Standard Terms and Conditions (Europe) for the supply of Services and Equipment (Payment ĢƵ)

The Agreement for the supply of Services and Equipment (as specified in the relevant Service Order Form relating thereto) by ĢƵ (“Agreement”) is by and between (a) Transaction Network Services (UK) Limited (Registered in England under Company Number 02952557) or its relevant Affiliate specified in the Service Order Form (“ĢƵ” or “Supplier”) and (b) the party purchasing such Services and Equipment from ĢƵ as specified in the relevant Service Order Form (“Customer”). The Agreement is effective as of the earlier of (i) date that ĢƵ initially provided Services and Equipment to Customer or (ii) date that the Service Order Form is executed by both parties (the “Effective Date”).

IT IS HEREBY AGREED THAT:

1. Definitions:

1.1 “Agreement” means this Agreement and any related Service Order Forms.

1.2 “Affiliate” means, in relation to either party, any person or entity which directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with such party.

1.3 “Anti-Corruption Laws” means all Applicable Laws relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010.

1.4 “Applicable Law” means all applicable laws, legislation, European regulations, statutes, statutory instruments, regulations, edicts, bye-laws or directions or guidance from government or governmental agencies which have the force of law whether local, national, international or otherwise existing from time to time and including any laws or regulations which affect the provision or use of the Services and Equipment.

1.5 “Confidential Information” means, in relation to either party, its technical knowledge, know-how, computer software and data, engineering, hardware configuration information, data, drawings and other material; its trading position, product/service costs and product/service pricing policies; its market and market shares; its customer details and customer account information; and its plans, strategies and projects (including the existence as well as the content of such plans, strategies and projects); and all such information relating to any affiliate of the disclosing party.

1.6 “Contractual Delivery Date” means the date which ĢƵ is to complete provision of the Dedicated Connection or such later date as may be agreed by ĢƵ and the Customer.

1.7 “Customer’s Equipment” means equipment either owned or hired by the Customer and used or intended to be used with the Services.

1.8 “Customer Site(s)” means any premise(s) or site(s) which are owned, operated or leased by the Customer at which the Services and the Equipment are to be provided under this Agreement.

1.9 “Data Protection Laws” means any Applicable Law protecting the Personal Data of natural persons, including in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”) on and from 25 May 2018 (as amended and superseded from time to time), together with all Applicable Laws relating to data privacy from time to time, in each jurisdiction where the Services are delivered.
Any references to “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data Breach”, “Process/Processed/Processing”, “Special Categories of Personal Data” and “Supervisory Authority” shall have the same meaning as in the Data Protection Laws. For the avoidance of doubt, “Personal Data” shall be as defined in Clause 1.21 of this Agreement.

1.10 “Dedicated Connection” means a telecommunications link and ancillary equipment connecting the Customer Site to a ĢƵ node and in particular, does not include the Customer’s Equipment.

1.11 “Effective Date” means the date of this Agreement.

1.12 “Equipment” means any equipment and/or software as supplied by ĢƵ under this Agreement in connection with the provision of the Services as more particularly described in the relevant Service Order Form(s).

1.13 “Intellectual Property Rights” means any patents, trademarks, service marks, rights in semi-conductor chip topographies, design rights, registered designs, applications for any of the foregoing, copyright, database rights, know-how and other similar rights or obligations whether registrable or not in any country.

1.14 “Network” means ĢƵ’ communications network to which the Customer may be granted gateway access pursuant to the terms of this Agreement (and “ĢƵ Network” shall be construed accordingly).

1.15 “PCI DSS” means the Payment Card Industry Data Security Standard which is formulated by PCI SSC from time to time which determines the industry standard in relation to access to and storing, processing and transmission of payment cardholder data.

1.16 “PCI SSC” means the Payment Card Industry Security Standards Council founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International.

1.17 “PCI DSS Certification(s)” means the PCI DSS certification of ĢƵ (in the form of a PCI DSS Attestation of Compliance as specified in the PCI DSS Requirements and Security Assessment Procedures) that relates to the relevant environment in which the Services operate.

1.18 “PCI DSS Qualified Security Assessor” or “PCI DSS QSA” means a company approved by the Payment Card Industry Security Standards Council or PCI SSC (as published on www.pcisecuritystandards.org) to conduct on-site assessments.

1.19 “PCI DSS Compliance Letter” means the relevant compliance letter in relation to the Services which is issued annually by the relevant PCI QSA confirming that the components of the relevant environment in which the Services operate comply with PCI DSS.

1.20 “PCI DSS Attestation of Compliance” means the PCI DSS attestation of compliance (as specified in the PCI DSS Requirements and Security Assessment Procedures) which is issued and signed by the Supplier and the relevant PCI QSA annually in relation to the relevant environment in which the Services operate.

1.21 “Personal Data” has the meaning given in the relevant Data Protection Laws that is received or made available, directly or indirectly to the relevant party (or its Affiliates) by the other party (or its Affiliates) and which is Processed in connection with the provision or use of Services (as applicable) under the Agreement or otherwise as a consequence of the relationship of the parties under the Agreement.

1.22 “Regulatory Body” means any supervisory or government agency, body or authority having regulatory or supervisory authority over the relevant party or their respective assets, resources or business and/or over the Services and Equipment including without limitation the PCI SSC.

1.23 “Services” means the services as more particularly described in any relevant Service Order Form.

1.24 “Service Charges” means the charges for the Services and Equipment as set out in any relevant Service Order Form and/or such other charges as agreed in writing between the parties from time to time.

1.25 “Service Commencement Date” means the commencement date of the relevant Service at the corresponding Customer Site which shall be the earlier of: (a) thirty (30) days from date of shipment of any relevant Equipment to the Customer, (b) the use of one or more of the component elements of the Service by the Customer (following installation of such Service component(s) at the relevant Customer Site) or (c) (where applicable) the commencement of any work or activity (as described in the Service Order Form) by ĢƵ.

1.26 “Service Level Agreement” means the service level agreement detailing the service levels relating to the Services and the Equipment as agreed in writing between the parties from time to time.

1.27 “Service Order Form” means the service order form(s) signed by both parties in relation to the provision of any Services and Equipment under this Agreement.

1.28 “SOF Effective Date” means the effective date of the relevant Service Order Form which shall be the earlier of: (a) date of receipt of an executed copy of this Service Order Form by ĢƵ or (b) the specific date specified in the Service Order Form.

1.29 “SOF Initial Term” means the specified initial term in relation to a Service Order Form and the provision of the associated Services which shall commence from the Service Commencement Date.

1.30 “Third Country” means a country that is not a member state of the European Union.

1.31 “Third Party Service End User” means merchant, retailer or other third-party customer of the Customer and/or its relevant Affiliate(s) who use the Services to process their respective Transactional Data.

1.32 “ĢƵ Group Information Security Management System” or “ĢƵ Group ISMS” means the Global Information Security Management System (ISMS) Charter which is adopted by ĢƵ or its relevant Affiliate (ĢƵ Group) in relation to the operation of ĢƵ Group businesses. ĢƵ Group ISMS incorporates the relevant detailed security processes and procedures which are documented in the individual ĢƵ Group ISMS programs and underlying security policies (as outlined in the ĢƵ Group ISMS Charter);

1.33 “ĢƵ Group Security Measures” means the technical and organisational security measures adopted by ĢƵ and its relevant Affiliates as outlined in Part B of Schedule 1 of this Agreement, pursuant to the Data Protection Laws;

1.34 “ĢƵ Group Systems and Infrastructure” means the Network or other systems, Dedicated Connections, equipment and other infrastructure deployed by ĢƵ (or the relevant Affiliates) at relevant ĢƵ Sites in connection with the provisions of the Services and/or the receipt or transmission of any Transactional Data;

1.35 “ĢƵ Location” means, where relevant Customer Equipment shall be installed as part of the relevant Services, the relevant location within a relevant ĢƵ Site (as determined at the sole discretion of ĢƵ) where such Customer Equipment is located.

1.36 “ĢƵ Site” means any premises or sites which are owned, operated or leased by ĢƵ and which are used by ĢƵ in connection with the Services and the Equipment to be provided under this Agreement.

