AGREED INTERPRETATION

In this Agreement the following terms shall have the following meaning:

"Agreement" means these terms and conditions together with the Schedules and any amendments agreed in writing between the parties;

"Confidential Information" means all information relating to a party's business and products (including without limitation operations, plans, market opportunities, customers (including personal data of customers), know-how (including without limitation processes of production and technology), trade secrets and software) disclosed to the other party whether in writing, orally (provided that it is identified as confidential at the time of disclosure) or by any other medium;

"Customer" means any customer or any prospective customer of either of the parties;

“Disclosing Party” means a party to this Agreement which discloses or makes available directly or indirectly Confidential Information.

“Group” means in relation to a company, that company, each and any subsidiary or holding company of that company and each and any subsidiary of a holding company of that company.

“Recipient” means a party to this Agreement which receives or obtains directly or indirectly Confidential Information.

“Representative(s)” means employees, agents and other representatives of the Recipient.

SCOPE OF AGREEMENT

1. Working Together

2. Change Adopt shall provide marketing material for services supplied

3. Partner shall market and promote the use of Change Adopts services to Partner Customers utilising the marketing material provided by Change Adopt.

4. Partner shall provide to Change Adopt contact names and details in respect of Partner customers that express interest in using Change Adopt Services (“Partner Provided Customers”).

5. Change Adopt shall work in the form of a subcontractor with the Partner Provided Customers identified to Change Adopt in order to conclude sales of Change Adopt Services to those Partner Customers.

6. Any sales contact established by Change Adopt with any Partner Customer, the billing and payment terms will be agreed and confirmed on a per customer basis and confirmed in the customer contract or statement of work or if not in place will revert to this Partner Agreement.

7. Change Adopt shall not knowingly contact existing Partner Customers other than those identified to Change Adopt as Partner Provided Customers unless such Customer is an existing Change Adopt Customer or has been contacted prior to the date of the partnership agreement with Partner.

8. Change Adopt shall promptly provide to Partner contact names and details in respect of Partner Provided Customers that express interest to Change Adopt in buying other products and services that are provided by Partner.

9. Each party shall supply such technical and commercial information and assistance to the other as each party deems is reasonably required to achieve the Purpose, provided always that information is disclosed in accordance with this Clause 1.8 shall be subject to the provisions of Clause 9.

10. Pricing and Payment

11. Pricing. Where Change Adopt provides Services to a Partner Provided Customer on an annual or multi-year contract the license prices that prevailed at the time the license/service was sold to the Customer under the terms of this partnership shall continue until the contract relevant to the Customer sale has terminated or expired. On expiration of an agreement relating to license/service terms, Change Adopt will notify Partner and provide renewal pricing to Partner to allow them to agree revised pricing with the Partner Provided Customer.

Where a Partner provided customer is consuming the Change Adopt provided Services on the Price Per User Per Month model, any price increase will be notified 6 months prior to it taking affect.

Pricing is detailed in Appendix A of this Agreement.

2. Fees. As detailed via the Ingram Micro portal

3. Payment Terms. All payments are due and payable to Change Adopt within 30 days from the end of each monthly license measurement.

4. Customer Billing. Partner is free to determine its own prices for the services. Partner will be solely responsible for billing and collecting fees for the service from all Customers. Payments due to Change Adopt will not depend on Partner’s receipt of payments from Customers.

5. Suspension of Access to the Service. Partner acknowledges Change Adopts right to suspend Partner and all of it’s Customers access to the Service if Partner is more than 15 days past due in payment. In no case will any such terminations or suspension give rise to any liability of Change Adopt to Partner or to any Customer for a refund or damages.

6. Responsibility for Costs

7. Unless otherwise agreed by the parties in writing, each party shall pay and assume entire responsibility for all its respective costs and expenditures incurred in connection with this Agreement.

8. Governance

9. The parties shall meet regularly, at least once every quarter (face-to face or virtually), to review progress towards fulfilling the Purpose and agree actions and activities necessary to progress the Purpose.

10. No variation of this Agreement, including any additional terms and conditions, shall be effective unless it is in writing and signed by each of the parties (or their authorised representatives).

11. Intellectual Property

12. Both parties maintain their full and exclusive ownership of any intellectual property, know-how, policies, methodologies and procedures owned by each party respectively at the Effective Date.

