PREDICTAP TERMS AND CONDITIONS

Access to and use of the Services provided by PredictAP, Inc. (“Company” or “PredictAP”) is subject to (i) a customer (“Customer”) entering into a PredictAP SaaS Order Form (an “Order Form”) with PredictAP and (ii) such Customer accepting and agreeing to be bound by and comply with these Platform Terms and Conditions as provided in the Order Form. These Platform Terms and Conditions and any applicable Order Forms are collectively referred to as the “Agreement”.

1. SAAS SERVICES AND SUPPORT

Subject to the terms of this Agreement, Company will provide Customer the Services as described in any Order Forms signed by the parties that are attached hereto and as updated from time to time, with the technical support and service level standards set forth in Exhibit A attached hereto (Service Level Agreement).

2. CUSTOMER RESTRICTIONS AND RESPONSIBILITIES

2.1 The Services may only be accessed by employees or representatives of Customer authorized by Customer (“Authorized Users”) who (i) have been properly issued a valid password and username (“Credentials”), and (ii) have agreed to abide by the terms and conditions of this Agreement. Customer shall be solely responsible for: (a) issuing, managing, and deleting Credentials, (b) verifying the identity of each Authorized User and validating use of Credentials by each Authorized User, and (c) monitoring Authorized User access to the Service to ensure that only Authorized Users that are permitted to access and use the Service do so. Customer shall assume all responsibility and liability with respect to access and use of the Services by Authorized Users, including ensuring that Authorized Users comply with all of the obligations and restrictions set forth in this Agreement.

2.2 Customer will not, directly or indirectly: (i) reverse engineer, decode, decompile, disassemble or otherwise attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Services or any software (including documentation and data provided with such software) related to the Services (“Software”); (ii) copy, in whole or in part, the Services, Software or any component thereof; (iii) modify, enhance, translate, combine with other programs, or create derivative works based on the Services or any Software (except to the extent expressly permitted by Company or authorized within the Services); (iv) sublicense, sell, rent, lease, transfer, distribute, or use the Services or any Software for timesharing or service bureau purposes or otherwise for the benefit of a third party; or (v) remove any proprietary notices or labels.

2.3 Further, Customer may not remove or export from the United States or allow the export or re-export of the Services, Software or anything related thereto, or any direct product thereof in violation of any restrictions, laws or regulations of the United States Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, or any other United States or foreign agency or authority. As defined in FAR section 2.101, the Software and documentation are “commercial items” and according to DFAR section 252.227‑7014(a)(1) and (5) are deemed to be “commercial computer software” and “commercial computer software documentation.” Consistent with DFAR section 227.7202 and FAR section 12.212, any use modification, reproduction, release, performance, display, or disclosure of such commercial software or commercial software documentation by the U.S. Government will be governed solely by the terms of this Agreement and will be prohibited except to the extent expressly permitted by the terms of this Agreement.

2.4 Customer represents, covenants, and warrants that Customer will use the Services only in compliance with this Agreement, Company’s standard published policies then in effect and all applicable laws and regulations. Customer hereby agrees to indemnify and hold harmless Company against any damages, losses, liabilities, settlements and expenses (including without limitation costs and attorneys’ fees) in connection with any claim or action that arises from an alleged violation of the foregoing or otherwise from Customer’s use of Services (except to the extent such claims directly arise from Company’s breach of this Agreement). Although Company has no obligation to monitor Customer’s use of the Services, Company may do so and may prohibit any use of the Services it believes may be (or alleged to be) in violation of the foregoing.

2.5 Customer shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”). Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of Customer account or the Equipment with or without Customer’s knowledge or consent.

2.6 As between Customer and Company, Customer is solely responsible for the accuracy, completeness, validity, authorization for use (including transmission) and integrity of all Customer Data, regardless of form or format. “Customer Data” is the non-public data provided by Customer to Company to enable the provision of the Services, which includes all accounts payable data, documents, metadata, usage data, analytics, and other related data assets that contain or relate to Customer’s accounts payable or invoice or payee information. Customer acknowledges and agrees that (i) Customer will be required to provide certain Customer Data to the Services to enable their operation, and (ii) the Services are designed to act on direction given to it by the Customer, and that Customer is solely responsible for such direction and the results thereof.

2.7 As a condition to Customer’s right to use and to permit its Authorized Users to use the Services, Customer shall establish security systems which, at a minimum, shall include mechanisms to (i) detect and terminate the unauthorized use of or access to the Services, (ii) safeguard the integrity and validity of the Credentials, and (iii) prevent unauthorized access to and protect all electronically stored, processed or transmitted information. Customer shall promptly inform Company of any unauthorized use of the Services or breach of this Agreement by any of its Authorized Users and inform Company of the steps being taken to terminate such unauthorized use or breach.

