Mango End-User Agreement

PLEASE READ CAREFULLY BEFORE ACCESSING OUR ONLINE SOFTWARE APPLICATIONS.

BY CONTINUING TO ACCESS AND USE OUR ONLINE SOFTWARE APPLICATIONS YOU ARE DEEMED TO HAVE AGREED TO THE TERMS SET OUT BELOW ON YOUR OWN BEHALF AND ON BEHALF OF YOUR EMPLOYER OR OTHER ENTITY WHO HAS AUTHORISED YOU TO ACCESS AND USE OUR ONLINE SOFTWARE APPLICATIONS.

This end user licence agreement (“EULA”) is a legal agreement between you and your employer or other entity who has authorised you to access and use our online software applications (“you” or “Client”) and Mango Limited whose registered office is c/o Campbell & Co Chartered Accountants Limited, 1/137 Williams Street, Kaiapoi, 7630, New Zealand (“Mango”) in respect of the Systems (as defined below). In no circumstances will any conditions of purchase submitted at any time by the Client be applied to this EULA and any failure by Mango to challenge any such terms and conditions does not imply acceptance of those conditions of purchase. To the extent that there is any inconsistency between this EULA and any other documents entered into by the Client in respect of the Systems which are the subject of this EULA, this EULA shall take precedence to the extent of that inconsistency.

1. INTERPRETATION

1.1 In this EULA the definitions and rules of interpretation in this clause 1 shall apply.

Authorised User means an individual the Client has authorised to have access to the Systems and to whom a password has been issued for such purpose, including any editorial users granted increased access rights to the Systems.
Charges means the charges for the rights granted by this EULA, as agreed between the parties including without limitation fees, expenses and other costs.
Commencement Date means the date of completion of the New Customer Registration Form.
Confidential Information means in the case of either party all information (in any media) of a confidential nature disclosed by that party its employees, agents, consultants or subcontractors to the other including but not limited to all technical or commercial know-how, specifications, inventions, processes or initiatives.
New Customer Registration Form means the form completed by new customers when they wish to subscribe to the Services, either directly with Mango or via a Partner.
Documents means any and all drawings, specifications, technical know-how, plans, reports, models, presentation materials, brochures, guides, course notes, training materials promotional materials etc. prepared by or on behalf of Mango.
Group means in relation to a company, that company, any subsidiary or holding company from time to time of that company, and any subsidiary from time to time of a holding company of that company.
ISFS means the fact sheet prepared by Mango which describes the information security policies, processes and procedures used by Mango to preserve the confidentiality, integrity and availability of Client information.
IP means any patents, patent applications, trademarks or trading names (in each case, whether or not registered), trade mark applications, know-how, design rights registered or unregistered (including registered design applications), confidential information, copyright, database rights and all other intellectual property rights including any rights analogous to the same subsisting anywhere in the world at any time.
Partner means a third party entity (if any) who has entered or will shortly enter into a contract with you to provide the Services either alone or combined with other services.
Services means the subscription services and support services provided by Mango to the Client via a website notified to the Client by Mango from time to time, as more particularly described in the Documents.
Subscription Term means a period of one month commencing on the Commencement Date, which shall be automatically extended on a monthly basis until Mango is provided with at least one month’s written notice of cancellation.
Systems means the online software applications provided by Mango as part of the Services.
Unauthorised User means:
(a) the Client’s employee(s), agent(s) or independent contractor(s); and/or
(b) any other party under the Client’s control, who is not an Authorised User.
Virus means any thing or device (including any software, code, file or programme) which may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data, including the reliability of any programme or data (whether by re-arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.
Working Day means Monday to Friday (inclusive) excluding Bank Holidays and other days when clearing banks are not open for business.

1.2 Wherever in this EULA provision is made for a communication to be “written” or “in writing” this includes email.

1.3 References to any statutes or statutory regulations shall be deemed to include any subsequent revisions or reenactments thereof.

2. SERVICES
2.1 Mango shall supply the Services to the Client using all reasonable skill, care and diligence to the standards of a reasonably qualified and competent provider of services similar to the Services.

2.2 Mango shall have the right to make any changes to the Services:

(a) which are necessary to comply with any applicable law or safety requirement; or
(b) which do not materially adversely affect the nature or quality of the Services and Mango shall notify the Client of any relevant changes.

2.3 In the event that Mango makes changes pursuant to clause 2.2(a), Mango shall notify the Client of any consequent amendment to the Charges.

