whether compulsorily or voluntarily; or

(h) any analogous or comparable event takes place in any jurisdiction.

Intellectual Property Rights means all industrial and intellectual property rights of any kind including but not limited to copyrights (including rights in computer software object code and source code), trade marks, service marks, business names, trade names, rights in trade names, domain names, rights in domain names and URLs, company names, product names, logos or get-up, designs, design rights, database rights, patents, rights in inventions, Know-how and other proprietary rights, format rights, trade secrets, semi-conductor or circuit layout rights, rights in Confidential Information, and all rights or forms of protection of a similar nature or having equivalent or similar effect to any of these (whether or not any of these are registered and including any application, or right to apply, for registration), which may subsist anywhere in the world, existing now or in the future, and all derivations, modifications, improvements and enhancements to these intellectual property rights, but excludes moral rights, and similar personal rights where these are non-assignable.

Jurisdictions means the United Kingdom, any member state of the European Union and Australia.

Know-how means non-trivial industrial and commercial information and techniques, in each case, in any form and not in the public domain.

Law means all applicable laws including rules of common law, principles of equity, statutes, regulations, proclamations, ordinances, by laws, rules, regulatory principles, requirements and determinations, mandatory codes of conduct and standards, writs, orders, injunctions and judgments. Loss means any claim, loss, damage, liability, cost, charge or expense (including legal expenses on a full indemnity basis), however arising, and whether present or future, fixed or unascertained, actual or contingent. For the avoidance of doubt, Loss does not include payment of Fees.

Minimum User Number means the minimum number of invoiced monthly users as stated in clause 9 of the Order Form.

Monthly Adjustment means the adjustment amount based on the monthly fee per user set out in the Order Form where the actual monthly users exceeds the Minimum User Number.

Monthly Billing Cycle means where invoicing on a monthly basis has been selected in the Order Form.

Operating Environment has the meaning given to that term set out in clause 12.

Order Form has the meaning given to that term set out in clause 1(a)(i), as amended by any and all Supplementary Order Forms. All references to Order Form include Supplementary Order Forms unless stated otherwise.

Personal Data has the same meaning as given to that term in the DPA and the GDPR.

Personnel means, in respect of a person, any officer, employee, contractor, servant, agent, or other person under the Customer’s direct or indirect control and includes any subcontractors, who may also be end users of the Products, Goods and Services.

Privacy Laws means the DPA and all other laws, rules and regulations in the United Kingdom which relate to the privacy, protection, use or disclosure of Personal Data and any guidelines, orders, directives or codes of conduct issued by any Government Agency under or in respect of such laws, rules or regulations, as amended from time to time.

Products, Goods and Services means the products, goods and services specified in the Order Form and described on the HybridHero Website (as updated from time to time), including any Software, Support Services, any associated HybridHero Documentation or Updates (as applicable), and any additional material or services the parties have agreed that HybridHero will supply to the Customer in accordance with the Schedules of this Agreement.

Quarterly Billing Cycle means where invoicing on a quarterly basis has been selected in the Order Form.

Renewal Term means, unless otherwise stated in the Order Form or Supplementary Order Forms, a period of 12 months commencing at the end of the Initial Term or the current Renewal Term, which shall automatically renew for further periods of 12 months.

Replacement Fee means the fee charged to the Customer where Goods are not returned as required or returned in an unusable condition, as set out in the Order Form.

Set-up Fees mean the Fees specified as such in the Order Form.

Software means the software, licensed or otherwise, provided to the Customer by HybridHero in accordance with this Agreement, and includes all software supplied as part of an Update. Supplementary Order Form(s) has the meaning set out in clause 1(a)(ii), being the instrument to effect all amendments to the Order Form including any changes to licences, Fees, modification, reduction or cancellation of Products, Goods and Services or addition of new services.

Support Services means the support services provided by HybridHero as specified in the Order Form (if applicable).

Term means the period from the Commencement Date until the end of the Trial Period, the Initial Term or any applicable Renewal Term in accordance with clause 2.

Third Party Content means any information, data or other content that HybridHero sources and/or supplies from any third party for use in connection with the Products, Goods and Services.