13. Confidentiality

14. The Recipient shall keep the Disclosing Party's Confidential Information confidential and unless it has the prior written consent of the Disclosing Party (and shall ensure that its Representatives shall):

15. 1. not use or exploit the Confidential Information in any way except for the Purpose;
    2. not disclose or make available the Confidential Information in whole or in part to any third party, except as expressly permitted by this Agreement;
    3. not copy, reduce to writing or otherwise record the Confidential Information except as strictly necessary for the Purpose (and any such copies, reductions to writing and records shall be the property of the Disclosing Party);
    4. not use, reproduce, transform, or store the Confidential Information in an externally accessible format

16. The provisions of clause 9.1 shall not apply to the whole or any part of the Confidential Information that can be shown by the receiving party to be:

17. 1. known to the receiving party prior to the date of this agreement otherwise than as a result of being obtained directly or indirectly from the party disclosing such Confidential Information;
    2. obtained from a third party that lawfully possessed such Confidential Information and which has not been obtained in a breach of a duty of confidence owed to the disclosing party by any reason; or
    3. in the public domain in the form in which it is possessed by the disclosing party other than as a result of a breach of a duty of confidence owed to the disclosing party by any person.

18. Where such Confidential Information is software the Recipient shall not adapt, decompile, modify, translate, reverse engineer, disassemble or otherwise derive the source code of the software nor permit any third party to do so.

19. The Recipient may only disclose the Disclosing Party's Confidential Information to those of its Representatives who need to know this Confidential Information for the Purpose, provided that:

20. 1. it informs these Representatives of the confidential nature of the Confidential Information before disclosure; and
    2. at all times, it is responsible for the Representatives' compliance with the obligations set out in this Agreement.

21. A party may disclose Confidential Information to the extent required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of this disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this clause 6.5 it takes into account the reasonable requests of the other party in relation to the content of this disclosure

22. If any Confidential Information shall be copied, disclosed or used, other than as allowed under this Agreement then, upon becoming aware of the same, the Receiving Party shall, as soon as it is able to, notify the Disclosing Party of such event.

23. All Confidential Information shall remain the property of the Disclosing Party. Each party reserves all rights in its Confidential Information.

24. Except in the case of fraudulent misrepresentation, the Disclosing Party accepts no responsibility for nor makes any representation or warranty, express or implied, with respect to the accuracy, reliability or completeness of any Confidential Information made available to the Receiving Party or its Representatives.

25. Each Disclosing Party warrants that it has the right to disclose its Confidential Information to the Recipient and to authorise the Recipient to use such Confidential Information for the Purpose.

26. Liabilities

27. Change Adopt shall have no liability to the Partner, whether in contract, tort (including negligence), breach of statutory duty, misrepresentation or otherwise for any:

28. 1. loss of actual or anticipated profits, loss of anticipated savings, loss of business, loss of goodwill, loss of data, loss of revenue or of the use of money; or
    2. special, indirect or consequential loss or damage,

whether or not such loss is foreseeable, known or foreseen or not, in respect of the performance, non-performance or purported performance of this Agreement or otherwise in relation to this Agreement or the entering into or performance of this Agreement.

2. Change Adopt’s total aggregate liability, whether in contract, tort (including negligence), breach of statutory duty, misrepresentation or otherwise, arising under or in connection with this Agreement, shall not exceed the greater of £10,000 (ten thousand pounds) and the amount of the fees paid by the Partner to Change Adopt under this Agreement in the 12 month period prior to the date the claim arose.

3. Each party's liability for death or injury to any person caused by its negligence, or for fraudulent misrepresentation, or for any other liability that cannot be excluded under applicable law, shall be unlimited.

4. Term & Termination

5. This Agreement shall commence on the Effective Date and shall continue in force for one year from that date and thereafter, the term of this Agreement will renew automatically for an additional one year period unless either party gives written notice of its intent not to renew the Agreement at least sixty days prior to the end of the initial term.