2.4 Mango’s information security policies, processes and procedures are described in the ISFS. Mango shall have the right to make changes to the ISFS from time to time as it sees fit, but shall not make any changes that materially decrease the protection for the security of the Client’s information.

2.5 Mango shall have the right to make changes to this EULA from time to time, provided that Mango gives you one month’s prior notice of the coming into effect of a revised version.

3. THE CLIENT’S OBLIGATIONS

3.1 The Client will ensure:

(a) prompt provision of resources, including decisions, information, documentation and access (to personnel, records and premises) required to enable Mango, and employees and consultants engaged by Mango to provide the Services;
(b) that no information the Client provides to Mango infringes the IP of or defames any person and, subject to clause 8.8, indemnify and keep Mango indemnified accordingly;
(c) that it has collected, stored and otherwise dealt with all of the data which has been disclosed, or may be disclosed, to Mango via the Systems in accordance with all applicable legal requirements; and

3.2 The Client hereby acknowledges that the provision by Mango of the Services in accordance with this EULA shall not absolve the Client from any obligation, including any statutory obligation, to which the Client may from time to time be subject.

3.3 The Client acknowledges that Mango provides the Services in reliance on information and data provided by the Client. The Client is responsible entirely for the accuracy, relevance and completeness of all information provided by it in any form. All assessments completed by Mango are based on such information and Mango shall not have any duty to check the accuracy or completeness of information. Mango accepts no liability for the incorrect provision of the Services based on information provided by the Client.

3.4 The Client agrees that Mango shall not be liable under any circumstances for any delay, error or problem caused by any act or omission on the part of the Client, its agents or employees. Mango may levy additional charges (at its then current standard rates) resulting from any additional work or additional costs incurred or undertaken as a consequence of any such act or omission, provided these are agreed in advance with the Client.

3.5 The Client shall and shall procure that any Authorised Users:

(a) operate the Systems only in accordance with Mango’s instructions and ensure that no modifications are made to the Systems;
(b) do not make any attempt to reproduce, copy, adapt, decompile, disassemble, modify, reverse engineer or make error connections to the Systems; and
(c) keep any username and password issued for the Systems confidential and not at any time share access details to the System with any third party.

3.6 The Client shall maintain an up to date list of all Authorised Users and shall supply a copy to Mango on request. The Client shall immediately inform Mango when individual Authorised Users no longer require access to the Systems.

3.7 Mango hereby grants the Client a royalty-free, non-exclusive and revocable licence to use the Systems in accordance with this EULA for the sole purpose of receiving the Services for the duration of the Subscription Term.

3.8 In respect of the use of the Systems, the Client shall comply with generally accepted principles of internet usage and ensure that:

(a) the System is not used fraudulently, in connection with any criminal offence, or otherwise unlawfully, or to send or receive any information or material which is offensive, abusive, indecent, defamatory, obscene or menacing, or in breach of confidence, copyright, privacy or any other rights, or to send or provide unsolicited advertising or promotional material;
(b) all reasonable endeavours are used to prevent any unauthorised access to, or use of, the Systems and, in the event of any such unauthorised access or use, promptly notify Mango; and
(c) no Viruses are introduced into the System, and that, if any Viruses are transmitted or introduced into the System by the Client or any Authorised User or Unauthorised User, the Client shall promptly notify Mango and, unless otherwise directed by Mango, shall take any such action at its own cost as is reasonably necessary to eliminate such Viruses and/or ameliorate their effect.

3.9 The Client acknowledges and accepts that Mango may be required by law to monitor website content and traffic and, if necessary, give evidence of the same together with use of log-on identification to support or defend any dispute or actionable cause.

3.10 Mango does not guarantee that the Systems shall be uninterrupted, error or Virus free, and excludes any liability in relation to the same. Mango reserves the right to undertake maintenance or emergency works to the Systems from time to time, and shall use all reasonable endeavours to notify the Client of this in advance.

4. THE CHARGES

4.1 The Client will pay the Charges:

(a) to Mango within 30 days of the date of invoice; or
(b) (where applicable) to the Partner in accordance with the contract with the Partner.

4.2 The Charges shall increase by 5% on 1st January in each calendar year.

4.3 The Charges are based on the number of the persons employed by you together with any third parties such as contractors which you request to have access to the Systems and which Mango agrees to so provide. You shall be obliged to notify Mango if the number of employees and third parties moves above the band which currently applies to your Charges and Mango shall adjust the Charges accordingly. The bands are currently 0-50, 51-100, 101-200, 201-300, 301-400, 401-500, 500+. For the avoidance of doubt, you shall be entitled to request a reduction in the Charges if your number of employees and third parties decreases below the band which currently applies to your Charges.

