General Terms & Conditions

Talon.One UK Ltd.

Last updated: December 1, 2022

THE CUSTOMER'S ATTENTION IS PARTICULARLY DRAWN TO THE PROVISIONS OF CLAUSE 9 (LIMITATION OF LIABILITY).

1. Interpretation

The following definitions and rules of interpretation apply in these Conditions.

1.1 Definitions:

1 Business Day: a day other than a Saturday, Sunday or public holiday in England, when banks in London are open for business.

2 Fees: the fees payable by the Customer for the supply of the Talon.One Services in accordance with clause 6.

3 Commencement Date: has the meaning given in 2.5.

4 Conditions: these terms and conditions as amended from time to time in accordance with 12.5.

5 Contract: the contract between Talon.One and the Customer for the supply of Talon.One Services in accordance with these Conditions.

6 Customer: the person or firm who purchases Talon.One Services from Talon.One.

7 Customer Default: has the meaning set out in 5.2.

8 Data Protection Agreement: the agreement regarding the processing of personal data into which the Customer and Talon.One will enter at the beginning of the Contract.

9 Intellectual Property Rights: patents, utility models, rights to inventions, copyright and neighbouring and related rights, moral rights, trademarks and service marks, business names and domain names, rights in get-up and trade dress, goodwill and the right to sue for passing off or unfair competition, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets), and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world.

10 Order: the Customer's order for Talon.One Services via an Order Form or via a Web Application Order.

11 Order Form: the Customer's order for Talon.One Services via a written order.

12 Talon.One Services: the online and software based products and services to maintain, monitor and automate voucher codes, discounts, loyalty programs, customer referral campaigns and related products and services supplied by Talon.One to the Customer as set out in the Specification.

13 Specification: the description or specification of Talon.One Services in the respective service and product descriptions, special contract conditions, individual subjects of performance and/or services, order forms and/or price lists in effect at the time the Contract was concluded.

14 Talon.One: Talon.One UK Ltd, registered in England and Wales with company number 13473145.

15 Talon.One Self Service Portal: Talon.One's online portal for which access is granted after acceptance of email invitation and provision of correct URL

16 Web Application Order: the Customer's order for Services via Talon.One's online portal ('Talon.One Self Service Portal') by using the respective order form within the web application.

1.2 Interpretation:

a) A reference to legislation or a legislative provision:

i) is a reference to it as amended, extended or re-enacted from time to time; and

ii) shall include all subordinate legislation made from time to time under that legislation or legislative provision.

b) Any words following the terms including, include, in particular, for example or any similar expression, shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

c) A reference to writing or written includes fax and email.

2. Basis of contract

2.1 The Order constitutes an offer by the Customer to purchase Services in accordance with these Conditions. The Customer is bound by the Order for a period of two (2) weeks after making the Order.

2.2 Any samples, drawings, descriptive matter or advertising issued by Talon.One, and any descriptions or illustrations contained in Talon.One's catalogues or brochures or on its website, are issued or published for the sole purpose of giving an approximate idea of the Talon.One Services described in them. They shall not form part of the Contract or have any contractual force.

2.3 These Conditions apply to the Contract to the exclusion of any other terms that the Customer seeks to impose or incorporate, or which are implied by law, trade custom, practice or course of dealing.

2.4 Any quotation given by Talon.One shall not constitute an offer, and is only valid for a period of 14 Business Days from its date of issue or until the validity date stated in the Order Form.

2.5 The Contract between Talon.One and the Customer shall come into existence (Commencement Date) either upon Talon.One confirming an Order Form in writing, upon the Customer using the Web Application Form via Talon.One's online portal, or upon Talon.One delivering or performing Talon.One Services towards the Customer.

a) Order Form In order to conclude the Contract via an Order Form, the Customer must send the signed Order Form to Talon.One by fax or by email. Talon.One shall not be obliged to accept the Order Form and is entitled to reject such Order without stating reasons.

b) Web Application Order In order to conclude the Contract via the Talon.One Self Service Portal, the Customer must register itself online with Talon.One. It is required for Talon.One to confirm such registration by sending a confirmation email or verbal confirmation by phone, each by using the respective contact details (email address / phone number) that was provided by the Customer. A right to registration does not exist; Talon.One expressly reserves the right to reject a registration without stating reasons. The Customer's Talon.One user account will be activated once the Customer clicks on the activation link. The user account is non-transferable. The Customer must keep the password secret and protect it against any wrongful use by unauthorised third parties.

2.6 The Customer can order Talon.One Services via its user account. Talon.One offers subscriptions for its Talon.One Services. The details for subscriptions can be found within the Customer's account or on the Order Form.

a) Subscriptions Unless otherwise provided in the Order Form or Web Application Order, Talon.One Services are purchased as subscriptions. Further subscriptions may be added during a subscription term at the same pricing as the underlying subscription pricing, prorated for the portion of that subscription term remaining at the time the subscriptions are added, and any added subscriptions will terminate on the same date as the underlying subscriptions. To order a subscription, the Customer must click on the button 'Buy' (or any similar or synonymous expression) or sign the provided Order Form to make a binding Order for the relevant Talon.One Services. Talon.One will confirm the receipt of the Order via email. However, such confirmation does not constitute an acceptance of the Order. The Contract between the Customer and Talon.One will be concluded by Talon.One's express acceptance of the Order in writing, via email or by making the Talon.One Services available. Talon.One is not obliged to accept the Order.

b) Usage Limits Talon.One Services are subject to usage limits, including, for example, the quantities specified in the Order Form or Web Application Order, unless otherwise specified or agreed. Talon.One Service may not be active for more than the respective usage limit. If the Customer exceeds a contractual usage limit, Talon.One is entitled to charge additional quantities accordingly.

c) Free Trial Talon.One may offer a free trial period to new Customers. The free trial period is available only once to any one Customer. Length of the free trial will be communicated by Talon.One. The detailed terms for such free trial are available in the Customer's account. If the new Customer does not order Talon.One Services within the communicated trial period against payment, they will not be entitled to continue the use of the Talon.One Services after expiry of the free trial period. The Customer is aware that contractual declarations (e.g. confirmation emails, amendments to the Conditions as well as other notifications) may be sent via email.