1.37 “Transaction” means payment card, financial or other transactional related data packet containing Transactional Data of the Customer, a Customer Affiliate or (where applicable) a Third Party Service End User which is transmitted or otherwise processed as part of the Services.

1.38 “Transactional Data” means any cardholder, financial or other transaction orientated data relating to a Transaction which is transmitted or otherwise processed by ĢƵ and/or its Affiliates as part of the provision or use of the Services and which may contain Personal Data relating to a Data Subject;

1.39 Any references to any statute or statutory provision includes reference to any statute or statutory provision which amends, extends, consolidates, or replaces the same or which has been amended, extended, consolidated or replaced by the same and shall include any orders, regulations, codes of practice, instruments or other subordinate legislation made under the relevant statute or statutory provision.

2. Term

2.1 The initial term of this Agreement shall commence on the Effective Date for a period of thirty-six (36) months (“Initial Term”). Upon expiry of the Initial Term, the term of this Agreement shall renew automatically for successive renewal periods of twelve (12) months each (“Renewal Term”) unless: (a) terminated sooner in accordance with any other term(s) of this Agreement; or (b) either party elects not to renew this Agreement by giving written notice of such election to the other at least ninety (90) days prior to the expiry date of the Initial Term or (where appropriate) the Renewal Term PROVIDED ALWAYS THAT such notice to terminate shall not become effective on or before the expiration or termination date of any Service Order Form(s) where there is any applicable unexpired initial term or renewal term relating to such Service Order Form(s).

2.2 Notwithstanding Clause 2.1 of this Agreement, each Service Order Form shall be effective from the SOF Effective Date and shall continue for the corresponding SOF Initial Term. Upon expiry of the relevant SOF Initial Term, each Service Order Form and provision of the associated Services thereunder shall continue thereafter until terminated by either party on one (1) month’s prior written notice.

3. Provision of Services and Equipment

3.1 ĢƵ agrees to provide the Customer with the Services and Equipment with reasonable care and skill and on the terms and conditions of this Agreement.

3.2 The parties acknowledge that it is technically impracticable to provide the Services free of faults and ĢƵ does not undertake to do so. ĢƵ does, however, agree to rectify faults in accordance with Clause 9 of this Agreement.

3.3 ĢƵ shall not be required to provide any service(s) beyond the Services unless such provision is agreed in writing by ĢƵ. ĢƵ will use reasonable endeavours to provide such additional service(s). Costs and expenses associated with such additional service(s) shall be borne by the Customer. In the event that the provision of such additional service(s) has been agreed in writing by ĢƵ, the parties agree that any such additional service(s) shall be provided on the terms and conditions of this Agreement and this Agreement shall be construed as incorporating any such additional service(s) as Services.

3.4 ĢƵ agrees to use all reasonable endeavours to provide a Dedicated Connection by the Contractual Delivery Date. If the Customer requests a change to the specification of a Dedicated Connection, before provision is complete, the date by which ĢƵ agrees to provide the Dedicated Connection to the new specification will become the Contractual Delivery Date.

3.5 ĢƵ shall, at the prior request of the Customer at the time of placing the order for the Services and for a maximum period of two (2) working days, carry out such testing of the Equipment and/or the Customer’s Equipment as it may deem reasonably necessary. Such testing shall be undertaken at no additional cost to the Customer. Any request made pursuant to this Clause 3.5 shall be made prior to the Contractual Delivery Date. Any testing requested by the Customer over and above such two (2) working days or required due to Customer-related issues shall be chargeable by ĢƵ at their then standard commercial rates.

3.6 In the event that no testing is carried out pursuant to Clause 3.5 within thirty (30) days of the Contractual Delivery Date the Services shall be deemed accepted by the Customer and any testing shall be carried out at the Customer’s expense.

3.7 If the Customer fails to notify ĢƵ of any scheduled testing to be undertaken by the Customer at any time after placing the order for the Services, ĢƵ shall not be liable for any failure or delay in the installation of the Services. For the avoidance of doubt, any testing other than pursuant to Clause 3.5 above or other than pursuant to Clause 9.3 below (where Clause 9.4 is not applicable) shall be carried out by ĢƵ at the Customer’s expense.

3.8 The Customer acknowledges that ĢƵ is not the manufacturer of any of the Equipment. As regards any guarantees, warranties and conditions given to or made to ĢƵ by the said manufacturer in respect of the Equipment, ĢƵ will use its reasonable endeavours to procure for the Customer the benefits of any guarantees, warranties or conditions offered by the manufacturer of the Equipment.

4. Pricing

4.1 The Service Charges for the Services are set out in the relevant Service Order Form. The Customer agrees to pay ĢƵ each of the Service Charges. Unless specified otherwise in the relevant Service Order Form, all Service Charges or other charges incurred are in Pounds Sterling. Any Service Charges or other charges incurred in foreign currency will be converted to Pounds Sterling based on the applicable FXDaily currency exchange rate as set forth on the last working day of each month.

4.2 ĢƵ reserves the right to change the Service Charges by giving thirty (30) days written notice to the Customer during any term of this Agreement as necessary to account for any increase in Equipment provisioning or facility costs resulting from a change in the Customer’s Service requirements.

4.3 The Customer acknowledges that tariffed local access charges (including, but not limited to, call set-up charges) or any other charges regulated under the Communications Act 2003 (or other relevant Applicable Laws) which are imposed by third party carriers and which may be passed on to the Customer as set forth herein are beyond the control of ĢƵ. In the event that such charges may be changed by such third-party carriers at any time during any term of this Agreement, ĢƵ reserves the right (at the sole discretion of ĢƵ) to pass on such charge increases to the Customer during the Initial Term or any Renewal Term in the form of a variation to the Service Charges PROVIDED THAT ĢƵ shall use all reasonable endeavours to minimise any proposed increased charges imposed by third party carriers.

4.4 To the extent that ĢƵ elects to change the Service Charges during the Initial Term or any Renewal Term pursuant to Clause 4.2 or 4.3, ĢƵ will furnish to the Customer at the Customer’s request such materials as are reasonably necessary to evidence such increase. The Customer will pay such increased Service Charges as are duly notified by ĢƵ to the Customer pursuant to Clause 4.2 and 4.3 PROVIDED THAT the Customer shall be permitted to dispute such increased Service Charges where ĢƵ has failed to furnish to the Customer such materials as are reasonably necessary to evidence such increase in the third-party charges.

5. Invoicing and Payment

5.1 The Customer shall pay ĢƵ all Service Charges, except those that are disputed in good faith, as and when due under this Agreement and ĢƵ shall invoice the Customer for such Service Charges in accordance with Clause 5.2 of the Agreement. The Customer shall have the right to dispute any amount invoiced and must notify ĢƵ in writing of its dispute within sixty (60) days of the receipt of such invoice(s) or the dispute shall be deemed waived by the Customer. A copy of the written notification of disputed charges plus any documentation supporting the Customer’s claim shall be forwarded to ĢƵ at the address set forth in the Agreement.

5.2 All payments shall be either mailed to the ĢƵ address stated on the invoice or paid by Direct Debit, Electronic Transfer or Bank Transfer to the company bank account, details stated on the invoice. Unless stated otherwise in any relevant Service Order Form, invoices will be issued quarterly in advance and are payable within thirty (30) days from the date shown on the invoice. Commencing upon the day after the due date of the invoice, and on a daily basis, interest shall be due and payable by the Customer to ĢƵ, at a rate of 1.5% per month, as current from time to time whether before or after judgment, on any undisputed portion of the invoice which has not been paid. Payments will be applied first to the oldest outstanding amounts.

5.3 Payment of all sums due under this Agreement will be made by the Customer in full without any set-off, deductions or withholding.

5.4 All sums due to ĢƵ under this Agreement are exclusive of Value Added Tax and any other applicable taxes, which may from time to time be introduced.

5.5 The Service Charges as set out in the relevant Service Order Form shall remain fixed for twelve (12) months from the Effective Date. Thereafter, any increase in the cost of such charges to the Customer shall be limited to the then UK Retail Price Index (RPI).