4.4 The Charges include the provision of 50GB of data storage (“Included Storage Level”). Additional charges will apply for any storage above that level. Mango shall notify you if your data storage exceeds the Included Storage Level. Within 14 days of Mango’s notification pursuant to this clause 4.4, you will either reduce your storage to below the Included Storage Level or agree to pay the additional charges which apply for excess usage, such charges to apply on and from the date upon which the data storage exceeded the Included Storage Level.

4.5 In addition to the Charges, the Client will pay to Mango or (where applicable) to the Partner any applicable bank fees and charges associated with foreign exchange payments and electronic processing suffered or incurred by Mango in relation to the receipt of the Charges.

4.6 Notwithstanding any other terms of this EULA, Mango may withhold or suspend the provision of the Services and/or access to the Systems (in addition to any other remedy available to Mango), without terminating this EULA if the Client has failed to pay Charges by the due date for payment (excluding any sums the subject of a genuine dispute).

5. RESERVATION OF TITLE

5.1 Title to and property in the Documents and the Systems shall remain vested in Mango at all times.

5.2 Mango shall be entitled to remove access to any Systems for which it retains title at any time (including but not limited upon termination of this EULA).

6. DATA PROTECTION

The parties agree that, with respect to any Client Data that constitutes personal data, the parties shall comply with their respective obligations in Schedule 1.

7. INTELLECTUAL PROPERTY

7.1 Mango shall retain all IP relating to the Services and in any and all Documents, Systems, any other systems, methods, material and items created by or on behalf of Mango whether specifically for the purposes of this EULA or otherwise.

7.2 Subject to clauses 7.3 and 8.8, Mango shall defend the Client, its officers, directors and employees against any claim that the Systems and/or the Documents infringe any third-party IP rights, and shall indemnify the Client for any amounts awarded against the Client in judgment or settlement of such claims, provided that:

(a) Mango is given prompt notice of any such claim;
(b) the Client provides reasonable co-operation to Mango in the defence and settlement of such claim, at Mango’s expense; and
(c) Mango is given sole authority to defend or settle the claim.

7.3 In no event shall Mango, its employees, agents and sub-contractors be liable to the Client to the extent that an alleged IP infringement by Mango is based on:

(a) a modification of the Systems and/or the Documents by anyone other than Mango; or
(b) the Client's use of the Systems and/or the Documents in a manner contrary to the instructions given to the Client by Mango; or
(c) the Client's use of the Systems and/or the Documents after notice of the alleged or actual infringement from Mango or any appropriate authority; or
(d) any misuse by or on behalf of the Client, or any other person, of any of the Systems and/or Documents (which shall be determined by reference to the purpose for which the Systems and/or Documents were originally prepared) or any other deliverables generated during the provision of the Services.
(e) The indemnity in clause 7.2, subject to clause 8, states the Client's sole and exclusive rights and remedies, and Mango’s (including Mango’s employees', agents' and sub-contractors’) entire obligations and liability, for infringement of any IP right.
(f) The Client hereby acknowledges that Mango shall have no liability for any misuse by or on behalf of the Client or any other person of any of the Documents (which shall be determined by reference to the purposes for which the Documents were originally prepared) or any other deliverables generated during the provision of the Services.
(g) The Client hereby grants Mango a royalty-free, non-exclusive and irrevocable licence to copy and use any material provided by the Client for all reasonable purposes related to the Services.
(h) The Client hereby agrees to fully indemnify and hold Mango harmless in respect of any third party claims brought against Mango as a result of or relating to the use of any IP provided by the Client to Mango under this EULA, including a breach by the Client of its obligations in clause 3.6 and/or 3.7 and/or clause 7.6.

7.4 The Client shall not use the Systems, Documents, or any deliverables resulting from the Services for any purpose whatsoever other than as necessary to receive the Services.

7.5 The Client shall not be entitled to rely on the content of the Documents, assessments or any other deliverables or information provided by Mango during the Subscription Term outside of the Subscription Term or for any reason during the Subscription Term other than for its own usual business purposes and/or the purpose for which they were originally provided. Mango accepts no liability for use after the Subscription Term has ended of the Documents, assessments and any other information provided to the Client and any such use shall be entirely at the Client’s risk.