2.8 Customer and Authorized Users shall not intentionally insert any Malicious Code into any data that is inputted, transmitted, uploaded and/or otherwise transferred to the Services or Software or any data or documents electronically transmitted by an Authorized User to Company. Customer shall at all times use and shall require all Authorized Users and Customer’s third-party service providers to use, detection software for Malicious Code that is at a level consistent with industry-standard practices designed to detect, remove and limit the transmission of Malicious Code. If Malicious Code is found to have been introduced into any such data or documents by Customer or an Authorized User, Customer shall promptly notify Company and use industry-standard measures and commercially reasonable efforts to eliminate the Malicious Code from such data or documents at Customer’s expense. “Malicious Code” means computer software, code or instructions that are designed to: (i) adversely affect the operation, security or integrity of a computing, telecommunications or other digital operating or processing system or environment, including other programs, data, databases, computer libraries and computer and communications equipment, by altering, destroying, disrupting or inhibiting such operation, security or integrity; (ii) permit unauthorized access to any computer, network or system; or (iii) without authorization collect and/or transmit to other parties any information or data; including such software, code or instructions commonly known as viruses, Trojans, logic bombs, worms and spyware.

2.9 Company may impose size limitations relating to files that may be uploaded to the Services. These limitations may include file size as well as other dimensions such as number of pages per invoice. Such limitations will be clearly stated in Company’s platform literature and training materials and may be updated from time to time.

2.10 Subject to Customer’s written agreement, Company may use Customer’s name, logo and/or trademark for public relations and marketing purposes. Furthermore, the parties shall work together in good faith to issue at least one mutually agreed upon press release within 90 days of the Effective Date, and Customer otherwise agrees to reasonably cooperate with Company to serve as a reference account upon request.

3. OWNERSHIP

3.1 Customer shall own all right, title and interest in and to the Customer Data. Customer hereby grants to Company and its relevant service providers a limited, nonexclusive, perpetual, irrevocable, royalty-free, right and license, to access, store, reproduce, display, handle, perform, transmit, test, modify, process, combine with other data, and otherwise use Customer Data (i) as necessary for performance of Company’s obligations and exercise of Company’s rights under this Agreement; (ii) as required by applicable law; and (iii) to create data, solely in de-identified and aggregated form (“Aggregated Data”). Customer hereby grants to Company a limited, nonexclusive, perpetual, irrevocable royalty-free, irrevocable right and license, during and after the Term, to access, store, reproduce, display, handle, perform, transmit, test, modify, process, combine with other data, disclose, and otherwise use Aggregated Data for or in connection with improvements or derivative works to the Services or Software. Customer agrees that Company shall own all right, title, and interest in all Aggregated Data and in such improvements and derivative works.

3.2 Company shall own and retain all right, title and interest in and to (a) the Services and Software, all improvements, enhancements or modifications thereto, (b) any software, applications, inventions or other technology developed in connection with Services or support, and (c) all intellectual property rights related to any of the foregoing. Nothing contained herein shall be construed as granting Customer any rights in or to the Services, other than the right to use the Services as expressly stated herein.

3.3 The parties acknowledge and agree that Company may solicit and Customer may provide to Company suggestions, ideas, enhancement requests, feedback, recommendations, or other information relating to the Services (the “Feedback”). Customer hereby grants to Company a nonexclusive, perpetual, irrevocable, royalty-free, right and license to disclose, use and incorporate the Feedback in connection with the development and distribution of the Services and related products and services.

4. CONFIDENTIALITY; PROPRIETARY RIGHTS

Each party (the “Receiving Party”) understands that the other party (the “Disclosing Party”) has disclosed or may disclose business, technical, non-technical or financial information relating to the Disclosing Party’s business (hereinafter referred to as “Proprietary Information” of the Disclosing Party). The Receiving Party shall protect as the Proprietary Information of the Disclosing Party all such information that (a) is labeled as “confidential,” “proprietary,” or with a similar legend; (b) is identified as confidential or proprietary at the time of disclosure; or (c) the Receiving Party knew or should have known under the circumstances was considered confidential or proprietary. Proprietary Information of Company includes non-public information regarding features, functionality and performance of the Service. The Receiving Party agrees: (i) to take reasonable precautions to protect such Proprietary Information, (ii) not to use (except in performance of the Services or as otherwise permitted herein) or divulge to any third person any such Proprietary Information and (iii) notify the Disclosing Party promptly and in writing of the circumstances surrounding any suspected possession, use or knowledge of any such Proprietary Information or any part thereof at any location or by any person or entity other than those authorized by this Agreement. The Disclosing Party agrees that the foregoing shall not apply with respect to any information after five (5) years following the disclosure thereof or any information that the Receiving Party can document (a) is or becomes generally available to the public, or (b) was in its possession or known by it prior to receipt from the Disclosing Party, or (c) was rightfully disclosed to it without restriction by a third party, or (d) was independently developed without use of any Proprietary Information of the Disclosing Party. If Receiving Party becomes legally compelled to disclose any Proprietary Information, other than pursuant to a confidentiality agreement, Receiving Party will provide Disclosing Party prompt written notice, if legally permissible, and will use its best efforts to assist Disclosing Party in seeking a protective order or another appropriate remedy. If Disclosing Party waives Receiving Party’s compliance with this Agreement or fails to obtain a protective order or other appropriate remedy, Receiving Party will furnish only that portion of the Proprietary Information that is legally required to be disclosed; provided that any Proprietary Information so disclosed shall maintain its confidentiality protection for all purposes other than such legally compelled disclosure.

