Terms & Conditions

These Terms & Conditions are a legally binding agreement between you (Customer or you) and Fisar UK Ltd (No 16926890) incorporated and registered in England and Wales whose registered office is at Second Floor, Sutherland House, 70-78 West Hendon Broadway, London, United Kingdom, NW9 7BT (Fisar, us or we) for the provision of Fisar cloud-based software services by Fisar to you.

These Terms & Conditions permit you to use those services for so long as you pay the applicable subscription fees and are not in breach of your obligations. You do not become the owner of any software or other material provided by Fisar to you. Fisar remains the owner of all software and other material at all times.

CONTACT INFORMATION: Email: info@fisar.co.uk Telephone: 02046420600

Important Notice to All Users

• BY SIGNING UP TO A Fisar SERVICE YOU AGREE TO THESE TERMS & CONDITIONS WHICH WILL BIND YOU AND YOUR EMPLOYEES.
• THESE TERMS & CONDITIONS INCLUDE, IN PARTICULAR, LIMITATIONS ON LIABILITY IN CLAUSE 11.
• IF YOU DO NOT AGREE TO THESE TERMS & CONDITIONS, YOU MUST NOT SIGN UP TO ANY Fisar SERVICES AND YOU MAY NOT ACCESS ANY THOSE SERVICES.

You should print a copy of these Terms & Conditions for future reference.

1. Interpretation

1.1 The definitions and rules of interpretation in this clause apply in these Terms & Conditions.

Agreement: the agreement between Fisar and the Customer, which has the terms stated in these Terms & Conditions.

Business Day: any day which is not a Saturday, Sunday or public holiday in England and Wales.

Commencement Date: the date upon which Fisar enables the Customer and Users to commence live use of the Services.

Completed Redaction: a document redaction processed through the Services where the redaction has been confirmed by the User and the document has been converted to PDF format.

Completed SAR: a Subject Access Request processed through the Services where the response data has been downloaded by the data subject.

Completed Transaction: a Completed SAR or a Completed Redaction.

Confidential Information: means

(a) in the case where Fisar is the receiving party:

(i) all Customer Data; and

(ii) all information obtained by Fisar or any of its representatives (whether directly or indirectly) from the Customer, or their representatives, relating to the Services or this Agreement; and

(b) in the case where the Customer is the receiving party, all information obtained by Customer (whether directly or indirectly) from Fisar or its representatives, relating to

Fisar, the Services, this Agreement or which is identified as Confidential Information in clause 9.4; and, in all cases, shall include all copies of any such information prepared by the directors, officers or employees of the receiving party or any of its representatives which contains or otherwise reflects or is generated from such information.

Customer Data: the information and data relating to the Customer and/or its customers which is (a) data provided by the Customer and inputted by the Customer (or by Fisar on its behalf) for the purposes of using the Services or (b) the specific details of each transaction between the Customer and any User arising from a use of the Services.

Customer IPR: means IPR owned by or licensed by third parties to the Customer.

Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications).

Data Sharing Agreement: the data sharing agreement provided to the Customer at or before Sign-up. Fisar and the Customer agree that the Data Sharing Agreement forms part of this Agreement.

Fisar Data: all information and data generated by Fisar in connection with the Services.

Fisar IPR: means IPR owned by or licensed by third parties to Fisar (including any IPR comprised in the Software).

Event of Force Majeure: any event beyond the reasonable control of the Affected Party (as defined in clause 14) including (to the extent it is beyond the Affected Party's reasonable control): pandemics and epidemics, acts of God; acts of civil or military authority; national emergencies; fire; floods; natural catastrophes; wars; insurrections; and riots.

Fees: the Subscription Fees, Overage Fees, and any other fees for services payable by the Customer to Fisar under this Agreement.

Fair Use Allowance: 100 Completed Transactions per Subscription Year, as more particularly described in clause 7.8.

Indemnified Party: means the Customer (in the case of any claim to which clause 10.1 applies) and Fisar (in the case of any claim to which clause 10.2 applies).

Indemnifying Party: means Fisar (in the case of any claim to which clause 10.1 applies), and the Customer (in the case of any claim to which clause 10.2 applies).

IPR: rights in patents, copyright, moral rights, database rights, trade marks, trade and business names, rights to sue for passing off, rights in the nature of unfair competition rights, trade secrets, confidentiality and other proprietary rights including rights to know-how and other technical information (in each case whether registered or unregistered and including applications to register any of the foregoing) and all rights in the nature of any of the foregoing anywhere in the world.

IPR Claim: any claim to which clause 10.1 or 10.2 applies.

Level: the particular level of the Services to which the Customer has subscribed, by reference to one or more of the following: storage, number of authorised Users, upload allowance, and/or functionality or features.

Losses: losses, claims, damages, costs, charges, expenses and liabilities (including reasonable legal fees and disbursements).

Notice Period: the minimum period of notice of termination of this Agreement, being:

(a) in the case of a monthly subscription, at least 48 hours expiring at midnight on the last day of the month for which the Customer wishes to use the Services; or

(b) in the case of an annual subscription, at least 60 days expiring on the last day of the 12 month period for which the Customer has previously paid or is liable to pay;

(c) such other period or limitations on use as is specified in the Sign-up. Overage Fee: the fee payable for each Completed Transaction in excess of the Fair Use Allowance, as specified in the Sign-up or as notified by Fisar to the Customer from time to time.