7.6 For the avoidance of doubt, the Client shall not be entitled to sell, derive any commercial benefit or otherwise provide the benefit of Documents, assessments or other information and/or deliverables provided by Mango to the Client or via the Systems to any third party or member of its Group that is not an Authorised User.

7.7 In the event that there is an actual, alleged or threatened breach of any third party’s intellectual property rights arising out of the Client’s use of the Systems, Mango may procure the right for the Client to continue using the Systems, replace or modify the Systems so that they become non-infringing or, if such remedies are not reasonably available, withdraw the Client’s access to the Systems without any additional liability or obligation to pay liquidated damages or other additional costs to the Client.

7.8 Mango shall be entitled to remove access to any Systems in accordance with clause 7.7, or where the Client breaches its obligations under clause 3.7 and/or clause 3.8 and/or clause 7.6, or with immediate effect where this EULA is terminated in accordance with its provisions.

8. LIMITATION OF LIABILITY AND REMEDIES

8.1 Subject to clauses 8.2 and 8.8, each party’s maximum total liability under or arising out of or in connection with this EULA shall not exceed the sum which is three times the total value of the Charges paid (or payable) by the Client in the year during which the claim arose (or such pro-rated amount should the claim arise in the first year of the Subscription Term).

8.2 Subject to clause 8.3, neither party shall in any circumstances have any liability (whether direct or indirect) for: (i) loss of business or business opportunity; (ii) loss of revenue; (iii) loss of profits; (iv) loss of anticipated savings; (v) loss of or damage to data; (vi) loss of goodwill or injury to reputation; (vii) any third party claims (save in relation to the claims referred to in clauses 3.1(b) and 7.2); (viii) in the case of Mango, loss due to downtime of the Systems for maintenance or emergencies; or (ix) any consequential or indirect loss.

8.3 Nothing in this EULA seeks to exclude or limit any liability of either party for death or personal injury caused by its negligence or for its fraudulent misrepresentation or any other liability which cannot be limited by law. In countries where the limitations and exclusions to liability are not legally permitted, Mango shall be responsible only for actual direct damages and losses that are the reasonably foreseeable result of Mango’s acts (or failure to act).

8.4 The Client hereby acknowledges and agrees that the limitations of liability referred to in clauses 8.1 and 8.2 are fair and reasonable, reflected in the level of the Charges and the insurance cover carried by Mango and are just and equitable having full regards to the extent of Mango’s responsibility for any loss or damage suffered.

8.5 If Mango’s performance of its obligations under this EULA is prevented or delayed by any act or omission of the Client, its agents, subcontractors, consultants or employees, Mango shall not be liable for any costs, charges or losses sustained or incurred by the Client arising directly or indirectly from such prevention or delay.

8.6 Save as required by law, and save as may otherwise be set out in this EULA, Mango disclaims and the Client waives all other warranties, express or implied, with respect to the Services, arising by law or otherwise, including, without limitation, any implied warranty of satisfactory quality, fitness for a particular purpose and any obligation, liability, right, remedy or claim in tort.

8.7 Save as required by law, the Client’s exclusive remedy for any default or defect in the performance of the Services by Mango shall be to correct and/or re-perform any such defective Services by Mango. If it is not economical or technically feasible for Mango to correct and/or re-perform the defect, then the Client’s exclusive remedy shall be a full or partial credit of sums paid for the defective Service(s) (subject always to the other provisions of this clause 8).

8.8 The total aggregate liability of:

(a) Mango in respect of the indemnity at clause 7.2; and
(b) the Client in respect of the indemnity at clause 3.1(b)

shall be limited to the sum of 300,000 NZ$ (three hundred thousand New Zealand dollars).

9. CONFIDENTIAL INFORMATION

9.1 Each party shall keep in strict confidence and treat the other party’s Confidential Information as confidential and to use it only for the purposes of this EULA except in so far as may be necessary for the performance of any obligations of this EULA or to the extent that such information is generally available to the public or to the extent that disclosure of information is required to be made by law or any regulatory authority.

9.2 Each party agrees that the obligation in clause 9.1 shall continue in force without limitation in point of time notwithstanding the termination or expiry of the Services for any reason but shall cease to apply to information from the point at which it enters into the public domain via a source independent of the parties and shall also cease to apply to information which is received independently from another source without the imposition of any duty of confidence.