Third Party Licence means any licence, registration or other authorisation that is required by the Customer to enable the Customer to properly access and use the Products, Goods and Services, including any licence, registration or other authorisation as notified by HybridHero to the Customer. Trial means use of the Products, Goods and Services specified in the Order Form without charge for the Trial Period, in accordance with this Agreement.

Trial Period means the period of the Trial, being 90 days or such other period as set out in the Order Form.

Update means any update, upgrade or modification to the Software from time to time, but does not include new versions of the Software, and accompanying revisions to the HybridHero Documentation, as determined in the absolute discretion of HybridHero.

Upfront Fees mean the Fees specified as such in the Order Form.

25.2 Interpretation

Headings are for convenience only and do not affect interpretation. The following rules apply unless the context requires otherwise.

(a) the singular includes the plural and conversely;

(b) where a word or phrase is defined, its other grammatical forms have a corresponding meaning;

(c) a reference to a person includes any body corporate, unincorporated body or other entity and conversely;

(d) a reference to a clause is to a clause of these Terms and Conditions;

(e) a reference to any party to this Agreement or any other agreement or document includes the party’s successors and permitted assigns;

(f) a reference to any agreement or document (including a reference to this Agreement) is to that agreement or document as amended, notated, supplemented, varied or replaced from time to time, where applicable, in accordance with this Agreement or that other agreement or document;

(g) a reference to any legislation or to any provision of any legislation includes any modification or reenactment of it, any legislative provision substituted for it and all regulations and statutory instruments issued under it;

(h) a reference to conduct includes any omissions, statement or undertaking, whether or not in writing; (i) mentioning anything after includes, including, for example, or similar expressions, does not limit what else might be included; and

(j) all references to £ are to Great British Pounds, unless another currency is specified in the Order Form.

HybridHero Data Security and Privacy Addendum (DPA and GDPR)

This Data Security and Privacy Addendum (Addendum) is supplementary to and forms part of the HybridHero SAAS Terms and Conditions (Agreement), including as amended from time to time.

By signing the Agreement or otherwise accepting the SAAS Terms and Conditions by Executing the Order Form (including any Supplementary Order Forms) or using or accessing the Products, Goods and Services, the Customer enters into this Addendum on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorised Affiliates, if and to the extent HybridHero processes Personal Data for which such Authorised Affiliates qualify as the Customer. For the purposes of this Addendum only, and except where indicated otherwise, the term “Customer” shall include the Customer and Authorised Affiliates. All capitalised terms that are undefined shall have the meaning set forth in the Agreement.

In the course of providing the Product and Services to the Customer pursuant to the Agreement, HybridHero may process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1 Application of this Addendum This Addendum:

(a) applies in addition to the Agreement; and

(b) despite anything to the contrary in the Agreement, overrides and prevails over the terms of the Agreement to the extent of any inconsistency.

2 Definitions

Unless the context otherwise requires, capitalised words in this Addendum have the same meaning as in the Agreement. In addition, the following definitions apply in this Addendum unless the context requires otherwise.

Applicable Data Protection Laws means the DPA, the GDPR and all other applicable Laws, rules and regulations that the Controller is subject to within the United Kingdom and the European Union and, to the extent applicable, the laws of any other country, that relate to the privacy, protection, use or disclosure of Personal Data, provided that to the extent of any inconsistency, the DPA shall prevail. Attachment means the Attachment to this Addendum.

Auditor is any person which the Controller nominates in writing from time to time.

Authorised Affiliate means any of the Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, and/or the United Kingdom, and (b) is permitted to use the Products, Goods and Services pursuant to the Agreement between Customer and HybridHero, but has not signed or Executed its own Order Form with HybridHero and is not a “Customer” as defined under the Agreement.

Controller has the meaning given to that term in the DPA and the GDPR.

Data Subject has the meaning given to that term in the DPA and the GDPR.

Personal Data Breach has the same meaning as given to that term in the DPA and the GDPR.

Processing has the same meaning as given to that term in the DPA and the GDPR.

Processor has the meaning given to that term in the DPA and the GDPR.