5. PERSONAL DATA

5.1 To the extent that provision of the Services involves the Processing of Customer Personal Data (as both terms are defined in the DPA), the Parties agree that the provisions of the PredictAP Data Processing Agreement (“DPA”), the current version of which is attached hereto as Exhibit B, will apply.

6. PAYMENT OF FEES

6.1 Customer will pay Company the then applicable fees described in the Order Form for the Services in accordance with the terms therein (the “Fees”). If Customer’s use of the Services exceeds the Service Capacity set forth on the Order Form or otherwise requires the payment of additional fees (per the terms of this Agreement), Customer shall be billed for such usage and Customer agrees to pay the additional fees in the manner provided herein. Company reserves the right to change the Fees or applicable charges and to institute new charges and Fees at the end of the Initial Service Term or then‑current renewal term, upon sixty (60) days prior notice to Customer (which may be sent by email). Prepaid Fees are not refundable except in the event of a termination of this Agreement by Customer due to Company’s material breach pursuant to Section 7.2, in which case Company shall refund to Customer prepaid Fees in respect of then-unused Services.

6.2 Company may choose to bill through an invoice, in which case, full payment for invoices issued in any given month must be received by Company thirty (30) days after the mailing date of the invoice. Unpaid amounts are subject to a finance charge of 1.5% per month on any outstanding balance, or the maximum permitted by law, whichever is lower, plus all expenses of collection and may result in immediate termination of Service. Customer shall be responsible for all taxes associated with Services other than U.S. taxes based on Company’s net income.

7. TERM AND TERMINATION

7.1 Subject to earlier termination as provided below, this Agreement is for License Term as specified in the Order Form and such renewal as contained therein.

7.2 In addition to any other remedies it may have, either party may also terminate this Agreement upon thirty (30) days’ notice (or without notice in the case of nonpayment), if the other party materially breaches any of the terms or conditions of this Agreement and such breach remains uncured at the end of said 30 day period. Customer will pay in full for the Services up to and including the last day on which the Services are provided. All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.

8. WARRANTY AND DISCLAIMER

8.1 Company uses reasonable security precautions designed to prevent unauthorized access to the Services, and shall at all times maintain security precautions consistent with industry-standard practices; Company’s practices shall be materially consistent with those described in the Company’s “Security Systems and Procedures” document, as updated by Company from time to time, which Company will make available to Customer upon request. Company shall promptly notify Customer of any material unauthorized use of the Services by an unauthorized person or entity that affects the security of the Customer’s Proprietary Information and that is known to Company. The parties shall reasonably assist each other in investigating such unauthorized act and take such action as is reasonably necessary to prevent the continuation or recurrence thereof. Company will not intentionally insert into the Services any Malicious Code and shall at all times use detection software for Malicious Code that is at a level consistent with industry-standard practices designed to detect, remove and limit the transmission of Malicious Code. If Malicious Code is found to have been introduced into the Services by Company in breach of its obligations under this Section 8.1, Company shall, to the extent practicable, promptly notify Customer and use industry-standard measures and commercially reasonable efforts to eliminate the Malicious Code from the Services at Company’s expense.

8.2 Company shall use reasonable efforts consistent with prevailing industry standards to maintain the Services in a manner which minimizes errors and interruptions in the Services and shall perform the Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance or for unscheduled emergency maintenance, either by Company or by third-party providers, or because of other causes beyond Company’s reasonable control, but Company shall use reasonable efforts to provide advance notice in writing or by e-mail of any scheduled service disruption. Company represents and warrants that the Software and Services will be provided and perform in all material respects in accordance with the functions and features described in the then current Documentation and as otherwise required under the applicable Order Form. “Documentation” means Company’s user guides and manuals relating to the Services and Software, including on-line help, as updated and amended from time to time. However, Company does not warrant that the Services will be uninterrupted or error free; nor does it make any warranty as to the results that may be obtained from use of the Services. EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION, THE SERVICES ARE PROVIDED “AS IS” AND COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

9. LIMITATION OF LIABILITY

9.1 Neither Company nor Customer shall be liable with respect to any subject matter of this Agreement or terms and conditions related thereto under any contract, negligence, tort, strict liability or other theory (a) for any indirect, exemplary, incidental, special or consequential damages; or (b) for any amounts that, together with amounts associated with all other claims, exceed the greater of (i) one hundred thousand dollars ($100,000) and (ii) the fees paid by Customer to Company for the Services under this agreement in the 24 months prior to the act that gave rise to the liability, in each case, whether or not such party has been advised of the possibility of such damages. Company shall not be responsible or liable with respect to any subject matter of this Agreement or terms and conditions related thereto under any contract, negligence, tort, strict liability or other theory: (1) for error or interruption of use or for loss or inaccuracy or corruption of data or cost of procurement of substitute goods, services or technology or loss of business; or (2) for any matter beyond Company’s reasonable control (this Section 9.1, the “Limitation of Liability”).