Services: Fisar's services, as such services are described in the Specification, or the relevant Level of those services.

Sign-up: the process whereby the Customer applied to subscribe for the Services, irrespective of whether such process was automated, online, manual or a combination.

Software: software developed by Fisar:

(a) used by Fisar in providing the Services; or

(b) which is provided to the Customer or Users to enable them to use the Services.

Specification: the specification of the Services set out in Schedule 1 to these Terms & Conditions.

Service Level Agreement or SLA: the service level commitments set out in Schedule 2 to these Terms & Conditions.

Subscription Fees: the fees payable by the Customer to Fisar for the right to use the Services, as specified in the Customer's Sign-up.

Subscription Period: the period beginning on the Commencement Date and ending on termination of this Agreement in accordance with clause 13.

Subscription Year: each consecutive 12-month period during the Subscription Period, the first such period commencing on the Commencement Date.

Third Party IPR: IPR owned by a person other than the Customer or Fisar.

UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK.

Usage Data: anonymous usage data regarding the activities carried out by the Customer or Users.

Users: individuals using the Services, and who are authorised to do so, as contemplated by the Sign-up and the relevant Level, if any.

Virus: any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.

1.2 Where these Terms & Conditions refer to or link to a document, such reference or link shall be deemed to be a reference or link to that document as amended or replaced from time to time, subject to the following:

(a) Fisar shall provide the Customer with at least 30 days' advance written notice before any amendment or replacement takes effect;

(b) Fisar shall indicate in such notice whether it considers the amendment or replacement to be material;

(c) if the amendment or replacement is material, the Customer may terminate this Agreement without penalty by giving written notice to Fisar within 30 days of receiving notification of the change; and

(d) non-material amendments (such as clarifications, corrections, or improvements that do not adversely affect the Customer's rights) shall take effect upon expiry of the notice period.

1.3 References to a month or monthly shall be deemed to refer to a period starting on a particular day (e.g. the 10th) in a calendar month and ending on the preceding day (e.g. the 9th) in the following calendar month.

1.4 References to clauses are to the clauses of these Terms & Conditions. Clause headings shall not affect the interpretation of these Terms & Conditions.

1.5 A person includes an individual, corporate or unincorporated body (whether or not having separate legal personality) and that person's legal and personal representatives, successors or permitted assigns.

1.6 A reference to a company shall include any company, corporation or other body corporate, wherever and however incorporated or established.

1.7 A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment and includes any subordinate legislation for the time being in force made under it.

1.8 A reference to writing or written includes e-mail.

2. Subscription To Use The Services

2.1 Subject to the Customer paying the Fees in accordance with this Agreement, the restrictions set out in this clause 2 and the other clauses of these Terms & Conditions, Fisar shall provide the Services from the Commencement Date until the end of the Subscription Period in accordance with the Service Level Agreement.

2.2 Each party shall use its best endeavours not to:

(a) distribute or transmit any Viruses on to the information technology systems of the other party, or

(b) access, store, distribute or transmit any material during the course of the provision or use of the Services that:

(i) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive;

(ii) facilitates illegal activity;

(iii) depicts sexually explicit images;

(iv) promotes unlawful violence;

(v) is discriminatory based on race, gender, colour, religious belief, sexual orientation, disability, or any other illegal activity; or

(vi) causes damage or injury to any person or property; and, in respect of the Customer's use of the Services, Fisar reserves the right, upon 5 Business Days' notice, to disable the Customer's access to any material that breaches the provisions of this clause, save in exceptional circumstances where Customer's access to such materials is necessary for legal or regulatory purposes.

2.3 The Customer shall not, for the duration of the Subscription Period:

(a) except as may be allowed by any applicable law or regulation which is incapable of exclusion by agreement between the parties or except to the extent permitted under this Agreement:

(i) attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit, or distribute all or any portion of the Services or the Software (as applicable) in any form or media or by any means; or

(ii) attempt to reverse compile, disassemble, reverse engineer or otherwise reduce to human-perceivable form all or any part of the Software; or

(b) access all or any part of the Services or the Software in order to build a product or service which competes with the Services; or

(c) use the Software or the Services to:

(i) provide services to third parties; or

(ii) unless and to the extent otherwise expressly stated in the Specification, market, promote the use of or otherwise publicize the products or services of any person other than the Customer; (without prejudice to the ability of the Customer or Users to use the Services in the manner described in the Specification); or

(d) license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Software or the Services available to any third party (without prejudice to the ability of the Customer or Users to use the Services in the manner described in the Specification); or

(e) attempt to obtain, or assist third parties in obtaining, access to the Software or the Services other than as permitted under this Agreement.

2.4 The Customer shall use reasonable endeavours to prevent any unauthorised access to, or use of, the online administration facilities available to the Customer in relation to the Software or the Services and, in the event of Customer becoming aware of any such unauthorised access or use, promptly notify Fisar in writing.

3. Data Protection

3.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 3 is in addition to, and does not relieve, remove or replace, a party's obligations under the Data Protection Legislation.

3.2 The terms: controller, processor, data subject, personal data, personal data breach, processing and appropriate technical and organisational measures and terms and expressions used in this clause 3 and not defined in these Terms & Conditions shall have the meaning assigned to them in the Data Protection Legislation.