Relevant Data means any Personal Data that is received by, accessible by or made available to the Processor by or from the Controller (whether directly or indirectly) under or in connection with the Agreement and/or the Products, Goods and Services.

Standard Contractual Clauses means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.

Sub-processor means any person (including any third party) appointed by or on behalf of Processor to process Relevant Data on behalf of the Controller in connection with the Agreement.

Supervisory Authority means the UK Information Commissioner.

3 Role of the Parties The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, HybridHero is the Processor and that HybridHero may engage Sub-processors under the procedure in clause 9 of this Addendum.

4 Mutual Privacy Obligations Without limiting any other provision of this Agreement, each party agrees in respect of any Personal Data it receives or has access to in connection with this Agreement:

(a) to comply at all times with all Applicable Data Protection Laws in respect of all Relevant Data;

(b) to collect, use and disclose Personal Data only for the purpose for which it was disclosed to that party;

(c) to provide reasonable cooperation to the other party to resolve any complaint alleging a breach of the Applicable Data Protection Laws or by a third party seeking access to Personal Data in accordance with Applicable Data Protection Laws.

5 Processing of the Relevant Data

(a) HybridHero must:

(i) process Relevant Data only as is necessary for the purposes of delivering or performing the Products, Goods and Services under the Agreement and only:

(A) in accordance with the terms contained in the Attachment to this Addendum (which may be amended by the Customer by notice in writing from time to time); or

(B) as otherwise instructed by the Customer in writing, unless HybridHero is required to do otherwise by any Law to which HybridHero is subject, in which case HybridHero must notify the Customer prior to undertaking such Processing (unless the making of such a notification is prohibited by applicable Law);

(ii) immediately inform the Customer, in writing, if HybridHero considers that any written instructions in accordance with clause 5(a)(i) of this Addendum are or would be inconsistent with Applicable Data Protection Laws; and

(iii) except as provided in clause 5(b) of this Addendum, provide the Customer with prior written notice if it intends to hold or transfer the Relevant Data outside the United Kingdom and the European Union. For the avoidance of doubt, such notification should include the transfer mechanism that will be relied upon as a basis on which such a transfer would be permitted under the DPA and the GDPR.

(b) Despite anything in this Addendum to the contrary, the parties agree that HybridHero is not required to provide prior written notice of a transfer of the Relevant Data to its cloud service provider and other Sub-processors.

(c) Except as required by applicable Law, HybridHero must:

(i) not use Relevant Data for any purpose other than directly in relation to the performance of its obligations under the Agreement;

(ii) not, and must ensure that its Personnel will not, sell, commercially exploit, let for hire, assign rights in or otherwise dispose of any Relevant Data; and

(iii) not make any Relevant Data available to a third party other than an approved Subprocessor and then only to the extent necessary to enable the approved Sub-processor to perform its part of HybridHero’ obligations under this Addendum and the Agreement.

6 Data Accuracy

The Customer must assume responsibility for the accuracy quality and legality of the Relevant Data and the means by which the Customer acquired the Relevant Data.

7 Data Security

(a) HybridHero must establish and maintain appropriate technical and organisational safeguards against the misuse, interference, destruction, loss or unauthorised access or disclosure or modification of the Relevant Data in the possession or control of HybridHero that:

(i) are consistent with and no less rigorous than those maintained by organisations similar to HybridHero engaged in security ‘best practice’ to secure that data (including, but not limited to, a high level of IT security, physical security, and Personnel security); and

(ii) comply with all Applicable Data Protection Laws and any procedures notified from time to time to HybridHero by the Customer concerning the Customer’s data security requirements.

(b) HybridHero shall notify the Customer without undue delay should it become aware of a security breach affecting Personal Data.

8 Deletion or return of the Relevant Data

Promptly after the termination or expiry of the Agreement HybridHero must, at the election of the Customer:

(a) return all the Relevant Data to the Customer;

(b) destroy all the Relevant Data, in a manner agreed to by the Customer; and/or

(c) de-identify all the Relevant Data, in a manner agreed to by the Customer, unless a Law binding on HybridHero prevents HybridHero from doing so as requested, in which case HybridHero agrees that it will continue to observe the terms of this Addendum for as long as it is required to retain the Relevant Data and, once HybridHero is no longer required to retain the Relevant Data, HybridHero will perform the action originally requested by the Customer under this clause.