9.2 The Limitation of Liability shall not apply to (i) bodily injury of a person, (ii) direct damages arising from a party’s gross negligence or willful misconduct; (iii) indemnification obligations; or (iv) a breach of Section 4 (Confidentiality) (this paragraph, the “Exceptions”). For the avoidance of doubt, a breach of the DPA or the occurrence of a Covered Data Breach (as defined in the DPA) (i) shall not be treated as an Exception and (ii) shall be subject to the Limitation of Liability.

9.3 Customer agrees that (i) any claim brought by it in connection with or related to this Agreement shall only be brought against Company and (ii) no Company affiliate or any supplier (including but not limited to any equipment or technology supplier), director, officer, employee, contractor, shareholder, representative or agent of Company or its affiliates shall have any liability to Customer in connection with or related to this Agreement.

10. INDEMNITY

10.1 Company will defend Customer from and against any third-party claim to the extent alleging that the Services, when used by Customer as authorized in this Agreement, infringe the claimant third party’s registered U.S. patent, copyright or trademark (each, an “IPR Claim”), and will indemnify and hold harmless Customer against any damages or costs awarded against Customer (including reasonable attorneys’ fees) in a final judgment or agreed in settlement by Company, in each case resulting from the claim. In response to an actual or potential IPR Claim, if required by settlement or injunction or as Company determines necessary to avoid material liability, Company may at its option: (a) procure rights for Customer’s continued use of the Services, (b) replace or modify the allegedly infringing portion of the Services to avoid infringement without reducing the Services’ overall functionality or (c) terminate this Agreement and refund to Customer any pre-paid, unused fees for the terminated portion of the applicable Term. Company’s obligations in this Section 10 do not apply (1) to infringement resulting from Customer’s modification of the Services or use of the Services in combination with items not provided by Company, (2) to unauthorized use of the Services, (3) breach by Customer of any provision of this Agreement, or (4) if Customer settles or makes any admissions about a claim without Company’s prior consent. This Section 10 sets out Customer’s exclusive remedy and Company’s entire liability regarding infringement of third-party intellectual property rights.

11. INSURANCE

Company will maintain the insurance coverage described below and with limits not less than those shown below, all of which shall be provided at the sole cost of Company:

Upon request by Customer, Company shall require that all policies in any way related to the Services and/or this Agreement and maintained by Company, excluding Workers Compensation, be endorsed specifically to name Customer (and its affiliates if applicable) as additional insureds for ongoing Services and to provide that each policy, including Workers Compensation, waives its right of subrogation against Customer and its affiliates. Upon request, all of the aforesaid policies shall be further endorsed to provide that they are primary coverages and not in excess of any other insurance available to Customer and its affiliates. A Certificate of Insurance indicating such coverage will be delivered by Company to Customer upon request. Company will provide customer with at least 30 days prior written notice of any cancellation and non-replacement of any such insurance.

12. MISCELLANEOUS

If any provision of this Agreement is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect and enforceable. This Agreement is not assignable, transferable or sublicensable by Customer except with Company’s prior written consent. Company may transfer and assign any of its rights and obligations under this Agreement without consent. This Agreement is the complete and exclusive statement of the mutual understanding of the parties and supersedes and cancels all previous written and oral agreements, communications and other understandings relating to the subject matter of this Agreement. All amendments or modifications to this Agreement must be in a writing signed by both parties, except as otherwise provided herein. The waiver by either party of any provision of this Agreement or of a breach or a default of any provision of this Agreement by the other party must be in writing and shall not be construed as a subsequent waiver of the same or any other provision or any subsequent breach of the same or any other provision, nor shall any delay or omission on the part of either party to exercise or avail itself of any right, power or privilege that it has, or may have hereunder, operate as a waiver of any right, power or privilege by such party. No agency, partnership, joint venture, or employment is created as a result of this Agreement and Customer does not have any authority of any kind to bind Company in any respect whatsoever. In any action or proceeding to enforce rights under this Agreement, the prevailing party will be entitled to recover costs and attorneys’ fees. All notices under this Agreement will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by facsimile or e-mail; the day after it is sent, if sent for next day delivery by recognized overnight delivery service; and upon receipt, if sent by certified or registered mail, return receipt requested. This Agreement shall be governed by the laws of the State of Delaware without regard to its conflict of laws provisions, and the jurisdiction and venue for actions related to this Agreement will be the state and federal courts located in Delaware and both parties submit to the personal jurisdiction of those courts.