3. Supply of Services

3.1 Talon.One shall supply the Talon.One Services to the Customer in accordance with the Specification in all material respects.

3.2 Talon.One reserves the right to amend the Specification if necessary to comply with any applicable law or regulatory requirement, or if the amendment will not materially affect the nature or quality of the Talon.One Services, and Talon.One shall notify the Customer in any such event. Talon.One also reserves the right to make technical changes and improvements to the Talon.One Services within a reasonable scope.

3.3 Talon.One warrants to the Customer that the Talon.One Services will be provided using reasonable care and skill. 3.4 Talon.One is entitled to use third parties as agents in order to carry out and/or fulfill all or part of its contractual obligations.

4. Availability, Changes of Services

4.1 Unless expressly specified Talon.One offers the Talon.One Services on the basis of what is currently technically, economically and operationally possible and/or reasonable.

4.2 The Customer accepts that uninterrupted availability of the Talon.One Services is technically not possible and cannot be reasonably guaranteed. The Talon.One Services shall be available at least 98,5% of the annual mean. Hereof excluded are times during which Talon.One Services may be interrupted or disrupted by circumstances beyond Talon.One's reasonable control, including but not limited to acts of third parties that do not act on Talon.One's behalf, technical conditions of the internet that Talon.One cannot influence or force majeure events. If such circumstances interfere with the availability, quality or functionality of the Talon.One Services, this does not constitute a breach of the Contract by Talon.One.

4.3 Talon.One shall notify the Customer about planned downtimes or restrictions on the availability of the Talon.One Services within a reasonable period of time. The Customer shall have no claims against Talon.One based on such circumstances.

4.4 In case of unforeseen events, Talon.One is entitled to suspend the Talon.One Services for maintenance or repair purposes if this is necessary to ensure the proper operation of the Talon.One Services.

4.5 Taking into account the Customer's interest in the Talon.One Services, Talon.One reserves the right to change, alter, limit or discontinue Talon.One Services, in particular if this is reasonably necessary to prevent abuse of Talon.One Services or to comply with legal requirements. Talon.One shall notify the Customer of any such measure with a notice period of three (3) weeks. In such event, the Customer is entitled to request a price adjustment or to terminate the Contract, provided that contractual use of the Talon.One Services is significantly impaired. Talon.One is entitled at any time, and without an obligation to notify the Customer, to improve, adjust, extend and/or to adapt the Talon.One Services to the technical progress, provided that the material content of the Talon.One Services is maintained.

5. Customer's obligations

5.1 The Customer shall:

a) keep the passwords and login data provided by Talon.One for access to the Talon.One Services confidential and inform Talon.One immediately as soon as the Customer becomes aware of unauthorised third parties gaining access to these passwords. If, due to the Customer's fault, unauthorised third parties use any Talon.One Services by using the passwords, the Customer is liable to Talon.One for usage fees and damages;

b) not make the software provided by Talon.One available to any third parties;

c) not modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the Talon.One software or documentation;

d) not transfer, lend, rent, lease, distribute the software provided by Talon.One or the Talon.One Services, or use them for providing services to a third party, or grant any rights in and to the Talon.One software or documentation to a third party in any form, without Talon.One's express prior written and unless all respective fees have been paid and all of Talon.One's other conditions have been met;

e) not remove, modify or make illegible the labels, markers or designations regarding any Intellectual Property Rights of the Talon.One software or documentation;

f) use the HTML (Hypertext Markup Language), JavaScript or other program code provided by Talon.One without any modifications for its intended use;

g) if Talon.One has protected its Talon.One Services by technical means (e.g. security codes, firewalls, etc.), not circumvent or remove such security measures.

h) protect its own data by taking appropriate measures and by regularly making backups of its data;

i) follow Talon.One's instructions as well as the protocols and specifications as requested by Talon.One with regard to the telecommunication/data transmission.

j) upon receipt of the Talon.One Services, immediately notify Talon.One in writing of any obvious defects. The Customer shall provide Talon.One with all documents necessary for the analysis and debugging attempts and shall provide Talon.One with access to the Customer's servers, if necessary.

k) confirm, represent and warrant that all personal as well as other relevant contractual information provided by the Customer during the conclusion of the Contract is true, complete and correct. The Customer is responsible for any disadvantages or damages incurred as a result of providing false, incorrect, incomplete or outdated information. The Customer is obliged to promptly inform Talon.One about any changes to this data and/or to update altered data in its user account.

