EDAA Trust Seal

ACCELERATE TERMS AND CONDITIONS Effective Q1 2026

These Accelerate Terms and Conditions, together with the Schedules (collectively the Terms), are made and entered into on the Effective Date by and between Epsilon Data Management, LLC (formerly d/b/a Yieldify), a Delaware corporation with its principal place of business at 35 W. Wacker Dr., 29th Floor, Chicago, IL 60601, United States (Epsilon) and the entity signing the Order Form which references these Terms (Customer).

These Terms, along with the Order Forms referencing these Terms, constitute the agreement between the parties (collectively referred to as the "Agreement"). Customer may be a direct customer or an agency acting on behalf of a client (Agency).

1 Definitions

1.1 Capitalized terms not otherwise set out in these Terms shall have the meaning set out in the attached Schedule 1 (Definitions).

2 Services

2.1 Epsilon will provide to Customer the applicable Services purchased by Customer as set out in the relevant Order Form, which may consist of some or all of the following:

2.1.1 provide a Tag to Customer to be placed on the Website by Customer, in accordance with the instructions provided by Epsilon to Customer in writing, in order to collect certain data from Prospects and track a Prospects movements and behavior on the Website to provide targeted Campaigns to such Prospects;

2.1.2 launch on Customers Website the number of Campaigns as set out in the Order Form and which are created and launched either by:

2.1.2.1 giving Customer access to the applicable Epsilon Technology to enable Customer to create and launch Campaigns itself on its Website; or

2.1.2.2 Epsilon in accordance with Section 2.2 below; and

In each case for the duration agreed in the applicable Project Brief and in accordance with such Project Brief and the applicable Order Form; and/or

2.1.3 access to certain reports regarding the Campaigns and such other information related to the Services, as made available by Epsilon (Report(s)), which are delivered either through the Epsilon Technology or such other format as Epsilon may provide.

2.2 Where it is agreed in the applicable Order Form that Epsilon will create the Campaigns for Customer for each Campaign:

2.2.1 Customer will provide to Epsilon all details, requirements and relevant Content for each Campaign, including any required translations of the Content in the format reasonably requested by Epsilon;

2.2.2 the parties will mutually agree to a Project Brief based on such details, requirements and Content provided by Customer;

2.2.3 Epsilon will create Campaigns utilizing the Content and in accordance with the applicable Project Brief; and

2.2.4 Epsilon will send such created Campaigns to Customer for review and approval. The approval by Customer shall be deemed to include the confirmation by Customer that all legal checks required to run such Campaigns in any jurisdiction contemplated by a Campaign have been performed and Epsilon is permitted to run the Campaign as approved.

2.3 Subject to payment of the applicable Fees, the restrictions set out in this Section 2 and the terms and conditions of these Terms and the applicable Order Form, Epsilon hereby grants to Customer a non-exclusive, non-transferable, non-assignable, non-sublicensable right during the Term to use the Services, the applicable Epsilon Technology and in accordance with the Scope and solely for Customer's internal business operations.

2.4 In relation to the Authorized Users, Customer undertakes that each Authorized User shall keep a secure password for its use of the Services, that such password shall be changed frequently and that each Authorized User password shall be kept confidential.

2.5 Customer shall permit Epsilon to audit Customers Use of the Services in order to establish that the use of the Services by Customer is in accordance with the Scope.

2.6 Except as expressly permitted in the Agreement or may be permitted by Applicable Law that is incapable of exclusion by agreement between the parties, Customer shall not and shall procure that its Authorized Users shall not:

2.6.1 make alterations to, or modifications of, the whole or any part of the Services or Epsilon Technology or permit the Services or Epsilon Technology or any part of them to be combined with, or become incorporated in, any other programs;

2.6.2 disassemble, decompile, reverse-engineer or create derivative works based on the whole or any part of the Services or Epsilon Technology or attempt to do any such thing;

2.6.3 provide, commercially exploit or otherwise make available the Services or Epsilon Technology, in any form to any person;

2.6.4 access all or any part of the Services and/or Epsilon Technology in order to build a product or service which competes with the Services and/or Epsilon Technology;

2.6.5 use the Services and/or Epsilon Technology to provide services to third parties; or

2.6.6 access or use the Services or Epsilon Technology for any illegal activities.

3 Service Levels and Support Services

3.1 Epsilon will use commercially reasonable endeavors to make the Epsilon Platform available 24 hours a day, seven days a week, except for planned or emergency maintenance and Epsilon will use reasonable endeavors to give Customer prior notice of such maintenance.

3.2 Subject to Customer paying the Fees as outlined in the Order Form, Epsilon will, as part of the Services provide to Customer Support Services Epsilon will provide the Support Services with due skill and care and in accordance with good industry practice.

4 Charges and Payment Terms

4.1 Customer shall pay to Epsilon the Fees set forth in the applicable Order Form in accordance with this Section 4.

4.2 Epsilon will invoice Customer for the applicable Services Fees annually in advance during the Term with the first invoice issued on or after Effective Date by email to the billing contact on the Order Form.

4.3 Customer shall pay invoices in full and without deduction by credit card or electronic money transfer to the account details provided in each invoice within thirty (30) days of the date of the invoice in the currency specified in the Order Form.

4.4 All amounts and Fees stated or referred to in the Agreement are non-refundable and are exclusive of all Taxes. Customer shall be solely responsible for, and pay all applicable Taxes relating to the Agreement, and the use or access to the Services and Support Services. In the event Epsilon invoices Customer for any such Taxes, Customer shall pay all Taxes invoiced by Epsilon or, if paid by Epsilon, reimburse Epsilon for all Taxes, including taxes assessed after a tax authority audit after the Effective Date. Customer shall also pay any interest or penalties assessed on such Taxes and agrees to hold Epsilon harmless from all claims and liability arising from Customers failure to report or pay any such Taxes.

4.5 If Epsilon has not received payment for any invoices which are not the subject of a bona fide dispute by the due dates and without prejudice to any other rights and remedies of Epsilon, Epsilon may:

4.5.1 by giving thirty (30) days prior written notice to Customer, without liability to Customer, disable Customers password, account and access to all or part of the Services and/or suspend the provision of Support Services and Epsilon shall be under no obligation to provide any or all of the Services and/or Support Services while the invoice(s) concerned remain unpaid; and

4.5.2 charge interest which shall accrue on such overdue amounts at the higher of (i) an annual rate equal to 4% or (ii) the maximum interest rate allowed under Applicable Law.