3.3 The parties acknowledge that:

(a) if Fisar processes any personal data on the Customer's behalf when performing its obligations under this Agreement, the Customer is the controller and Fisar is the processor for the purposes of the Data Protection Legislation; and

(b) the scope, nature and purpose of processing by Fisar, the duration of the processing and the types of personal data and categories of data subject shall be as stated in the Data Sharing Agreement.

3.4 Without prejudice to the generality of clause 3.1, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to Fisar for the duration and purposes of this Agreement so that Fisar may lawfully use, process and transfer the personal data in accordance with this Agreement on the Customer's behalf.

3.5 Without prejudice to the generality of clause 3.1, Fisar shall, in relation to any personal data processed in connection with the performance by Fisar of its obligations under this Agreement:

(a) process that personal data only on the documented written instructions of the Customer unless Fisar is required by the laws of any member of the European Union or by the laws of the European Union applicable to Fisar and/or Domestic UK Law (where Domestic UK Law means the UK Data Protection Legislation and any other law that applies in the UK) to process personal data (Applicable Laws). Where Fisar

is relying on Applicable Laws as the basis for processing personal data, Fisar shall promptly notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Fisar from so notifying the Customer;

(b) not transfer any personal data outside of the European Economic Area and the United Kingdom unless the following conditions are fulfilled:

(i) the Customer or Fisar has provided appropriate safeguards in relation to the transfer;

(ii) the data subject has enforceable rights and effective legal remedies;

(iii) Fisar complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and

(iv) Fisar complies with reasonable instructions notified to it in advance by the Customer with respect to the processing of the personal data;

(c) assist the Customer, at the Customer's cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

(d) notify the Customer of any personal data breach in accordance with the following:

(i) provide initial notification within 24 hours of becoming aware of a personal data breach (such initial notification may be preliminary and based on information then available);

(ii) provide detailed written notification within 72 hours of becoming aware of a personal data breach, including: the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences of the breach; the measures taken or proposed to address the breach and mitigate its effects; and a contact point for further information; and

(iii) provide ongoing updates as the investigation progresses and further information becomes available;

(e) at the written direction of the Customer, delete or return personal data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the personal data (and for these purposes the term "delete" shall mean to put such data beyond use); and

(f) maintain complete and accurate records and information to demonstrate its compliance with this clause 3 and immediately inform the Customer if, in the opinion of Fisar, an instruction infringes the Data Protection Legislation.

3.6 Each party shall ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).

3.7 Sub-processors:

(a) Fisar shall maintain a list of sub-processors engaged in the processing of personal data under this Agreement and shall provide such list to the Customer upon request.

(b) Fisar shall provide the Customer with at least 30 days' advance written notice before engaging any new sub-processor, such notice to include the identity of the proposed sub-processor and the processing activities to be undertaken.

(c) The Customer may object to the appointment of a new sub-processor on reasonable data protection grounds by giving written notice to Fisar within 14 days of receiving notification under clause 3.7(b).

(d) If the Customer objects pursuant to clause 3.7(c), the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If the parties are unable to resolve the objection within 30 days of the Customer's notice of objection, the Customer may terminate this Agreement without penalty by giving written notice to Fisar.

(e) Fisar shall ensure that any sub-processor agreement contains data protection obligations at least as protective as those set out in this Agreement.

(f) As between the Customer and Fisar, Fisar shall remain fully liable for all acts or omissions of any sub-processor appointed by it pursuant to this clause 3.7.

3.8 Audit and Certification:

(a) Fisar shall maintain a recognised security certification, being one or more of: ISO 27001, SOC 2 Type II, or Cyber Essentials Plus (or equivalent successor certifications).

(b) Fisar shall provide the Customer with a copy of its current security certification or audit report annually upon reasonable request.

(c) If Fisar does not hold a recognised security certification as described in clause 3.8(a), or following a security incident affecting the Customer's data, the Customer may conduct an audit of Fisar's compliance with its data protection obligations under this Agreement, subject to the following conditions:

(i) the Customer shall provide at least 30 days' advance written notice of the audit;

(ii) the audit shall be conducted during normal business hours and in a manner that minimises disruption to Fisar's operations;

(iii) the Customer shall bear its own costs of the audit;

(iv) the audit shall be limited to matters relating to the Customer's data and

Fisar's compliance with its data protection obligations under this Agreement; and

(v) Fisar may require any third-party auditor to sign a confidentiality undertaking before the audit commences.

4. Third Party Providers

The Customer acknowledges that the Services may enable or assist Users to access the online or other electronic content, products or services of third parties. Fisar makes no representation or commitment and shall have no liability or obligation whatsoever in relation to such content, products or services, or any transactions completed or any contracts entered into by Users with any such third party. Any such contract entered into and any such transaction completed by any User is with the relevant third party, not with Fisar. Fisar recommends that the Customer and/or Users refer to the third party's terms and conditions

and privacy policy prior to any usage. Fisar does not endorse or approve any third-party or its content, products or services made available via the Services.

5. Fisar's Obligations

5.1 Fisar warrants and undertakes that it will perform its obligations under this Agreement (and/or procure that its obligations are performed):

(a) in accordance with the Specification;

(b) in accordance with the Service Level Agreement; and

(c) in compliance with all applicable laws and regulations with respect to its activities under this Agreement.