6. Upon expiry or termination of this Agreement, at the request of the Disclosing Party, the Recipient shall:

7. 1. destroy or return to the Disclosing Party all documents and materials (and any copies) containing, reflecting, incorporating, or based on the Disclosing Party's Confidential Information;
   2. erase all the Disclosing Party's Confidential Information from its computer systems or which is stored in electronic form (to the extent possible); and
   3. certify in writing to the Disclosing Party that it has complied with the requirements of this clause 8.2 provided that Recipient may keep evidence that it has performed its obligations under this Agreement.

8. The provisions of Clauses 5, 6 and 7 shall survive termination of this agreement for any reason.

9. Termination of this Agreement shall not affect any accrued rights or remedies to which either party is entitled.

10. Publicity, Trademarks and Logos

11. Neither party shall make, or permit any person to make, any public announcement concerning this Agreement or the Purpose without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed).

12. Neither party will be entitled to use the others trademarks, logos or brands without the written consent of the other, such consent not to be unreasonably withheld.

13. Any marketing or promotional materials either party intends to prepare to promote the Purpose which mentions the other party’s involvement or name or any trademark, logo or brand is subject always to the first party receiving the second party’s prior written consent to the design, content and layout of the materials.

14. General

15. This Agreement constitutes the whole agreement between the parties and supersedes all previous agreements between the parties relating to its subject matter. Each party acknowledges that, in entering into this Agreement, it has not relied on, and shall have no right or remedy in respect of, any statement, representation, assurance or warranty (whether made negligently or innocently) other than as expressly set out in this Agreement. Nothing in this clause shall limit or exclude any liability for fraud or for fraudulent misrepresentation.

16. Each party confirms that it is acting as principal and not as nominee, agent or broker for any other person and that it will be responsible for any costs incurred by it or its advisers in considering or pursuing the Purpose and in complying with the terms of this Agreement.

17. Neither party may assign the benefit of this Agreement nor any interest except with the prior written consent of the other.

18. No failure or delay in exercising any remedy or right under this Agreement will operate as a waiver of it, nor will any single or partial exercise of it preclude any further exercise or the exercise of any remedy or right under this Agreement or otherwise.

19. The provisions of this Agreement shall be severable in the event that any of its provisions are held by a court of competent jurisdiction or other applicable authority to be invalid, void or otherwise unenforceable, and the remaining provisions shall remain enforceable to the fullest extent permitted by law.

20. This Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with English law and the parties irrevocably submit to the exclusive jurisdiction of the courts of England.

21. Data Protection Addendum

Change Adopt’s provision of the Service shall be in accordance with Change Adopt Data Protection Addendum which is incorporated into this Agreement by reference.

1. Data Protection Addendum

This Change Adopt Data Protection Addendum (“DPA”) is between the parties with respect to the terms governing the Processing of Personal Data under the Change Adopt Partner Agreement (the “Master Agreement”).  This DPA sets out the additional terms, requirements and conditions on which Change Adopt, as Processor (defined below), will process Personal Data (defined below) when providing services under the Master Agreement.  This DPA serves as an addendum to the Master Agreement and is effective upon the execution of the Master Agreement.

Change Adopt will periodically update the terms and conditions of this DPA.  You will be notified of any material updates or changes via email or through the Admin Portal which will be binding on the parties once notified.

Terms not otherwise defined in this DPA shall have the meaning as set forth in the Master Agreement.

1. Definitions and Interpretation

1.1 The following definitions and rules of interpretation apply in this DPA:

“Business Purpose” means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Data Protection Legislation” shall mean the UK General Data Protection Regulation, the Data Protection Act 2018 and any other UK legislation related to the processing of Personal Data from time to time.

“Data Subject” means an identified or identifiable individual who is the subject of Personal Data.

“Partner” shall mean the Partner defined in the Master Agreement or Order Form, and who shall determine the purpose and means of the Processing of Personal Information.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing, processes, or process” means  any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

“Security Breach” means any act or omission that compromises the security, confidentiality, or integrity of Personal Data or the physical, technical, administrative, or organisational safeguards put in place to protect it. The loss of or unauthorised access, disclosure, or acquisition of Personal Data is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

“Supervisory Authority” means the independent public body which is established in the relevant state to enforce compliance with the Data Protection Legislation (and which in the UK is the Information Commissioner’s Office) and “Supervisory Authorities” shall be construed accordingly.

1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement.