4.6 If Customer is an Agency, Fees shall be due regardless of whether Agency receives payments from the Agency Client. In addition, Fees shall be due regardless of whether or not targeting criteria results in the targeting of Campaigns to Prospects.

5 Customer Obligations

5.1 Customer shall:

5.1.1 provide all necessary co-operation and information and where applicable grant Epsilon access to its applicable systems and Website(s) as may be reasonably required by Epsilon in order to provide the Services as applicable including, without limitation, providing suitably qualified staff to attend meetings and review and approve Campaigns prior to their launch;

5.1.2 comply with Epsilons reasonable instructions from time to time in relation to its implementation and use of the Services, as applicable. Customer acknowledges that failure to comply with any such instructions may affect the performance of the Services, as applicable;

5.1.3 notify Epsilon promptly of any issues relating to the Services, as applicable, and promptly provide all necessary information and co-operation reasonably required by Epsilon to enable it to diagnose and remedy such issues;

5.1.4 and shall procure that its Authorized Users shall: (i) use the Services in accordance with the terms and conditions of the Agreement; (ii) comply with all Applicable Laws and regulations with respect to its activities under the Agreement; (iii) only use the Services for lawful purposes; and (iv) conduct Customers business with the highest of ethical standards and fairness. Customer shall be liable for any breach of the Agreement by its Authorized Users;

5.1.5 be solely responsible for procuring and maintaining its network connections and telecommunications links and all problems, conditions, delays and delivery failures arising from or relating to such network connections or telecommunications links;

5.1.6 use all reasonable efforts to prevent any unauthorized access to, or use of, the Services and, in the event of any such unauthorized access or use, promptly notify Epsilon;

5.1.7 be solely responsible for the accuracy, completeness, design, appropriateness, creation, maintenance, and updating thereof of all Customer Data in the use of the Services. Epsilon shall not be liable for any errors or inaccuracies in (i) any information provided by Customer; (ii) any Customer Data, or (iii) any changes or modifications to any Customer Data by Epsilon upon Customers written instructions, beyond its responsibility to accurately reproduce such Customer Data on Customers instruction;

5.1.8 be solely responsible for the creation and maintenance of the IT environment infrastructure regarding access to the Services, including, without limitation to the hardware and operating systems and providing supported versions of browser software; and

5.1.9 be responsible for obtaining (and maintaining) all required licenses and consents required for Epsilon to use and process Customer Data in the provision of the Services, including without limitation, all necessary consents (including those required for children aged 13-16 and under 13 in accordance with CCPA), licenses, approvals and legal checks required for the implementation and running of all Campaigns (whether created by Customer of Epsilon) and for the collection of Prospect Data through the Campaign Services.

5.2 Customer shall not and shall procure that its Authorized Users shall not during the course of its use of the Services, provide, upload, input, access, store, distribute or transmit any Viruses, nor any material, including without limitation Customer Data and/or Content, that:

5.2.1 is Inappropriate Content;

5.2.2 is unlawful (including breach of Intellectual Property Rights of any other party), harmful, threatening, defamatory,

5.2.3 facilitates illegal activity or is otherwise illegal or causes damage or injury to any person or property; and Epsilon reserves the right, without liability or prejudice to its other rights to Customer, to (i) disable Customer's access to any such material that breach the provisions of this Section, including, but not limited to installing a blocking access program; to (ii) remove any such content where, in Epsilons sole and reasonable discretion, Epsilon suspects such content to be Inappropriate Content; and/or (iii) to terminate the Agreement for material breach in accordance with Section 10.2.

5.3 Customer warrants and represents to Epsilon that it (i) will maintain and abide by a privacy and cookies policy on its Website(s) and/or where data gathering occurs that complies with Applicable Laws and in particular complies with Applicable Data Protection Laws related to data collection by the Epsilon Technology (including without limitation the Tag) and/or the Campaigns, the sharing of any data collected from the Website(s) and/or Campaigns with third parties, such as Epsilon and any further processing (including, but not limited to, Processing) or use of the data by such third parties; and (ii) has obtained and maintained all required licenses, authorizations and consents pursuant to Section 5.1.9. Customer shall ensure there is a link to the privacy policy and cookies policy as well as appropriate opt-out provisions for Prospects in compliance with Applicable Data Protection Laws on each webpage where the Tag is located and/or where data gathering occurs (including without limitation where the Campaigns are implemented). Epsilon will provide (or otherwise make available) to Customer its then current Data Collection Policy to assist Customer with its compliance with this Section and Applicable Data Protection Laws.

5.4 Customer agrees to defend, indemnify and hold harmless Epsilon and its Affiliated Companies from and against any and all claims, losses, damages, expenses and costs, including without limitation reasonable court costs and attorneys fees, arising out of or in connection with any third party claim, action or proceeding relating to: (i) Customers use of the Services in violation of the Agreement; and/or (ii) Customer Data.

5.5 Where Customer is an Agency, such Agency enters into the Agreement for and on behalf of its client as set out in the relevant Order Form (Agency Client), Agency shall ensure that the Agency Client is made aware of, is bound by, and complies with the terms of the Agreement in respect of its use of the Services, and Agency shall be responsible and liable for any breach of the terms of the Agreement by such Agency Clients.

6 Affiliates

6.1 If the Customer is using an Affiliate and the Fees payable to Epsilon from Customer for Customers use of the Services will be determined by the Affiliate then Customer will pay each invoice it receives from the Affiliate in full and in accordance with the terms stated therein.

6.2 If Epsilon does not receive payment from the Affiliate within the applicable due date, then Epsilon will invoice Customer for any outstanding amount owed to Epsilon for the Customers use of the Services.

6.3 Customer shall pay invoices from Epsilon in full and without deduction by electronic money transfer to the account details provided in each invoice within thirty (30) days of the date of the invoice.

6.4 If Epsilon has not received payment from the Affiliate for any invoices which are not the subject of a bona fide dispute, then without prejudice to any other rights and remedies of Epsilon, Epsilon may:

6.4.1 by giving thirty (30) days prior written notice to Customer, without liability to Customer, disable Customers password, account and access to all or part of the Services and/or suspend the provision of Support Services and Epsilon shall be under no obligation to provide any or all of the Services and/or Support Services while the invoice(s) concerned remain unpaid; and

6.4.2 charge interest which shall accrue on such due amounts at the higher of (i) an annual rate equal to 4% or (ii) the maximum interest rate allowed under applicable law.