5.2 If Talon.One's performance of any of its obligations under the Contract is prevented or delayed by any act or omission by the Customer or failure by the Customer to perform any relevant obligation (Customer Default):

a) without limiting or affecting any other right or remedy available to it, Talon.One shall have the right to suspend performance of the Talon.One Services until the Customer remedies the Customer Default, and to rely on the Customer Default to relieve it from the performance of any of its obligations in each case to the extent the Customer Default prevents or delays Talon.One's performance of any of its obligations;

b) Talon.One shall not be liable for any costs or losses sustained or incurred by the Customer arising directly or indirectly from Talon.One's failure or delay to perform any of its obligations as set out in this 5.2; and

c) the Customer shall reimburse Talon.One on written demand for any costs or losses sustained or incurred by Talon.One arising directly or indirectly from the Customer Default.

6. Fees, Payment

6.1 The Fees for the Talon.One Services are set out in the applicable Order Form, Web Application Order or Talon.One's current valid price lists. All Fees are in pound sterling, unless another currency is explicitly agreed. Talon.One will invoice the Customer in advance and otherwise in accordance with the relevant Order Form. All fees and charges payable by Customer are exclusive of applicable taxes and duties, including VAT, GST and applicable sales tax. If Customer is legally entitled to an exemption from any sales, use, or similar transaction tax, Customer is responsible for providing Talon.One with legally sufficient tax exemption certificates for each taxing jurisdiction. Talon.One shall apply the tax exemption certificates to charges under Customer's account occurring after the date Talon.One receive the tax exemption certificates. If any deduction or withholding is required by law, Customer shall notify Talon.One and shall pay Talon.One any additional amounts necessary to ensure that the net amount that Talon.One receives, after any deduction and withholding, equals the amount, Talon.One would have received if no deduction or withholding had been required. Additionally, Customer shall provide Talon.One with documentation showing that the withheld and deducted amounts have been paid to the relevant taxing authority.

6.2 If the Customer places a Web Application Order via its customer account in the Talon.One Self Service Portal, Talon.One accepts the payment methods as shown in the customer account (e.g. payment by credit card). When paying by credit card, the credit card on file will be charged with the amount indicated on the Order.

6.3 Invoices will be sent to the Customer via mail or in electronic form, unless expressly agreed otherwise.

6.4 The Customer shall pay each invoice submitted by Talon.One: within 15 days of the date of the invoice (unless stated differently in the applicable Web Application Order or Order Form); and

6.5 in full and in cleared funds to a bank account nominated in writing by Talon.One, and

6.6 without deductions created by bank charges using SWIFT payment instruction 'SHA' or 'BEN' (i.e. Customer shall choose 'OUR'), and

6.7 time for payment shall be of the essence of the Contract.

6.8 If the Customer fails to make a payment due to Talon.One under the Contract by the due date, then, without limiting Talon.One's remedies under clause 10, the Customer shall pay interest on the overdue sum from the due date until payment of the overdue sum, whether before or after judgment. Interest under this clause 6.4 will accrue each day at 4% a year above the Bank of England's base rate from time to time, but at 4% a year for any period when that base rate is below 0%.

6.9 All amounts due under the Contract shall be paid in full without any set-off, counterclaim, deduction or withholding

6.10 Further claims and rights to which Talon.One may be entitled in this respect shall remain unaffected.

6.11 Even if the Customer does not use the provided Talon.One Services, the Customer is still obliged to pay the agreed fees.

6.12 As long as Talon.One carries out its Talon.One Services during the term of the Contract, Talon.One is entitled to change the Fees at any time with a six (6) week notice to the beginning of each calendar month by notifying the Customer in writing. If such changes exceed 10% of the agreed fees for the Talon.One Services provided under the Contract, the Customer has the right to terminate the Contract within four (4) weeks from the date of notification of Fee increase. In case the Customer terminates the Contract, Talon.One is entitled to revoke the proposed increase at its sole discretion. If the Customer does not terminate the Contract within four (4) weeks from the date of notification of the Fee increase, the higher Fees are deemed to be accepted.

6.13 Any complaints relating to an invoice must be submitted to Talon.One in writing or by email to billing.uk@talon.one within four (4) weeks upon receipt of the respective invoice. If no such complaint has been made within four (4) weeks upon receipt of invoice, the invoice is deemed to be accepted. Talon.One will notify the Customer in the invoice about the consequences of failing to submit a timely complaint.

7. Intellectual property rights

7.1 All Intellectual Property Rights in or arising out of or in connection with the Talon.One Services, as well as other services that are provided under the Contract, including source codes, databases, hardware and/or any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.), shall be owned by Talon.One.

7.2 Talon.One grants to the Customer the simple and non-exclusive, non-transferable and non-sub licensable right to use the Talon.One Services during the term of the Contract, insofar as this is necessary to use the Talon.One Services according to the respective Order Form or Web Application Order. The right of use shall expire with the termination of the Contract for whatsoever reason.

7.3 Information which may require to achieve interoperability with other programs created independently can be purchased from Talon.One for a fee based on the current price list upon request.

7.4 The Customer undertakes to not violate any applicable laws, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of the Contract while using the Talon.One Services. Insofar, the Customer shall indemnify Talon.One regarding any and all third party claims (including but not limited to all costs and expenses, incl. reasonable legal fees) that are being asserted against Talon.One.

7.5 The customer hereby grants Talon.One a non-exclusive license solely during the term of the Order Form to list Customer's name and display the Customer's logo in the customer section of Talon.One's website and to use the customer's name and logo in Talon.One's customer lists but only to the extent that other customers of Talon.One are also listed on such list. Within 60 days of the Effective Date of this Agreement, the customer agrees to review in good faith a press release announcing the cooperation with Talon.One. Talon.One must obtain written consent by the customer prior to publication of such release, such consent not to be unreasonably withheld. Any other use by Talon.One of the customer's name, logo or trademark requires the customer's prior written consent (such consent not to be unreasonably withheld).