1.3 The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.

1.4 A reference to writing or written includes email but not messages sent via fax.

1.5 In the case of conflict or ambiguity between:

a. any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;

b. any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail.

2. Personal Data Types and Processing Purposes

2.1 Change Adopt and the Partner acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Controller, the Partner is the Processor and Change Adopt is the sub-Processor.

2.2 The Partner retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including providing any required notices and obtaining any required consents from Data Subjects, and for the processing instructions it gives to Change Adopt.

2.3 Appendix A describes the subject matter, duration, nature and purpose of the processing and the types of Personal Data and categories of Data Subject Change Adopt may process to fulfil the Business Purposes of the Master Agreement.

3. Change Adopt’s Obligations

3.1 Change Adopt will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes and in accordance with the Partner’s written instructions. Change Adopt will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation. Change Adopt will promptly notify the Partner if, in its opinion, the Partner’s instruction would not comply with the Data Protection Legislation.

3.2 Change Adopt shall, except as required otherwise by law, promptly comply with any reasonable Partner request or instruction requiring Change Adopt to amend, transfer, or delete the Personal Data.

3.3 Change Adopt will maintain the confidentiality of all Personal Data and will not disclose Personal Data to third parties unless the Partner or this DPA specifically authorises the disclosure, or as required by law. If a law requires Change Adopt to disclose Personal Data, Change Adopt shall, to the extent practicable given the timeframes for making the disclosure, first inform the Partner of the legal requirement and give the Partner an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4 Change Adopt will reasonably assist the Partner with meeting the Partner’s compliance obligations under the Data Protection Legislation, taking into account the nature of Change Adopt’s processing and the information available to Change Adopt, including the Partner’s obligations in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with Supervisory Authorities under the Data Protection Legislation.

3.5 The Partner acknowledges that Change Adopt is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Partner instructions or of the Personal Data..

4. Change Adopt’s Employees

4.1 Change Adopt will limit Personal Data access to:

a. those employees who require Personal Data access to meet Change Adopt’s obligations under this DPA and the Master Agreement; and

b. the part or parts of the Personal Data that those employees strictly require for the performance of their duties.

4.2 Change Adopt will ensure that all employees:

a. are informed of the Personal Data’s confidential nature and use restrictions;

b. are bound by confidentiality obligations and use restrictions in respect of the Personal Data;

c. have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and

d. are aware of both Change Adopt’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

4.3 Change Adopt will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all its’ employees with access to the Personal Data.

5. Security

5.1 Change Adopt will maintain appropriate technical and organisational measures designed to safeguard Personal Data against unauthorised or unlawful processing, and against accidental loss, destruction, or damage. These shall include any security measures set out in Appendix B. Change Adopt will periodically review these measures at least annually to ensure they remain current and complete.

5.2 Change Adopt will take reasonable precautions to preserve the integrity of any Personal Data it processes and to prevent any corruption or loss of the Personal Data, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breaches and Personal Data Loss

6.1 Change Adopt will notify the Partner without undue delay (and within a maximum of 48 hours of becoming aware of the matter) if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable.

6.2 Change Adopt will notify the Partner without undue delay (and within a maximum of 48 hours of becoming aware of the matter) of:

a. any accidental, unauthorised or unlawful processing of the Personal Data; or

b. any Security Breach.

6.3 Promptly following any unauthorised or unlawful Personal Data processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. Change Adopt will reasonably co-operate with the Partner in the Partner’s handling of the matter, including:

a. assisting with any investigation;

b. providing the Partner with physical access to any facilities and operations affected;

c. facilitating interviews with Change Adopt’s employees, former employees and others involved in the matter; and

d. making available all relevant records, logs, files, data reporting, and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Partner.

6.4 Change Adopt will not inform any third party of any Security Breach without first obtaining the Partner’s prior written consent, except when law or regulation requires it.

6.5 Change Adopt agrees that the Partner has the sole right to determine:

a. whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Partner’s discretion, including the contents and delivery method of the notice; and

b. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

7. Cross – Border transfers of Personal Data.

7.1 Change Adopt shall not transfer or otherwise process Personal Data outside the United Kingdom (UK) and the European Economic Area (EEA) unless:

a. Change Adopt is processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or

b. Change Adopt transfers the Personal Data under the European Commission’s “Standard Contractual Clauses” approved for the transfer of Personal Data outside the EEA; or

c. the transfer otherwise complies with the Data Protection Legislation.