5.2 The undertakings at clause 5.1(a) shall not apply to the extent of any non-conformance which is caused by use of the Services by the Customer other than as permitted under this Agreement, or modification or alteration of the Services by the Customer (or any other person authorised or allowed by the Customer to use or access the Services) other than as permitted under this Agreement.

5.3 Notwithstanding the foregoing, Fisar does not warrant that the Customer's or User's use of the Services will be uninterrupted or error-free; nor that the Services and/or the information obtained by the Customer or any User through the Services will meet their non-contractual requirements, save as expressly set out in the Service Level Agreement.

5.4 Fisar shall not be responsible for any delays, delivery failures, or any other loss or damage resulting from the transfer of data over communications networks and facilities, including the internet, and the Customer acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities.

5.5 This Agreement shall not prevent Fisar from entering into similar agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under this Agreement.

5.6 Fisar warrants that it has and will maintain all necessary licences, consents, and permissions necessary for the performance of its obligations under this Agreement.

5.7 Fisar shall maintain throughout the Subscription Period:

(a) professional indemnity insurance with a minimum cover of £1,000,000 per claim; and

(b) cyber liability insurance with a minimum cover of £1,000,000 per claim.

Fisar shall provide evidence of such insurance coverage to the Customer upon reasonable request.

5.8 Business Continuity and Disaster Recovery:

(a) Fisar shall maintain appropriate business continuity and disaster recovery procedures.

(b) Fisar shall perform regular backups of Customer Data at least once every 24 hours.

(c) Backups shall be stored securely and separately from primary systems.

(d) In the event of a disaster affecting the Services, Fisar shall use reasonable endeavours to restore the Services within 48 hours.

(e) Fisar shall use reasonable endeavours to minimise any loss of Customer Data in the event of a disaster.

5.9 The terms implied by sections 3 to 5 of the Supply of Goods and Services Act 1982 and any other applicable legislation are, to the fullest extent permitted by law, excluded from this Agreement.

6. Customers Obligations - The Customer shall:

(a) provide Fisar with:

(i) all reasonably necessary co-operation in relation to this Agreement; and

(ii) all necessary access to such information as may reasonably be required by Fisar; in order to provide the Services, including but not limited to Customer Data, security access information and configuration services (in each case subject to such confidentiality and security restrictions as are reasonably necessary in the circumstances);

(b) comply with all applicable laws and regulations with respect to its activities under this Agreement;

(c) carry out all other Customer responsibilities set out in this Agreement in a timely and efficient manner. In the event of any delays in the Customer's provision of such assistance as agreed by the parties, Fisar may adjust any agreed timetable or delivery schedule as reasonably necessary;

(d) obtain and shall maintain all necessary licences, consents, and permissions necessary for Fisar to perform its obligations under this Agreement;

(e) ensure that its network and systems comply with the relevant specifications provided by Fisar from time to time; and

(f) be solely responsible for procuring and maintaining its network connections and telecommunications links from its systems to Fisar's data centres, and all problems, conditions, delays, delivery failures and all other loss or damage arising from or relating to the Customer's network connections or telecommunications links or caused by the internet (other than to the extent caused by the act or omission of the Customer or any of its sub-contractors).

7. Charges And Payment

7.1 The Customer shall pay the Fees to Fisar in accordance with this clause 7.

7.2 The Customer shall when requested provide to Fisar valid, up-to-date and complete contact and billing details, including details of the Customer's bank, credit card or other account for the purpose of payment of Fees (Payment Account).

7.3 Fisar shall invoice the Customer for the Fees, as and when payable, and the Customer shall pay each invoice within 30 days after the date of such invoice.

7.4 Fisar may at any time adopt a system for automated payments, in which it may invoice the Customer for Fees and automatically collect payment of such invoice from the Payment Account at any time from the date of such invoice.

7.5 If Fisar has not received payment within 30 days after the due date, and without prejudice to any other rights and remedies of Fisar:

(a) Fisar may, without liability to the Customer, disable the Customer's password, account and access to all or part of the Services and Fisar shall be under no obligation to provide any or all of the Services while the invoice(s) concerned remain unpaid; and

(b) interest shall accrue on such due amounts at an annual rate equal to 4% over the then current base lending rate of Fisar's bankers in the UK at the date the relevant invoice was issued, commencing on the due date and continuing until fully paid, whether before or after judgment.

7.6 Fee increases:

(a) Fisar shall be entitled to increase the Fees with effect from any time from each anniversary of the Commencement Date, and no more frequently than once every 12 months, upon at least 60 days' prior written notice to the Customer.

(b) If any Fee increase exceeds 15% of the Fees payable immediately prior to the increase, the Customer may terminate this Agreement without penalty by giving written notice to Fisar within 30 days of receiving notification of such increase, such termination to take effect on the date the increase would otherwise have taken effect.

(c) If the Customer does not terminate in accordance with clause 7.6(b), this Agreement shall be deemed to have been amended to reflect the increased Fees.