5.6 Without prejudice to any other right or remedy it may have, if the Customer fails to pay the Service Charges to ĢƵ by the due date (as specified in clause 5.2) and fails to make a payment within seven (7) days after receipt of written notice from ĢƵ of such breach, ĢƵ may suspend all Services with immediate effect until payment has been made in full by the Customer.

6. Variations of Terms and Conditions

6.1 For operational and other reasons, ĢƵ may at any time vary the technical specification and/or form of the Services without seeking the consent of the Customer PROVIDED THAT such variation does not detract from or impair to a material degree the overall operation or performance of the Services or will or may result in the Customer incurring additional costs or expenses. ĢƵ shall give notice to the Customer of any such variation as soon as practicable. The expense of any such variation shall be borne by ĢƵ.

6.2 Any other variation to the terms of this Agreement (including a change to the Services other than as outlined in Clause 6.1) shall be agreed in writing between the parties. Any request for a change to the Services by the Customer under this Clause 6 shall be made in writing.

7. Termination of service by notice

7.1 ĢƵ may terminate this Agreement and/or any Service Order Form(s) forthwith by written notice to the Customer if:

7.1.1 the Customer fails to pay any Service Charges by the due date (as specified in Clause 5) and fails to make payment within fourteen (14) days after receipt of written notice from ĢƵ of such breach except where the relevant Service Charges are disputed in good faith in accordance with Clause 5.1; or

7.1.2 the Customer fails to perform or observe any other material term or condition of this Agreement which is not capable of remedy, or if capable of remedy has not been remedied within thirty (30) days after receipt of written notice from ĢƵ of such failure; or,

7.1.3 the Customer persistently and repeatedly breaches any of the terms of this Agreement in such a manner as to reasonably justify the opinion that its conduct is inconsistent with it having the intention or ability to give effect to the terms of this Agreement; or

7.1.4 an order is made or a resolution is passed for the winding-up of the Customer or an administrator or a receiver (which expression shall include an administrative receiver) is appointed in respect of the whole or any material part of the assets of the Customer or if the Customer enters administration or makes any voluntary arrangement with its creditors or if the Customer is unable to pay its debts within the meaning of Section 123 of the Insolvency Act 1986.

7.2 The Customer may terminate this Agreement and/or any Service Order Form(s) forthwith by written notice to ĢƵ, if:

7.2.1 ĢƵ fails to perform or observe any material term or condition of this Agreement which is not capable of remedy or, if capable of remedy, is not remedied within thirty (30) days after receipt of written notice from the Customer of such failure; or,

7.2.2 an order is made or a resolution is passed for the winding-up of ĢƵ or a receiver (which expression shall include an administrative receiver) is appointed in respect of the whole or any material part of the assets of ĢƵ or if ĢƵ is unable to pay its debts within the meaning of Section 123 of the Insolvency Act 1986, the Customer may terminate this Agreement.

7.3 If the Customer gives ĢƵ notice to terminate any Services or facility asked for under the Services under any Service Order Form, before Services or the particular facility is provided as the case may be, ĢƵ may make a charge for abortive work done and will collect any out of pocket expenses, spent to meet the Customer’s requirements.

7.4 In the event that this Agreement and/or any Service Order Form(s) are terminated for any reason then the Customer shall pay to ĢƵ the following sums:

7.4.1 all charges and payments which have fallen due under the Service Order Form(s) to the date of termination but have not been paid; and

7.4.2 unless terminated by the Customer pursuant to Clause 7.2, an amount equal to the aggregate of all Service Charges which would, but for the termination, have been payable for the Initial Term and any Renewal Term, such amount to be calculated by ĢƵ acting reasonably; and

7.4.3 any costs and expenses incurred by ĢƵ in collecting any payments due under this Clause 7.4; and

7.4.4 an amount equal to interest on all sums specified in sub-clauses 7.4.1 to 7.4.3 (inclusive) at the interest rate referred to in Clause 5.2 from the date on which such payment became due until the date of payment to accrue both before, after and notwithstanding any judgment.

7.4.5 any de-installation and disconnection fees, rental amounts and other charges and fees which are payable on termination as set out in any relevant Service Order Form and/or as otherwise agreed in writing between the parties.

7.5 Upon expiry or termination of the Agreement and/or Service Order Form(s) for whatever reason, the Customer shall at ĢƵ’ option either forthwith return to ĢƵ all papers, documents and matters belonging to ĢƵ and in the Customer’s possession or under the Customer’s control or destroy the same and any copies thereof. The Customer shall procure that one of its duly authorised officers shall certify in writing to ĢƵ that the Customer has complied with its obligations as aforesaid.

8. Customer Responsibilities:

8.1 The Customer is responsible for the Dedicated Connection (including any cabinets or ducts enclosing it) within the boundary of the Customer Site and for its proper use. The Customer must not interfere with it nor permit anybody else (except someone authorised by ĢƵ) to do so. If the Dedicated Connection is lost, destroyed or damaged (except by fair wear and tear) the Customer must pay ĢƵ’ charges for its replacement or repair.

8.2 The Customer is solely responsible for the content of communications and data transmitted by the Customer using the Services, and shall defend, indemnify, and hold harmless ĢƵ from and against all liabilities and costs (including legal fees on a full indemnity basis) arising from any and all claims by any person based upon the content of any such communications. Such indemnity shall be subject to the condition that if any third party makes any such claim, or notifies an intention to make a claim, against ĢƵ which may reasonably be considered likely to give rise to a liability under this indemnity (a “Relevant Claim”), ĢƵ shall:

8.2.1 as soon as it is notified of or becomes aware of the Relevant Claim, give written notice of the Relevant Claim to the Customer, specifying the nature of the Relevant Claim in reasonable detail; and

8.2.2 having received reasonable prior notice from the Customer, provide the Customer and its professional advisers with copies of any relevant documents and records within the power or control of ĢƵ (at the Customer’s expense) which are requested by the Customer for the purpose of assessing, disputing, compromising or defending the Clause 8.2 Relevant Claim.

8.3 The Customer undertakes to use the Services and Equipment in accordance with any relevant Applicable Laws.

8.4 The Customer shall ensure that all Customer Equipment that connects to the Services will perform according to published technical specifications for such equipment and ĢƵ’ interface specifications as provided to the Customer from time to time, so as to enable the provision of the Services. This Agreement does not include the provision, maintenance or repair by ĢƵ of Customer Equipment. The Customer shall ensure that all Customer Equipment should be regularly maintained and should comply with any relevant Applicable Laws. The Customer shall not do any act or thing which shall be a breach of any lease, license or agreement, any Applicable Laws or otherwise affecting the use of the Customer Site or (if applicable) the ĢƵ Site(s) or provision of the Services and/or use of the Equipment and shall procure that all individuals who access the ĢƵ Site(s) on its authority or at its invitation abide by all rules and regulations notified to them by ĢƵ from time to time.

8.5 The Customer will provide ĢƵ (free of charge) with all such information and co-operation that ĢƵ may reasonably require to provide the Services and/or Equipment to the Customer.

8.6 The Customer will provide ĢƵ with suitable accommodation, assistance, facilities and environmental conditions for the Equipment at the Customer Site and all necessary electrical and other installations and fittings for such Equipment, as notified to the Customer by ĢƵ from time to time.

8.7 The Customer is not permitted to resell or re-supply the Services and Equipment. If the Customer permits third parties to access the Services and/or Equipment, the Customer shall defend, indemnify and hold harmless ĢƵ from and against all liabilities and costs (including legal fees on a full indemnity basis) arising from any and all claims made by any such third party in connection with the Services, regardless of the form of action, whether in contract, tort (including ĢƵ’ active or passive negligence), warranty, or strict liability. However, the Customer shall have no obligation to indemnify and defend ĢƵ against claims for direct damages to real or tangible personal property, or for bodily injury or death, proximately caused by ĢƵ’ negligence.

8.8 The Customer will not add to, modify, in any way interfere with, cause damage to, detract from or impair the performance or operation of the Equipment. ĢƵ shall not be liable for any failure to provide the Services which ĢƵ can reasonably demonstrate would have not occurred if the Customer had not added to, modified, in any way interfered with, caused damage to, detracted from or impaired the performance or operation of the Equipment, provided that all other failures shall continue to be so covered. The Customer shall implement security procedures necessary to limit access to the Services to the Customer’s authorised users and shall maintain a procedure external to the Services for reconstruction of lost or altered files, data or programs.