Exhibit A

Service Level Agreement

1. Availability. The PredictAP Service (as referenced in the Order form) shall have no less than ninety-nine and nine-tenths percent (99.9%) Uptime on a monthly basis. “Uptime” means that the PredictAP Service will respond to requests that have been entered by the customer in compliance with PredictAP’s standard operating directions. Failure to respond to such requests shall not constitute an Uptime failure if caused by any of the following (each an “Excluded Event”):

(a) Acts of God, acts of any governmental body, war, terrorism, earthquake, fire, flood, labor dispute, acts of hackers and any other acts, omissions or occurrences as are outside the reasonable control of Company;
(b) Failure of access circuits to the hosting service backbone;
(c) Failure resulting from the unavailability of or errors within Customer equipment or resources;
(d) Routine scheduled maintenance (as described below); or
(e) DNS issues outside the control of Company.

Uptime will be calculated as follows:

       (Potential Uptime - Outage Time) x 100
---------------------------------------------------
                       Potential Uptime

Where “Potential Uptime” means the number of minutes in the calendar month and “Outage Time” means the number of minutes that the Services were unavailable to respond to requests that have been entered by the customer in compliance with PredictAP’s standard operating directions during that calendar month.
Both Potential Uptime and Outage Time will exclude minutes associated with an Excluded Event. By way of example, assuming a thirty (30) day month in which there was one (1) hour of scheduled maintenance and ten (10) minutes of downtime attributable to technology problems within Company’s reasonable control, the calculation would be as follows: ((((60*24*30)-60) – 10) x100)/((60*24*30)-60) = 99.977%.
Company will measure Outage Time with periodic test requests from a locally connected device in sixty (60) minute intervals. If an invalid response is returned, Company will attempt a periodic test request in one (1) minute intervals. Outage Time will begin upon receiving an invalid response to a periodic test request for three (3) consecutive intervals. For the avoidance of doubt, Uptime is based on the availability of the PredictAP Service to respond to a valid request, and not based on whether a particular result can be achieved by an end user.

2. Scheduled Maintenance. Company shall use commercially reasonable efforts to notify Customer of any routine maintenance at least five (5) days prior to taking the PredictAP offline for routine scheduled maintenance and shall use commercially reasonable efforts to perform such maintenance at off-peak hours.

3. Support and Response Time. Company will provide technical support to an agreed list of designated users of Customer (“Designated Users”) via both telephone and electronic mail on weekdays during the hours of 9:00 am through 5:00 pm EST , with the exclusion of Federal Holidays (“Support Hours”). Company shall use commercially reasonably efforts to respond to requests from Designated Users regarding errors in the PredictAP Service made during Support Hours within the following timeframes following confirmed receipt by Company of an error support request from Customer, and shall use commercially reasonable efforts to provide a workaround and/or permanent fix with a level of effort commensurate with the Severity Level of the error:

Customer shall first attempt to confirm the source of the problem as an error with the PredictAP Service that is not attributable to software or services not provided by Company. Customer acknowledges that PredictAP’s standard hourly support fees shall apply to time expended Company personnel in responding to requests by Customer that are determined by Company to not relate to errors within the PredictAP Service. Customer agrees to make available all reasonably necessary technical information and personnel requested by Company in connection with error resolution.

4. Remedy. As Customer’s sole remedy in respect of any Outage Time (without limiting Customer’s right to terminate the Agreement if Outage Time is so severe as to constitute a material breach of the Agreement), Customer shall be entitled to Service Level Credits as follows:

In the event that Uptime falls below 99.9% averaged over any consecutive 2-month period the following credits shall be available for said period:

- Less that 99.9%, but above 99.5% - 2% credit
- Less than 99.5%, but above 99% - 5% credit
- Below 99% - 10% credit

The credits shall be calculated by multiplying the credit percentage with the aggregate invoice processing fee paid by Customer in the month during which the Outage Time took place. Credits shall be applied to the next-in-time invoice rendered by Company after the credit is earned, and are not redeemable for cash under any circumstances.

Exhibit B

Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of any Order Form and the PredictAP Terms and Conditions (collectively, the “Agreement”) between PredictAP, Inc. (“Company”) and Customer (“Customer”).
This DPA is incorporated into the Agreement between Company and Customer and applies to Company’s Processing of Personal Data in connection with Company’s provision of Services (as defined in the Agreement) to Customer. In the event of any inconsistency between the DPA and the Agreement as to Company’s Processing of Personal Data, the DPA shall control.
For purposes of this DPA, the following terms and those defined within the body of this DPA apply.