9 Sub-processors

(a) The Customer provides a general authorisation to HybridHero to engage further Processors to process Personal Data. HybridHero shall provide the Customer with a list of those Processors on request. HybridHero shall give the Customer prior notice of any intended addition to or a replacement of those further Processors so that the Customer may raise any objections that it may have within 10 Business Days of receiving the prior notice; and

(b) HybridHero

(i) is not relieved of any of its liabilities or obligations under this Addendum and remains liable to the Customer for the acts, defaults and neglect of any Sub-processor or any Personnel of the Sub-processor as if they were the acts, defaults or neglect of HybridHero; and

(ii) is responsible for the performance of each Sub-processor and ensuring the suitability for each Sub-processor for the Processing to be performed by that Sub-processor.

10 Rights of Data Subjects

HybridHero must:

(a) implement appropriate technical and organisational measures in order to assist the Customer to comply with the Customer’s obligation to respond to requests to exercise Data Subject Rights under any Applicable Data Protection Laws in respect of the Relevant Data (Data Subject Request);

(b) promptly notify the Customer if HybridHero receives a Data Subject Request;

(c) assist the Customer to meet its obligation to respond to a Data Subject Request under Applicable Data Protection Laws

(d) provide the individual with access to any record of the Relevant Data following a request from an individual where a response is required to be made by HybridHero under Applicable Data Protection Laws. If the Customer, in its use of services, does not have the ability to address a Data Subject Request:

(e) HybridHero must, upon the Customer’s request, provide commercially reasonable efforts to assist the Customer in responding to such Data Subject Request; and

(f) the Customer will be responsible for any costs arising from HybridHero’ provision of such assistance.

11 Personal Data Breach

(a) If HybridHero becomes aware, or believes or suspects, that a Personal Data Breach has or may have occurred in relation to any Relevant Data, HybridHero must:

(i) immediately notify the Customer in writing and provide the Customer with all known details relating to that actual or suspected Personal Data Breach;

(ii) cooperate and comply with all reasonable directions of the Customer in relation to that actual or suspected Personal Data Breach;

(iii) promptly take all reasonable steps to rectify or remedy that actual or suspected Personal Data Breach where possible; and

(iv) cooperate with the Customer in:

(A) the resolution of any complaint alleging a breach of the Applicable Data Protection Laws regarding the Relevant Data;

(B) assisting the Customer to meet their obligation under clause 11(b) of this Addendum to notify the occurrence of the Personal Data Breach that affects or relates to Relevant Data to the Supervisory Authority and to affected Data Subjects, but only where the Customer determines that such a notification would be required by Applicable Data Protection Laws; and

(C) any investigation by the Customer or the Supervisory Authority or other competent data privacy authorities relating to the Personal Data Breach that affects or relates to Relevant Data.

(b) If the Customer determines that notification of the Personal Data Breach would be required by Applicable Data Protection Laws, the Customer will prepare a proposed statement in accordance with Applicable Data Protection Laws, obtain HybridHero’ written approval to that statement and the method of notification for issuing such statement to affected Data Subjects and the Supervisory Authority, and, when such written approval is received, issue the statement to affected individuals and the Supervisory Authority on behalf of itself and HybridHero.

12 Data Protection Impact Assessments

HybridHero will provide the Customer with reasonable assistance (including providing any reasonably necessary data or information) in relation to the Customer:

(a) undertaking any data protection impact assessments that the Customer reasonably considers would be necessary under or required by any Applicable Data Protection Law; and

(b) engaging in any required consultations with the Supervisory Authority or other competent data privacy authorities that the Customer reasonably considers to be required of the Customer under Applicable Data Protection Laws.

Attachment to Addendum

STANDARD CONTRACTUAL CLAUSES

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e); page 20

(iii) Clause 9(a), (c), (d) and (e);

(iv) Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18(a) and (b);

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1 Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4 Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5 Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(a) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(b) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(c) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(d) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9 Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a) The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least 1 month prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation.