7 Customer Data

7.1 Customer shall own all right, title and interest in and to all of the Customer Data and shall have sole responsibility and liability for (i) the legality, appropriateness, and integrity of the Customer Data; and (ii) the completeness, reliability, accuracy and quality of the Customer Data.

7.2 Customer grants Epsilon and its Affiliated Companies, a non-exclusive, royalty-free, worldwide, transferable license during the Term:

7.2.1 to use, host, transmit, display and create derivative works of the Customer Data (i) in connection with the provision of the Services; and (ii) for the purposes of improving and/or developing the Services; and

7.2.2 where necessary, to transfer Customer Data to any third parties used by Epsilon, only as required for the provision of the Services;

provided that Epsilons use of the Customer Data beyond termination of any Order Form shall not include any personal data of Customer or Prospects. Customer further acknowledges and agrees that Epsilon may use anonymized Customer Data at any time for the purposes of providing its services to its customers (including improving and/or developing such services) and/or providing to third parties for benchmarking and other reports (e.g. performance statistics and vertical level insights).

7.3 Customer acknowledges that it has responsibility for all Customer Data and that except as stated otherwise hereunder, Epsilon will not be held responsible in any way for any Intellectual Property Right infringement or violation, the violation of any other persons rights or the violation of any laws, arising or relating to such Customer Data.

7.4 Epsilon shall follow its archiving procedures for Customer Data as set out in its Back-Up Policy as such document may be amended by Epsilon in its sole discretion from time to time, with any such amended version to be made available to Customer. In the event of any loss or damage to Customer Data, Customer's sole and exclusive remedy shall be for Epsilon to use commercially reasonable efforts to restore the lost or damaged Customer Data from the latest back-up of such Customer Data maintained by Epsilon in accordance with the archiving procedure described in its Back-Up Policy. Epsilon shall not be responsible for any loss, destruction, alteration or disclosure of Customer Data caused by any third party, (except those third parties sub-contracted by Epsilon to perform services related to Customer Data maintenance and back-up) unless solely caused by Epsilon negligence or willful misconduct.

7.5 Customer acknowledges that Epsilon is neither obliged nor able to edit Customer Data (including third-party information). However, Epsilon reserves the right to remove any Customer Data (or third-party information) which Epsilon reasonably believes breaches any laws or regulations or any third partys rights or the Agreement and/or is deemed Inappropriate Content. Epsilon will notify Customer if it removes any Customer Data (or third-party information) in accordance with this Section. To the extent permitted by applicable law, Epsilon disclaims all liability of any kind in respect of third party products, services, information and any other material or services which can be accessed using the Services. Epsilon expressly disclaims all liability for any fraud committed in connection with the Services.

8 Warranty

8.1 Epsilon warrants for the Term that the Services will be provided with reasonable skill and care.

8.3 The warranty provided in Section 8.1 shall not apply to the extent of any non-conformance which is caused by:

8.2.1 Customers implementation or use of the Services contrary to Epsilons instructions or otherwise in breach of the Agreement; or

8.2.2 modification or alteration of the Services by any party other than Epsilon or Epsilon's duly Authorized contractors or agents.

8.3 If the Services do not conform to the warranty provided in Section 8.1, Epsilon will, at its expense, use commercially reasonable efforts to correct any such non-conformance within a reasonable period of time. This Section sets out the Customer's sole and exclusive remedy and Epsilons entire liability for breach of Section 8.1.

8.4 Notwithstanding the foregoing, Epsilon:

8.4.1 does not warrant that Customer's use of the Services will be uninterrupted or error-free, or that the Services and/or the information obtained by Customer through the Services will meet Customer's requirements;

8.4.2 is not responsible for any delays, delivery failures, or any other loss or damage resulting from Customers access to and use of the Services and/or third-party applications or the transfer of data over communications networks and facilities, including the Internet, and Customer acknowledges that the Services may be subject to limitations, delays and other problems inherent in the use of such communications facilities;

8.4.3 is not responsible for any Virus which was not detected by Epsilon using reasonable current commercial methods of detection or transmitted through any third-party services;

8.4.4 nor its suppliers or third-party service providers or software vendors, shall have any liability whatsoever for the accuracy, completeness, or timeliness of Customer Data, or for any decision made or action taken by Customer, any Authorized User, or any third party in reliance upon any Customer Data.

8.5 EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS SECTION 8, EPSILON (AND ITS AFFILIATED COMPANIES AND SUPPLIERS) TO THE EXTENT PERMITTED BY APPLICABLE LAW, DISCLAIMS ALL OTHER REPRESENTATIONS, WARRANTIES OR CONDITIONS, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES AND CONDITIONS OF MERCHANTABILITY, ACCURACY, CORRESPONDENCE WITH DESCRIPTION, FITNESS FOR A PARTICULAR PURPOSE OR USE, SATISFACTORY QUALITY, AND NON-INFRINGEMENT.

8.6 The Agreement shall not prevent Epsilon from entering into similar Agreements with third parties, or from independently developing, using, selling or licensing documentation, products and/or services which are similar to those provided under the Agreement.

9 Data Protection

9.1 Each party shall, in connection with the exercise of its rights and the performance of its obligations under the Agreement, comply with the Applicable Data Protection Laws. The type of Personal Data processed by Epsilon under this Agreement and the duration and purpose of such Processing is set forth in the Data Collection Policy.