7.6 The Customer shall not sub-license, assign or otherwise transfer the rights granted in 7.2.

8. Data protection

8.1 The Customer shall comply with the applicable data protection law and the Data Protection Agreement when using the Talon.One Services.

8.2 The Customer shall ensure that its websites and apps clearly provide appropriate and sufficiently prominent notice to users regarding the collection, processing and use of tracking data by Talon.One. The Customer shall ensure that the websites and apps provide facilities for users to opt out of tracking. If a user opts out, the tracking mechanisms provided by Talon.One must be fully disabled. At a minimum, a privacy policy should be available on the Customer's website or from inside the app complying with these requirements.

8.3 Talon.One will comply with its privacy policy (https://www.talon.one/privacy-policy) and all applicable data protection legislation when processing personal data.

9. Limitation of liability: THE CUSTOMER'S ATTENTION IS PARTICULARLY DRAWN TO THIS CLAUSE.

9.1 References to liability in this 9 include every kind of liability arising under or in connection with the Contract including liability in contract, tort (including negligence), misrepresentation, restitution or otherwise.

9.2 Talon.One does not assume any liability for any damages resulting from a usage other than the intended use of the Talon.One Services. The same applies to any damages resulting from a usage that is not in accordance with Talon.One's instructions and recommendations or any other unauthorised usage.

9.3 Talon.One does not assume any liability for any disturbances, limitations, interruptions or disruptions of the Talon.One Services which are caused by circumstances beyond Talon.One's reasonable control.

9.4 Nothing in this 9 shall limit the Customer's payment obligations under the Contract.

9.5 Neither party may benefit from the limitations and exclusions set out in this clause in respect of any liability arising from its deliberate default.

9.6 Nothing in the Contract limits any liability which cannot legally be limited, including liability for: a) death or personal injury caused by negligence; b) fraud or fraudulent misrepresentation; and c) breach of the terms implied by section 2 of the Supply of Goods and Services Act 1982 (title and quiet possession).

9.7 Subject to clause 9.5 (No limitation in respect of deliberate default), and 9.6 (Liabilities which cannot legally be limited), Talon.One's total liability to the Customer for all loss or damage shall not exceed £25,000.00 per incident of damage and £50,000.00 per Contract.

9.8 Subject to clause 9.5 (No limitation in respect of deliberate default), 9.2 (No limitation of customer's payment obligations) and 9.6 (Liabilities which cannot legally be limited), this 9.8 sets out the types of loss that are wholly excluded: a) loss of profits. b) loss of sales or business. c) loss of agreements or contracts. d) loss of anticipated savings. e) loss of use or corruption of software, data or information. f) loss of or damage to goodwill; and g) indirect or consequential loss.

9.9 Talon.One has given commitments as to compliance of the Talon.One Services with relevant specifications in 3. In view of these commitments, the terms implied by sections 3, 4 and 5 of the Supply of Goods and Services Act 1982 are, to the fullest extent permitted by law, excluded from the Contract.

9.10 Unless the Customer notifies Talon.One that it intends to make a claim in respect of an event within the notice period, Talon.One shall have no liability for that event. The notice period for an event shall start on the day on which the Customer became, or ought reasonably to have become, aware of the event having occurred and shall expire 6 months from that date. The notice must be in writing and must identify the event and the grounds for the claim in reasonable detail.

9.11 This clause 9 shall survive termination of the Contract.

10. Termination

10.1 The term of the Contract is determined in the Order Form or Web Application Order. Each party has the right to terminate the Contract by giving 30 days' notice to the end of the agreed term. If such notice is not given, the Contract will be automatically renewed for the same term as agreed, unless terminated or ended otherwise under this clause 10.

10.2 Without affecting any other right or remedy available to it, either party may terminate the Contract with immediate effect by giving written notice to the other party if: a) the other party commits a material breach of any term of the Contract and (if such a breach is remediable) fails to remedy that breach within 30 days of that party being notified in writing to do so. b) the other party takes any step or action in connection with its entering administration, provisional liquidation or any composition or arrangement with its creditors (other than in relation to a solvent restructuring), applying to court for or obtaining a moratorium under Part A1 of the Insolvency Act 1986, being wound up (whether voluntarily or by order of the court, unless for the purpose of a solvent restructuring), having a receiver appointed to any of its assets or ceasing to carry on business or, if the step or action is taken in another jurisdiction, in connection with any analogous procedure in the relevant jurisdiction; c) the other party suspends, or threatens to suspend, or ceases or threatens to cease to carry on all or a substantial part of its business; or d) the other party's financial position deteriorates to such an extent that in the terminating party's opinion the other party's capability to adequately fulfil its obligations under the Contract has been placed in jeopardy.

10.3 Without affecting any other right or remedy available to it, Talon.One may terminate the Contract with immediate effect by giving written notice to the Customer if: a) the Customer breaches its obligations under clauses 5.1, 7.4 or 12.3; b) the Customer fails to pay any amount due under the Contract on the due date for payment; or c) the Customer publishes racist, pornographic, immoral or illegal content on its website and/or content which glorifies or trivialises violence.