7.7 All amounts and fees stated or referred to in this Agreement:

(a) shall be payable in pounds sterling or such other currency as specified in the Sign-up;

(b) shall be payable annually in advance or on such other dates or in respect of such other periods as are specified in the Sign-up;

(c) shall be paid within 30 days of the date of the relevant invoice;

(d) are non-cancellable and non-refundable, except that:

(i) service credits issued under the Service Level Agreement may be applied against future invoices;

(ii) if the Customer terminates this Agreement due to sustained SLA breach in accordance with Schedule 2, any accrued service credits shall be refunded to the Customer on a pro-rata basis;

(iii) if Fisar terminates this Agreement other than for Customer breach, or if

Fisar discontinues the Services, the Customer shall be entitled to a pro-rata refund of any prepaid Fees for the unexpired portion of the Subscription Period; and

(e) are exclusive of value added tax, which shall be added to Fisar's invoice(s) at the applicable rate.

7.8 Fair Use Allowance:

(a) The Subscription Fees include a Fair Use Allowance of 100 Completed Transactions per Subscription Year.

(b) The Fair Use Allowance is calculated on a combined basis, meaning Completed SARs and Completed Redactions count together toward the limit of 100 Completed Transactions per Subscription Year.

(c) For the purposes of calculating the Fair Use Allowance:

(i) a Subject Access Request is a Completed SAR when the response data has been downloaded by the data subject; and

(ii) a redaction is a Completed Redaction when the redaction has been confirmed by the User and the document has been converted to PDF format.

(d) If the Customer exceeds the Fair Use Allowance in any Subscription Year, Overage Fees shall be payable for each Completed Transaction in excess of the Fair Use Allowance.

(e) Overage Fees shall be charged at the rate specified in the Sign-up, or as otherwise notified by Fisar to the Customer in accordance with clause 7.6.

(f) Fisar shall invoice the Customer for Overage Fees monthly in arrears, or at such other intervals as Fisar may reasonably determine. Payment of Overage Fee invoices shall be due within 30 days of the invoice date.

(g) The Fair Use Allowance does not roll over to subsequent Subscription Years. Any unused portion of the Fair Use Allowance at the end of a Subscription Year shall expire and shall have no cash value.

(h) Fisar shall provide the Customer with access to usage data within the Platform showing the number of Completed Transactions in the current Subscription Year.

8. Proprietary Rights And Intellectual Property

8.1 The Customer acknowledges and agrees that Fisar and/or its licensors own all IPR in the Software and the Services (excluding, for the avoidance of doubt, the Customer Data and any other information or materials provided by the Customer). Except as expressly stated herein, this Agreement does not grant the Customer any rights to, or in, IPR in respect of the Software or the Services.

8.2 Fisar confirms that it has all the rights in relation to the Software and the Services that are necessary to grant all the rights it purports to grant under, and in accordance with, this Agreement.

8.3 Fisar hereby grants (and shall procure the grant of) for the duration of the Subscription Period a royalty-free, non-exclusive licence of Fisar IPR (and, to the extent it is used in the provision of the Services and is needed for the receipt and use of the Services under this Agreement, Third Party IPR) to the Customer, for the purpose of and to the extent necessary for the receipt and use of the Services.

8.4 Customer hereby grants (and shall procure the grant of) for the duration of the Subscription Period a royalty-free, non-exclusive licence of the Customer IPR (with no right to sub-licence other than to Fisar's sub-contractors solely for the purposes of this Agreement) to Fisar solely to the extent necessary to provide the Services (and for no other purpose) in accordance with this Agreement.

8.5 The Customer shall own all rights, title and interest in and to all of the Customer Data. Save as described in this Agreement, Fisar shall have no responsibility for the legality, reliability, integrity, accuracy and quality of the Customer Data.

8.6 The Customer hereby grants Fisar a non-exclusive, non-transferable licence to hold and use the Customer Data solely to the extent necessary for providing the Services for the duration of Subscription Period.

8.7 The parties agree and acknowledge that Fisar shall own the Usage Data.

9. Confidentiality

9.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement. A party's Confidential Information shall not be deemed to include information to the extent that it:

(a) is or becomes publicly known other than through any act or omission of the receiving party;

(b) was in the other party's lawful possession before the disclosure;

(c) is lawfully disclosed to the receiving party by a third party without restriction on disclosure;

(d) is independently developed by the receiving party, which independent development can be shown by written evidence; or

(e) is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.

9.2 Each party shall hold the other's Confidential Information in confidence (with at least the same security measures and degree of care that would apply to its own confidential information) and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than for the purposes of this Agreement.

9.3 Each party shall ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents or sub-contractors in violation of this Agreement.

9.4 The Customer acknowledges that details of the Services, and the results of any performance tests of the Services, constitute Fisar's Confidential Information.

9.5 Fisar acknowledges that the Customer Data is the Confidential Information of the Customer.

9.6 This clause 9 shall survive termination of this Agreement, however arising.

10. Indemnity

10.1 Fisar shall indemnify the Customer for Losses in connection with any claim against the Customer or any User by a third party of alleged or actual infringement of any Third Party IPR arising out of or in connection with the use of the Software in accordance with this Agreement (save to the extent it concerns any services, data or documents to which clause

10.2 applies).

10.2 The Customer shall indemnify Fisar against Losses in connection with any claim against Fisar by a third party of alleged or actual infringement of any Third Party IPR arising out of or in connection with the use by Fisar in accordance with this Agreement of any services, data or documents provided by or on behalf of the Customer to Fisar pursuant to this Agreement.