9.2 In respect of its access to and/or Processing of any such Personal Data of Customer in the provision of the Services as a Processor, Epsilon shall:

9.2.1 have in place appropriate technical and organizational measures to ensure an appropriate level of security for the Processing of such Personal Data of Customer and to protect such Personal Data against unauthorized or unlawful Processing or accidental loss, destruction or damage;

9.2.2 preserve the integrity of such Personal Data of Customer and prevent the loss or corruption of such Personal Data;

9.2.3 only process such personal data in accordance with the Agreement and any other written instructions and directions of Customer and not for its own purpose, shall not retain, use or disclose the personal information for any purpose other than the specific purpose of performing the services as set out in the Agreement, and shall ensure that anyone in its organization Processing Personal Data of Customer is subject to the same duties of confidence as set out in this Section 9;

9.2.4 notify Customer without undue delay if it becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to Customers Personal Data (a Security Incident) and provide sufficient detail of the Security Incident for Customer to take action to remedy the Security Incident;

9.2.5 provide such reasonable assistance and information to Customer as it may reasonably require to allow the Customer to comply with its obligations under the Applicable Data Protection Laws;

9.2.6 subject to the rights in Section 7.2, upon termination of the Agreement at the direction of Customer either return to Customer or securely destroy such data and delete any copies, except where Epsilon is required by applicable law to retain copies;

9.2.7 allow Customer and its auditors, at Customers own cost and expense and upon reasonable prior written notice, to conduct audits or inspections during the Term and for 12 months thereafter, in connection with the Processing of any such data to ensure any Personal Data Processing by Epsilon is in accordance with Applicable Data Protection Laws;

9.2.8 maintain complete and accurate records to demonstrate its compliance with this Section 9;

9.2.9 not transmit any personal data of Customer or otherwise process it outside the European Economic Area unless it has complied with its applicable obligations under Applicable Data Protection Laws in ensuring adequate safeguards in relation to such transfer; and

9.2.10 where CCPA applies:

9.1.10.1 not collect, sell or use further personal information (as defined within the CCPA) except as necessary to perform the business purpose;

9.1.10.2 will be liable for civil penalties if Epsilon uses personal information received from Customer in violation of CCPA;

9.1.10.3 be liable for civil penalties if Epsilon uses personal information received from Customer in violation of CCPA; and

9.1.10.4 Epsilon acknowledges that it is acting as a service provider, as such term is defined within CCPA.

9.2.11 Customer consents to Epsilon using third party sub-processors appointed by it to process Customers Personal Data under the Agreement, provided that Epsilon has entered or (as the case may be) will enter with such third party sub-processors into a written agreement incorporating terms which are the same as or substantially similar to those set out in this Section 9. A list of the current sub-processors is set out in the Data Collection Policy. Customer may, acting reasonably, object to the appointment of a new sub-processor by Epsilon. As between Customer and Epsilon, Epsilon shall remain fully liable for all acts or omissions of any third party sub-processor appointed by Epsilon pursuant to the Agreement and this Section 9.

9.3 Nothing in the Agreement shall relieve Epsilon of its own direct responsibilities and liabilities under Applicable Data Protection Laws.

9.4 Epsilon shall assist Customer meeting its obligations relating to the exercise by a data subject of their rights under Applicable Law, including but not limited to data subject rights access requests, right to be forgotten and rectification of data.

9.5 In the event of a material change to Applicable Data Protection Laws, such as any change that results in a different classification of a party in relation to the Services, data localization, or if a transfer mechanism is deemed invalid, the parties will negotiate a suitable resolution in good faith, which may constitute an additional scope of Service to be detailed in a statement of work or change order. If the parties fail to reach such a resolution or if either party reasonably deems a change in Applicable Data Protection Laws to present a material risk to its business or operations, either party may suspend or terminate the impacted Services. If the change pertains only to a particular jurisdiction or specific Service, the party may terminate the Service only as to that jurisdiction and/or the impacted Service specifically. Any suspension or termination under this Section shall be deemed to be without fault by either party and shall be subject to the Agreement.

9.6 Notwithstanding the remainder of this Section 9, where a Disclosing Controller makes available Personal Data to a Recipient (including, but not limited to, where Epsilon is acting in its capacity as a Controller), the following provisions shall apply:

9.6.1 TOMS. The Recipient will provide the same level of privacy protection to the Personal Data as required of Disclosing Controller by Applicable Data Protection Laws. The Recipient will implement technical and organizational measures appropriate to the nature of the Personal Data received from the Disclosing Controller that are designed to protect the Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Applicable Data Protection Laws, which are at minimum such measures as identified in Schedule 2 Technical and Organizational Measures;

9.6.2 Permitted Purposes. The Recipient will process the Personal Data solely in accordance with the description of Processing, including the purposes identified within the specific description(s) of Processing included in the Agreement, which may be updated by the parties in writing (email to suffice);

9.6.3 Additional Requirements under Applicable Data Protection Laws. The parties shall adhere to the following terms if required under Applicable Data Protection Laws:

9.6.3.1 Attestation. Upon the request of Disclosing Controller, the Recipient will provide an attestation confirming Recipients Processing of the Personal Data is consistent with Disclosing Controllers obligations under Applicable Data Protection Laws.

9.6.3.2 Notice of Inability to Comply. The Recipient will notify Disclosing Controller if Recipient determines it can no longer meet its obligations under Applicable Data Protection Laws related to Recipients Processing of the Personal Data, and the parties will negotiate a suitable resolution in good faith.

9.6.3.3 Non-compliance. In the event that Recipient has failed to comply with these requirements, Disclosing Controller may require Recipient to stop Processing the Personal Data immediately until Recipient can confirm its compliance.

9.6.3.4 Deidentified Data. To the extent Recipient receives deidentified data (as defined by Applicable Data Protection Laws) from Disclosing Controller, Recipient will (i) take reasonable measures to ensure that such data cannot be associated with a Data Subject or household, (ii) will maintain and use the information in deidentified form, and (iii) not attempt to reidentify such data.

9.6.4 Indemnification and Liability. Notwithstanding anything to the contrary in the Agreement:

9.6.4.1 each party (the Indemnitor) shall indemnify, defend, and hold harmless the other party (the Indemnitee) from any third party claims or investigations and resulting losses, costs, damages, fines, and expenses included by the Indemnitee that arise from the Indemnitors breach of its obligations under this Section 9.6, and

9.6.4.2 ANY AND ALL LIABILITY ARISING FROM A PARTYS BREACH OF THIS SECTION 9 WILL IN NO EVENT EXCEED THE GREATER OF THE LIABILITY CAP IDENTIFIED IN THE AGREEMENT OR ONE TIMES (1X) THE AGGREGATE AMOUNT OF FEES PAID OR PAYABLE TO EPSILON UNDER THE AGREEMENT DURING THE PRECEDING 12-MONTH PERIOD.

9.6.5 Survival. To the extent that Recipient continues to Process the Personal Data disclosed or made available by Disclosing Controller, the terms of this Section 9.6 shall survive termination or expiry of the Agreement, and Recipient may continue to Process the Personal Data for the period identified in the description of processing, provided that such Processing complies with the requirements of this Section 9.6 and Applicable Data Protection Laws.