10.4 Without affecting any other right or remedy available to it, Talon.One may suspend the supply of Talon.One Services under the Contract or any other contract between the Customer and Talon.One if: a) the Customer fails to pay any amount due under the Contract on the due date for payment; b) the Customer becomes subject to any of the events listed in 10.2(c) or 10.2(d), or Talon.One reasonably believes that the Customer is about to become subject to any of them; and c) Talon.One reasonably believes that the Customer is about to become subject to any of the events listed in 10.2(b).

11. Consequences of termination

11.1 On termination of the Contract: a) The Customer shall pay Talon.One all fees that had accrued prior to the termination date. If the Contract is terminated because of Customer's material breach or due to Customer's default in making payments, then Customer shall promptly pay to Talon.One all Fees due under the applicable Order Form for the entire term of such Order Form and any prepaid Fees will not be refunded. If the Order Form is terminated because of Talon.One's material breach, then Customer shall be entitled to a refund of the pro rata portion of any prepaid unused subscription fees paid by Customer to Talon.One under this Contract. Except as expressly provided herein, termination of this Contract by either party will be a nonexclusive remedy for breach and will be without prejudice to any other right or remedy of such party. b) the Customer shall delete all copies of the codes that were provided by Talon.One.

11.2 Termination of the Contract shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination, including the right to claim damages in respect of any breach of the Contract which existed at or before the date of termination.

11.3 Any provision of the Contract that expressly or by implication is intended to come into or continue in force on or after termination of the Contract shall remain in full force and effect.

12. General

12.1 Force majeure.

Neither party shall be in breach of the Contract nor liable for delay in performing, or failure to perform, any of its obligations under the Contract if such delay or failure result from events, circumstances or causes beyond its reasonable control.

12.2 Assignment and other dealings.

a) Talon.One may at any time assign, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under the Contract.

b) The Customer shall not assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any of its rights and obligations under the Contract without the prior written consent of Talon.One.

12.3 Confidentiality.

a) Each party undertakes that it shall not at any time disclose to any person any confidential information concerning the business, affairs, customers, clients or suppliers of the other party, except as permitted by 12.3(b).

b) Each party may disclose the other party's confidential information:

i) to its employees, officers, representatives, contractors, subcontractors or advisers who need to know such information for the purposes of carrying out the party's obligations under the Contract. Each party shall ensure that its employees, officers, representatives, contractors, subcontractors or advisers to whom it discloses the other party's confidential information comply with this 12.3; and

ii) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.

c) Neither party shall use the other party's confidential information for any purpose other than to perform its obligations under the Contract.

12.4 Entire agreement.

a) The Contract constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

b) Each party acknowledges that in entering into the Contract it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in the Contract. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in the Contract.

c) Nothing in this clause shall limit or exclude any liability for fraud.

12.5 Variation.

Except as set out in these Conditions, no variation of the Contract shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

12.6 Waiver.

A waiver of any right or remedy under the Contract or by law is only effective if given in writing and shall not be deemed a waiver of any subsequent right or remedy. A failure or delay by a party to exercise any right or remedy provided under the Contract or by law shall not constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict any further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy provided under the Contract or by law shall prevent or restrict the further exercise of that or any other right or remedy.

12.7 Severance.

If any provision or part-provision of the Contract is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement. If any provision or part-provision of this Contract deleted under this 12.7 the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

12.8 Notices.

a) Unless stated otherwise in these Conditions, any notice or other communication given to a party under or in connection with the Contract shall be in writing and shall be delivered by hand or by pre-paid first-class post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case); or sent by fax to its main fax number or sent by email to the address provided to the other party.

b) Any notice or communication shall be deemed to have been received:

i) if delivered by hand, at the time the notice is left at the proper address;

ii) if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting; or

iii) if sent by fax or email at the time of transmission, or, if this time falls outside business hours in the place of receipt, when business hours resume. In this 12.8(b)(iii), business hours means 9.00am to 5.00pm Monday to Friday on a day that is not a public holiday in the place of receipt.

c) This 12.8 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any other method of dispute resolution.

12.9 Third party rights.

a) Unless it expressly states otherwise, the Contract does not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of the Contract.

b) The rights of the parties to rescind or vary the Contract are not subject to the consent of any other person.

12.10 Governing law.

The Contract, and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with the law of England and Wales.

12.11 Jurisdiction.

Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Contract or its subject matter or formation.

Service Level Addendum

1. Definitions

Certain capitalized terms not otherwise defined in this Service Level Addendum, will have the meanings set forth in the Agreement. The following terms will have the definitions set forth below:

1.1 'System Uptime' will mean the total amount of time during any calendar month, measured in minutes, during which Customer has the ability to access the features and functions of the Subscription Service according to the terms of the Agreement.

1.2 'Scheduled Downtime' will mean the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access the Subscription Service or to deliver Customer Data, according to the terms of the Agreement, due to planned system maintenance performed by Talon.One. Talon.One will provide reasonable prior notice to conduct system maintenance.

1.3 'Unscheduled Downtime' will mean the total amount of time during any calendar month, measured in minutes, during which Customer is not able to access the features and functions of the Subscription Service according to the terms of this Agreement, other than Scheduled Downtime, as defined above.

1.4 'System Availability' will mean, with respect to any particular calendar month, the ratio obtained by subtracting Unscheduled Downtime during such month from the total time during such month, and thereafter dividing the difference so obtained by the total time during such month. Represented algebraically, System Availability for any particular calendar month is determined as follows:

image

NOTE: 'Total Monthly Time' is deemed to include all minutes in the relevant calendar month, to the extent such minutes are included within the Subscription Term.