10.3 The Indemnified Party shall:

(a) give to the Indemnifying Party prompt notice of any IPR Claim of which it becomes aware;

(b) not make any admission or take any other action, which might be prejudicial thereto without the prior consent of the Indemnifying Party (such consent not to be unreasonably withheld or delayed);

(c) give to the Indemnifying Party conduct of any litigation which may ensue and all negotiations for a settlement of the IPR Claim (provided that the Indemnifying Party

shall consult in good faith with the Indemnified Party on an ongoing basis in respect of such IPR Claim, and shall take into account the reasonable commercial interests of the Indemnified Party in connection therewith);

(d) give to the Indemnifying Party, at the Indemnifying Party's request and expense, all reasonable assistance in connection with any such IPR Claim; and

(e) use reasonable steps to mitigate its Losses.

10.4 If any IPR Claim under clause 10.1 prevents the Customer or any User from receiving, using or enjoying the benefit of the Services, Fisar shall:

(a) procure the right for the Customer and/or User to continue using the Services; or

(b) (at no cost to Customer) replace or modify the Services so that they become non-infringing (and Fisar shall remain bound by its obligations under this Agreement in respect of that Service).

10.5 In no event shall Fisar, its employees, agents and sub-contractors be liable to the Customer to the extent that the alleged infringement is based on:

(a) a modification of the Software or Services by the Customer (or any other person authorised or allowed by the Customer to use or access the Software or Services), unless such modification was requested by Fisar or is otherwise permitted under this Agreement; or

(b) the Customer's use of the Software or Services in a manner otherwise than in accordance with this Agreement; or

(c) the Customer's use of the Software or Services after at least 5 Business Days written notice of the alleged or actual infringement from Fisar or any appropriate authority.

11. Limitation Of Liability

11.1 Notwithstanding anything else in this Agreement neither party excludes or limits its liability for death or personal injury caused by its negligence; fraud; or any other loss, liability for which may not legally be limited.

11.2 Subject to clauses 11.1 and 11.4, neither party shall be liable to the other party (whether in contract, tort (including negligence), misrepresentation or for breach of any duty (including strict liability) or otherwise) under or in connection with this Agreement (including the supply or non-supply of the Services) for any:

(a) indirect or consequential loss or damage; or

(b) any loss of future business or future profits, provided that this clause 11.2 shall be without prejudice to the Customer's obligation to pay the Fees.

11.3 Subject to clause 11.1, and save in relation to the liabilities described in clause 11.4, the maximum aggregate liability of either party under or in connection with this Agreement in contract, tort (including negligence), misrepresentation, for breach of duty (including strict liability) or otherwise shall be, in respect of any Losses resulting from any and all events in any 12 month period, an amount equal to the total Fees paid or to be paid by the Customer in that 12 month period, provided that this clause 11.3 shall be without prejudice to Customer's obligations to pay Fees due in accordance with this Agreement.

11.4 The limitations on and exclusions of liability set out in clauses 11.2 and 11.3 shall not apply to:

(a) the indemnities given under this Agreement in clauses 10.1 and 10.2;

(b) any breach of clauses 3 or 9; or

(c) any Loss incurred by a party due to the wilful default or malicious acts of the other party.

11.5 Without prejudice to any other provision of this Agreement, the Customer acknowledges that the accuracy and completeness of redactions and other outputs of the Services are not guaranteed by Fisar and it is the Customer's responsibility to review and check all such outputs.

12. Service Discontinuation and Insolvency

12.1 If Fisar intends to discontinue the Services, Fisar shall provide the Customer with at least 90 days' advance written notice of such discontinuation.

12.2 In the event of Fisar's insolvency (as described in clause 13.3(b) to (g)) or planned discontinuation of the Services:

(a) the Customer shall have priority access to extract Customer Data from the Services during any wind-down period;

(b) Fisar shall use reasonable endeavours to assist the Customer with transition to an alternative service provider; and

(c) Fisar shall provide the Customer Data to the Customer in accordance with clause 13.4(c) as soon as reasonably practicable.

13. Term And Termination

13.1 This Agreement shall, unless otherwise terminated as provided in this clause 13, commence on the Commencement Date and shall continue indefinitely until and unless:

(a) the Customer gives written notification of termination to Fisar, the minimum period of such notification being at least the Notice Period, in which case this Agreement shall terminate upon the expiry of the Notice Period;

(b) Fisar gives written notification of termination to the Customer, the minimum period of such notification being at least the Notice Period, in which case this Agreement shall terminate upon the expiry of the Notice Period; or

(c) otherwise terminated in accordance with the provisions of this Agreement.

13.2 The Customer may terminate this Agreement without penalty:

(a) pursuant to clause 1.2(c) (material changes to incorporated documents);

(b) pursuant to clause 3.7(d) (unresolved sub-processor objection);

(c) pursuant to clause 7.6(b) (fee increase exceeding 15%);

(d) pursuant to Schedule 2 (sustained SLA breach); or

(e) pursuant to clause 15.8 (assignment to which Customer objects).