8. Subcontractors

8.1 Change Adopt may only authorise a third party (subcontractor) to process the Personal Data if:

a. other than those set forth in Appendix A, the Partner is given an opportunity to object within 14 days after Change Adopt supplies the Partner with details regarding the subcontractor and the subcontractor’s proposed role with respect to the Personal Data;

b. Change Adopt enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA;

c. Change Adopt maintains control over all Personal Data it entrusts to the subcontractor; and

d. the subcontractor’s contract terminates automatically on termination of this DPA for any reason.

8.2 Change Adopt shall list all current subcontractors that it anticipates using to carry out the Business Purposes in Appendix A. The Partner’s agreement to this DPA shall authorise Change Adopt to use the subcontractors as described in Appendix A.

8.3 If a subcontractor fails to fulfil its obligations under such written agreement, Change Adopt remains responsible to the Partner for the subcontractor’s performance of its obligations.

9. Complaints, Data Subject Requests, and Third-Party Rights

9.1 Change Adopt shall notify the Partner promptly if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Data processing or to either party’s compliance with the Data Protection Legislation.

9.2 Change Adopt will notify the Partner within 5 working days if it receives a request from a Data Subject regarding their Personal Data unless Change Adopt is able to fully handle and respond to such request.

9.3 Change Adopt will give the Partner all reasonable co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request related to the processing of Personal Data under this DPA.

9.4 Change Adopt shall not disclose the Personal Data to any Data Subject or to a third party unless the disclosure is either at the Partner’s request or instruction, permitted by this DPA, or is otherwise required by law.

10. Term and Termination

10.1 This DPA will remain in full force and effect so long as:

a. the Master Agreement remains in effect; or

a. Change Adopt retains any Personal Data related to the Master Agreement in its possession or control (the “Term”).

10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Data will remain in full force and effect.

10.3 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. The parties agree to work together in good faith to bring the processing into line with the new requirements, and to agree appropriate changes to this DPA, as quickly as possible. If the parties are unable to bring the Personal Data processing and / or this DPA into compliance with the Data Protection Legislation within a reasonable time, either party may terminate the Master Agreement upon written notice to the other party.

11. Data Return and Destruction

11.1 At the Partner’s request, Change Adopt will give the Partner a copy of or access to all or part of the Partner’s Personal Data in its possession or control in the format and on the media reasonably specified by the Partner.

11.2 On termination of the Master Agreement for any reason or expiration of its term, Change Adopt will securely destroy or, if directed in writing by the Partner, return and not retain, all or any Personal Data related to this agreement in its possession or control, except for one copy that it may retain and use for audit purposes only.

11.3 If any law, regulation, or government or regulatory body requires Change Adopt to retain any documents or materials that Change Adopt would otherwise be required to return or destroy, it will notify the Partner in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. Change Adopt may only use this retained Personal Data for the required retention reason or audit purposes.

11.4 If Partner requests following the termination of the Master Agreement, Change Adopt will certify in writing that it has destroyed the Personal Data in accordance with this clause 11 within 14 days after receiving the Partner’s request.

12. Records

12.1 Change Adopt will keep appropriate and up-to-date records regarding any processing of Personal Data it carries out for the Partner, including but not limited to, the access, control, and security of the Personal Data, approved subcontractors, the processing purposes,  and any other records required by the applicable Data Protection Legislation (the “Records”).

12.2 Change Adopt will ensure that the Records are sufficient to enable the Partner to verify Change Adopt’s compliance with its obligations under this DPA.

12.3 The Partner and Change Adopt shall review the information listed in the Appendices to this DPA annually to confirm its current accuracy and update it if required to reflect current practices.

13. Audit

13.1 At least annually, Change Adopt will audit its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA.

13.2 Upon the Partner’s written request, Change Adopt will make the relevant audit reports available to the Partner for review. The Partner will treat such audit reports as Change Adopt’s confidential information under the Master Agreement.