2. System Performance

2.1 System Availability: Talon.One will undertake commercially reasonable measures to ensure that System Availability equals or exceeds ninety- nine point nine percent (99.9%) during each calendar month (the 'Service Standard'), provided that any Unscheduled Downtime occurring as a result of circumstances beyond Talon.One's reasonable control including, without limitation, (i) Customer's breach of any provision of this Agreement; (ii) non-compliance by Customer with any provision of this Exhibit; (iii) incompatibility of Customer's equipment or software with the Subscription Service; (iv) poor or inadequate performance of Customer's systems; or (vi) force majeure (as contemplated in the Agreement), shall not be considered toward any reduction in System Availability measurements.

2.2 Access to Support; Response Times: Customers may report any Unscheduled Downtime by email at support@talon.one 24 hours per day, 7 days per week. Talon.One classifies problems with the Subscription Service using the following problem classification table:

image

Upon discovery of a problem both Parties shall promptly inform each other on discovery of the problem according to the classifications above. The following table specifies the reaction steps, which must be performed by Talon.One and Customer by which Talon.One deals with the specific problem reports:

  • Step 1 - Identification: Talon.One confirms that the problem exists and starts to collect information and performs an analysis.

  • Step 2 - Temporary Solution: Talon.One processes the problem and provides a temporary work around, if possible, as soon as possible, in order to make the Subscription Service at least partially available.

  • Step 3 - Problem Resolution: Talon.One provides a final solution to the problem, so that the Subscription Service is fully available again.

image

Both Parties shall inform each other regularly on the status of the error.

3. Measurement and Reports

3.1 System Monitoring and Measurement: Talon.One will provide for monitoring of System Availability on an ongoing basis. All measurements of System Availability will be calculated on a monthly basis for each calendar month during the Subscription Term.

3.2 System Performance Reports: Upon Customer's request, Talon.One will provide reports to Customer on a quarterly basis setting forth measurements of Unscheduled Downtime and a calculation of System Availability for the relevant preceding quarter. If Customer disagrees with any measurement or other information set forth in any such report, it must so inform Talon.One in writing within five (5) calendar days after receipt thereof, provided that the accuracy of any such report shall be deemed conclusive unless such notice is provided by Customer. Any such notice must indicate specific measurements in dispute and must include a detailed description of the nature of the dispute. Talon.One and Customer agree to attempt to settle any such disputes regarding System Availability and/or related measurements in a timely manner by mutual good faith discussions.

4. Customer Requirements

4.1 Minimum System Requirement: The service standards set forth in this Exhibit assume that Customer, as applicable, meets the minimum system standards established by Talon.One.

4.2 Additional Customer Obligations: Except as otherwise agreed between the Parties in a separate written agreement, Customer is responsible for (i) maintenance and management of its computer network(s), servers, software, and any equipment or services related to maintenance and management of the foregoing; and (ii) correctly configuring Customer's systems in accordance with the terms of this Agreement.

4.3 Reporting of Unscheduled Downtime: Customer must promptly notify Talon.One in the event Unscheduled Downtime occurs. Unscheduled Downtime will be deemed to begin when Talon.One receives accurate notification thereof from Customer, or when Talon.One first becomes aware of such Unscheduled Downtime, whichever first occurs.

4.4 Non-Performance by Customer: The obligations of Talon.One set forth in this Exhibit will be excused to the extent any failures to meet such obligations result in whole or in part from Customer's failure(s) to meet the foregoing requirements.

4.5 Suspension: If the Customer endangers the security, integrity or availability of networks, the Talon.One's servers or the Subscription Service, or if Talon.One has an objective reason to suspect so, then Talon.One may temporarily suspend Customer's access to the Subscription Service. In case of deliberate actions by the Customer, Talon.One may terminate the contract with immediate effect: (a) if the Customer's system or Subscription Service becomes an object of Denial of Service attacks by Customer; (b) if Customer is responsible for sending spam mails or text/multimedia messages (SMS/MMS) via the Subscription Service; or (c) if the Customer saves content on the Talon.One' servers, which violates any laws or infringes on the rights of third parties.

5. Remedies

In the event Unscheduled Downtime occurs, Talon.One will undertake commercially reasonable efforts to remedy such Unscheduled Downtime within a commercially reasonable timeframe. If Talon.One is unable to meet the System Availability standards set forth in Section 2.1 of this Exhibit, Customer shall be entitled to the following service credits ('Service Credits'), provided that the maximum number of Service Credits to be issued by Talon.One to Customer for any and all Unscheduled Downtime shall not exceed one month of service.

image

Credit shall be applied to the next month's platform fee.

Data Processing Agreement

Preamble

The Customer and the Provider entered into the agreement over the provision of Talon.One Services via an Order Form (Master Agreement) that may require the Provider to process Personal Data on behalf of the Customer.

This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors and the General Data Protection Regulation ((EU) 2016/679).

AGREED TERMS

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

1.1 Definitions:

Authorised Persons: the persons or categories of persons that the Customer authorises to give the Provider written personal data processing instructions and from whom the Provider agrees solely to accept such instructions.

Business Purposes: the services to be provided by the Provider to the Customer as described in the Master Agreement and any other purpose specifically identified in Annex 1.

Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).

Controller: has the meaning given to it in section 6, DPA 2018.

Data Protection Legislation: a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data. b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which the Customer or Provider is subject, which relates to the protection of personal data.

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

EU GDPR: the General Data Protection Regulation ((EU) 2017/679).

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.

Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Records: has the meaning given to it in Clause 12. Term: this Agreement's term as defined in Clause 10.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the DPA 2018.

1.2 This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.

1.3 The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

1.4 A reference to writing or written includes faxes and email. 1.5 In the case of conflict or ambiguity between:

a) any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;

b) the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

c) any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.

2. Personal data types and processing purposes

2.1 The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

a) the Customer is the Controller and the Provider is the Processor.

b) the Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.

c) Annex 1 describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.

3. Provider's obligations

3.1 The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must promptly notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

3.2 The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3 The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic or EU law, court or regulator (including the Commissioner). If a domestic or EU law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic or EU law prohibits the giving of such notice.

3.4 The Provider will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner or other relevant regulator under the Data Protection Legislation.

3.5 The Provider must notify the Customer promptly of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider's performance of the Master Agreement or this Agreement.

4. Provider's employees

4.1 The Provider will ensure that all of its employees: a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data; b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and c) are aware both of the Provider's duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

4.2 The Provider will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable domestic law on all of the Provider's employees with access to the Personal Data.

5. Security

5.1 The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex 2.

5.2 The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

6. Personal data breach

6.1 The Provider will immediately and in any event without undue delay notify the Customer in writing if it becomes aware of: a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore such Personal Data at its own expense as soon as possible. b) any accidental, unauthorised or unlawful processing of the Personal Data; or c) any Personal Data Breach.

6.2 Where the Provider becomes aware of (a), (b) and/or (c) above, it will, without undue delay, also provide the Customer with the following written information: a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned; b) the likely consequences; and c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

6.3 Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer's handling of the matter, including but not limited to: a) assisting with any investigation; b) providing the Customer with physical access to any facilities and operations affected; c) facilitating interviews with the Provider's employees, former employees and others involved in the matter including, but not limited to, its officers and directors; d) making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and e) taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.

6.4 The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic or EU law.

6.5 The Provider agrees that the Customer has the sole right to determine: a) whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer's discretion, including the contents and delivery method of the notice; and b) whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6 The Provider will cover all reasonable expenses associated with the performance of the obligations under 6.1 to 6.3 unless the matter arose from the Customer's specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.

6.7 The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in 6.5.

7. Cross-border transfers of personal data

7.1 The Provider (and any subcontractor) must not transfer or otherwise process the Personal Data outside the UK or, the EEA without obtaining the Customer's prior written consent.

8. Subcontractors

8.1 The Provider may only authorise a third-party (subcontractor) to process the Personal Data if: a) is provided with an opportunity to object to the appointment of each subcontractor within 14 working days after the Provider supplies the Customer with full details in writing regarding such subcontractor; b) the Provider enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this Agreement, in particular, in relation to requiring appropriate technical and organisational data security measures, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts; c) the Provider maintains control over all of the Personal Data it entrusts to the subcontractor; and d) the subcontractor's contract terminates automatically on termination of this Agreement for any reason.

8.2 Those subcontractors approved as at the commencement of this Agreement are as set out in Annex 1. The Provider must list all approved subcontractors in Annex 1 and include any subcontractor's name and location and the contact information for the person responsible for privacy and data protection compliance.

8.3 Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this Agreement, the Provider remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.

8.4 The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors.

9. Complaints, data subject requests and third-party rights

9.1 The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with: a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and b) information or assessment notices served on the Customer by the Commissioner or other relevant regulator under the Data Protection Legislation.

9.2 The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

9.3 The Provider must notify the Customer within 5 days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.4 The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.5 The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by domestic or EU law.

10. Term and termination

10.1 This Agreement will remain in full force and effect so long as: a) the Master Agreement remains in effect; or b) the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

10.2 Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.

10.3 The Provider's failure to comply with the terms of this Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate any part of the Master Agreement involving the processing of the Personal Data effective immediately on written notice to the Provider without further liability or obligation of the Customer.

10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 30 days, either party may terminate the Master Agreement with immediate effect on written notice to the other party.

11. Data return and destruction

11.1 At the Customer's request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2 On termination of the Master Agreement for any reason or expiry of its term, the Provider will securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.

11.3 If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

12. Records

12.1 The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, approved subcontractors, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in 5.1 (Records).

12.2 The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider's compliance with its obligations under this Agreement and the Data Protection Legislation and the Provider will provide the Customer with copies of the Records upon request.

12.3 The Customer and the Provider must review the information listed in the Annexes to this Agreement to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1 The Provider will permit the Customer and its third-party representatives to audit the Provider's compliance with its Agreement obligations, on at least [5] days' notice, during the Term. The Provider will give the Customer and its third-party representatives all necessary assistance to conduct such audits at no additional cost to the Customer. The assistance may include, but is not limited to: a) physical access to, remote electronic access to, and copies of the Records and any other information held at the Provider's premises or on systems storing the Personal Data; b) access to and meetings with any of the Provider's personnel reasonably necessary to provide all explanations and perform the audit effectively; and c) inspection of all Records and the infrastructure, electronic data or systems, facilities, equipment or application software used to process the Personal Data.

13.2 The notice requirements in 13.1 will not apply if the Customer reasonably believes that a Personal Data Breach has occurred or is occurring, or the Provider is in material breach of any of its obligations under this Agreement or any of the Data Protection Legislation.

13.3 If a Personal Data Breach occurs or is occurring, or the Provider becomes aware of a breach of any of its obligations under this Agreement or any of the Data Protection Legislation, the Provider will: a) promptly, conduct its own audit to determine the cause; b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit; c) provide the Customer with a copy of the written audit report; and d) remedy any deficiencies identified by the audit within 28 days.