10 Epsilon Intellectual Property Rights

Customer acknowledges and agrees that Epsilon and its licensors and suppliers own all Intellectual Property Rights in the Epsilon Technology, Services, and Epsilon Data, but excluding Customer Data.

Except as expressly stated herein, the Agreement does not grant Customer any Intellectual Property Rights or any other rights or licenses in respect of the Epsilon Technology, Services, or Epsilon Data.

11 Term and Termination

11.1 The Agreement shall, unless otherwise terminated as provided in this Section 11, commence on the Effective Date and shall continue for the Initial Term. Thereafter, the Agreement shall automatically renew for successive periods of 12 months (or such other period as specified in the applicable Order Form) (each a Renewal Term), unless either party terminates with not less than two (2) months written notice prior to the end of the Initial Term or relevant Renewal Term, or otherwise terminates in accordance with the provisions of the Agreement. The Initial Term together with any subsequent Renewal Terms shall constitute the Term. Without a Renewal Term in place, Customers access to and use of the Services, Epsilon Technology shall automatically terminate.

11.2 Without prejudice to any other rights or remedies to which the parties may be entitled, either party may terminate the Agreement without liability to the other at any time with immediate effect upon written notice if the other party:

11.2.1 is in material breach of any of its obligations under the Agreement and/or an Order Form and, in the case of a breach which is capable of remedy, fails to remedy such breach within thirty (30) days following notice of the breach; or

11.2.2 files, or has filed against it, a petition of bankruptcy or insolvency, and the petition is not vacated within sixty (60) days being filed, or shall have a receiver or administrative receiver appointed over it or any of its assets; or shall pass a resolution for winding-up or dissolution of the business affairs of an entity or if the other party shall become subject to an administration order or shall enter into any voluntary arrangement with its creditors or shall cease or threaten to cease to carry on business; or is subject to any analogous event or proceeding in any applicable jurisdiction.

11.3 On termination or expiration of the Agreement for any reason:

11.3.1 Customers rights of use granted under the Agreement shall immediately terminate and Customer shall immediately cease the use of the Services subscribed to under the Agreement, the Epsilon Technology, and the Support Services;

11.3.2 Customer shall promptly pay all monies due or to become due under the Agreement through the effective date of termination and for the remainder of the then current Initial Term or Renewal Term as applicable; and

11.3.3 the parties shall comply with their respective obligations set out in Section 12.4.

12 Confidentiality

12.1 Each party may be given access to Confidential Information from the other party in order to perform its obligations under the Agreement. A party's Confidential Information shall not be deemed to include information that:

12.1.1 is or becomes publicly known other than through any act or omission of the receiving party;

12.1.2 was in the other party's lawful possession before the disclosure;

12.1.3 is lawfully disclosed to the receiving party by a third party without restriction on disclosure;

12.1.4 is independently developed by the receiving party, which independent development can be shown by written evidence; or

12.1.5 is required to be disclosed by law, by any court of competent jurisdiction or by any regulatory or administrative body.

12.2 Each party shall (i) hold the other's Confidential Information in confidence and, unless required by law, not make the other's Confidential Information available to any third party, or use the other's Confidential Information for any purpose other than the implementation of the Agreement; and (ii) take all reasonable steps to ensure that the other's Confidential Information to which it has access is not disclosed or distributed by its employees or agents in violation of the terms of the Agreement. Neither party shall be responsible for any loss, destruction, alteration or disclosure of Confidential Information caused by any third party.

12.3 Customer acknowledges that details of the Epsilon Technology, Services, Epsilon Data, and the results of any performance tests of the Services, constitute Epsilon's Confidential Information.

12.4 Subject to Section 12.2 and except where a party is expressly required by law to retain a copy, on termination of the Agreement or when requested to do so in writing by the disclosing party, the receiving party shall promptly:

12.4.1 deliver to the disclosing party any documents and other materials in its possession or control that contain any of the Confidential Information;

12.4.2 permanently delete, destroy and erase all electronic copies of the Confidential Information from any computer or data storage system into which the Confidential Information was entered (except where a party is required by Applicable Law to keep copies); and

12.4.3 make no further use of the Confidential Information.

12.5 The receiving party, if requested by the disclosing party, shall confirm in writing that the provisions of Section 12.4 have been complied with. The obligations of confidentiality under this Section 12 shall survive any expiration or termination of the Agreement for a period of 2 years from the date of termination, except for any information which is deemed a trade secret of a party in respect of which the obligations of confidentiality shall continue for as long as such information remains a trade secret.

13 Limitation of Liability

13.1 EXCEPT WITH RESPECT TO AMOUNTS OWED BY CUSTOMER TO EPSILON HEREUNDER, THE AGGREGATE LIABILITY OF EACH PARTY FOR OR IN RESPECT OF ANY LOSS OR DAMAGE SUFFERED BY THE OTHER PARTY (WHETHER DUE TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE) UNDER OR IN CONNECTION WITH THE AGREEMENT IN ANY 12 MONTH PERIOD SHALL BE LIMITED TO THE TOTAL AMOUNT OF FEES PAID BY CUSTOMER DURING THE 12 MONTHS IMMEDIATELY PRECEDING THE DATE THE CLAIM AROSE.

13.2 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR SPECIAL, CONSEQUENTIAL, INCIDENTAL OR OTHER INDIRECT DAMAGES, OR FOR LOSS OF PROFITS, ANTICIPATED SAVINGS, BUSINESS OPPORTUNITY, GOODWILL, OR LOSS OF REVENUE, LOSS OF USE OR LOSS OF DATA (INCLUDING CORRUPTION OF DATA), OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES ARISING OF THE AGREEMENT, HOWSOEVER CAUSED AND UNDER ANY THEORY OF LIABILITY (INCLUDING CONTRACT, TORT, NEGLIGENCE OR OTHERWISE) EVEN IF THE OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE PARTIES ACKNOWLEDGE THAT THE AMOUNTS PAYABLE HEREUNDER ARE BASED IN PART ON THESE LIMITATIONS AND FURTHER AGREE THAT THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. EPSILON ACCEPTS NO LIABILITY FOR FAILURE TO MAINTAIN ANY LEVEL OF AVAILABILITY OF THE SERVICES OTHER THAN WHERE IT IS IN BREACH OF ITS OBLIGATIONS UNDER THE AGREEMENT.