8.9 The Customer agrees to reimburse ĢƵ for reasonable documented out-of-pocket costs incurred by ĢƵ in relation to the following:

8.9.1 for any Equipment or Services ordered by the Customer but cancelled before installation;

8.9.2 for changes in delivery instructions in respect of Equipment and/or Services; and/or

8.9.3 for the relocation of Equipment at the Customer’s request.

8.10 The following terms shall apply to any Equipment provided by ĢƵ in connection with the provision of the Services:

8.10.1 such Equipment is and shall remain the property of ĢƵ;

8.10.2 the Customer will not remove or alter in any way any identification mark on any part of the Equipment showing that it is owned by ĢƵ;

8.10.3 the Customer shall not pledge, loan, mortgage, or attempt in any other manner to dispose of the Equipment or to suffer any liens, encumbrances, or legal process to be incurred or levied on the Equipment;

8.10.4 the Customer shall not remove any Equipment from the Customer Site(s) or any third-party site where such Equipment is installed without the prior written consent of ĢƵ;

8.10.5 any assistance in such removal or moving of Equipment shall be at the cost of the Customer;

8.10.6 the Customer shall bear the entire risk of loss and damage to the Equipment for any cause (other than caused by a direct act or negligence on the part of ĢƵ) upon delivery of the Equipment to the Customer Sites;

8.10.7 the Customer shall be responsible for the physical security of all routers and any other relevant Equipment which is located at the relevant Customer Sites as required by PCI DSS;

8.10.8 in the event of loss or damage of any kind to the Equipment for which the Customer bears the risk, the Customer shall pay ĢƵ the costs to repair or replace the Equipment, as the case may be; and

8.10.9 the Customer shall return such Equipment to ĢƵ upon termination or expiration of this Agreement.

8.11 The Customer will use all Equipment provided to the Customer by ĢƵ in a careful and appropriate manner and in accordance with the terms of this Agreement. Subject to Clause 8.9 in relation to the Equipment, ĢƵ will use reasonable endeavours to repair or replace any failed Equipment as expeditiously as possible. The Customer will not cause the Equipment to be repaired, serviced or otherwise attended to or altered except by an authorised representative of ĢƵ. The Customer shall not, without in each and every case the prior written consent of ĢƵ, connect any of the Equipment to or disconnect any of the same from the Network or Dedicated Connection or make any alteration to the Equipment. The Customer, its employees, sub-contractors and agents shall not examine or interfere with the Equipment.

8.12 The Customer agrees to permit reasonable access to any Customer Sites by ĢƵ employees or agents during normal business hours for the installation, commission, servicing or removal of Equipment. ĢƵ agrees that all such ĢƵ employees or agents shall abide by the Customer’s rules and procedures while on Customer Sites. The Customer will permit ĢƵ to inspect or test the Equipment remotely during the Customer’s normal business hours.

8.13 Where relevant Customer Equipment shall be installed at a ĢƵ Site as part of the relevant Services, the relevant ĢƵ Location at the ĢƵ Site shall be designated by ĢƵ at its sole discretion and notified in writing to the Customer by ĢƵ. Customer shall not be permitted to make any alteration or modification to any property at the ĢƵ Location. Any Customer Equipment which is to be installed at the ĢƵ Location shall be at the Customer’s risk at all times and the Customer shall be responsible for insuring the Customer Equipment against all risks. The Customer agrees that all the Customer employees or agents shall abide by ĢƵ’ rules and procedures while on ĢƵ Sites and abide by any third party rules and procedures while on such third party site.

8.14 The Customer undertakes to use the Services and conduct itself (and ensure that its sub-contractors, clients and employees conduct themselves) in accordance with:

8.14.1 such reasonable conditions as may be notified in writing to the Customer by ĢƵ from time to time;

8.14.2 the relevant provisions of the Communications Act 2003 and any other relevant Applicable Laws; and

8.14.3 any direction of Ofcom or such other Regulatory Body which governs the running of electronic communication or telecommunication networks or services and equipment.

8.15 Where relevant Customer Equipment shall be installed at a ĢƵ Site as part of the relevant Services, the Customer warrants and represents that the total power consumption of all of the Customer Equipment at the relevant ĢƵ Locations shall not exceed 500 Watts per square metre unless previously advised by ĢƵ.

9. Fault Repair

9.1 ĢƵ shall be responsible for.

9.2 The Customer must promptly report a fault referred to in Clause 9.1 or any other fault in the Services, Equipment and/or Network by telephoning such number as ĢƵ may provide to the Customer from time to time. The Customer will at the time of report provide ĢƵ with a Contact telephone number to enable ĢƵ to advise on progress.

9.3 If the Customer reports a fault in the Services and/or Equipment, ĢƵ will respond by carrying out one or more of the following actions:

9.3.1 providing advice by telephone, including (where appropriate) advice as to tests and checks to be carried out by the Customer;

9.3.2 carrying out diagnostic checks from ĢƵ Site(s); and/or

9.3.3 escalating the fault, where appropriate, to the telecommunications provider.

9.4 Where a relevant Service Level Agreement has been agreed in writing between the parties, ĢƵ shall provide such maintenance and other support (including rectification of any faults) in relation to the Network, the Service and the Equipment and take all proper steps without undue delay to correct the fault as outlined in such Service Level Agreement.

9.5 If ĢƵ does work to correct a reported fault in the Services and finds there is none or that the fault is not due to an act or omission on the part of ĢƵ, ĢƵ may charge the Customer for:

9.5.1 any work carried out in connection with correcting the fault; and

9.5.2 for any costs and expenses incurred by ĢƵ or its subcontractors in attending the Customer Sites, other third party site used by the Customer in connection with the use of the Services and Equipment and/or (where appropriate) any relevant ĢƵ Site(s) in relation to investigating the reported fault.

10. Intellectual Property:

10.1 ĢƵ hereby grants to Customer a personal, non-exclusive, non-transferable license during the term of this Agreement and/or any relevant Service Order Form(s) to use, in object code form, all software and related documentation (“Licensed Material”) which may be furnished to Customer under this Agreement and/or any relevant Service Order Form(s). Customer agrees to use its best endeavours to ensure that its employees and users of all Licensed Material hereunder comply with the terms and conditions set out in this Agreement. Customer also agrees to refrain from taking any steps, such as reverse assembly or reverse compilation, to derive a source code equivalent to the software comprised in the Licensed Material. All Licensed Material furnished to Customer under this Agreement and/or any relevant Service Order Form(s) shall be used by Customer only to support Customer’s use of the Services and Equipment and shall not, without ĢƵ’ prior written consent, be reproduced or copied in whole or in part, except for two (2) backup or archival copies, shall not be removed from the United Kingdom, and shall be returned to ĢƵ upon expiration or termination of this Agreement and the relevant Service Order Form(s). The Customer’s right to use the Licensed Material shall cease on expiry or termination of this Agreement and/or any relevant Service Order Form(s).

10.2 The Intellectual Property Rights, all other rights and confidential information in the interface and the software hardware and materials created and used by ĢƵ in providing the Services or in performing its obligations under this Agreement shall vest in ĢƵ and shall remain the exclusive property of ĢƵ unless ĢƵ otherwise agrees. The Customer will at the request of ĢƵ provide to ĢƵ such co-operation and assistance as ĢƵ shall reasonably require in order to protect and preserve ĢƵ’s Intellectual Property Rights and other matters referred to in this Clause 10.