13.3 Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate this Agreement without liability to the other if:

(a) the other party commits a material breach of any of the terms of this Agreement and (if such a breach is remediable) fails to remedy that breach within 30 days of that party being notified in writing of the breach; or

(b) an order is made or a resolution is passed for the winding up of the other party, or circumstances arise which entitle a court of competent jurisdiction to make a winding-up order in relation to the other party; or

(c) an order is made for the appointment of an administrator to manage the affairs, business and property of the other party, or documents are filed with a court of competent jurisdiction for the appointment of an administrator of the other party, or notice of intention to appoint an administrator is given by the other party or its directors or by a qualifying floating charge holder (as defined in paragraph 14 of Schedule B1 to the Insolvency Act 1986); or

(d) a receiver is appointed of any of the other party's assets or undertaking, or if circumstances arise which entitle a court of competent jurisdiction or a creditor to appoint a receiver or manager of the other party, or if any other person takes possession of or sells the other party's assets; or

(e) the other party makes any arrangement or composition with its creditors, or makes an application to a court of competent jurisdiction for the protection of its creditors in any way; or

(f) the other party ceases, or threatens to cease, to trade; or

(g) the other party takes or suffers any similar or analogous action in 13.3(b) to (f) in any jurisdiction in consequence of debt.

13.4 Following expiry or termination of this Agreement:

(a) all licences granted under this Agreement shall immediately terminate;

(b) each party shall return and make no further use of any equipment, property, documentation and other items (and all copies of them) belonging to the other party;

(c) Fisar will provide the Customer Data in format(s) agreed between the parties, or if not agreed, in a reasonable and commonly-used format that preserves data integrity (such as original file formats where still held by Fisar, and CSV or JSON for structured data), within 10 Business Days of the date of termination of this Agreement, and will then be obliged to destroy all Customer Data stored within its systems; and

(d) the accrued rights of the parties as at termination, or the continuation after termination of any provision expressly stated to survive or implicitly surviving termination, shall not be affected or prejudiced.

14. Force Majeure

14.1 Neither the Customer nor Fisar (respectively) (the Affected Party) shall be liable to the other Party (the Claiming Party) for delay or failure to perform its obligations (other than an obligation of payment) to the extent that such delay or failure results from an Event of Force Majeure provided that:

(a) the Affected Party has used its reasonable endeavours to mitigate the effect of such circumstances and to continue to perform its affected obligations; and

(b) the Affected Party shall not be excused performance of its obligations unaffected by an Event of Force Majeure.

14.2 The Affected Party shall:

(a) on the occurrence of an Event of Force Majeure, promptly notify the Claiming Party (such notice to contain details of the circumstances giving rise to the Event of Force Majeure and its anticipated duration); and

(b) upon the cessation of the Event of Force Majeure, promptly notify the Claiming Party and recommence performance of its affected obligations.

14.3 If a delay or failure to perform any of the Affected Party's obligations under this Agreement due to an Event of Force Majeure continues for more than 30 days, the Claiming Party shall be entitled to terminate this Agreement.

14.4 For the avoidance of doubt, on any cessation of a Service pursuant to this clause 14, the Claiming Party shall have no liability to Fisar in respect of any Fees for such Service which would have otherwise been payable but for such cessation.

15. General

15.1 A waiver of any right under this Agreement is only effective if it is in writing and it applies only to the party to whom the waiver is addressed and to the circumstances for which it is given.

15.2 No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

15.3 Unless specifically provided otherwise, rights arising under this Agreement are cumulative and do not exclude rights provided by law.

15.4 If any provision (or part of a provision) of this Agreement is found by any court or administrative body of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions shall remain in force.

15.5 If any invalid, unenforceable or illegal provision would be valid, enforceable or legal if some part of it were deleted, the provision shall apply with whatever modification is necessary to give effect to the commercial intention of the parties.

15.6 This Agreement constitutes the whole agreement between the parties and supersedes any previous arrangement, understanding or agreement between them relating to the subject matter they cover.

15.7 Except in the case of fraud or fraudulent misrepresentation, each of the parties acknowledges and agrees that in entering into this Agreement it does not rely on any undertaking, promise, assurance, statement, representation, warranty or understanding (whether in writing or not) of any person (whether party to this Agreement or not) relating to the subject matter of this Agreement, other than as expressly set out in this Agreement.

15.8 Neither party shall, without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed), assign, transfer, charge, sub-contract or deal in any other manner with all or any of its rights or obligations under this Agreement.

15.9 Fisar shall be permitted to sub-contract performance of its obligations under this Agreement but it shall not thereby be relieved of any of its obligations under this Agreement.

15.10 Nothing in this Agreement is intended to or shall operate to create a partnership between the parties, or authorise either party to act as agent for the other, and neither party shall have the authority to act in the name or on behalf of or otherwise to bind the other in any way (including, but not limited to, the making of any representation or warranty, the assumption of any obligation or liability and the exercise of any right or power).

15.11 This Agreement does not confer any rights on any person or party (other than the parties to this Agreement and, where applicable, their successors and permitted assigns) pursuant to the Contracts (Rights of Third Parties) Act 1999.

15.12 Any notice required or permitted to be given under this Agreement shall be in writing and shall be sent to the email address of the recipient specified in writing during the Sign-up or to such other email address in the United Kingdom as the recipient may designate by notice given in accordance with the provisions of this clause 15.12. Any such notice may be delivered by email and shall be deemed to have been served when transmitted.