13.3 IN ADDITION TO THE OTHER EXCLUSIONS SET OUT IN THIS SECTION 13, EPSILON HAS NO LIABILITY:

13.3.1 FOR ANY THIRD PARTY PRODUCTS OR SERVICES ACCESSED AND/OR USED BY CUSTOMER THROUGH THE SERVICES;

13.3.2 WHERE ANY FAILURE TO PROVIDE THE SERVICES IS CAUSED BY A NETWORK, HARDWARE OR SOFTWARE FAULT IN EQUIPMENT WHICH IS NOT UNDER THE CONTROL OF EPSILON;

13.3.3 ANY ACT OR OMISSION OF CUSTOMER;

13.3.4 USE OF THE SERVICES IN BREACH OF THE AGREEMENT;

13.3.5 ANY UNAUTHORIZED ACCESS TO THE SERVICES INCLUDING A MALICIOUS SECURITY BREACH; OR

13.3.6 LOSS OR DAMAGE CAUSED BY CUSTOMERS DELAY OR FAILURE TO TIMELY PROVIDE ANY REQUIRED INFORMATION OR CO-OPERATION OR TO FULFIL ITS OBLIGATIONS UNDER THE AGREEMENT.

13.4 IN THE EVENT OF ANY LOSS OR DAMAGE TO CUSTOMER DATA, CUSTOMER'S SOLE AND EXCLUSIVE REMEDY SHALL BE AS SET OUT IN SECTION 7.4.

13.5 CUSTOMER ASSUMES SOLE RESPONSIBILITY FOR RESULTS OBTAINED FROM THE USE OF THE SERVICES BY CUSTOMER, AND FOR CONCLUSIONS DRAWN FROM SUCH USE. EPSILON SHALL HAVE NO LIABILITY FOR ANY DAMAGE CAUSED BY ERRORS OR OMISSIONS IN ANY INFORMATION, DATA OR INSTRUCTIONS PROVIDED TO EPSILON BY CUSTOMER IN CONNECTION WITH THE SERVICES OR ANY ACTIONS TAKEN BY EPSILON AT CUSTOMER'S DIRECTION.

13.6 EPSILON DOES NOT AND CANNOT CONTROL THE FLOW OF DATA TO OR FROM THE NETWORK WHERE THE SERVICES RESIDE AND OTHER PORTIONS OF THE INTERNET INCLUDING DENIAL OF SERVICE ATTACKS (AN ATTACK WHICH SEND A FLOOD OF INCOMING MESSAGES TO THE TARGET SYSTEM FORCING THE SYSTEM TO SHUT DOWN, THEREBY DENYING SERVICE TO LEGITIMATE USERS). SUCH FLOW DEPENDS IN LARGE PART ON THE PERFORMANCE OF INTERNET SERVICES PROVIDED OR CONTROLLED BY THIRD PARTIES. AT TIMES, ACTIONS OR INACTIONS OF SUCH THIRD PARTIES CAN IMPAIR OR DISRUPT CUSTOMERS CONNECTIONS TO THE INTERNET (OR PORTIONS THEREOF). EPSILON CANNOT GUARANTEE THAT SUCH EVENTS WILL NOT OCCUR. ACCORDINGLY, EPSILON, ITS SUPPLIERS AND SUBCONTRACTORS, IF ANY, DISCLAIM ANY AND ALL LIABILITY RESULTING FROM OR RELATED TO SUCH EVENTS AND CUSTOMER SHALL HAVE NO CLAIM IN RESPECT THEREOF.

13.7 EPSILON SHALL HAVE NO LIABILITY TO CUSTOMER UNDER THE AGREEMENT IF IT IS PREVENTED FROM OR DELAYED IN PERFORMING ITS OBLIGATIONS UNDER THE AGREEMENT DUE TO A FORCE MAJEURE EVENT. EPSILON SHALL PROVIDE CUSTOMER WITH NOTICE OF A FORCE MAJEURE EVENT AND ITS EXPECTED DURATION.

14 General

14.1 Marketing. Customer agrees that Epsilon may publish Customers name and logo in its customer lists and promotional materials. Any other use of Customer name or logo will require Customers prior written consent.

14.2 Entire Agreement. The Agreement together with its Schedules and Order Form(s) sets out the entire agreement and understanding between the parties and supersedes any previous agreement between the parties relating to its subject matter. Unless otherwise expressly agreed in writing the Agreement applies in place of and prevails over any terms or conditions contained in or referred to in any correspondence or elsewhere or implied by trade custom or course of dealing. Any general terms of business or other terms and conditions of any order or other document issued by the Customer in connection with the Agreement shall not be binding on Epsilon. In entering into the Agreement each party acknowledges and agrees that it has not relied on any representations made by the other. Any such representations are excluded. Nothing in this Section shall limit liability for any representations made fraudulently.

14.3 Warranty of Authority. Each party represents and warrants to the other that it is duly organized, validly existing and in good standing under the laws of the jurisdiction of its organization, and has the requisite power and authority to execute, deliver and perform its obligations under the Agreement. Each party represents and warrants to the other that the Agreement has been duly Authorized, executed and delivered by such party and constitutes a valid and binding obligations of such party enforceable against such party according to its terms.

14.4 Governing Law and Jurisdiction. The Agreement (including its Schedules) and any disputes or claims arising out of or in connection with it, its subject matter or formation (including non-contractual disputes or claims) shall be governed by the laws of New York without reference to conflicts of laws principles. The parties agree that any disputes under this Agreement (including its Schedules) shall be brought in the federal or state courts located in New York, New York. The parties hereby consent to and waive defenses of the personal and exclusive jurisdiction and venue of these courts.

14.5 Subcontracting and Assignment. Epsilon may at any time use subcontractors to fulfil its obligations under the Agreement; provided that it shall at all times remain liable for the performance of its obligations under this Agreement and for any breach of the Agreement by such subcontractors. Epsilon may, at any time by notice in writing to the Customer, assign or otherwise transfer its rights and obligations under the Agreement to any of its Affiliated Companies, successors or assigns. Epsilon shall have the right to sub-contract any of its obligations hereunder to a third party, provided that Epsilon shall continue to remain responsible for the performance of the Services hereunder. Customer may by notice in writing to Epsilon assign, or otherwise transfer its rights and obligations under the Agreement in full (but not in part) to an Affiliated Company provided that such Affiliated Company is at least of the same financial standing as Customer. Any attempted assignment, sub-contracting or other transfer in violation of the Agreement shall be null and void.