10.3 ĢƵ shall defend, indemnify, and hold the Customer harmless, at the expense of ĢƵ, against any claims, actions or suits brought against the Customer based on a claim of infringement of any Intellectual Property Rights arising out of use by the Customer of the Services, Equipment and/or the Licensed Material. Such indemnity shall be subject to the condition that if any third party makes any such claim, or notifies an intention to make a claim, against the Customer which may reasonably be considered likely to give rise to a liability under this indemnity (an “IP Relevant Claim”), the Customer shall:

10.3.1 as soon as it is notified of or becomes aware of the IP Relevant Claim, give written notice of the IP Relevant Claim to ĢƵ, specifying the nature of the Relevant Claim in reasonable detail;

10.3.2 give ĢƵ immediate and complete control of the dispute, compromise or defense of the IP Relevant Claim;

10.3.3 not make any admission of liability, agreement or compromise in relation to the IP Relevant Claim without the prior written consent of ĢƵ (such consent not to be unreasonably conditioned, withheld or delayed); and

10.3.4 give ĢƵ and its professional advisers access at reasonable times (on reasonable prior notice) to the Customer Sites and its officers, directors, employees, agents, representatives or advisers, and to any relevant assets, accounts, documents and records within the power or control of the Customer and give ĢƵ all reasonable assistance, so as to enable ĢƵ and its professional advisers to examine them and to take copies (at the expense of ĢƵ) for the purpose of assessing, disputing, compromising or defending the IP Relevant Claim.

10.4 If a final injunction is obtained against ĢƵ prohibiting the use by the Customer of the Services and/or the Licensed Material due to infringement of third party Intellectual Property Rights, ĢƵ will, at its option, either:

10.4.1 procure the right for the Customer to continue using the Services, Equipment and/or the Licensed Material; or

10.4.2 direct the Customer to return any ĢƵ materials in its possession relating to the infringing Services, Equipment and/or Licensed Material at the expense of ĢƵ; or

10.4.3 in the case of 10.4.3., the Customer will have the right to terminate this Agreement and/or any relevant Service Order Form(s), and ĢƵ will repay to the Customer any Service Charges paid to ĢƵ in advance, prorated to the date of termination.

11. Warranty and Limitation of Liability:

11.1 Without prejudice to the express warranties contained herein, and to the maximum extent permissible in law, all conditions and warranties, which are to be implied by statute or otherwise by general law into this Agreement any relevant Service Order Form(s) and/or relating to the provision or use of the Services and the Equipment, are hereby excluded.

11.2 The following provisions in this Clause 11 set out ĢƵ’s entire liability (including any liability for the acts and omissions of its employees, agents or sub‑contractors) to the Customer in respect of:

11.2.1 a breach of ĢƵ’ contractual obligations;

11.2.2 a tortious act or omission for which ĢƵ is liable;

11.2.3 an action arising out of a misrepresentation by or on behalf of ĢƵ; and/or

11.2.4 arising in connection with the performance or contemplated performance of any relevant Service Order Form(s) or out of an act done or omission made as a consequence of the entry into by ĢƵ of any relevant Service Order Form(s).

11.3 Subject to Clauses 11.4 and 11.6, the total liability which ĢƵ shall owe to the Customer and in respect of all claims shall not exceed the lower of (a) a sum equal to the current annual Service Charges payable under the relevant Service Order Form(s); or (b) five hundred thousand pounds (£500,000).

11.4 ĢƵ shall in no circumstances be liable to the Customer for loss of profits, loss of business revenue, loss of goodwill or loss of anticipated savings or any other special, indirect, consequential, incidental or collateral loss or damage.

11.5 ĢƵ shall in no circumstances (whether before or after termination of this Agreement and/or any relevant Service Order Forms) be liable to the Customer for any loss of or corruption to data or programs held or used by or on behalf of the Customer. The Customer shall at all times keep adequate back‑up copies of the data and programs held or used by or on behalf of the Customer.

11.6 Notwithstanding anything to the contrary herein contained, the liability of ĢƵ to the Customer for death or personal injury resulting from the negligence, fraud and fraudulent misrepresentation of ĢƵ shall not be limited.

11.7 This Clause 11 shall survive the termination of the whole or a part of this Agreement and/or any relevant Service Order Form(s).

11.8 ĢƵ shall not be liable for:

11.8.1 service impairments caused by acts within the control of the Customer, its employees, agents, subcontractors, suppliers or licensees; or

11.8.2 interoperability of specific Customer systems and applications of the Customer which are used in connection with the Services and Equipment.

12. Confidentiality:

12.1 All Confidential Information such shall be deemed the property of the Disclosing Party and shall be returned upon request. The Receiving Party shall:

12.1.1 hold the Confidential Information in confidence at all times both during and following termination of this Agreement;

12.1.2 restrict disclosure of Confidential Information solely to its employees and employees of its Affiliates, as well as its agents, subcontractors or advisors with a need to know; and

12.1.3 use the same degree of care as it uses for its own confidential information to prevent the unauthorised disclosure, use or publication of Confidential Information.

12.2 The receiving party shall have no obligation to preserve the confidentiality of any information which:

12.2.1 was previously known to the receiving party or any of its Affiliates free of any confidentiality obligation;

12.2.2 is disclosed to third parties by the disclosing party without restrictions;

12.2.3 becomes publicly available by other than unauthorised disclosure;

12.2.4 is independently developed by the receiving party;

12.2.5 is disclosed with the prior consent of the disclosing party.

12.3 The Service Charges and any related payment terms in any relevant Service Order Forms and other terms and conditions of this Agreement are Confidential Information and shall be treated in confidence by both parties.

12.4 The parties acknowledge that monetary damages would not be an adequate remedy for the disclosing party for breach by the receiving party of its obligations under Clause 12 and accordingly agree that the disclosing party shall be entitled to specific performance of the receiving party’s obligations herein and to injunctive and other equitable relief in addition to any other remedy to which it may be entitled at law or in equity, including damages.

12.5 This Clause 12 shall survive termination or expiry of the whole or part of this Agreement and/or any relevant Service Order Form(s).

13. General

13.1 The Customer and ĢƵ shall make a good faith effort to settle any disputes that may arise with respect to the terms and conditions or any subject matter referred to in or governed by this Agreement and/or any relevant Service Order Forms within sixty (60) days from the date the dispute is first discussed and documented between the parties. Nothing in this Clause 13.1 precludes legal proceedings by either party in the courts at any time:

13.1.1 for an order (whether interim or final) to restrain the other party from doing any act or compelling the other party to do any act; or

13.1.2 for a judgment for a liquidated sum to which there is no arguable defense;

13.1.3 the purpose of which is to prevent a claim becoming time-barred under any statute of limitations;

13.1.4 in relation to Intellectual Property Rights infringement claims; or

13.1.5 in the case of ĢƵ, to claim a debt.

13.2 Any legal action arising from or in connection with this Agreement, or any Services provided or work performed under any relevant Service Order Forms, must be brought within two (2) years after the cause of action accrues.

13.3 Nothing in this Agreement and/or any relevant Service Order Forms shall create or vest in the Customer any right, title, or interest in the Services, other than the right to use the Services under the terms and conditions of this Agreement.

13.4 ĢƵ’ performance obligations under this Agreement and/or any relevant Service Order Forms shall be solely to the Customer and not to any third party. Other than as expressly set forth herein, this Agreement shall not be deemed to provide third parties with any remedy, claim, right of action, or other right. For the avoidance of any doubt no term of this Agreement is enforceable under the Contracts (Rights of Third Parties) Act 1999 by any person who is not a party to this Agreement.

13.5 Neither party shall be liable for any breach of this Agreement and/or any relevant Service Order Forms due to any cause beyond its reasonable control (save an obligation in respect of the payment of monies), including but not limited to Acts of God, inclement weather, flood, lightning or fire, industrial action, act or omission of government, or other competent authority, riot, war or act or omission of any other party for whom that party is not responsible (an “Event of Force Majeure”). If an Event of Force Majeure continues for more than three (3) months, the party not as a result avoiding liability under this Clause 13.5 may serve notice on the other party terminating this Agreement and/or any relevant Service Order Forms.

13.6 This Agreement and/or the Service Order Forms shall be governed by and construed in accordance with the law of England and Wales and, subject to 13.1 (where a relevant dispute cannot be so settled through each party’s respective escalation procedures), the parties hereby submit to the non-exclusive jurisdiction of the courts of England and Wales.

13.7 Any assignment by either party of any right, obligation or duty, in whole, in part, or of any other interest hereunder, without the written consent of the other party shall be void, except assignments to an Affiliate of either ĢƵ or Customer. All obligations and duties of any party under this Agreement and/or any relevant Service Order Forms shall be binding on all successors in interest and assigns of such party. ĢƵ may subcontract any of the Services to be performed under any relevant Service Order Forms. ĢƵ shall be liable to the Customer for all acts and omissions of any subcontractors to the extent that, had such acts or omissions been of ĢƵ, ĢƵ would have been liable to the Customer.