1. DEFINITIONS

1.1. In this DPA, the terms “Personal Data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in applicable Data Protection Laws with the same or equivalent terms. For purposes of this DPA, the term “Controller” includes the term “Business,” the term “Processor,” includes “Service Provider,” and the term “Personal Data” includes “Personal Information,” as each term is defined under applicable Data Protection Laws. The following words and expressions shall have the following meanings unless the context otherwise requires:

1.2. “Customer Personal Data” means the Personal Data described in Annex 1 of Schedule 1, and any other Personal Data that Company Processes on behalf of Customer in connection with Company’s provision of the Services pursuant to the Agreement.

1.3. “Data Protection Laws” means all applicable laws, rules and regulations as amended, repealed, consolidated or replaced from time to time, in any jurisdiction, relating to privacy, data protection, data security, breach notification, or the Processing of personal data, including without limitation, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); the United Kingdom Data Protection Act of 2018; the Swiss Federal Act on Data Protection (“FADP”); and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended and including its regulations (“CCPA”), and other applicable U.S. state and federal laws. For the avoidance of doubt, if Company’s Processing activities involving Personal Data are not within the scope of a Data Protection Law, such law is not applicable for purposes of this DPA.

1.4. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Customer Personal Data by Company or on Company systems that compromises the security, confidentiality or integrity of such Customer Personal Data.

1.5. “Services” shall have the meaning set forth in the Agreement.

1.6. “EU Standard Contractual Clauses” means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://data.europa.eu/eli/dec_impl/2021/914/oj and completed as set forth herein.

1.7. “Subprocessor” means any Processor engaged by Company to Process Customer Personal Data on Company’s behalf in connection with providing the Services pursuant to the Agreement.

1.8. “Restricted Third Country” means any destination country to which Customer Personal Data is transferred where the Data Protection Laws and applicable Supervisory Authorities of the originating country have not adopted an adequacy decision regarding the Data Protection Laws of the destination country such that additional transfer mechanisms as discussed below in Section 4 are required.

1.9. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office, located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and completed as set forth herein.

Capitalized terms used in this DPA and not defined above shall have the meaning set forth in the Agreement.

2. DATA PROCESSING OBLIGATIONS

2.1. Roles of the Parties. To the extent that Customer is the Controller of Customer Personal Data, Company is its Processor. To the extent that Customer is a Processor of Customer Personal Data, Company is its Subprocessor.

2.2. Customer’s Obligations. Customer shall provide all applicable notices to Data Subjects required under applicable Data Protection Laws for the lawful Processing of Customer Personal Data by Company in accordance with the Agreement. If Customer is not required by Data Protection Laws to obtain and maintain valid consent from Data Subjects, Customer will otherwise obtain and maintain a valid legal basis in accordance with Data Protection Laws to provide such data to Company for Processing under the Agreement. Customer represents and warrants that Customer’s provision of Customer Personal Data, and Customer’s instructions to Company for the Processing of Customer Personal Data pursuant to the Agreement, shall comply with the Data Protection Laws.

2.3. Company’s Obligations.

(a) Company will only Process Customer Personal Data in accordance with the Agreement to the extent necessary to provide the Services to Customer, and pursuant to Customer’s written instructions, including with respect to transfers of Customer Personal Data. Company shall not Process Customer Personal Data outside of the direct business relationship between Customer and Company. Company shall not ‘sell’ or ‘share’ (as such terms are specifically defined in applicable Data Protection Laws) Customer Personal Data. To the extent required by applicable Data Protection Laws, Company certifies that it understands the foregoing restrictions and will comply with them.
(b) As required by applicable Data Protection Laws, if Company believes any Customer instructions to Process Customer Personal Data will violate applicable Data Protection Laws, or if applicable Data Protection Laws require Company to process Customer Personal Data relating to data subjects in a way that does not comply with Customer’s documented instructions, Company shall notify Customer in writing, unless applicable Data Protection Laws prohibit such notification .
(c) Company shall Process Customer Personal Data for the duration of the provision of Services in accordance with the Agreement and thereafter only as set forth in the Agreement and this DPA.
(d) Each Party will comply with Data Protection Laws applicable to such Party in connection with the Agreement and this DPA and provide the same level of protection for Customer Personal Data as provided for in such applicable Data Protection Laws.

3. SUBPROCESSORS

3.1. Consent to Subprocessor Engagement. Customer provides general authorization to Company’s engagement of third parties as Subprocessors, to assist Company in its provision of Services. For the avoidance of doubt, this authorization constitutes Customer’s prior written consent to the subprocessing of Customer Personal Data for purposes of Clause 9, Option 2 of the EU Standard Contractual Clauses and any similar requirements of other data transfer mechanisms.

3.2. Information about Subprocessors. Company is currently using the Subprocessors identified in Annex III of Schedule 1 attached hereto (“Subprocessor List”). Customer may sign up to receive notices of additions to the Subprocessor List by notifying Company at privacy@predictap.com.

3.3. Requirements for Subprocessor Engagement. When engaging any new Subprocessor, Company will execute with Subprocessors a written agreement providing: (a) the Subprocessor only Processes Customer Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement and this DPA; and (b) the Subprocessor will utilize the same level of data protection and security with regard to its Processing of Customer Personal Data as are described in this DPA.