10. FORCE MAJEURE

Neither party shall have any liability to the other party if it is prevented from, or delayed in performing, its obligations under this EULA or from carrying on its business by any event(s) or combination of events where such event(s) arises from, or is attributable to acts, events, omissions or accidents beyond the reasonable control of the relevant party including, but not limited to, acts of God, terrorism, pandemic, industrial action, war, flood or fire (“Force Majeure Event”). In such circumstances the time for performance shall be extended by a period equivalent to the period during which performance of the obligation has been delayed or failed to be performed due to the Force Majeure Event. If the Force Majeure Event continues for a period of more than sixty (60) days, either party may terminate this EULA.

11. TERMINATION

11.1 Either party may terminate this EULA forthwith by notice to the other party without liability if:

(a) the other party is in material breach of this EULA which breach is not capable of remedy or, if capable of remedy, is not remedied within 30 days of a notice specifying the breach and requiring its remedy; or
(b) the other party has had a trustee, receiver, administrative receiver or similar official appointed over a material part of its business or assets; or an order has been made or a resolution passed for the other party’s winding up (otherwise than for the purpose of a bona fide scheme of arrangement or solvent amalgamation or reconstruction) or an administration order has been made; or a proposal has been made in respect of the other party for a voluntary arrangement within Part 1 of the Insolvency Act 1986 or for any other composition scheme of arrangement with (or assignment for the benefit of) its creditors; or the other party ceases to trade or is unable to pay its debts as and when they fall due; or any other analogous event occurs in any other jurisdiction;
(c) the other party ceases or threatens to cease trading; or
(d) in the case of Mango, the Client fails to make any payment of the Charges (excluding any sums the subject of a genuine dispute).

11.2 Upon termination of this EULA howsoever occurring:

(a) the Client's right to access and/or use the Systems shall cease immediately;
(b) each party shall return or dispose any of the other party’s Confidential Information in its possession, and any Documents, deliverables and all copies thereof in accordance with the other party’s reasonable instructions; and
(c) the Client shall remain liable to pay Mango any Charges outstanding at the date of termination.

11.3 Termination of this EULA for any reason shall be without prejudice to any rights of either party which may have accrued up to the date of termination.

12. JURISDICTION

This EULA, its subject matter and its formation (and any non-contractual disputes or claims) are governed by the laws of New Zealand. We both irrevocably agree to the exclusive jurisdiction of the courts of New Zealand.

SCHEDULE 1 DATA PROTECTION

1. Definitions

1.1. In this Schedule, unless the context otherwise requires:

1.1.1. "CCPA" means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.); as may be amended, superseded, or replaced.
1.1.2. “Controller” has the meaning given to it in the GDPR/UK GDPR.
1.1.3. “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processing” or “Processed”, “Processor” and “Data Controller”, as those terms are defined in the GDPR/UK GDPR.
1.1.4. “Data Protection Impact Assessment” means a data protection impact assessment, as described in Article 35 of the GDPR/UK GDPR.
1.1.5. “Data Protection Laws” means: (a) the GDPR, Directive 2002/58/EC and Directive 2009/136/EC, together with any national implementing laws in any Member State of the European Union; or where applicable the UK GDPR and the UK Data Protection Act 2018; and (c) any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world; each as applicable to a Party and each as amended, consolidated, superseded or replaced from time to time.
1.1.6. “Data Subject” has the meaning given to it in the GDPR/UK GDPR.
1.1.7. “EEA” means the European Economic Area.
1.1.8. “GDPR” means Regulation (EU) 2016/679, as amended, consolidated, or replaced from time to time.
1.1.9. “International Data Transfer Addendum” or “IDT Addendum” refers to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018.
1.1.10. “International Data Transfer Agreement” refers to the Standard Data Protection Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018.
1.1.11. “Personnel” means any current, former, or prospective employee, consultant, temporary worker, agency worker, intern, other non-permanent employee, contractor, secondee or other personnel.
1.1.12. “Relevant Personal Data” means the categories of Personal Data that are set out in an SOW and that are Processed under, or in connection with the provision of the Services.
1.1.13. Standard Contractual Clauses (SSCs) refers to COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
1.1.14. “Subprocessor” means any party engaged by EcoOnline to Process Relevant Personal Data within the Services.
1.1.15. “Supervisory Authority” means a regulatory or other governmental body or authority with jurisdiction or oversight over Data Protection Laws
1.1.16. “Term” has the meaning given in the Contract.
1.1.17. “UK GDPR” means as defined by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 No. 419.