13.8 All notices, requests, demands and other communications hereunder shall be in writing and shall be deemed to have been duly given when delivered or mailed first class postage prepaid, or registered post. Notices shall be mailed to ĢƵ or the Customer at its respective address set forth in the relevant Service Order Forms. The parties may change the addresses by giving ten (10) days’ prior written notice.

13.9 Nothing in this Agreement and/or any relevant Service Order Forms is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorise any party to make or enter into any commitments for or on behalf of any other party.

13.10 If any provision or part-provision of this Agreement and/or any relevant Service Order Forms is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this Agreement and/or any relevant Service Order Forms.

13.11 This is the entire agreement between the parties with respect to the Services and Equipment provided hereunder and it supersedes all prior agreements, proposals, representations, statements or understandings, whether written or oral, concerning the Services and Equipment. No change, modification or waiver of any of the terms of this Agreement shall be binding unless included in a written agreement and signed by both parties.

13.12 Neither this Agreement nor any provision contained in this Agreement shall create or provide any rights, remedies or obligations, including but not limited to the rights of third party beneficiaries, in any person or entity other than the Customer or ĢƵ.

13.13 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by Applicable Law shall constitute a waiver of that or any other right or remedy, nor shall it preclude or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall preclude or restrict the further exercise of that or any other right or remedy.

14. Publicity

14.1 The parties acknowledge that it would be beneficial to promote appropriate publicity of the arrangements made between them. Announcements, circulars or other publicity in connection with the existence or subject matter of this Agreement and/or any relevant Service Order Forms, shall only be made by either party with the prior approval of the other as to its content, form and manner of publication (such approval not to be unreasonably withheld or delayed) save that any announcement, circular or other publicity required to be made or issued by either party pursuant to any legal or regulatory authority may be made or issued without such approval. The parties shall consult together upon the form of any such announcement, circular or other publicity and the other party shall promptly provide such information and comment as the party issuing any such announcement, circular or other publicity may from time to time reasonably request.

14.2 Neither party shall publish or use any advertising, sales, promotions, press releases or other publicity which uses the other party’s name, logo, trademark or service marks without the prior written approval of the other party, such approval shall not be unreasonably withheld.

15. Appropriate Use Policy

15.1 The Customer understands that the Network is a special purpose data network designed to provide specific application message transport, such as APACS. The Customer agrees to ensure that all application traffic will be defined to ĢƵ in advance of Network use to ensure appropriate transport design. The Customer will not perform any protocol spoofing to obtain transport of a non-approved application over the provided transport subject as otherwise provided by the terms of this Agreement and/or any relevant Service Order Forms. The Customer shall not resell or otherwise distribute its right to access and use the Network or any of the Services to any other party. The Customer shall not use its access to the Network to provide message relay, gateway services, connectivity to any downstream networks or any other service designed to forward messages to any other transport provider. The Customer shall not, and shall not permit any other person to, interface equipment with the Equipment or any other equipment used to transmit information via the Network to the Customer. The Customer shall notify ĢƵ immediately if it becomes aware of any unauthorised use of information transmitted via the Network. The Customer agrees that any use of the Network will be in compliance with all Applicable Laws and regulations, and that it will not use, or knowingly allow any other person to use, the Network for or in connection with any illegal purpose or activity. In the event that the Customer breaches the terms of this Clause 15, ĢƵ may, upon fourteen (14) days written notice to the Customer, terminate the Services and/or disconnect the Customer from the Network if the breach is not remedied within seven (7) days of such notice.

16. PCI DSS Compliance

16.1 The parties acknowledge that the ĢƵ Network has a PCI DSS Certification as at the Effective Date. ĢƵ agrees to maintain such PCI DSS Certification where applicable to the ĢƵ Network during the term of this Agreement and/or the Service Order Forms.

16.2 Subject to Clause 16.3, the parties agree to comply with PCI DSS in relation to the relevant environment (including without limitation any related Customer’s Equipment and Equipment) in which the relevant Services operate and/or the performance of their respective relevant obligations under this Agreement and/or the Service Order Forms (which requires such compliance with PCI DSS). For the avoidance of doubt, the parties acknowledge and agree that the following shall apply to all router devices and any other Equipment that is supplied as part of the Services and located at the relevant Customer Sites:

(a) the Customer shall be responsible for the physical security of all such Equipment which is located at the relevant Customer Sites as required by PCI DSS (as outlined in clause 8.10.7 of this Agreement); and

(b) ĢƵ shall remain responsible for the logical security of all such Equipment as is required by PCI DSS.

16.3 Where any changes to the criteria of PCI DSS are introduced by PCI SSC during any twelve month period from the date of the relevant PCI DSS Attestation of Compliance, the parties agree that ĢƵ shall only be obligated to comply with the version of PCI DSS that applied as at the date of that relevant PCI DSS Attestation of Compliance for the remainder of the relevant twelve month period and the relevant changes to the PCI DSS shall only apply to subsequent PCI DSS Certification(s) and corresponding PCI DSS Attestation(s) of Compliance.

16.4 The Customer agrees to use certain designated encryption methods for transmitting data into the ĢƵ Network in the event that any Services and Equipment access the ĢƵ Network using an open public network including without limitation public DSL and wireless connectivity. The Customer acknowledges and agrees that the Customer shall have sole liability for any losses, proceedings, claims, actions or suits arising from the Customer’s failure to use the designated encryption methods for transmitting data to the ĢƵ Network. The Customer shall defend, indemnify, and hold harmless ĢƵ from and against all liabilities and costs (including reasonable and properly incurred legal costs) arising from any and all claims by any person based upon the Customer’s failure to comply with this Clause 16.

16.5 Any changes to the criteria of PCI DSS that are introduced by PCI SSC after the Effective Date shall be deemed to be a change to the Services and subject to written agreement between the parties.

17. Data Protection

17.1 Each party warrants and represents to the other that in relation to this Agreement and/or any relevant Service Order Forms, each party shall, to the extent applicable to that party for the proper performance of this Agreement, comply with all the requirements of the Data Protection Laws.

17.2 In the event that ĢƵ Process any Transactional Data which contains Personal Data in the course of providing the Services under any relevant Service Order Forms, both Parties hereby agree that, for the purposes of the Data Protection Laws, and at all times, ĢƵ shall be a Data Processor and the Customer shall be a Data Controller.

17.3 The Customer warrants that all Personal Data Processed by the Data Processor has been and shall be collected and Processed by the Data Controller in accordance with Data Protection Laws. The Customer (as the Data Controller) shall be responsible for:

(a) its Processing of the Personal Data, and any Processing instructions it issues to ĢƵ;

(b) ensuring it has the right to collect, transfer, or provide access to, the Personal Data to ĢƵ for any Processing activities undertaken by ĢƵ as part of the provision or use of the Services under any relevant Service Order Form(s);

(c) taking (and procuring that Customer Affiliates and any of its Third Party Service End User do take) all steps necessary to ensure that the Processing of Personal Data by the Data Processor as part of the provision or use of the Services under any relevant Service Order Form(s) is in compliance with Data Protection Laws (including without limitation providing appropriate fair collection notices and ensuring that there is a lawful basis for the Data Processor to Process the Personal Data); and

(d) ensuring that it shall not disclose (nor permit Third Party Service End User or any Data Subject to disclose) any Special Categories of Personal Data to ĢƵ for Processing.