13.3 Change Adopt will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by Change Adopt’s management.

14. Warranties

14.1 Change Adopt warrants and represents that:

a. it and anyone operating on its behalf will process the Personal Data in compliance with both the terms of this DPA and all applicable Data Protection Legislation; and

b. it has no reason to believe that any Data Protection Legislation prevent it from providing any of the Master Agreement’s contracted services; and

c. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of Personal Data and the accidental loss or destruction of, or damage to, Personal Data, and ensure a level of security appropriate to:

i. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, or damage; and

ii. the nature of the Personal Data protected; and

iii. comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in Appendix B.

14.2 The Partner warrants and represents that Change Adopt’s expected use of the Personal Data for the Business Purpose and as specifically instructed by the Partner will comply with all the Data Protection Legislation.

15. Liability

15.1 The limitations on liability set forth in the Master Agreement shall apply to this DPA.

16. Notice

16.1 Any notice or other communication given to a party under or in connection with this DPA shall be in writing and delivered to:

For the Partner: (i) to the points of contact Partner designates in the Master Agreement or Order Form, or (ii) to the Partner’s Admins such as Partner may identify in the QuickHelp Admin Portal;

For Change Adopt: Change Adopt Dale House 64Fink Hill Horsforth LS18 4DH.

16.2 Clause 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Appendix A

Personal Data Processing Purposes and Details

Business Purposes:  To provide Partner with the Service, as set forth in the Master Agreement.

Duration of Processing: the duration of the Master Agreement plus a short time afterwards to allow the data to be returned to the partner or deleted in accordance with this DPA.

Nature of Processing: the nature of the processing includes the receiving, storing, transferring, accessing, using, deleting and destroying the data.

Personal Data Categories:  The personal data processed includes the name, work email, title, company name, department, IP address, profile picture, participation in online learning and training, performance in online learning and training, rankings, and other data in an electronic form in the context of Change Adopt’s Service.

Data Subject Types:  The data subjects include end-users of Change Adopt’s services.

Approved Subcontractors:  Brainstorm Inc. USA (QuickHelp platform provider); Microsoft Azure (hosting services); Google Analytics (data analytics); Kissmetrics (data analytics), and SendGrid (email messaging tool with the Service).

Change Adopt also uses consultants in its business from time to time to support Change Adopt in the delivery of its services to customers.

Change Adopt’s legal basis for cross-border transfers of Personal Data: European Commission’s Standard Contractual Clauses.

Appendix B

Security Measures

Change Adopt will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of the data uploaded to the service, as described in the Master Agreement or in this DPA, or otherwise made reasonably available by Change Adopt. The security practices described in this Appendix B are currently observed by Change Adopt.  Although it reserves the right to modify or update these practices, Change Adopt will not materially decrease the overall security of the Service during a subscription term.

PHYSICAL ACCESS CONTROLS:  QuickHelp is hosted in Microsoft Azure, a multi-tenant environment.  The physical and environmental security controls are audited for SOC 2 Type II compliance, among other certifications.

SYSTEM ACCESS CONTROLS:  Access controls within the Service are designed to permit role-based access control using least privileged access principals.  Change Adopt utilises multi-factor authentication for access to management system portals.

DATA ACCESS CONTROLS:  Users of the Service have access to non-public data via the application.  Partners and their users are not allowed direct access to the underlying infrastructure of the Service.  Only Change Adopt and Brainstorm Inc. has direct access to Partner data and Partner’s Personal Data.  The authorisation protocols are designed to permit only designated individuals’ access to the underlying infrastructure.  Authorisation to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

TRANSMISSION CONTROLS: Brainstorm Inc. encrypts all QuickHelp data and Personal Data at rest and in-transit using HTTPS encryption.

INPUT CONTROLS:  Change Adopt and Brainstorm Inc. logs information regarding system behaviour, system authentication, and other application requests.  Utilising Azure Threat Detection, Change Adopt is able to monitor and be responsive to malicious, unintended, or anomalous activities. Change Adopt also maintains a record of security incidents.  Any suspected or confirmed security incident is investigated by Change Adopt’s personnel, who then identify appropriate steps to resolve the incident and minimise damage or unauthorised disclosure (if any).

DATA BACKUPS.  By hosting the Service in Azure, Change Adopt is able to ensure redundancy and fail-over protections, including geo-redundancy.  All databases are backed up and maintained using industry standard methods.