14.6 Notices.

14.6.1 All notices to be given under the Agreement shall be given in English and in writing.

14.6.2 Notices regarding renewal or termination of the Agreement:

14.6.2.1 by Customer must be sent by email to: renewals@yieldify.com; and

14.6.2.2 by Epsilon will be sent by email to both the contact email address and billing contact email address given on the Order Form, any notice given under this Section 14.6.2 will be deemed to be received at the time of sending unless an undeliverable or similar notification is received by the sender. If Customer wishes to amend either the contact email address or billing contact email address then this must be sent by email to renewals@yieldify.com.

14.6.3 All other notices not referred to elsewhere in this Section 14.6 may be sent to the Legal Department at the address stated at the beginning of the Agreement, or to such other address as shall be given by either Party to the other in writing and shall be sent by (i) recognized overnight courier or (ii) by e-mail to the email addresses set out in Section 14.6.2 and confirmed by first class mail. All notices shall be deemed to have been given and received on the earlier of actual receipt or three (3) days from the date of postmark.

14.7 Variations. Save as otherwise expressly stated in the Agreement, the Agreement may only be modified or varied in writing executed by duly authorized representatives of both parties.

14.8 Independent Contractor. The parties to the Agreement are independent contractors. Customer bears all risk and cost of operating its own business, including risk of loss. Nothing in the Agreement is intended to, or shall be deemed to, constitute a partnership or joint venture of any kind or employment relationship between the parties, not constitute any party an employee or agent of another party for any purpose. No party shall have authority to act as employee or agent for, or to bind, the other party in any way.

14.9 Severability. Should parts of the Agreement be or become invalid, this shall not affect the validity of the remaining provisions of the Agreement, which shall remain unaffected. The invalid provision shall be replaced by the parties with such term which comes as close as possible, in a legally permitted manner, to the commercial terms intended by the invalid provision.

14.10 Waiver. The waiver of one breach or default or any delay in exercising any rights shall not constitute a waiver of any subsequent breach or default. The Agreement may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument. The headings are for convenience and shall not be used to construe the Agreement.

14.11 Survival. In addition to those provisions which by their nature are intended to survive any termination of the Agreement, Sections 7.1, 7.2, 7.3, 10, 11, 12, 13 and 14 of the Agreement shall survive such termination or expiration of the Agreement.

14.12 Basis Of Bargain. EACH PARTY RECOGNIZES AND AGREES THAT THE WARRANTY DISCLAIMERS AND LIABILITY AND REMEDY LIMITATIONS IN THIS AGREEMENT ARE MATERIAL, BARGAINED FOR BASES OF THIS AGREEMENT, AND THAT THEY HAVE BEEN TAKEN INTO ACCOUNT AND REFLECTED IN DETERMINING THE CONSIDERATION TO BE GIVEN BY EACH PARTY UNDER THIS AGREEMENT AND IN THE DECISION BY EACH PARTY TO ENTER INTO THIS AGREEMENT.

15 List of Schedules

15.1 Schedule 1 Definitions

15.2 Schedule 2 Technical And Organizational Measures

SCHEDULE 1 - Definitions

The following definitions apply to the Agreement and its Schedules (including the Order Form(s) attached as Schedules)). Any capitalized terms not otherwise defined in the Agreement or its Schedules have the meanings set out below:

1. Accelerate Platform: means the Epsilon Accelerate platform upon which the Services and Customer Data are hosted;

2. Affiliate: the party named as Affiliate pursuant to the Order Form;

3. Affiliated Companies: an entity that is directly or indirectly controlled by, or is under common control with, a party to the Agreement. For purposes of the foregoing, control means the ownership of (i) greater than fifty per cent (50%) of the voting power to elect directors of the entity, or (ii) greater than fifty per cent (50%) of the ownership interest in the entity;

4. Agency Client: has meaning given in Section 5.5;

5. Applicable Data Protection Laws: means all applicable state and federal statutory and regulatory requirements regarding privacy and the protection of personal data or personally identifiable information (as defined by such laws), and the California Consumer Protection Act 2018 (the CCPA) as amended from time to time or any other applicable similar laws relating to the protection of personal data in other jurisdictions and the General Data Protection Regulation (EU) 2016/679;

6. Applicable Law: all applicable local, state, national and foreign laws, treaties and regulations in connection with Customers use of the Services, including those related to advertising, the Applicable Data Protection Laws, international communications and the transmission of technical or personal data, and all compulsory industry self-regulations;

7. Authorized Users: those employees, agents and independent contractors of Customer who are Authorized by Customer to access and use the Services;

8. Back Up Policy: Epsilons policy for archiving and backing up of Customer Data hosted on the Accelerate Platform through the use of the Services;

9. Campaign(s): marketing campaigns (such as for example, overlays displaying targeted short term incentives) created by either (i) Epsilon based on the Content and online offer details provided by Customer to Epsilon and as agreed in the relevant Project Briefs; or (ii) by Customer through its use of the Epsilon Technology, and in each case as permitted in and subject to the limitations (such as the permitted number of Campaigns per month, types of Devices upon which the Campaigns may be used, as applicable) set out in applicable Order Form;

10. Claim Year: means each successive period of twelve (12) months commencing on the Effective Date of the Agreement;

11. Confidential Information: information of a party concerning its business and/or affairs, including without limitation to information relating to a party's operations, technical or commercial know-how, specifications, inventions, processes or initiatives, plans, product information, pricing information, know-how, designs, trade secrets, software, documents (including for Epsilon its Software, and Services), data and information which, when provided by a party to the other: a) are clearly identified as Confidential or Proprietary or are marked with a similar legend; b) are disclosed orally or visually, identified as Confidential Information at the time of disclosure and confirmed as Confidential Information in writing within 10 days; or c) a reasonable person would understand to be confidential or proprietary at the time of disclosure;

12. Content: the imagery and such other content (such as copy and coupon codes) of Customer provided to Epsilon for use in and generating and running the Campaigns;

13. Controller: a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

14. Customer Data: the (i) data and information and Content provided by Customer to Epsilon and/or imported, inputted, uploaded and/or shared by Customer, Authorized Users or Epsilon on Customers behalf, for the purpose of using the Services or facilitating Customers use of the Services; or (ii) data collected and processed by or for Customer through Customers use of the Services (including without limitation Prospect Data), but excluding Epsilon Data;