2. Subject Matter and Scope

2.1. This Schedule applies only to the Processing of Relevant Personal Data.

2.2. The purpose of this Schedule is to help ensure adequate protection of Relevant Personal Data. To the extent that there is any conflict between the main body of this Agreement and this Schedule in relation to that purpose, this Schedule shall govern.

3. Obligations of EcoOnline

3.1. The parties hereby acknowledge and agree that Client is a Controller; and EcoOnline is a Processor with respect to the Processing of Relevant Personal Data. In addition to, and notwithstanding any other right or obligation arising under the Agreement, EcoOnline shall, in relation to such Processing:

3.1.1. Process Relevant Personal Data: (i) to the extent necessary in connection with the Services; and (ii) in accordance with the documented instructions received from Client from time to time; except where required to Process any Personal Data by Data Protection Laws, in which case EcoOnline shall inform Client in advance of such Processing to the maximum extent permitted by applicable law. If at any point EcoOnline becomes unable to comply with Client's instructions regarding the Processing of Relevant Personal Data (whether as a result of a change in applicable law, or a change in Client's instructions, or for any other reason), EcoOnline shall promptly:
3.1.2. notify Client of such inability and provide a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply to the greatest extent permitted by applicable law; and
3.1.3. cease all Processing of the affected Relevant Personal Data (other than merely storing and maintaining the security of the affected Relevant Personal Data) until such time as Client issues new instructions with which EcoOnline is able to comply.
3.1.4. Ensure: (i) that Relevant Personal Data are kept confidential; (ii) the reliability and trustworthiness of EcoOnline’s Personnel and any Subprocessors; and (iii) that all relevant EcoOnline Personnel, and any relevant Subprocessors, have committed themselves to ensuring the confidentiality of all Relevant Personal Data that they Process;
3.1.5. Subject to paragraph 6.2, implement appropriate technical and organisational measures to protect Relevant Personal Data, and take reasonable steps to ensure that such technical and organisational measures are appropriate to the particular risks that are presented by its Processing activities;
3.1.6. Ensure that, in each instance in which it engages a Subprocessor to Process any Relevant Personal Data, it shall: (i) appoint such Subprocessors in accordance with Client’s prior authorisation, subject to the provisions of paragraphs 4.1 and 7.1; and (ii) enter into a binding written Data Processing Agreement with the Subprocessor that is materially consistent with this Schedule with respect to the Processing of Relevant Personal Data;
3.1.7. At Client’s request and expense, provide to Client any reasonable technical and organisational assistance necessary to enable Client to respond appropriately to requests from Data Subjects to exercise their rights;
3.1.8. Assist the Client in ensuring that the obligations under Articles 32-36 of the GDPR are complied with, taking into account the type of Processing and the Personal Data to which EcoOnline has access;
3.1.9. Delete (or, at the election of Client, return) all Relevant Personal Data in EcoOnline’s possession, within sixty (60) days after the end of the Subscription Term, unless the applicable Data Protection Laws require otherwise;
3.1.10. At Client’s request: (i) provide Client with all information reasonably necessary to demonstrate that the obligations of this Schedule are met; and (ii) subject always to paragraph 6.3, allow for and contribute to limited audits, including inspections, conducted by Client or an auditor appointed by Client that is not a direct competitor of EcoOnline and is bound to an obligation of confidentiality; and
3.1.11. Notify Client without undue delay upon: (i) becoming aware of any Personal Data Breach affecting Relevant Personal Data; or (ii) receipt of any correspondence or communication from any Data Subject or Supervisory Authority regarding the Processing of Relevant Personal Data.

3.2. To the extent that Relevant Personal Data is subject to the CCPA, EcoOnline agrees that it shall process the data as a service provider as defined in the CCPA and shall not (a) retain, use, or disclose the data for any purpose other than the purposes set out in the Agreement and as permitted by the CCPA; or (b) "sell" Relevant Personal Data (as defined and understood within the requirements of the CCPA).

4. Subprocessors

4.1. For the purposes of paragraph 3.1.6, Client hereby grants EcoOnline a general authorisation to engage Subprocessors in connection with the Processing of Relevant Personal Data under the Agreement provided that EcoOnline provides Client at least thirty (30) days’ prior notice of the appointment of each such Subprocessor in writing, and by updating the list of Subprocessors available at Sub-processors | EcoOnline, during which time Client may object in good faith to such appointment subject to the provisions of paragraph 7.1. If EcoOnline does not receive such objection from Client within that thirty (30) day notice period, EcoOnline shall be entitled to instruct the relevant Subprocessor to proceed with the Processing of Relevant Personal Data.