17.4 ĢƵ (as the Data Processor) shall:

17.4.1 Process the Personal Data or disclose Personal Data as outlined in Part A of Schedule 1 or otherwise in accordance with the Data Controller’s documented instructions (unless otherwise required by Data Protection Law). For the avoidance of doubt, Part A of Schedule 1 of this Agreement sets out the details of the Processing which is authorized by Data Controller under any relevant Service Order Form(s) as at the Effective Date. Each party may from time to time make reasonable changes to Part A of Schedule 1 by written notice to the other if necessary to comply with (i) any legal requirement of Article 28(3) of the GDPR or equivalent provisions of any Data Protection Laws, (ii) guidance from a Supervisory Authority, and/or (iii) if required to take account of any changes to the Processing of Personal Data as part of the provision or use of the Services under any relevant Service Order Form(s);

17.4.2 implement and maintain the ĢƵ Group Security Measures (as outlined in Part B of Schedule 1) which the Customer acknowledges and agrees are appropriate technical and organizational measures to ensure a level of security appropriate to the risk that are presented by the Processing by ĢƵ as part of the provision of the Services, including in particular the risks associated with any accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to Personal Data;

17.4.3 take reasonable steps to ensure the reliability of persons authorized to Process the Personal Data and ensure that they have committed themselves to obligations of confidentiality; and

17.4.4 provide reasonable assistance to the Customer, taking into account the nature of Processing and information available to ĢƵ, to allow the Customer to comply with its obligations in relation to: (i) demonstrating the implementation of ĢƵ Group Security Measures; (ii) notifying Personal Data Breaches and Data Subject requests without undue delay and (iii) providing reasonable assistance in relation to data privacy risk assessments. ĢƵ shall be entitled to recover its reasonable costs of providing such assistance to the Customer.

17.5 Subcontracting and Subprocessors

17.5.1 ĢƵ shall be permitted to subcontract any of the relevant components of the Services, Network and/or any ĢƵ Group Systems and Infrastructure (which incorporate third party telecom and IT products and services) to third party telecom and IT suppliers PROVIDED THAT any associated Processing of relevant Personal Data within any associated Transactions is only undertaken by ĢƵ or authorised Sub-processors.

17.5.2 The Customer authorises ĢƵ to appoint sub-contractors to Process the Personal Data (“Sub-processors”) subject always to ĢƵ meeting the conditions set out in Article 28(2) and (4) of the GDPR and providing to the Customer a list of Other Sub-processors which it uses during the term of the Agreement and the relevant Service Order Form(s).

17.5.3 If at any time ĢƵ wishes to make any changes to the list of Sub-processors, (i) ĢƵ shall notify the Customer of the proposed change and (ii) the Customer shall have a period of thirty (30) days after receipt of ĢƵ’s notice to notify ĢƵ if the Customer objects to any new Sub-processor on legitimate grounds.

17.5.4 Where notice has been provided by ĢƵ pursuant to Clause 17.5.3, the parties agree to work together in good faith to make available a commercially reasonable change in the provision of the Service which avoids the use of the objected-to sub-processor or if such change cannot be agreed within fifteen (15) days of receipt of ĢƵ’s notice, either party may terminate the Agreement and/or any relevant Service Order Form(s) with reasonable prior written notice without fault. In cases of no objection, the new or alternate Sub-processor shall be deemed approved by the Customer.

17.6 International Transfers of Personal Data

17.6.1 The Customer consents on behalf of itself and (where appropriate) all Customer Affiliates and their respective Third Party Service End User that any Personal Data of the Customer (or any Third Party Service End User) and other data collected by ĢƵ as part of the provision of the Services under any relevant Service Order Form(s) (including but not limited to Transactional Data collected during the provision of the Services) may for the purposes of fulfilling any relevant Service Order Form(s) be Processed by ĢƵ, its subcontractors, or its associated companies within the European Union.

17.6.2 The Customer acknowledges and agrees that, in providing the Services under any relevant Service Order Form(s), ĢƵ may also transfer Personal Data to a Sub-processor (as importer) located in a Third Country PROVIDED THAT (where applicable) ĢƵ has entered into Standard Contractual Clauses (Processors) (as laid down in the Commission Decision 2010/87 EU of 5 February 2010 (or any subsequent version which replaces these) (“Standard Contractual Clauses”), under which the Customer (as exporter) will have direct contractual rights of enforcement against the sub-processor (as importer). The Customer hereby consents to such international transfer and appoints ĢƵ to act as attorney on its behalf to enter into Standard Contractual Clauses (where applicable) as necessary to facilitate these arrangements in accordance with Data Protection Laws.

17.6.3 Notwithstanding Clause 17.6.1 and 17.6.2, the Customer acknowledges and agrees that:

(a) as part of the use of the Services, the Customer or any Third Party Service End User may require the transmission and other Processing of payment cardholder related Transactional Data or other Customer data (which contains any Personal Data) to either (i) a relevant host or other system of Third Party Transactional Data Processors (as defined in Part A of Schedule 1) or (ii) relevant host or other system of the Customer, Customer Affiliate or Third Party Service End User (collectively “PCP System”); and

(b) such PCP Systems may be located in a Third Country.

17.6.4 The Customer and (where applicable) Third Party Service End User consent to the Processing outlined in Clause 17.6.3 of this Agreement and the Customer agrees that the Customer and (where applicable) Third Party Service End User are responsible for compliance with the Data Protection Laws in relation to the associated international transfer and that Clause 17.6.2 shall not apply to any payment cardholder related Transactional Data which is transmitted to a PCP System(s) as part of the Services.

17.7 The Customer is entitled to exercise the rights of access, amendment, deletion or objection to the Personal Data held by ĢƵ, in accordance with the provisions of the Data Protection Laws, by notifying ĢƵ in writing.

18. Inducements and Anti-Corruption

18.1 Each party undertakes to the other party that it will comply with the Anti-Corruption Laws and that it shall not do, nor omit to do, any act that will lead to the other party being in breach of any of the Anti-Corruption Laws.

18.2 Each party shall maintain an anti-bribery and corruption policy (“Relevant Anti-Bribery and Corruption Policy”) and comply with such Relevant Anti-Bribery and Corruption Policy.

18.3 Each party shall review their Relevant Anti-Bribery and Corruption Policy on a regular basis and shall promptly implement any amendments to their Relevant Anti-Bribery and Corruption Policy which it considers necessary for continued compliance with the Anti-Corruption Laws.

18.4 Each party shall provide reasonable co-operation to the other party from time to time in connection with the obligations of that party under this Clause 18.

18.5 Each party shall immediately notify the other party in writing of any suspected or known breach of the Relevant Anti-Bribery and Corruption Policy or any of the Anti-Corruption Laws. This obligation shall continue after the expiry or termination of this Agreement.

18.6 Regardless of any other provision in this Agreement, neither party shall be obliged to do, nor obliged to omit to do, any act which would, in its reasonable opinion, put it in breach of any Anti-Corruption Laws and/or the Relevant Anti-Bribery and Corruption Policy.

Schedule 1

Details of Processing Activities and ĢƵ Group Security Measures

Part A

Details of Processing Activities

This Part A of Schedule 1 includes certain details of the Processing of the Personal Data necessary to provide the Service as required by Article 28(3) GDPR or equivalent provisions of any Data Protection Law.

Controller(s)

(a) Customer; (b) Customer Affiliate, (c) Third Party Service End User and/or (d) third party acquirers and other Cardholder related Transactional Data processors who have been appointed by either Customer, Customer Affiliate or the relevant Third Party Service End User (“Third Party Transactional Data Processors”)

Processor(s)

ĢƵ and its Affiliates

Type of relationship

Controller to Processor

Types of Data Subject whose Personal Data is Processed

(a) Cardholders – the Data Subjects who are named on the relevant payment card which is associated to each Transaction

(b) Third Party Service End Users including without limitation individual merchants or retailers who are Data Subjects under the Data Protection Laws

(c) Other Data Subjects who are employees, agents, contractors, clients, business contacts and suppliers of the Customer, Customer Affiliate and/or any Third Party Service End Users – these third parties manage and/or have specified responsibilities in relation to the provision or use of the Services

Types of Personal Data Processed

(a) Cardholder related Transactional Data – data or information in whatever form, whether in oral, tangible or in documented form, relating to Transactions and each associated payment card and which is processed as part of the Services, including but not limited to Card number, Cardholder name, service code, expiration date and sensitive authentication data (comprising full magnetic stripe data, CAV2/CVC2/CVV2/CID and PIN/PIN block).