15.13 Dispute Resolution:

(a) If any dispute arises out of or in connection with this Agreement, the parties shall first attempt to resolve the dispute through good faith negotiations between senior representatives (or other nominated representatives) of each party.

(b) The senior representatives shall meet (in person or remotely) within 14 days of a written request by either party to attempt to resolve the dispute.

(c) If the dispute is not resolved within 14 days of the senior representatives first meeting (or if no meeting takes place within 14 days of the written request), either party may pursue court proceedings in accordance with clause 15.15.

15.14 This Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) are governed by, and construed in accordance with, the law of England.

15.15 Subject to clause 15.13, the parties irrevocably agree that the courts of England have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).

Service Specification

1. Overview

Fisar is a software-as-a-service provided by Fisar UK Ltd. The service provides automated Subject Access Request (SAR) processing capabilities to help customers respond efficiently and compliantly to data subject requests.

2. Core Functionality

Fisar will provide the following core functionality throughout the Subscription Period. Core functionality will not be materially reduced without notice and exit rights as set out in clause 1.2:

(a) Identity Verification: verification processes to confirm the identity of data subjects making requests;

(b) Document and Data Retrieval: automated search and retrieval of Personal Identifiable Information (PII) within native client systems;

(c) Third-Party Integration: integration capabilities with third-party applications which may store data subject information;

(d) Duplicate Removal: tools to identify and remove duplicated documentation;

(e) Redaction: comprehensive redaction capabilities for:

(i) text content;

(ii) images;

(f) Secure Delivery: encrypted secure delivery of processed data to the data subject; and

(g) Request Tracking: tracking of Subject Access Requests and their completion progress against deadlines.

3. Supported File Formats

The service supports the following file formats (Fisar may add support for additional formats from time to time):

(a) Documents: .txt, .doc, .docx, .pdf;

(b) Presentations: .ppt, .pptx;

(c) Spreadsheets: .xls, .xlsx, .csv;

(d) Email: .pst, .msg, .eml;

4. Output Formats Documents can be downloaded in their original form (without redactions) or as a fully rasterised PDF file with redactions applied.

5. Service Availability Service availability and performance are governed by the Service Level Agreement set out in Schedule 2.

Schedule 2 - Service Level Agreement

Service Availability

1.1 Fisar commits to a Service availability target of 99.5% measured on a monthly basis (the "Availability Target").

1.2 Availability is calculated as: ((Total minutes in month - Downtime minutes) / Total minutes in month) x 100.

1.3 "Downtime" means any period during which the Services are not accessible to the Customer, excluding Scheduled Maintenance and Excused Downtime.

2. Scheduled Maintenance

2.1 Fisar shall provide at least 48 hours' advance notice of any scheduled maintenance that may affect Service availability.

2.2 Fisar shall use reasonable endeavours to schedule maintenance during periods of low usage and to minimise the duration of any Service interruption.

2.3 Scheduled maintenance for which proper notice has been given shall not count as Downtime for the purposes of calculating availability.

3. Excused Downtime

The following shall not count as Downtime for the purposes of calculating availability:

(a) Scheduled maintenance notified in accordance with paragraph 2;

(b) Downtime caused by Events of Force Majeure;

(c) Downtime caused by the Customer's acts or omissions, or those of its Users;

(d) Downtime caused by failures of the Customer's network, systems, or internet connectivity;

(e) Downtime caused by third-party services not under Fisar's control; and

(f) Downtime required for emergency security patches or updates, provided Fisar notifies the Customer as soon as reasonably practicable.

4. Support Response Times

Fisar shall respond to support requests within the following timeframes (measured during Business Hours, being 09:00 to 17:30 Monday to Friday, excluding public holidays in England):

Priority Description Response Time Critical Service completely unavailable; data loss or security breach 4 hours High Major functionality impaired; no workaround available 8 hours Medium Functionality impaired but workaround available 24 hours Low Minor issues; general queries 48 hours

5. Service Credits

5.1 If Fisar fails to meet the Availability Target in any calendar month, the Customer shall be entitled to service credits calculated as follows:

Monthly Availability Service Credit 99.0% to 99.4% 5% of monthly fee

5.2 To claim a service credit, the Customer must submit a written request to Fisar within 30 days of the end of the month in which the failure occurred.

5.3 Service credits will be applied against the next invoice. Service credits are the Customer's sole and exclusive remedy for failure to meet the Availability Target, except as provided in paragraph 6.

5.4 The maximum service credit in any calendar month shall not exceed 25% of the monthly fee for that month.

6. Sustained SLA Breach

6.1 If Fisar fails to meet the Availability Target for three consecutive months, or for any four months in any twelve-month period, the Customer may terminate this Agreement without penalty by giving written notice to Fisar within 30 days of the end of the relevant month.

6.2 Upon such termination, the Customer shall be entitled to a pro-rata refund of any prepaid Fees for the unexpired portion of the Subscription Period, plus any accrued service credits.

Fisar UK Ltd Contact Details

Registered Address: Second Floor, Sutherland House, 70-78 West Hendon Broadway, London, United Kingdom, NW9 7BT

Company Number: 16926890

Email: info@fisar.co.uk

Telephone: 02046420600

‍

‍