13.4 At least once a year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.

13.5 On the Customer's written request, the Provider will make all of the relevant audit reports available to the Customer for review. The Customer will treat such audit reports as the Provider's confidential information under the Master Agreement.

13.6 The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider's management.

14. Warranties

14.1 The Provider warrants and represents that: a) its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation; b) it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments; c) it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement's contracted services; and d) considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to: i) the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage; ii) the nature of the Personal Data protected; and iii) comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in 5.1.

14.2 The Customer warrants and represents that the Provider's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15. Liability

15.1 The Provider and the Customer shall be liable for damages in accordance with Article 82 UK GDPR.

16. Notice

16.1 Any notice or other communication given to a party under or in connection with this Agreement must be in writing and delivered to:

For the Customer: [CUSTOMER DATA PRIVACY CONTACT]

For the Provider: [PROVIDER DATA PRIVACY CONTACT]

16.2 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Annex 1: Personal Data processing purposes and details

image

Approved Subcontractors:

image

Annex 2: Technical and organizational security measures

The Talon One Promotion Engine is operated in a cloud environment (Google Cloud Platform) provided by Google Ireland Limited. The data processing within the Talon One Promotion Engine is therefore carried out in ISO 27001-certified data centers of the Google Cloud Platform. The administration of this infrastructure is carried out from the Berlin location, but the company does not maintain its own server infrastructure at the Berlin location. Accordingly, no information is documented in this respect. For more information about technical and organizational measures to secure the Google Cloud Platform, click here.

1. Measures at the Berlin location

1.1 Physical access control

Measures to prevent unauthorised parties from gaining access to data-processing equipment that processes or uses personal data.

  • Manual locking system

  • Key control (key output)

  • Determination of authorized access persons

  • Use of security guards/security service

  • Transponder and chip card control (regarding alarm system)

  • Alarm system/ intrusion detection system

  • Personal control (porter/reception)

1.2 Access control

Measures to prevent unauthorised parties from using data processing systems.

  • authorization concept

  • Authentication with username and password

  • Use of a password policy (minimum length and complexity)

  • Incorrect access attempts are logged

  • Encryption of data carriers

  • Principle of minimum authorization assignment

  • Authentication-free accesses are deactivated by default

  • Inactive implements automatically deactivate themselves after using a password-protected screen saver.

  • Employees block their work equipment during absence

1.3 Controlling access

Measures to ensure that those authorised to use a data processing system can only access the data subject to their right of access and that personal data cannot be read, copied, changed or removed without authorisation during processing, use and after storage.

  • Rules for creating, changing and deleting authorization profiles/users

  • Documentation of authorization assignment

  • Administration of users and rights by the system administrator(s)

  • Principle of minimum authorization assignment

  • Encryption of data carriers

  • Data carriers are deleted before reuse

  • Definition and use of authorization and role profiles

  • Observance of the separation of functions

  • Users are, if possible, limited in time

  • Data carriers are stored securely

  • Data carriers are properly destroyed

1.4 Transfer control

Measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or during transport or storage on data carriers, and that it can be verified and established at which points personal data is to be transmitted by means of data transmission facilities.

  • Installation of tunnels and VPN tunnels

  • Encrypted transmission (SSL/TLS)

  • Encryption of data carriers

  • Backups are stored locked

1.5 Input control

Measures to ensure that it is possible to verify and establish at a later stage whether and by whom personal data have been entered, modified or removed in data processing systems.

  • Logging of read, input, change and delete transactions (depending on the system)

  • Control of input options in the data processing systems

  • Control of input options in the data processing systems

  • Documentation of input authorizations

  • Traceability of changes in the IT systems

1.6 Order control

Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the instructions of the client.

  • Partially written agreement with data-processing (sub-)contractors

  • Careful selection of the (sub-) contractors with regard to data protection and data security

  • Ensuring the destruction of data after completion of the order

  • Raising employee awareness · Examination of the measures taken by (sub-)contractors

  • Data protection officer appointed in writing

  • Commitment of employees to data secrecy (ß 5 BDSG) / confidentiality

  • In case of serious violations the client will be informed immediately.

1.7 Availability control

Measures to ensure that personal data is protected against accidental destruction or loss.

  • Use of a backup concept

  • Regular backups

  • Deployment of an emergency plan

  • Backup Recovery Tests

  • Store backups in an outsourced and secure location

  • Alarm

  • Encrypted backups

  • Mirroring of the data in a colocation

  • Hardware monitoring

  • Hardware protection against theft

1.8 Separation control

Measures to ensure that data collected for different purposes can be processed separately.

  • Logical client separation (software-side) through virtualization

  • Separate databases

  • Separate directory structures

  • Production and test systems are separated from each other

  • Various data carriers / dedicated servers for different clients

Talon.One Logo

The World's Most Powerful Promotion Engine

BERLIN

Wiener Strasse 10
10999 Berlin
Germany

BIRMINGHAM

41 Church Street
B3 2RT Birmingham
United Kingdom

BOSTON

One Boston Place, Suite 2600
02108 Boston, MA
United States

SINGAPORE

1 Scotts Road, #21-10 Shaw Centre
228208 Singapore
Singapore

G2 LogoMach Alliance LogoISO 27001 Logo
CCPA Logo
GDPR Logo
SOC2 Logo

© 2024 Talon.One GmbH. All rights reserved.