(b) Additional Cardholder related Transactional Data relating to ATM Transactions – in addition to the above, where the source of the Transaction is an ATM, Transactional Data shall include without limitation: (a) a successful or rejected withdrawal of cash by the Cardholder at the ATM; (b) any other cash type Transaction by a relevant Cardholder at an ATM; and (c) other payment card type initiated Transactions made from an ATM including successful or rejected PIN changes, mobile phone top-ups, mini-statement requests, deposits and balance enquiries;

(c) Third Party Service End User who are Merchants – Merchant name, Merchant ID and relating to that Merchant) which is part of the Transactional Data Processed as part of the Services;

(d) Employees of the Customer, Customer Affiliate and/or any Third Party Service End Users – name and other contact information (including phone number and email addresses) relating to Data Subjects.

Special Category Personal Data Processed

None

The purpose, nature and subject matter of the Processing

(a) General – The purpose, nature and subject matter of the Processing of Personal Data by ĢƵ, under the Agreement, are those Processing operations which are necessary to provide the Services which are referred to in the Agreement.

(b) Cardholder Data – the relevant Processing activities include:

· Receipt and Transmission of Transactions and Cardholder related Transactional Data of the Customer, Customer Affiliate or their associated Third Party Service End User. These activities may include without limitation international data transfers to processing host systems of either (i) Third Party Transactional Data Processors and/or (ii) the Customer, Customer Affiliate or Third Party Service End User in connection with either (a) the authorisation, settlement or other Processing of the Transactions Cardholder and the related Transactional Data and/or (b) general service provision to the Cardholder.

· Adaptation or alteration of the Cardholder related Transactional Data – (where applicable to the associated Services), relevant adaptation or alteration of such Transactional Data which is a component part of the relevant Service as more particularly described in the Agreement.

· Storage of Cardholder related Transactional Data – (where applicable to the associated Services), storage of such Transactional Data on related processing systems/environments which form part of the ĢƵ Group Systems and Infrastructure and which are operated or hosted by ĢƵ in connection with the provision of Services and associated Processing of the relevant Personal Data.

· Analysis and reporting, including financial reconciliations in relation to Cardholder related Transactional Data (which incorporate personal data) as part of the provision of such Services to the relevant ĢƵ Group Customer(s).

(c) Data Subjects who are employees of the Customer or the relevant Customer Affiliate – the relevant Processing activities include use of the data in relation to the management and/or undertaking obligations under the Agreement and the use of the Services

Duration of Processing

The Processing of the Personal Data relating to the Services shall occur throughout the term of the Agreement.

Obligations and rights of the Controller

The rights and obligations of the Data Controller are as set out in the Agreement.

Part B

ĢƵ Group Security Measures

1. The relevant security measures that ĢƵ have adopted in connection with (a) the provision of the Services under this Agreement and/or (b) any access or associated use of any Network or other ĢƵ Group Systems and Infrastructure shall be as outlined in this Schedule 1.

2. ĢƵ ISMS Charter and underlying ĢƵ ISMS Programs and ĢƵ Information Security Policies

2.1 ĢƵ has established and shall maintain the ĢƵ Group ISMS which shall utilize the international standard ISO/IEC 27001-27002 control objectives. Each control is supported with policy, standards, technology and controls activities as documented in the ĢƵ ISMS Programs and ĢƵ Information Security Policies that form part of the ĢƵ ISMS Charter and relevant guard-at-the-gate enforcement of control points. Each control within the ĢƵ ISMS Programs and ĢƵ Information Security Policies emphasizes and supports the requirements for establishing, implementing, deploying, monitoring, reviewing, maintaining, updating and improving the ĢƵ Group ISMS.

2.3 The following is a list of the ĢƵ ISMS Programs as at the date of this Agreement:

  • Identity and Access Management
  • Incident Response
  • Security Awareness
  • Physical Security
  • Cryptography
  • Security Architecture, Design, and Review
  • Security Monitoring
  • Vulnerability Management
  • Disaster Recovery and Business Continuity Plans

2.4 The following is a list of the ĢƵ Information Security Policies as at the date of this Agreement:

  • PGP Secure Key Management Policy
  • ĢƵ Firewall Security Policy
  • ĢƵ Data Management Policy
  • ĢƵ Vulnerability Management Policy
  • ĢƵ Endpoint Security Policy
  • ĢƵ Log Data Policy
  • ĢƵ Security Incident Response Policy
  • ĢƵ Physical Security Policy
  • ĢƵ Acceptable Use and Security Policy Summary
  • ĢƵ Global Modem Usage Policy
  • ĢƵ Access Control Policy
  • ĢƵ Router Security Standards
  • ĢƵ Router Security Policy
  • ĢƵ Employee Security Training Policy
  • ĢƵ Firewall Security Standards
  • ĢƵ Corporate Wireless Security Policy
  • ĢƵ Outsourcing Security Policy
  • ĢƵ Mobile Device Security Policy
  • ĢƵ Certificate Policy
  • ĢƵ Cryptographic Policy
  • ĢƵ Data Loss Prevention Standards
  • Websense Scan Profile Standards
  • ĢƵ P2PE Data Centre Access Policies and Procedures

2.5 ĢƵ shall comply with the ĢƵ Group ISMS at all times when (a) providing the Services and ĢƵ Group Systems and Infrastructure and (b) performing its other obligations under the Service Agreement.

2.6 The parties acknowledge and agree that the ĢƵ ISMS Charter and underlying ĢƵ ISMS Programs and ĢƵ Information Security Policies are subject to review and change. Where ĢƵ update and publish a revised version of the ĢƵ ISMS Charter and/or any of the underlying ĢƵ ISMS Programs and ĢƵ Information Security Policies, the Customer shall comply with the relevant revised versions of the corresponding revised document(s) which form part of the ĢƵ ISMS Charter.

2.7 Upon written request, a copy of the ĢƵ ISMS Charter will be made available for inspection at the relevant ĢƵ Site PROVIDED THAT the Customer acknowledges the contents of the ĢƵ ISMS Charter are Confidential Information and subject to the confidentiality undertakings in the Agreement.

3. Additional technical and organisational security measures relating to Cardholder Data

3.1 Where the relevant Personal Data is payment cardholder related Transactional Data, ĢƵ agree to comply with PCI DSS in relation to (a) the Services, (b) the relevant environment(s) (including without limitation any Equipment and relevant ĢƵ Group Systems and Infrastructure) in which the relevant Services operate and/or (c) the security of payment cardholder related Transactional Data that is processed as part of the provision of the Services to the Customer.

3.2 ĢƵ shall procure that the ĢƵ Group maintain corresponding PCI DSS Certification(s) in relation to the relevant environments in which the relevant Services operate during the term of the Service Agreement (including without limitation the appointment of a PCI QSA to undertake the relevant PCI assessment of each environment annually) and otherwise maintaining compliance with PCI DSS during the term of the Service Agreement).

3.3 Where any changes to the criteria of PCI DSS are introduced by PCI SSC during any twelve (12) month period from the relevant date of the corresponding PCI DSS Certification(s), the Customer agrees that ĢƵ shall only be obligated to comply during the remainder of that applicable twelve (12) month compliance period with the version of PCI DSS that applied to the corresponding environment(s) in which the Services operate Standards as of the relevant PCI Certification Date of such environments.

3.4 The relevant changes to the PCI DSS or (where applicable) any Other PCI Security Standards (as outlined in paragraph 3.3 of this Part B Schedule 1) shall only apply to subsequent PCI DSS Certification(s) of the corresponding environment in which the Services operate and corresponding PCI DSS Attestation(s) of Compliance relating thereto.

3.5 Any changes to the criteria of PCI DSS that are introduced by PCI SSC during the term of the Service Agreement and which affect either (a) Services and/or (b) the environment(s) in which the Services operate shall be implemented in accordance with the relevant ĢƵ Group change control procedure.

3.6 As part of its obligations under this paragraph 3 of this Part B of Schedule 1, ĢƵ will ensure that the ĢƵ Group ISMS Charter and underlying ĢƵ ISMS Programs and ĢƵ Information Security Policies meet the requirements of PCI DSS.

4. Upon written request, ĢƵ and (where applicable) ĢƵ Affiliate shall provide the contact details for the person(s) responsible for (a) ĢƵ ISMS Charter and information security in the ĢƵ Group and/or (b) compliance with PCI DSS.