15. Data Collection Policy: Epsilons then current data collection policy detailing the types of personal data (as defined under Applicable Data Protection Laws) Epsilon collects and processes under this Agreement, how such data is processed by Epsilon, the purposes of such processing and how long it is processed by Epsilon, as found at https://support.yieldify.com;

16. Data Subject: a natural person or household that can be identified, directly or indirectly;

17. Device: the medium on which the Campaign is launched which may include desktop, tablet and/or mobile as specified in the applicable Project Brief;

18. Disclosing Controller: a Controller that discloses to or makes available (including collection digitally) of Personal Data by a Recipient;

19. Effective Date: the effective date of the Order Form as set out in such Order Form;

20. Epsilon Data: any information or data provided by Epsilon to Customer as part of the Services and any feedback or suggestions on the Services provided by Customer to Epsilon;

21. Epsilon Marks: the Epsilon name, logo, and any of the product names associated with the Services, all of which are trademarks of Epsilon;

22. Epsilon Technology: any technology or software used by Epsilon to provide the Services, including without limitation, the Tags, the Accelerate Platform and/or any other underlying technology, trade secrets, data, content or information.

23. Fees: the Services Fees and any other fees payable under the Agreement pursuant to the Order Form;

24. Force Majeure Event: acts, events, omissions or accidents beyond a partys reasonable control, including, without limitation, strikes, lock-outs or other industrial disputes, failure of a utility service or transport or telecommunications network, act of God, war, riot, civil commotion, malicious damage, fire, flood or storm;

25. Inappropriate Content: content which is (i) unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; (ii) facilitates illegal activity, including, without limitation, the offering or facilitation of prostitution or sex trafficking; (iii) depicts sexually explicit images; (iv) promotes unlawful violence; (v) is discriminatory on the grounds of race, gender, color, religious belief, sexual orientation, disability or any other illegal activity; or (vi) causes damage or injury to any person or property;

26. Initial Term: the initial term of Customers access to and use of the Services as set forth in the Order Form;

27. Intellectual Property Rights: intellectual property rights including without limitation rights in patents, trademarks, service marks, trade names, other trade-identifying symbols and inventions, copyrights, design rights, database rights, rights in know-how, trade secrets and any other intellectual property rights arising anywhere in the world, whether registered or unregistered, and including applications for the grant of any such rights;

28. Order Form: the order form executed by both parties which references these Terms and details the Services ordered by Customer, the Scope, the Initial Term and the Fees payable by Customer and any other additional terms in respect of Customers access to and use of the Services;

29. Personal Data: any information relating to a Data Subject and includes personal data, personal information, personally identifiable information, and any substantially similar term as defined under Applicable Data Protection Laws;

30. Processing: any operation or set of operations performed on Personal Data;

31. Prospects: any third party who visits the Website(s) and/or responds to Campaigns run by or on behalf of Customer;

32. Prospect Data: data of Prospects collected by Epsilon (for example through use of the Tag on the Websites);

33. Project Brief: the details of each Campaign as mutually agreed by the parties, including without limitation the start date and duration, as set out in (i) the Order Form where only 1 Campaign is purchased or (ii) the separate document entitled Project Brief agreed by the parties where multiple Campaigns will be provided (such document may be agreed by the parties in the form of an email);

34. Recipient: a party that receives Personal Data from a Controller;

35. Renewal Term: has the meaning given in Section 11.1 of these Terms;

36. Reports: has the meaning given in Section 2.1.3 of these Terms;

37. Scope: means the limits (in addition to those set forth in these Terms) within which Customer may use the Services as set forth in this Agreement and the applicable Order Form or Project Brief.

38. Services: the Services described in Section 2 and purchased by Customer as set forth in the applicable Order Form and provided in accordance with the Agreement and the Project Brief, including access to the applicable Epsilon Technology for such Services;

39. Standard Contractual Clauses: set of Standard Contractual Clauses adopted by the European Commission governing the transfer of personal data to countries that are not recognized as providing adequate protection measures for such personal data processing;

40. Support Services: the provision by Epsilon to Customer of technical advice, basic training and such other assistance and support related to the use of the Services;

41. Tag: a line of javascript;

42. Taxes: any applicable taxes, including without limitation, withholding, sales, use, excise, value added tax, duties, assessments, excise or other similar taxes based on this Agreement but shall not include taxes based on Epsilons gross income;

43. Term: the Initial Term and any subsequent Renewal Term;

44. Virus: anything or device (including any software, code, file or program) which may prevent, impair or otherwise adversely affect the access to or operation, reliability or user experience of any computer software, hardware or network, telecommunications service, equipment or network or any other service or device, including worms, trojan horses, viruses and other similar things or devices;

45. Website(s): Customers websites as identified in the Order Form.

SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES

Recipient must maintain an effective Information Security Program (in line with industry standards such as ISO 27001, NIST, etc.) and security measures requirements while handling Personal Data and confidential information of the Disclosing Controller including but not limited to the below requirements.

  1. Security policies and procedures: Recipient shall maintain a management approved documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risk and manage them through adequate security controls or safeguards.
  2. Confidentiality, Integrity and Availability: Recipient shall maintain confidentiality, integrity and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process or transmit such data and deploying adequate technical and organization measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, network/data segregation controls.
  3. Vulnerability management: Wherever applicable, each party must ensure that any software component (such as code or API) provided to the other party is free from any security vulnerability or issues and ensure security of data processed using such component.
  4. Asset management: Recipient shall maintain an IT asset management program to manage allocation and ownership of assets. Such program shall require, at a minimum, that (a) employees must return Recipients assets upon termination of employment; (b) assets shall be disposed of securely when they are no longer required; and (c) retired assets shall be decommissioned in accordance with industry standards regarding secure wiping and physical destruction of software, hardware, and removable media.
  5. Identity and access management: Any employee of Recipient having access to Personal Data shall be assigned a unique login ID that is managed by authorized persons or departments. Access to Personal Data is to be granted on a need-to-know basis and as appropriate to the sensitivity of the Personal Data.
  6. Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
  7. Security risk management program relating to third parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
  8. Encryption: To the extent the parties have agreed in writing that the Disclosing Controller can share sensitive data (as defined by Applicable Data Protection Laws) with the Recipient, Recipient will ensure that any such sensitive data is encrypted at rest and in transit.