5. Data Transfer

5.1. For EU/EEA Clients: Where the Client is established in the EU/EEA, and to the extent a Subprocessor of EcoOnline processes Relevant Personal Data outside the EU/EEA, EcoOnline (Data Exporter) shall enter into the EU Standard Contractual Clauses for transfers between processors (Module Three) with the relevant Subprocessors (Data Importers).

5.2. For UK Clients: Where the Client is established in the UK, and to the extent a Subprocessor of EcoOnline processes Relevant Personal Data outside the UK, EcoOnline (Data Exporter) shall enter into an International Data Transfer Agreement with the relevant Subprocessor (Data Importer).

5.3. For North American and other non-EU/EEA or UK based Clients: Where the Client is established in a country considered not to provide an adequate level of data protection in accordance with GDPR Art. 45(1) or equivalent, the Client (Data Importer) and EcoOnline (Data Exporter) shall enter into EU Standard Contractual Clauses for transfers between Processor and Controller (Module Four) for the reverse transfer of Relevant Personal Data between the parties.

5.4. Before commencing such restricted transfer as referenced in paragraphs 5.1 to 5.3, EcoOnline shall conduct a transfer impact assessment that (i) assesses the levels of data protection provided by the laws of the country of data importation and under the applicable SCCs or International Data Transfer Agreement (as the case may be) used by the parties; and (ii) evaluates in light of (i) whether any supplementary measures are needed to ensure an adequate level of protection for the personal data. Any such supplementary measures shall be included in the data processing agreement with the Subprocessor. The transfer impact assessment, and any supplementary measures identified and/or taken shall be documented. A summary of the assessment and supplementary measures identified and/or taken shall be made available to the Client upon request at EcoOnline’s expense.

5.5. Paragraphs 5.1 to 5.3 apply only insofar as there is no other valid basis for the transfer, e.g., that the relevant jurisdiction in which the Data Importer is based has been deemed by the relevant Data Protection Authorities to provide an adequate level of protection for personal data.

6. Obligations of Client

6.1. Client warrants that it complies with its obligations under applicable Data Protection Laws in respect of EcoOnline’s engagement to Process any Relevant Personal Data.

6.2. Client confirms that the security measures set out in the Annex below are sufficient for the purposes of Processing the Relevant Personal Data under the Agreement.

6.3. Client shall solely exercise its audit right set out in paragraph 3.1.10 by instructing EcoOnline to obtain and provide an audit report that the relevant EcoOnline entity produces in the ordinary course of business concerning EcoOnline’s compliance with this Schedule solely at EcoOnline’s expense. Client may contest the scope and/or methodology of the report and may in such cases request a physical or remote audit/inspection under a revised scope and/or different methodology. The Client or the Client’s representative shall in those cases have access to audit where the Processing of Personal Data is carried out by EcoOnline as may be reasonably required in order to ascertain EcoOnline’s compliance with this Schedule.

6.4. The Client shall provide at least 30 days’ notice of its intention to conduct such an audit, use reasonable endeavours to ensure that the conduct of the audit does not disrupt EcoOnline, and it shall be conducted, if at all, solely at the Client’s expense. The Client may not conduct such an audit more than once per twelve-month period unless it reasonably believes that EcoOnline is in violation of its obligations under this Schedule.

6.5. Based on the results of the audit, the Client may request further measures to be taken to ensure compliance with this Schedule.

6.6. Client shall not, whether through action or omission, place EcoOnline in breach of any Data Protection Laws. EcoOnline is not responsible for determining the requirements of Data Protection Laws applicable to Client’s business or that the Services meet the requirements of any such applicable Data Protection Laws.

7. Termination

7.1. If EcoOnline receives an objection from Client under paragraph 4.1 which is not resolved to the reasonable satisfaction of Client, then notwithstanding any other provision of the Agreement:

7.1.1. EcoOnline shall be entitled to terminate any relevant SOW and (if all SOWs are affected) the Framework Agreement at any time thereafter, immediately upon written notice, without fault or liability of any kind.
7.1.2. Any such termination shall be without prejudice to any rights or remedies that EcoOnline may have accrued under or in connection with any relevant SOW and/or the Framework Agreement;
7.1.3. All sums due from Client under a relevant SOW shall be payable within thirty (30) days following termination under this paragraph 7.1; and
7.1.4. No refunds or compensation of any kind shall be paid or payable by EcoOnline, or any Subprocessor, in respect of any sums paid prior to termination under this paragraph 7.1.