3.4. Opportunity to Object to Subprocessor Changes. Customer may, on reasonable and objective grounds relating to the protection of Customer Personal Data, object to Company’s use of a new Subprocessor by providing Company with written notice within fifteen (15) days after Company has provided notice to Customer as described herein with documentary evidence that reasonably shows that the Subprocessor does not or cannot comply with the requirements in this DPA or Data Protection Laws (“Objection”). In the event of an Objection, Customer and Company will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s compliance with the DPA or Data Protection Laws. To the extent Customer and Company do not reach a mutually acceptable resolution within a reasonable timeframe, Company will use reasonable endeavors to make available to Customer a change in the Services or will recommend a commercially reasonable change to the Services to prevent the applicable Subprocessor from Processing Customer Personal Data. If Company is unable to make available such a change within a reasonable period, Company and Customer shall escalate to their applicable executive or senior leadership to discuss the matter in good faith and determine an appropriate resolution and next steps.

4. INTERNATIONAL TRANSFERS

4.1. In accordance with Customer’s instructions under Section 2, Company may Process Customer Personal Data on a global basis as necessary to provide the Services, provided such Processing is consistent with applicable Data Protection Laws.

4.2. To the extent that the Processing of Customer Personal Data by Company involves the transfer of such Customer Personal Data to a Restricted Third Country, then such transfers shall be subject to the protections and provisions of the EU Standard Contractual Clauses (for which the SCC Appendix is attached to this DPA in Schedule 1), the UK Addendum for transfers from the UK to Restricted Third Countries, or other binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with Data Protection Laws.

4.3. Customer shall be deemed to have signed the SCC Appendix in Schedule 1, Annex I in its capacity of “data exporter” and Company in its capacity as “data importer.” Module Two or Module Three of the EU Standard Contractual Clauses shall apply to the transfer, as applicable. For purposes of Clauses 17 and 18 of the EU Standard Contractual Clauses, the Parties select Ireland. To the extent such a transfer includes Customer Personal Data subject to Data Protection Laws of Switzerland, the Standard Contractual Clauses shall be adapted to use for Switzerland (where the Swiss FADP shall apply as the applicable Data Protection Law, Clauses 17 and 18 of the EU Standard Contractual Clauses shall refer to Switzerland, and Data Subjects in Switzerland shall be able to avail themselves of any rights conferred by the EU Standard Contractual Clauses).

4.4. In the event of any conflict between any terms in the EU Standard Contractual Clauses or UK Addendum, as applicable, and the DPA, the EU Standard Contractual Clauses or UK Addendum, as applicable, shall prevail to the extent of the conflict.

5. DATA SECURITY AND SECURITY NOTIFICATIONS

5.1. Company Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the Processing, including the measures set out in Schedule 1. Company may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of the Agreement. Such measures shall include process for regularly testing, assessing, and evaluating the effectiveness of the measures.

5.2. Personal Data Breach Notification. If Company discovers a Personal Data Breach has occurred, Company will:
(a) notify Customer of the Personal Data Breach without undue delay and, in any case, as soon as practicable after such determination, at the contact information on file, where such notification shall describe (1) the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (2) the reasonably anticipated consequence of the Personal Data Breach; (3) measures taken or planned to be taken to mitigate any possible adverse effects; and (4) other information concerning the Personal Data Breach reasonably known or available to Company that Customer is required to disclose to a Supervisory Authority or Data Subjects under Data Protection Laws; and
(b) investigate the Personal Data Breach and provide such reasonable assistance to Customer (and any law enforcement or regulatory official) as legally required to investigate the Personal Data Breach.

5.3. Except as required by applicable Data Protection Laws, the obligations set out in Section 5.2 shall not apply to Personal Data Breaches caused by Customer.

5.4. Company’s contact point for additional details regarding a Personal Data Breach is: privacy@predictap.com. Company’s provision of any notification of a Personal Data Breach shall not constitute an admission of fault.

5.5. Customer is solely responsible for fulfilling any Personal Data Breach notification obligations applicable to Customer. Customer and Company shall work together in good faith within the timeframes for Customer to provide Personal Data Breach notifications in accordance with Data Protection Laws to finalize the content of any notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Laws.

5.6. Subject to Article 9 of the Agreement, Company will reimburse Customer and its affiliates for the reasonable direct costs, expenses, damages, and liabilities incurred by Customer arising from any Covered Personal Data Breach to the extent that such costs, expenses, damages, and liabilities are (i) required by law; or (ii) are finally awarded by a court of competent jurisdiction. A “Covered Data Breach” is a Personal Data Breach that was solely caused by Company’s gross negligence, willful misconduct, or breach of the Agreement or this DPA, in each case as mutually agreed by the Parties or as determined by a court of competent jurisdiction or duly appointed arbitrator.