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy. page 24

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its subprocessor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a) The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent
supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public page 26 authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred page 27 pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.\

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until page 28 compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of United Kingdom.

ANNEX I

This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.

A. Description of Transfer

(a) Categories of data subjects whose personal data is transferred

Any officer, employee, contractor, servant, agent, or other person under the Customer’s direct or indirect control and includes any subcontractors, who may also be end users of the Products, Goods and Services.

(b) Categories of personal data transferred

Data including but not limited to an individual’s name, birthdate, mobile phone number, office locations, employee or staff number, corporate title, work locations, email address, hours of utilisation, survey data, working hours, desk utilisation and absenteeism including vacations (statutory or otherwise), sickness, vaccinations and other sensitive information.

(c) Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive data is stored in a dedicated database for each Customer. Access to the database is restricted by role with each role having access limitations. The firewall is enabled on the database server with IP whitelisting to allow only authorised persons to access the sensitive data.

(d) The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). The data is transferred on a continuous basis.

(e) Nature of the processing Collecting data including personal information and ordering the data for the purposes of identifying and allocating office seating and other related information.

(f) Purpose(s) of the data transfer and further processing For identifying and allocating office seating and any sensitive and other related information.

(g) The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The data will be retained until the earlier of: (i) written notice from the Customer requesting deletion of any personal data; or (ii) termination of the Agreement. page 30

(h) For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

▪ Our cloud provider, Microsoft Azure

▪ Brickendon Consulting Limited

▪ Brickendon Consulting (Poland) Sp. z o. o.

▪ Brickendon Consulting (India) Private Limited

▪ Dreamguy’s Technologies Pvt. Ltd

▪ Geveo Australasia (pvt) Ltd

▪ HybridHero Pty Ltd

▪ InfySEC Solutions Private Limited

▪ Sandhata Technologies Limited

▪ Dreamguy’s Technologies Pvt. Ltd

B. Competent Supervisory Authority

European Data Protection Supervisor.

ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures of pseudonymisation and encryption of personal data

All data is encrypted in transit and rest. (HHTPS -TLS1.2)

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Availability checks on the Services runs periodically. Disaster recovery processes are in place to recover any partial or total failure of the Services. The data is continuously backed-up to a secondary location.


Sensitive data is stored in a dedicated database for each Customer. Access to the database is restricted by role with each role having access limitations. The firewall is enabled on the database server with IP whitelisting to allow only authorised persons to access the sensitive data.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Disaster recovery processes are in place to recover any partial or total failure of the Services. The data is continuously backed-up to a secondary location.

Measures for user identification and authorisation

For authorisation there is the option of our standard password base authentication or Single Sign On (SSO) with an identity provider (IdP) of your choice.

Measures for the protection of data during transmission

HTTP is strictly used for front-end and backend communication and HTTPS and TLS 1.2 is used to communicate between backend components.

Measures for the protection of data during storage

Data is stored in Azure SQL Databases which are encrypted at rest.

https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview#transparent-dataencryption-encryption-at-rest

Measures for ensuring events logging

Event logs have been set up for the key events relating to the provision of the Services by utilising the event logs that are available within Microsoft Azure.

Measures for ensuring system configuration, including default configuration

HybridHero is a multi-tenant client facing application. Services/components are configured globally. There are certain features which can be configured, turn on/off by request basis. Also an admin role user can configure business features using the built-in admin functionalities.

Measures for ensuring data minimisation

Only the data fields that are required for the performance of the Services are mandatory. All other fields are optional, and the Customer and/or end user can choose which of these fields they wish to populate.

Measures for ensuring limited data retention, data portability and ensuring erasure

The data will be retained until the the earlier of: (i) written notice from the Customer requesting deletion of any personal data; or (ii) termination of the Agreement.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Access to the database for sub-processors is restricted by role with each role having access limitations. The firewall is enabled on the database server with IP whitelisting to allow only authorised persons to access the sensitive data. Where sub-processors are required to provide assistance to the controller but do not have the relevant access to the Services, the sub-process would need to request access to the relevant application(s) together with the reason(s) they require such access. Access is approved on a temporary basis by HybridHero’ management. Immediately after such assistance is complete, the access is revoked.

Schedule 1: Analytics

If the parties agree that HybridHero will provide Data Analysis Services to the Customer, the provisions of this Schedule will apply in addition to the other terms of this Agreement. Unless defined in this Schedule, any capitalised terms are defined in clause 25 of the Agreement.

1 Data Analysis Services

HybridHero will provide the Data Analysis Services and deliver copies of the Derivative Materials to the Customer.

2 Derivative Materials

(a) The Customer grants HybridHero a perpetual, non-exclusive, world-wide, irrevocable, royalty free licence to access, use, adapt, modify, reproduce, reformat, transform, process, aggregate, commercialise and exploit, and create Derivative Materials from, the Customer Material to the extent necessary to provide the Data Analysis Services and to otherwise carry out its obligations under this Agreement.

(b) The Customer will ensure that any existing or future Intellectual Property Rights in any Derivative Materials (excluding the Customer Material) vest in HybridHero absolutely. The Customer agrees to assign, and procure the assignment of, such Intellectual Property Rights in any Derivative Materials to HybridHero immediately on their creation.

(c) HybridHero grants the Customer a perpetual, non-exclusive, world-wide, irrevocable, royalty free licence to access, use, adapt, modify, reproduce, reformat, transform, process, aggregate, commercialise and exploit the Derivative Materials for internal purposes only.

(d) The Customer agrees and acknowledges that HybridHero intends to use and/or aggregate, on a de-identified basis, the Customer Material in conjunction with other information collected or obtained by HybridHero, and the Customer agrees that HybridHero is permitted to make full use of, commercialise and exploit the Customer Material for those purposes.

3 Warranties

In addition any other warranties provided under this Agreement, HybridHero warrants that:

(a) it will exercise due care and skill in performing the Data Analysis Services;

(b) the Data Analysis Services will be performed in a professional manner by Personnel who are suitably qualified and experienced to perform the Data Analysis Services and will be of a standard commensurate with the qualifications and experience of those Personnel; and

(c) it has the necessary Personnel, facilities, other resources, expertise and experience to perform the Data Analysis Services in accordance with this Agreement.

4 Disclaimer

While HybridHero will use its Best Endeavours to ensure that the Derivative Materials are as accurate as possible, the Customer acknowledges that the accuracy of the Derivative Materials is reliant upon the accuracy of Customer Material provided by the Customer and its Personnel.

Except to the extent expressly provided in this Agreement, to the extent permitted by Law (including Consumer Law if applicable), neither HybridHero nor any of its third party suppliers makes any representation, warranty or guarantee as to the reliability, quality, suitability, truth, availability, accuracy or completeness, or any content contained in the Derivative Materials.

5 Best Endeavours

A reference to a party using or obligation on a party to use its best endeavours or reasonable endeavours does not oblige that party to:

(d) pay money:

(i) in the form of an inducement or consideration to a third party to procure something (other than the payment of immaterial expenses or costs, including costs of advisers, to procure the relevant thing) in addition to any arms’ length consideration for any goods, service or licenses to be provided by such third party; or

(ii) in circumstances that are commercially onerous or unreasonable in the context of this Agreement;

(e) provide other valuable consideration to or for the benefit of any person other than arms’ length consideration for any goods, service or licenses to be provided by such person;

(f) agree to commercially onerous or unreasonable conditions;

(g) forego, sacrifice or prejudice their commercial, economic or operational interests; or

(h) use best endeavours or reasonable endeavours after the termination of this Agreement.

6 Definitions

Data Analysis Services means the services set out in Annexure A (Data Analysis Services). For the avoidance of doubt, the Data Analysis Services form part of the Products, Goods and Services for the purposes of this Agreement only if this Schedule applies.

Derivative Materials means materials, data and insights derived or created by or on behalf of HybridHero as part of the Data Analysis Services, which are based on, or created or derived from, the Customer Material. For the avoidance of doubt, the Derivative Materials form part of the Products, Goods and Services for the purposes of this Agreement only if this Schedule applies.

Annexure A – Data Analysis Services

Data Analysis of data for the purpose of the Customer making decisions relevant to the carrying out of their business in an anonymised or non-anonymised format.