Annex – Technical and Organisational Security Measures

1. Control of Physical Access to Premises

Technical and organisational measures to control physical access to premises and facilities, particularly to identify permitted Personnel at entry are as follows:

☒Locked doors on all entrances / exits (e.g., electronic locks; physical locks; etc.)
☒Access control systems (e.g., biometric security; access card security; etc.)
☒Burglar alarm systems
☒Additional physical security measures to protect IT systems: Physically secured server room.

2. Control of Access to IT Systems
Technical and organisational security measures designed to ensure that users with access to the relevant IT systems are identified and authenticated are as follows:
☒IT security systems requiring individual users to log in using unique usernames
☒IT security systems requiring the use of strong / complex passwords
☒IT security systems requiring the use of multi-factor authentication
☒Additional system log-in requirements for particular applications
☒State-of-the-art encryption applied to all data ‘in transit’
☒State-of-the-art encryption applied to all data ‘at rest’
☒Automatic locking of IT terminals and devices after periods of non-use, with passwords required to ‘wake’ the terminal or device
☒Password databases are subject to strong encryption / hashing
☒Regular audits of security procedures (e.g., ISO 27000 series certifications)
☒Training for employees regarding access to IT systems

3. Control of Access to Personal Data

Technical and organisational security measures designed to ensure that users with access to the Relevant Personal Data are identified and authenticated are as follows:
☒‘Read’ rights for systems containing Personal Data restricted to specified Personnel roles
☒‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles or profiles
☒State-of-the-art encryption on drives and media containing Personal Data (e.g., using Sophos SafeGuard; TrueCrypt; etc.)
☒Training for employees regarding access to Personal Data

4. Control of Disclosure of Personal Data

Technical and organisational measures to transport, transmit and communicate or store data on data media and for subsequent checking are as follows:
☒Secure data networks (e.g., encrypted VPNs)
☒State-of-the-art encryption for all systems used to send Personal Data (e.g., encrypted email; encrypted FTP; etc.)
☒SSL encryption for all internet access portals
☒Enforced encryption of all drives that are used to take sensitive data off the network
☒Training for employees regarding transfers of Personal Data

5. Control of Input Mechanisms

Technical and organisational security measures to permit the recording and later analysis of information about when input to data systems (e.g., editing, adding, deleting, etc.) occurred and who was responsible for such input are as follows:
☒Logging of all input actions in systems containing Personal Data
☒‘Edit’ rights for systems containing Personal Data restricted to specified Personnel roles
☒Binding Agreements in writing with all employees who Process Personal Data, imposing strict confidentiality obligations

6. Control of Workflows between Controllers and Processors

Technical and organisational measures to segregate the responsibilities between Controllers and Processors Processing the Relevant Personal Data are as follows:
☒Binding Agreement in writing governing the appointment and responsibilities of Processors with access to the Relevant Personal Data
☒Binding Agreements in writing governing the allocation of data protection compliance responsibilities between all Controllers with access to the Relevant Personal Data
☒Regular reviews of compliance with the relevant Agreements
☒Training for employees regarding Processing of Personal Data

7. Control Mechanisms to Ensure Availability of Relevant Personal Data

Technical and organisational measures that ensure the physical and electronic availability and accessibility of the Relevant Personal Data are as follows:
☒Documented disaster recovery procedures
☒Secure backup procedures in place, with full backups run regularly
☒Multiple backup facilities and locations
☒Uninterruptible power supplies at backup facilities
☒Physical security of backup facilities (e.g., secure premises; security Personnel; etc.).
☒Security alarm systems at backup facilities
☒Electronic security of backup facilities (e.g., firewalls; antivirus software; etc.)
☒Environmental controls at backup facilities (e.g., cooling; humidity controls; etc.)
☒Fire protection at backup facilities (e.g., sprinkler systems; fireproof doors; etc.)
☒Secure anonymisation or deletion of Personal Data that are no longer required for lawful Processing purposes
☒Training for employees regarding backups and disaster recovery

8. Control mechanisms to ensure separation of the Relevant Personal Data from other data

Technical and organisational measures to ensure that the Relevant Personal Data are stored and Processed separately from other data are as follows:
☒Logical separation of live or production data from backup data and development or test data.