5.7. Company Employees and Personnel. Company shall treat Customer Personal Data as the Confidential Information of Customer, and shall put procedures in place to ensure that:

(a) access to Customer Personal Data is limited to those employees or other personnel who have a business need to have access to such Customer Personal Data; and
(b) any employees or other personnel with access to Customer Personal Data have committed themselves to confidentiality of Customer Personal Data or are under an appropriate statutory obligation of confidentiality and do not Process such Customer Personal Data other than in accordance with this DPA.

6. AUDITS

6.1. Standard Audit Process. Company will make available to Customer documentation, data, certifications, reports, and records (“Records”) relating to Company’s Processing of Customer Personal Data to demonstrate compliance with this DPA (an “Audit”) provided the Agreement remains in effect and such audit is at Customer’s sole expense. Customer may request an Audit upon fourteen (14) days’ prior written notice to Company, no more than once annually, except in the event of a Personal Data Breach occurring on Company’s systems, in which case Customer may request an Audit within a reasonable period of time following such Personal Data Breach.

6.2. Written Requests and Inspections. If Customer has a reasonable objection that the Records provided are not sufficient to demonstrate Company’s compliance with this DPA, Customer may, as necessary: (i) request additional information from Company in writing, and Company will respond to such written requests within a reasonable period of time (“Written Requests”); and (ii) only where Company’s responses to such Written Requests do not provide the necessary level of information required by Customer, request access to Company’s premises, systems and staff, upon twenty one (21) days prior written notice to Company (an “Inspection”) subject to the parties having mutually agreed upon (a) the scope, timing, and duration of the Inspection, (b) the use of an auditor to conduct the Inspection, (c) the Inspection being carried out only during Company’s regular business hours, with minimal disruption to Company’s business operations, and (d) all costs associated with the Inspection being borne by Customer (including Company’s time in connection with facilitating the Inspection, charged at Company’s then-current rates). Inspections will be permitted no more than once annually, except in the event of a Personal Data Breach.

7. ASSISTANCE WITH DATA SUBJECT RIGHTS

7.1. Save as required (or where prohibited) under applicable law, Company shall promptly notify Customer of any request received by Company or any Subprocessor from a Data Subject in respect of their Personal Data included in Customer Personal Data (“Data Subject Request”) and shall inform the Data Subject that their request has been redirected to Customer as the Controller.

7.2. Where applicable, and taking into account the nature of the Processing, Company shall use reasonable endeavors to assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to Data Subject Requests as required by Data Protection Laws. In order to receive such assistance, Customer shall submit a support request to correct, delete, block, access or copy the Personal Data of a Data Subject.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

8.1. To the extent required under applicable Data Protection Laws, Company shall provide reasonable assistance to Customer with any data protection impact assessments and with any prior consultations with any Supervisory Authority of Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Company.

8.2. Such cooperation and assistance are provided to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Company. Company may fulfil its above obligations by providing Customer with documentation regarding its Processing operations.

9. RETENTION AND DELETION OF PERSONAL DATA

9.1. Except to the extent required otherwise by Data Protection Laws, Company will, at Company’s option, upon Customer’s written request on or after the termination of the Agreement, securely destroy, delete or de-identify all Customer Personal Data, unless Data Protection Laws require Company, its affiliates, and/or its subprocessors to retain Customer Personal Data.

10. GENERAL

10.1. Company may share and disclose Customer Personal Data and other data of Customer in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of Company’s business by or to another company, including the transfer of contact information and data of customers, partners and end users.

10.2. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.


SCHEDULE 1

APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES

ANNEX I

A. LIST OF PARTIES

C. COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority shall be the Irish Data Protection Commissioner, the UK ICO for matters related to Data Subjects in the UK, and the Swiss Federal Data Protection Commissioner for Data Subjects in Switzerland.

ANNEX II

Company agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by applicable Data Protection Law(s). Such measures will include:

1. Establish and maintain an information security program designed to (i) protect the security and confidentiality of data exporter’s Personal Data; (ii) protect against any anticipated threats or hazards to the security or integrity of data exporter’s Personal Data; (iii) protect against unauthorized access to or use of data exporter’s Personal Data; and (iv) ensure the proper disposal of data exporter’s Personal Data.
2. Provide security awareness and training programs delivered not less than annually, for all Company personnel who access data exporter’s Personal Data.
3. Maintain controls that provide reasonable assurance that access to data importer’s physical servers at its production data center (“Systems”) is limited to properly authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes.
4. Maintain policies and procedures designed to protect the confidentiality, integrity, and availability of data exporter’s Personal Data and protect it from unauthorized disclosure, alteration, or destruction.
5. Maintain a security incident response plan that includes procedures to be followed in the event of any incident that results in a Personal Data Breach.
6. Implement storage and transmission security measures designed to guard against unauthorized access to data exporter’s Personal Data that is being transmitted over an electronic communications network.

ANNEX III

The data exporter has authorized the use of the following subprocessors: